An anonymous reader writes: Mozilla today launched Firefox 57, branded Firefox Quantum, for Windows, Mac, Linux, Android, and iOS. The new version, which Mozilla calls "by far the biggest update since Firefox 1.0 in 2004," brings massive performance improvements and a visual redesign. The Quantum name signals Firefox 57 is a huge release that incorporates the company's next-generation browser engine (Project Quantum). The goal is to make Firefox the fastest and smoothest browser for PCs and mobile devices -- the company has previously promised that users can expect "some big jumps in capability and performance" through the end of the year. Indeed, three of the four past releases (Firefox 53, Firefox 54, and Firefox 55) included Quantum improvements. But those were just the tip of the iceberg. Additionally, Firefox now exclusively supports extensions built using the WebExtension API, and unsupported legacy extensions will no longer work, the company said.

Catalin Cimpanu, writing for BleepingComputer: Firefox 57, set to be released tomorrow, will ship with improvements to the browser's sandbox security feature for Linux users. The Firefox sandboxing feature isolates the browser from the operating system in a way to prevent web attacks from using a vulnerability in the browser engine and its legitimate functions to attack the underlying operating system, place malware on the filesystem, or steal local files. Chrome has always run inside a sandbox. Initially, Firefox ran only a few plugins inside a sandbox -- such as Flash, DRM, and other multimedia encoding plugins.

A popular Firefox browser add-on that saves and syncs bookmarks has started to lose those bookmarks instead, users are complaining. From a report: According to user reports -- and your reporter's own experience -- the problems arose when Xmarks updated the add-on to version 4.5.0.4, the first version to work on the new WebExtensions API, Firefox's new add-on technology. Since then, Firefox users have reported a wide range of problems, but among which the biggest was the fact that Xmarks was not syncing bookmarks as it should. The problems did not manifest the same way for all users. Some users said the add-on stopped syncing new bookmarks altogether, some reported corrupted links, others said they lost all bookmarks, while other reported that only a small portion of new bookmark URLs was being added to their Xmarks account.

An anonymous reader writes: Mozilla engineers have borrowed yet another feature from the Tor Browser and starting with version 58 Firefox will block attempts to fingerprint users using the HTML5 canvas element. The technique is widely used in the advertising industry to track users across sites. Firefox 58 is scheduled for release on January 16, 2018.

Canvas fingerprinting blocking is the second feature Mozilla engineers have borrowed from the Tor Project. Previously, Mozilla has added a mechanism to Firefox 52 that prevents websites from fingerprinting users via system fonts. Mozilla's efforts to harden Firefox are part of the Tor Uplift project, an initiative to import more privacy-focused feature from the Tor Browser into Firefox.

Catalin Cimpanu, reporting for BleepingComputer: The Tor Project has released a security update for the Tor Browser on Mac and Linux to fix a vulnerability that leaks users' real IP addresses. The vulnerability was spotted by Filippo Cavallarin, CEO of We Are Segment, an Italian company specialized in cyber-security and ethical hacking. Cavallarin privately reported the issue -- which he codenamed TorMoil -- to the Tor Project last week. Tor Project developers worked with the Firefox team (Tor Browser is based on the Firefox browser) to release a fix. Today, the Tor team released version 7.0.9 to address the vulnerability. Tor Browser 7.0.9 is only available for Mac and Linux users. Tor Browser on Windows is not affected.

Catalin Cimpanu, reporting for BleepingComputer: Mozilla engineers have started work on a project named Lockbox that they describe as "a work-in-progress extension [...] to improve upon Firefox's built-in password management." Mozilla released the new extension for employee-use only at first, but users can install it by going to this or this links. Lockbox revamps Firefox's antiquated password management utility with a new user interface (UI). A new Firefox UI button is also included, in case users want to add a shortcut in their browser's main interface to open Lockbox without going through all the menu options. Support for a master password is included, helping users secure their passwords from unauthorized access by co-workers, family members, or others.

An anonymous reader writes: Late yesterday afternoon, Google announced plans to deprecate and eventually remove PKP support from the Chromium open-source browser, which indirectly means from Chrome... According to Google engineer Chris Palmer, low adoption and technical difficulties are among the reasons why Google plans to remove the feature from Chrome.

"We would like to do this in Chrome 67, which is estimated to be released to Stable on 29 May 2018," Palmer says. The proposal is up in the air, and users can submit opinions against Google's intent to deprecate, but seeing how little PKP was adopted, it's most likely already out the door. A Neustar survey from March 2016 had PKP deployment at only 0.09% of all HTTPS sites. By August 2017, that needle had barely moved to 0.4% of all sites in the Alexa Top 1 Million.

