An anonymous reader shares a report: When a group of security researchers reported a popular but allegedly dangerous Mac App Store utility to Apple, noting that it secretly sends "highly sensitive user information" to an "unscrupulous" developer, Apple's response for a full month was surprising: "crickets." But after a cluster of bad press today, Apple finally pulled Yongming Zhang's app Adware Doctor: Anti Malware &Ad from the store.

Three researchers, including former NSA staffer Patrick Wardle, Thomas Reed of Malwarebytes, and "privacy fighter" @privacyis1st, said in a blog post today that they reported Adware Doctor last month for sending a user's Safari, Chrome, Firefox, and App Store browsing histories alongside lists of the Mac's apps and running processes to a server in China. Despite receiving confirmation that Apple received the report, the $5 app remained in the App Store -- where it was ranked the number one paid app across all Mac utilities.

Since the release of Chrome 69 earlier this week, countless of users have gone on social media and Google Product Forums to complain about "blurry" or "fuzzy" text inside Chrome. ZDNet: The blurred font issue isn't only limited to text rendered inside a web page, users said, but also for the text suggestions displayed inside the address bar search drop-down, and Chrome's Developer Tools panel. [...] According to reports, the issue only manifests for Chrome 69 users on Windows. Those who rolled back to Chrome 68 stopped having problems. Users said that changing Chrome, operating system, or screen DPI settings didn't help. "Our team is investigating reports of this behavior. You can find more information in this public bug report," a Google spokesperson said last night after first user complaints started surfacing online. Some users have also expressed concerns over Chrome not showing "trivial subdomains" including www and secure lock sign in the address bar.

The Tor Browser has rolled out a new interface with the release of v8. From a report: The Tor Browser has always been based on the Firefox codebase, but it lagged behind a few releases. Mozilla rolled out a major overhaul of the Firefox codebase in November 2017, with the release of Firefox 57, the first release in the Firefox Quantum series. Firefox Quantum came with a new page rendering engine, a new add-ons API, and a new user interface called the Photon UI. Because these were major, code-breaking changes, it took the smaller Tor team some time to integrate all of them into the Tor Browser codebase and make sure everything worked as intended. The new Tor Browser 8, released yesterday, is now in sync with the most recent version of Firefox, the Quantum release, and also supports all of its features. This means the Tor Browser now uses the same modern Photon UI that current Firefox versions use, it supports the same speed-optimized page rendering engine and has also dropped support for the old XUL-based add-ons system for the new WebExtensions API system used by Chrome, Opera, Vivaldi, Brave, and the rest of the Chromium browsers.

Mark Wilson shares a report from BetaNews: Acknowledging that we are now very much in the streaming age, BitTorrent has launched the first version of Torrent Web. The aim of the browser-based tool is to make torrenting as simple as possible and -- most importantly -- support torrent streaming. It remains to be seen how many people are willing to switch from a dedicated app to a browser-based torrenting experience, but the promise that you can "play while you download, no more staring at progress bars" is certainly alluring. Files are streamable near-instantly as they download, but they are also saved locally in the way you're used to. uTorrent Web is available for Chrome, Firefox, Internet Explorer, Microsoft Edge and Opera and the release finds BitTorrent partnering with Adaware to check torrents for signs of malware, and even download torrents without having to visit websites. Warning: the installer includes (optional) bundleware in the form of Adaware Internet Security and the Opera web browser.

The official Chrome extension for the MEGA.nz file sharing service has been compromised with malicious code that steals usernames and passwords, but also private keys for cryptocurrency accounts, ZDNet reports. From the report: The malicious behavior was found in the source code of the MEGA.nz Chrome extension version 3.39.4, released as an update earlier today. Google engineers have already intervened and removed the extension from the official Chrome Web Store, and also disabled the extension for existing users. According to an analysis of the extension's source, the malicious code triggered on sites such as Amazon, Google, Microsoft, GitHub, the MyEtherWallet and MyMonero web wallet services, and the IDEX cryptocurrency trading platform. The malicious code would record usernames, passwords, and other session data that attackers would need to log in and impersonate users. If the website managed cryptocurrency, the attacker would also extract the private keys needed to access users' funds.

An anonymous reader writes: Google today launched Chrome 69 for Windows, Mac, and Linux, Android, and iOS, just a few days after the browser's 10-year anniversary. The release includes a new design, more powerful omnibox, updated password manager, more accurate autofill, plenty of developer-specific changes, and a slew of security improvements. You can update to the latest version now using Chrome's built-in updater, download it directly from google.com/chrome, or grab it from Google Play and Apple's App Store. Further reading: As Chrome turns 10, Google bets on AI and AR, and Google wants to kill the URL.

As Chrome looks ahead to its next 10 years, the team is mulling its most controversial initiative yet: fundamentally rethinking URLs across the web. From a report: Uniform Resource Locators are the familiar web addresses you use everyday. They are listed in the web's DNS address book and direct browsers to the right Internet Protocol addresses that identify and differentiate web servers. In short, you navigate to WIRED.com to read WIRED so you don't have to manage complicated routing protocols and strings of numbers. But over time, URLs have gotten more and more difficult to read and understand. The resulting opacity has been a boon for cyber criminals who build malicious sites to exploit the confusion. They impersonate legitimate institutions, launch phishing schemes, hawk malicious downloads, and run phony web services -- all because it's difficult for web users to keep track of who they're dealing with. Now, the Chrome team says it's time for a massive change.

