wiredmikey shares a report from SecurityWeek: Google late Tuesday shipped another urgent security patch for its dominant Chrome browser and warned that attackers are exploiting one of the zero-days in active attacks. This is the fourth in-the-wild Chrome zero-day discovered so far in 2021 and the continued absence of IOC data or any meaningful information about the attacks continue to raise eyebrows among security experts.

The newest Chrome update -- 90.0.4430.85 -- is available for Windows, Mac and Linux users and is being rolled out via the browser's automatic update mechanism. The vulnerability being exploited is identified as CVE-2021-21224 and simply described as a "type confusion" in the V8 Chrome rendering engine. Google credited the Jose Martinez (tr0y4) from VerSprite Inc. for reporting the vulnerability. "Google is aware of reports that exploits for CVE-2021-21224 exist in the wild," the company said, with no additional details.

Dave Knott writes: Microsoft has announced Visual Studio 2022, the next major revision of their flagship development IDE. A public beta will be arriving this summer. The most significant change, which has long been rumored, is that the entire application suite will now be 64-bit. Other major changes include:

* Performance improvements in the core debugger
* Support for .NET 6, which can be used to build web, client and mobile apps by both Windows and Mac developers, as well as improved support for developing Azure apps
* An update UI meant to reduce complexity and which will add integration with Accessibility Insights. Microsoft plans to update the icons and add support for Cascadia Code, a new fixed-width font for better readability
* Support for C++ 20 tooling. language standardization and Intellisense
* Integration of text chat into the Live Share collaboration feature
* Additional support for Git and GitHub
* Improved code search

"In Microsoft's ongoing endeavor to convert people to its rebooted Edge web browser, it's launching a new Kids Mode that makes it easy for parents to control how their children surf the web," reports Gizmodo: Parents have the choice between two versions, one for ages five to eight years and one for ages nine to 12 years. Both enable the strictest level of tracking prevention in Edge and Bing SafeSearch by default to filter out adult text, images, and videos from search results. The only difference between the two age ranges is that the older one includes a newsfeed with curated articles from MSN for Kids. Don't worry though: It focuses on more kid-friendly topics like fun science and animal facts rather than breaking news and politics, Microsoft said.

Kids Mode also restricts what sites kids have access to, with roughly 70 popular kids sites allowed from the get-go (any additional allowable sites have to be added to the list individually). If a child tries to view a site that's not on that list, they're met with a cutesy block page, pictured below, that prompts them to ask an adult for permission.

Parallels today announced the release of Parallels Desktop 16.5 for Mac with full support for M1 Macs, allowing for the Windows 10 ARM Insider Preview and ARM-based Linux distributions to be run in a virtual machine at native speeds on M1 Macs. From a report: Parallels says running a Windows 10 ARM Insider Preview virtual machine natively on an M1 Mac results in up to 30 percent better performance compared to a 2019 model 15-inch MacBook Pro with an Intel Core i9 processor, 32GB of RAM, and Radeon Pro Vega 20 graphics. Parallels also indicates that on an M1 Mac, Parallels Desktop 16.5 uses 2.5x less energy than on the latest Intel-based MacBook Air. Microsoft does not yet offer a retail version of ARM-based Windows, with the Windows 10 ARM Insider Preview available on Microsoft's website for Windows Insider program members. The ability to run macOS Big Sur in a virtual machine is a feature that Parallels hopes to add support for in Parallels Desktop later this year as well.

April showers bring hours of patches as Microsoft delivers its Patch Tuesday fun-fest consisting of over a hundred CVEs, including four Exchange Server vulnerabilities reported to the company by the US National Security Agency (NSA). The Register reports: Forty-four different products and services are affected, mainly having to do with Azure, Exchange Server, Office, Visual Studio Code, and Windows. Among the vulnerabilities, four have been publicly disclosed and a fifth is being actively exploited. Nineteen of the CVEs have been designated critical. "This month's release includes a number of critical vulnerabilities that we recommend you prioritize, including updates to protect against new vulnerabilities in on-premise Exchange Servers," Microsoft said in its blog post. "These new vulnerabilities were reported by a security partner through standard coordinated vulnerability disclosure and found internally by Microsoft. We have not seen the vulnerabilities used in attacks against our customers.