"Could it turn out users actually prefer to trade a little CPU time to website owners in favor of them not showing ads?" writes phonewebcam, a long-time Slashdot reader. Slashdot covered the downside [of in-browser cryptocurrency mining] recently, with even [Portuguese professional sportsballer] Cristiano Ronaldo's official site falling victim, but that may not be the full story. This could be an ideal win-win situation, except for one huge downside -- the current gang of online advertisers.
By "current gang of online advertisers," he means Google, according to a longer essay at LinkedIn: Naturally, the world's largest ad broker, which runs the world most popular browser (desktop and mobile) is keen to see how this plays out, and is also uniquely placed to be able to heavily influence it, too... As it happens, Chrome users can already do something about it via extensions, for example AntiMiner... If cryptocurrencies have a future - and that's a big if (look at China's Bitcoin ban) - it could well turn out that their role just took an unexpected turn.

Mozilla has announced deeper partnerships with Microsoft, Google, Samsung, and web standards body W3C to create cross-browser documentation on MDN Web Docs, a web development documentation portal created by Mozilla. From a report: MDN Web Docs first came to fruition in 2005, and it has since been known under various names, including the Mozilla Developer Network and Mozilla Developer Center. Today, MDN Web Docs serves as a community and library of sorts covering all things related to web technologies and standards, including JavaScript, HTML, CSS, open web app development, Firefox add-on development, and more. The web constitutes multiple players from across the technology spectrum and, of course, multiple browsers, including Microsoft's Edge, Google's Chrome, Mozilla's Firefox, and the Samsung Internet Browser. To avoid fragmentation and ensure end-users have a (fairly) consistent browsing experience, it helps if all the players involved adhere to a similar set of standards.

Catalin Cimpanu, reporting for BleepingComputer: Ever since mid-September, when Coinhive launched and the whole cryptojacking frenzy started, the Internet has gone crazy with in-browser cryptocurrency miners, and new sites that offer similar services are popping up on a weekly basis. While one might argue that mining Monero in a site's background is an acceptable alternative to viewing intrusive ads, almost none of these services that have recently appeared provide a way to let users know what's happening, let alone a way to stop mining behavior. In other words, most are behaving like malware, intruding on users' computers and using resources without permission. [...] Bleeping Computer spotted two new services named MineMyTraffic and JSEcoin, while security researcher Troy Mursch also spotted Coin Have and PPoi, a Coinhive clone for Chinese users. On top of this, just last night, Microsoft spotted two new services called CoinBlind and CoinNebula, both offering similar in-browser mining services, with CoinNebula configured in such a way that users couldn't report abuse. Furthermore, none of these two services even have a homepage, revealing their true intentions to be deployed in questionable scenarios.

Google is rolling out a trio of important changes to Chrome for Windows users. From a report: At the heart of these changes is Chrome Cleanup. This feature detects unwanted software that might be bundled with downloads, and provides help with removing it. Google's Philippe Rivard explains that Chrome now has built-in hijack detection which should be able to detect when user settings are changes without consent. This is a setting that has already rolled out to users, and Google says that millions of users have already been protected against unwanted setting changes such as having their search engine altered. But it's the Chrome Cleanup tool that Google is particularly keen to highlight. A redesigned interface makes it easier to use and to see what unwanted software has been detected and singled out for removal.

An anonymous reader quotes Computerworld:Microsoft's Edge easily beat rival browsers from Google and Mozilla in third-party tests of the behind-the-scenes services which power anti-malware warnings and malicious website-blocking... NSS Labs says Windows 10's default browser is better at blocking phishing and socially-engineered malware attacks than Google Chrome or Mozilla Firefox... According to NSS Labs of Austin, Texas, Edge automatically blocked 92% of all in-browser credential phishing attempts and stymied 100% of all socially-engineered malware (SEM) attacks. The latter encompassed a wide range of attacks, but their common characteristic was that they tried to trick users into downloading malicious code. The tactics that SEM attackers deploy include links from social media, such as Facebook and Twitter, and bogus in-browser notifications of computer infections or other problems.

Edge bested Chrome and Firefox by decisive margins. For instance, Chrome blocked 74% of all phishing attacks, and 88% of SEM attacks. Meanwhile, Firefox came in third in both tests, stopping just 61% of the phishing attacks and 70% of all SEM attempts... Both Chrome and Mozilla's Firefox rely on the Safe Browsing API (application programing interface), but historically, Mozilla's implementation has performed poorly compared to Google's. No shock: Google created the API. Edge also took top prize in blocking attacks from the get-go. In NSS's SEM attack testing, for example, the Microsoft browser stopped nearly every attempt from the first moments a new attack was detected. Chrome and Firefox, on the other hand, halted 75% and 54% of the brand-new attacks, respectively. Over a week's time, Chrome and Firefox improved their blocking scores, although neither reached Edge's impressive 99.8%.
The researchers spent three weeks continuously monitoring the browsers on Windows 10 computers. But in the real world, Edge runs on just 5% of all personal computers, while Firefox runs on 13% and Chrome on 60%.

An anonymous reader quotes Ars Technica: Equifax isn't the only credit-reporting behemoth with a website redirecting visitors to fake Adobe Flash updates. A security researcher from AV provider Malwarebytes said transunioncentroamerica.com, a TransUnion site serving people in Central America, [was] also sending visitors to the fraudulent updates and other types of malicious pages... Malwarebytes security researcher Jerome Segura says he was able to repeatedly reproduce a similar chain of fraudulent redirects when he pointed his browser to the transunioncentroamerica.com site. On some occasions, the final link in the chain would push a fake Flash update. In other cases, it delivered an exploit kit that tried to infect computers with unpatched browsers or browser plugins... "This is not something users want to have," Segura told Ars...

Equifax on Thursday was quick to say that its systems were never compromised in the attacks. TransUnion said much the same thing. This is an important distinction in some respects because it means that the redirections weren't the result of attackers having access to restricted parts of either company's networks. At the same time, the incidents show that visitors to both sites remain much more vulnerable to malicious content than they should be.
Both sites hosted fireclick.js, an old script from a small web analytics company which pulls pages from sites like Akamai, SiteStats.info, and Ostats.net. "It appears that attackers have compromised the third-party library," writes BankInfoSecurity, adding that Malwarebytes estimates over a 1,000 more sites are using the same library.

Ad blocking firm AdGuard has found that over 500 million people are inadvertently mining cryptocurrencies through their computers after visiting websites that are running background mining software. The company found 220 popular websites with an aggregated audience of half a billion people use so-called crypto-mining scripts when a user opens their main page. Newsweek reports: The mining tool works by hijacking a computer's central processing unit (CPU), commonly referred to as "the brains" of a computer. Using part of a computer's CPU to mine bitcoin effects the machine's overall performance and will slow it down by using up processing power. The researchers found that bitcoin browser mining is mostly found on websites "with a shady reputation" due to the trouble such sites have with earning revenue through advertising. However, in the future it could become a legitimate and ethical way of making money if the website requests the permission of the visitor first.

"220 sites may not seem like a lot," the researchers wrote in a blogpost detailing their discovery. "But CoinHive was launched less than one month ago on September 14. The growth has been extremely rapid: from nearly zero to .22 percent of Alexa's top 100,000 websites. "This analysis well illustrates the whole web, so it's safe to say that one of every forty websites currently mines cryptocurrency (namely Monero) in the browsers their users employ."

An anonymous reader quotes a report from Bleeping Computer: A new W3C standard is slowly creeping into current browser implementations, a standard that will simplify the way people make payments online. Called the Payment Request API, this new standard relies on users entering and storing payment card details inside browsers, just like they currently do with passwords. The API is also a godsend for the security and e-commerce industry since it spares store owners from having to store payment card data on their servers. This means less regulation and no more fears that an online store might expose card data when getting hacked. By moving the storage of payment card details in the browser, the responsibility of keeping these details safe is moved to the browser and the user. Browsers that support the Payment Request API include Google Chrome, who first added support for it in Chrome for Android 53 in August 2016, and added desktop support last month with the release of Chrome 61. Microsoft Edge also supports the Payment Request API since September 2016, but the feature requires that users register a Microsoft Wallet account before using it. Firefox and Safari are still working on supporting the API, and so are browser implementations from Facebook and Samsung, both eager to provide a simpler payment mechanism than the one in use today.

An anonymous reader writes: If you want more proof that Microsoft is embracing Android and iOS, boy, do we have it for you today. The company has launched Edge for iOS in preview, promised Edge for Android is coming soon, and launched Microsoft Launcher for Android in public preview. Edge for iOS preview is available via Apple's TestFlight and is limited, per Apple's rules, to 10,000 users. Microsoft is inviting Windows Insiders in the U.S. to sign up here. Android users can also sign up at that same link -- the preview will hit the Google Play Store in the coming weeks. Microsoft is hoping to release Edge for Android and iOS out of preview "later this year." The Microsoft Launcher is available in preview for English users in the United States on Google Play. Microsoft promises to bring it to other markets "over time" and launch it out of preview "later this year," as well.