Clicking through Microsoft's coy links to CVE-2021-28480 (9.8 severity), CVE-2021-28481 (9.8 severity), CVE-2021-28482 (8.8 severity), and CVE-2021-28483 (9.0 severity), you'll find the unspecified security partner is the NSA. Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9 are affected by this set of problems. "NSA urges applying critical Microsoft patches released today, as exploitation of these #vulnerabilities could allow persistent access and control of enterprise networks," the signals intelligence agency said via Twitter.

Microsoft's long-awaited new webcam is finally here, alongside a number of accessories designed for the work from home era. From a report: Rumors of a new Microsoft webcam have been circulating for years, and the result is what Microsoft calls the Modern Webcam. It's a fairly basic and affordable 1080p webcam that will start shipping for $69.99 in June. The Microsoft Modern Webcam will support up to 1080p HDR output at 30fps and connects via USB-A, not USB-C. It's not the 4K webcam found on Microsoft's Surface Hub 2, and it doesn't include Windows Hello support either. It's really a simple webcam designed for students or workers to quickly add a better video calling option to an existing laptop or PC. Microsoft is also including a privacy shutter and LED indicator to let people easily see when the webcam is active. Microsoft is also launching a new USB-C speaker. The Modern USB-C Speaker is designed primarily for Microsoft Teams, and it even includes a button to launch a control panel for Teams with quick actions for meetings.

Microsoft on Tuesday announced a new 2021 Surface Laptop, called the Surface Laptop 4. The new version adds 11th-gen Intel Core processors, paired with Intel Iris XE graphics. There's also an AMD processor option -- Zen 2 series -- with a graphics chip called AMD Radeon Graphics Microsoft Surface Edition. From a report: For all the buzz Microsoft's Surface tablets get, I've always thought the Surface Laptop was actually Microsoft's secret weapon. Since Surface Laptop debuted in 2017, it's been a strong contender for the best all-purpose slim Windows laptop. But plenty of companies offer 13-inch-class slim laptops, all hoping to be the Windows version of Apple's ubiquitous MacBook Air. (Microsoft also introduced a 15-inch version in 2019.) Microsoft says the Surface Laptop has the Surface line's highest level of customer satisfaction. Besides simply working well and being stylish and easy to use, the Surface Laptop was frequently on sale at very reasonable prices, making it a great way to get a rock-solid clamshell laptop for not much money. Shortly before the Surface Laptop 4 preorders went live, you could still order a Core i5 13-inch Surface Laptop 3 (with 8GB RAM and a 128GB SSD) for $769, or $899 for a 256GB SSD.

An anonymous reader quotes a report from ZDNet: A zero-day vulnerability in Zoom which can be used to launch remote code execution (RCE) attacks has been disclosed by researchers. The researchers from Computest demonstrated a three-bug attack chain that caused an RCE on a target machine, and all without any form of user interaction. As Zoom has not yet had time to patch the critical security issue, the specific technical details of the vulnerability are being kept under wraps. However, an animation of the attack in action demonstrates how an attacker was able to open the calculator program of a machine running Zoom following its exploit. As noted by Malwarebytes, the attack works on both Windows and Mac versions of Zoom, but it has not -- yet -- been tested on iOS or Android. The browser version of the videoconferencing software is not impacted. Computest researchers Daan Keuper and Thijs Alkemade earned themselves $200,000 for this Zoom discovery, as it was part of the Pwn2Own contest.

In a statement to Tom's Guide, Zoom thanked the Computest researchers and said the company was "working to mitigate this issue with respect to Zoom Chat." In-session Zoom Meetings and Zoom Video Webinars are not affected. "The attack must also originate from an accepted external contact or be a part of the target's same organizational account," Zoom added. "As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust."

Microsoft is finally releasing a 64-bit version of OneDrive, roughly 14 years after the first 64-bit version of Windows was released. Engadget reports: In an announcement spotted by Windows guru Paul Thurrott, the company says the new version of OneDrive will help those who need to transfer large files or many files at the same time since 64-bit systems can access more resources than their 32-bit counterparts.

"We know this has been a long-awaited and highly requested feature, and we're thrilled to make it available for early access," the company said. "You can now download the 64-bit version for use with OneDrive work, school, and home accounts." One thing to note is the preview is currently only available on x64 installs of Windows. If you own a computer like the Surface Pro X -- and therefore have Windows 10 on ARM installed on your system -- you'll have to wait. Microsoft recommends you continue using the 32-bit version for the time being.

Mark Wilson writes: Microsoft has launched a preview version of its own distribution of Java, making it available for Windows, macOS and Linux. The company has named the release Microsoft Build of OpenJDK, and describes it as its "new way to collaborate and contribute to the Java ecosystem". The company has made available Microsoft Build of OpenJDK binaries for Java 11, which are based on OpenJDK source code. Microsoft says it is looking to broaden and deepen its support for Java, "one of the most important programming languages used today".

An inventive MacRumors forums member has successfully retrofitted a water-cooling system to their 15-inch Intel-based MacBook Pro, thereby eliminating fan noise and boosting performance. From the report: MacRumors forums member "theodric" explained that the noise of their MacBook Pro's fans had become disruptive during conference calls, so amid ordering an M1 MacBook Air, they decided to fit a water cooling system to their machine. theodric used inexpensive parts such as Bitcoin ASIC miner blocks from AliExpress, an Aquastream XT Ultra water pump, and a Zalman radiator and reservoir from 2005 to create the system.

High-transmissivity thermal pads were added between the case shell and various motherboard components to conduct heat away from the MacBook Pro and into the water cooling system. The thermal shielding from the bottom of the case was also removed, as well as the feet, to ensure full contact with the new cooling plates. The pump, which requires Windows software to operate, was run via a virtual machine, and a Raspberry Pi was used for monitoring. theodric says that they have "hardly heard the fan since I started using it" and have seen benchmark scores significantly improve under the system. See theodric's full post for more information about the ambitious project.

Last year, NetMarketShare showed that Edge's 7.59% desktop market share pushed it past Firefox in March last year. Now, StatCounter reports that Edge has been adding users over the last few months as Firefox's userbase shrinks. TechSpot reports: While the data doesn't prove Firefox users have been leaving for Edge, we see that Microsoft's browser has seen its market share jump from 7.81% to 8.03% this year, while Mozilla's product declined from 8.1% to 7.95%. That's an all-time high for Edge, according to StatCounter. Edge's gain in users hasn't secured it the second position. That honor goes to Safari, which now has a 10.11% share, though its numbers have been falling since December, so Edge could overtake it soon enough.

Like Windows 7, it seems some people are having trouble letting go of the now-discontinued Internet Explorer. It has a 1.7% share that is declining very slowly. The data is only for the desktop market. Looking at all platforms -- desktop, tablet, and mobile -- iPhones and iPads make Safari's second spot more secure with a 19.03% share, while Firefox moves ahead of Edge, albeit by just 0.23%.

Duo, the authentication service Cisco acquired for $2.35 billion in 2018, today announced its plans to launch a passwordless authentication service that will allow users to log in to their Duo-protected services through security keys or platform biometrics like Apple's Face ID or Microsoft's Windows Hello. The infrastructure-agnostic service will go into public preview in the summer. From a report: "Cisco has strived to develop passwordless authentication that meets the needs of a diverse and evolving workforce and allows the broadest set of enterprises to securely progress towards a passwordless future, regardless of their IT stack," said Gee Rittenhouse, SVP and GM of Cisco's Security Business Group. "It's not an overstatement to say that passwordless authentication will have the most meaningful global impact on how users access data by making the easiest path the most secure." If you're using Duo or a similar product today, chances are that you are using both passwords and a second factor to log into your work applications. But users are notoriously bad about their password hygiene -- and to the despair of any IT department, they also keep forgetting them.