An anonymous reader quotes a report from Bleeping Computer: Mozilla announced today plans to stop all support for the Firefox browser on Windows XP and Vista in June 2018. Earlier this year, Mozilla already moved Firefox users on XP and Vista machines to the Firefox 52 ESR (Extended Support Release). The move of XP and Vista users to Firefox ESR was previously announced in December 2016, when Mozilla also said it would provide a final answer on Firefox support for XP and Vista in September 2017. Well, that date has arrived (and passed), and after an internal review, Mozilla announced it would sunset all support for Firefox on the two Windows platforms. Mozilla joins Google, who dropped support for XP and Vista back at version 50, released in April 2016. Microsoft has stopped XP and Vista support in April 2014 and April 2017, respectively.

An anonymous reader writes: Google is working on blocking tab-under behavior in Chrome, according to a document seen by Bleeping Computer. For users unfamiliar with the jargon, Google considers tab-under behavior when an unsuspecting user is scrolling or clicking on a page, but the site duplicates the current page in another tab and shows an ad or a new website in the page the user was initially reading. Countless of website owners and advertisers have abused tab-unders to show ads and redirect users to unwanted sites, all for the sake of ad impressions and redirection fees. This demo site created by Google engineers that shows how tab-unders work. Earlier today, Google published a document detailing three ways it's currently looking at for dealing with tab-unders in Chrome. The current approved proposal is for the browser maker to block websites before opening a new tab, similar to the pop-up blocking mechanism. According to Chrome engineer Charles Harrison, the tab-under blocking feature will be supported on five of the six Blink platforms -- Windows, Mac, Linux, Chrome OS, and Android, but not Android WebView. Once the feature is ready, it will ship with Chrome Canary under its own option on the chrome://flags settings page.

Apple is ditching Bing and will now use Google to power the default search engine for Siri, Search within iOS (iOS search bar), and Spotlight on Mac. From a report: TechCrunch reported Monday that Apple users will now see search results powered by Google, instead of Bing, when using those tools. For example, when an iPhone user asks Siri a question that needs a search engine result, the voice assistant will now pull from Google, not Bing. Apple will still use Bing for image search queries using Siri or Spotlight on Mac, TechCrunch reported. Apple said the move was done for consistency; its Safari browser uses Google as the default search engine. In a statement, the company told TechCrunch that "we have strong relationships with Google and Microsoft and remain committed to delivering the best user experience possible." Google is reportedly paying Apple $3 billion this year to remain as the default search engine on iPhones and iPads.

An anonymous reader writes: Russian hacktivist group Fancy Bear (also referred to as APT28, Sofacy, and Strontium) has been using a flaw in Google's caching of Accelerated Mobile Pages (AMP) to phish targets, Salon reports. To make matters worse, Google has been aware of the bug for almost a year but has refused to fix it... The vulnerability involves how Google delivers google.com URLs for AMP pages to its search users in an effort to speed up mobile browsing. This makes Google products more vulnerable to phishing attacks.
Conservative blogger Matthew Sheffield writes in the article that most of the known targets "appear to have been journalists who were investigating allegations of corruption or other wrongdoing by people affiliated with the Russian government." One such target was Aric Toler, a researcher and writer for the website Bellingcat who specializes in analyzing Russian media and the country's relationship with far-right groups within Europe and America... another journalist who writes frequently about Russia, David Satter, was taken in by a similar AMP phishing message... Shortly after Satter was tricked into visiting the fake website and entering his password, a program that was hosting the site logged into his Gmail account and downloaded its entire contents. Within three weeks, as the Canadian website Citizen Lab reported, the perpetrators of the hack began posting Satter's documents online, and even altering them to make opponents and critics of Russian President Vladimir Putin look bad.
Google told Salon they've "made a number of changes" to AMP -- without saying what they were. (After contacting Google for a comment, AMP's creator and tech lead blocked public comments on a Github bug report about Google's AMP implementation.) "More things ... will come on Google's side in the future and we are working with browser vendors to eventually get the origin right," AMP's tech lead wrote last February.

Jason Kint, CEO of a major web publishing trade association, told Salon that "This report of an ongoing security issue is troubling and exactly why consolidation of power and closed standards are problematic. The sooner AMP migrates to the open web and becomes less tied to the interests of Google, in every way the better."