An anonymous reader shares a report from Motherboard, written by Ben Munster: When you buy an NFT for potentially as much as an actual house, in most cases you're not purchasing an artwork or even an image file. Instead, you are buying a little bit of code that references a piece of media located somewhere else on the internet. This is where the problems begin. Ed Clements is a community manager for OpenSea who fields these kinds of problems daily. In an interview, he explained that digital artworks themselves are not immutably registered "on the blockchain" when a purchase is made. When you buy an artwork, rather, you're "minting" a new cryptographic signature that, when decoded, points to an image hosted elsewhere. This could be a regular website, or it might be the InterPlanetary File System, a large peer-to-peer file storage system.

Clements distinguished between the NFT artwork (the image) and the NFT, which is the little cryptographic signature that actually gets logged. "I use the analogy of OpenSea and similar platforms acting like windows into a gallery where your NFT is hanging," he said. "The platform can close the window whenever they want, but the NFT still exists and it is up to each platform to decide whether or not they want to close their window." [...] "Closing the window" on an NFT isn't difficult. NFTs are rendered visually only on the front-end of a given marketplace, where you see all the images on offer. All the front-end code does is sift through the alphanumeric soup on the blockchain to produce a URL that links to where the image is hosted, or less commonly metadata which describes the image. According to Clement: "the code that finds the information on the blockchain and displays the images and information is simply told, 'don't display this one.'"

An important point to reiterate is that while NFT artworks can be taken down, the NFTs themselves live inside Ethereum. This means that the NFT marketplaces can only interact with and interpret that data, but cannot edit or remove it. As long as the linked image hasn't been removed from its source, an NFT bought on OpenSea could still be viewed on Rarible, SuperRare, or whatever -- they are all just interfaces to the ledger. The kind of suppression detailed by Clements is likely the explanation for many cases of "missing" NFTs, such as one case documented on Reddit when user "elm099" complained that an NFT called "Big Boy Pants" had disappeared from his wallet. In this case, the user could see the NFT transaction logged on the blockchain, but couldn't find the image itself. In the case that an NFT artwork was actually removed at the source, rather than suppressed by a marketplace, then it would not display no matter which website you used. If you saved the image to your phone before it was removed, you could gaze at it while absorbing the aura of a cryptographic signature displayed on a second screen, but that could lessen the already-tenuous connection between NFT and artwork. If you're unable to find a record of the token itself on the Ethereum blockchain, it "has to do with even more arcane Ethereum minutiae," writes Ben Munster via Motherboard. He explains: "NFTs are generally represented by a form of token called the ERC-721. It's just as simple to locate this token's whereabouts as ether (Ethereum's in-house currency) and other tokens such as ERC-20s. The NFT marketplace SuperRare, for instance, sends tokens directly to buyers' wallets, where their movements can be tracked rather easily. The token can then generally be found under the ERC-721 tab. OpenSea, however, has been experimenting with a new new token variant: the ERC-1155, a 'multitoken' that designates collections of NFTs.

This token standard, novel as it is, isn't yet compatible with Etherscan. That means ERC-1155s saved on Ethereum don't show up, even if we know they are on the blockchain because the payments record is there, and the 'smart contracts' which process the sale are designed to fail instantly if the exchange can't be made. [...]"

In closing, Munster writes: "This is all illustrative of a common problem with Ethereum and cryptocurrencies generally, which despite being immutable and unhackable and abstractly perfect can only be taken advantage of via unreliable third-party applications."

Security researcher Brian Krebs wants you to know... "New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name. Let's just get this out of the way right now: It wasn't me." The Shadowserver Foundation, a nonprofit that helps network owners identify and fix security threats, says it has found 21,248 different Exchange servers which appear to be compromised by a backdoor and communicating with [a domain that begins with brian . krebsonsecurity... Not a safe domain.] Shadowserver has been tracking wave after wave of attacks targeting flaws in Exchange that Microsoft addressed earlier this month in an emergency patch release. The group looks for attacks on Exchange systems using a combination of active Internet scans and "honeypots" — systems left vulnerable to attack so that defenders can study what attackers are doing to the devices and how.

David Watson, a longtime member and director of the Shadowserver Foundation Europe, says his group has been keeping a close eye on hundreds of unique variants of backdoors (a.k.a. "web shells") that various cybercrime groups worldwide have been using to commandeer any unpatched Exchange servers. These backdoors give an attacker complete, remote control over the Exchange server (including any of the server's emails)... Shadowserver's honeypots saw multiple hosts with the Babydraco backdoor doing the same thing: Running a Microsoft Powershell script that fetches the file "krebsonsecurity.exe"... Oddly, none of the several dozen antivirus tools available to scan the file at Virustotal.com currently detect it as malicious. The Krebsonsecurity file also installs a root certificate, modifies the system registry, and tells Windows Defender not to scan the file. Watson said the Krebsonsecurity file will attempt to open up an encrypted connection between the Exchange server and the above-mentioned IP address, and send a small amount of traffic to it each minute.

Shadowserver found more than 21,000 Exchange Server systems that had the Babydraco backdoor installed. But Watson said they don't know how many of those systems also ran the secondary download from the rogue Krebsonsecurity domain. "Despite the abuse, this is potentially a good opportunity to highlight how vulnerable/compromised MS Exchange servers are being exploited in the wild right now, and hopefully help get the message out to victims that they need to sign up our free daily network reports," Watson said.

This week Swedish developer Daniel Stenberg posted a remarkable reflection on the 23rd anniversary of his command-line data tool, cURL: curl was adopted in Red Hat Linux in late 1998, became a Debian package in May 1999, shipped in Mac OS X 10.1 in August 2001. Today, it is also shipped by default in Windows 10 and in iOS and Android devices. Not to mention the game consoles, Nintendo Switch, Xbox and Sony PS5.

Amusingly, libcurl is used by the two major mobile OSes but not provided as an API by them, so lots of apps, including many extremely large volume apps bundle their own libcurl build: YouTube, Skype, Instagram, Spotify, Google Photos, Netflix etc. Meaning that most smartphone users today have many separate curl installations in their phones.

Further, libcurl is used by some of the most played computer games of all times: GTA V, Fortnite, PUBG mobile, Red Dead Redemption 2 etc.

libcurl powers media players and set-top boxes such as Roku, Apple TV by maybe half a billion TVs.

curl and libcurl ships in virtually every Internet server and is the default transfer engine in PHP, which is found in almost 80% of the world's almost two billion websites.

Cars are Internet-connected now. libcurl is used in virtually every modern car these days to transfer data to and from the vehicles.

Then add media players, kitchen and medical devices, printers, smart watches and lots of "smart"; IoT things. Practically speaking, just about every Internet-connected device in existence runs curl.

I'm convinced I'm not exaggerating when I claim that curl exists in over ten billion installations world-wide...

Those 300 lines of code in late 1996 have grown to 172,000 lines in March 2021.
Stenberg attributes cURL's success to persistence. "We hold out. We endure and keep polishing. We're here for the long run. It took me two years (counting from the precursors) to reach 300 downloads. It took another ten or so until it was really widely available and used." But he adds that 22 different CPU architectures and 86 different operating systems are now known to have run curl.

In a later blog post titled "GitHub Steel," Stenberg also reveals that GitHub gave him a 3D-printed steel version of his 2020 GitHub contribution matrix — accompanied by a friendly note. "Please accept this small gift as a token of appreciation on behalf of all of us here at GitHub, and everyone who benefits from your work."

Two software engineers with injuries or chronic pain conditions have both started voice-coding platforms, reports IEEE Spectrum. "Programmers utter commands to manipulate code and create custom commands that cater to and automate their workflows." The voice-coding app Serenade, for instance, has a speech-to-text engine developed specifically for code, unlike Google's speech-to-text API, which is designed for conversational speech. Once a software engineer speaks the code, Serenade's engine feeds that into its natural-language processing layer, whose machine-learning models are trained to identify and translate common programming constructs to syntactically valid code...

Talon has several components to it: speech recognition, eye tracking, and noise recognition. Talon's speech-recognition engine is based on Facebook's Wav2letter automatic speech-recognition system, which [founder Ryan] Hileman extended to accommodate commands for voice coding. Meanwhile, Talon's eye tracking and noise-recognition capabilities simulate navigating with a mouse, moving a cursor around the screen based on eye movements and making clicks based on mouth pops. "That sound is easy to make. It's low effort and takes low latency to recognize, so it's a much faster, nonverbal way of clicking the mouse that doesn't cause vocal strain," Hileman says...

Open-source voice-coding platforms such as Aenea and Caster are free, but both rely on the Dragon speech-recognition engine, which users will have to purchase themselves. That said, Caster offers support for Kaldi, an open-source speech-recognition tool kit, and Windows Speech Recognition, which comes preinstalled in Windows.

According to Deadline, Warner Bros. will return to releasing its theatrical films exclusively in theaters next year, ending the studio's 2021 experiment of releasing major films simultaneously on its HBO Max streaming service and in theaters for the first 30 days they're released. The Verge reports: The news comes as part of an announcement from Warner Bros. of a new deal with Regal cinemas owner Cineworld, the second largest theater chain in the world. After over six months of shutdowns, Regal's theaters will reopen in April, and they'll begin showing Warner Bros. films like Kong vs. Godzilla and Mortal Kombat alongside their HBO Max debuts. When Warner Bros. films come back to theaters in 2022, Regal theaters will once again have full exclusivity (with no HBO Max or paid streaming rental competition). But that exclusivity window will be for a much shorter amount of time: Regal will only have a 45-day theatrical exclusivity window, half of the 90-day standard that existed in years past.

Following reports that a recent update to Windows 10 was causing blue screens as well as problems with printing, Microsoft issued a new series of updates to address the issues. But it seems that the problems caused by this month's Patch Tuesday updates are actually worse than first thought. BetaNews reports: Users with certain brands of printer experienced APC_INDEX_MISMATCH errors and blue screens, but now Microsoft has issued a warning that there may be additional problems with elements missing from print outs, or even entirely blank pages being output. The problematic updates are KB5000802, KB5000808, KB5000809 and KB5000822. In the support documentation for these four updates, Microsoft acknowledges the APC_INDEX_MISMATCH error problems and BSoDs, and directs people to install the relevant patches for their system. But the company now also acknowledges that there are more problems with the original updates than first appeared to be the case.

For each of these four updates Microsoft issues the same warning: "After installing updates released March 9, 2021 or March 15, 2021, you might get unexpected results when printing from some apps..." There is currently no fix, and Microsoft is not even able to offer a workaround right now. Instead, the company simply says: "We are working on a resolution and estimate a solution will be available in the coming days."

An anonymous reader quotes a report from Ars Technica: Google is officially bringing its "Live Caption" technology to any website with the new version of Chrome. The feature, which debuted on Pixel phones and should be available on most Android 10+ devices, lets you easily apply Google's speech-to-text technology to any audio source, making it simple to get closed-captioning on audio that's lacking in the accessibility department. Starting today, Google is beginning to roll out the feature to Chrome 89 and up on desktop PCs.

You can enable the feature from the Chrome settings by going to "Advanced" and "Accessibility" and then turning on "Live Caption." Live captions appear on webpages as a gray box that fills with text as the video or audio plays. You can drag the box around so it never gets in the way, and you can even pick between two sizes. Live Caption will attempt to work with every audio source on the web; you can temporarily close the box each time you load a page, but there's no way to enable it on some websites and disable it on others. Google says all the processing happens locally on your device and won't end up on the Internet. For now, Google says Live Caption "currently supports English and is available globally on the latest release of Chrome on Windows, Mac and Linux devices and will be coming soon to ChromeOS."