"People have a really hard time understanding URLs," says Adrienne Porter Felt, Chrome's engineering Manager. "They're hard to read, it's hard to know which part of them is supposed to be trusted, and in general I don't think URLs are working as a good way to convey site identity. So we want to move toward a place where web identity is understandable by everyone -- they know who they're talking to when they're using a website and they can reason about whether they can trust them. But this will mean big changes in how and when Chrome displays URLs. We want to challenge how URLs should be displayed and question it as we're figuring out the right way to convey identity."

If you're having a tough time thinking of what could possibly be used in place of URLs, you're not alone. Academics have considered options over the years, but the problem doesn't have an easy answer. Porter Felt and her colleague Justin Schuh, Chrome's principal engineer, say that even the Chrome team itself is still divided on the best solution to propose. And the group won't offer any examples at this point of the types of schemes they are considering. The focus right now, they say, is on identifying all the ways people use URLs to try to find an alternative that will enhance security and identity integrity on the web while also adding convenience for everyday tasks like sharing links on mobile devices.

Google first released its Chrome browser 10 years ago today. Marketed as a "fresh take on the browser," Chrome debuted with a web comic from Google to mark the company's first web browser. From a report: It was originally launched as a Windows-only beta app before making its way to Linux and macOS more than a year later in 2009. Chrome debuted at a time when developers and internet users were growing frustrated with Internet Explorer, and Firefox had been steadily building momentum. Google used components from Apple's WebKit rendering engine and Mozilla's Firefox to help bring Chrome to life, and it made all of Chrome's source code available openly as its Chromium project. Chrome focused on web standards and respected HTML5, and it even passed both the Acid1 and Acid2 tests at the time of its release. This was a significant step as Microsoft was struggling to adhere to open web standards with its Internet Explorer browser.

Another significant part of Chrome's first release was the idea of "sandboxing" individual browser tabs so that if one crashed it wouldn't affect the others. This helped improve the speed and stability of Chrome in general, alongside Google's V8 JavaScript engine that the company constantly tweaked to try and push the web forwards. After a decade of Chrome, this browser now dominates as the primary way most people browse the web. Chrome has secured more than 60 percent of browser market share on desktop, and Google's Chrome engineers continue to improve it with new features and push the latest web standards. To mark the milestone, Google said it would make a surprise announcement on Tuesday -- some improvements coming to Chrome.

Ars Technica sees new $600 "premium Chromebooks" Dell, Samsung, HP, and Lenovo as a growing challenge to Windows, proving that Chrome OS is reaching beyond the education market. These $600 machines aren't aimed at those same students. Lenovo reps told us that its new Chromebook was developed because the company was seeing demand for Chromebooks from users with a bit more disposable income. For example, new college students that had used Chrome OS at high school and families who wanted the robustness Chrome OS offers are looking for machines that are more attractive, use better materials, and are a bit faster and more powerful. The $600 machines fit that role.

And that's why Microsoft should be concerned. This demand shows a few things. Perhaps most significantly of all, it shows that Chrome OS's mix of Web applications, possibly extended with Android applications, is good enough for a growing slice of home and education users. Windows still has the application advantage overall, but the relevance of these applications is diminishing as Web applications continue to improve... Second, this demand makes clear that exposure to Chrome OS in school is creating sustained interest in, and even commitment to, the platform. High school students are wanting to retain that familiar environment as they move on. The ecosystem they're a part of isn't the Windows ecosystem. Finally, it also shows that Chrome OS's relatively clean-slate approach (sure, it's Linux underneath, but it's not really being pushed as a way of running traditional Linux software) has advantages that are appealing even to home users. The locked down, highly secure Chrome OS machines require negligible maintenance while being largely immune to most extant malware.

Computerworld suggests a strange strategy for Windows: If you can't beat Chromebook, join Chromebook: The eagle-eyed developers at XDA Developers have spotted a new Google Pixelbook firmware branch. This new code, "eve-campfire," includes a new "Alt OS mode." That "Alt OS"? WIndows 10. From the clues XDA has picked up, this looks as if it will be a real offering and not just an internal project that will never see the light of day. XDA thinks it will be a built-in dual-boot option such as Apple's Boot Camp....

So, why offer Windows on the Chromebook...? I think it's two things. One, Google wants to snag all those users who are still stuck on Windows because of a favorite game or required application. Two (and if I'm right, this is so sneaky of Google), Windows 10 will run like a dog on Chromebooks... would Google rub Microsoft's face in just how much better Chromebooks are than Windows laptops by letting users see for themselves? Sure it would.

VC Fred Wilson writes: I've been thinking about moving from a Mac to a Chromebook as my primary computing device. I have not used desktop software for probably a decade now. The browser is how I do all of my desktop computing. Paying up for a full blown computer when all I need is a browser seems like a waste. And there are some security things that appeal to me about a Chromebook. I like the ability to do two factor authentication on signing into the device, for example. I am curious what advice those of you who use Chromebooks have for me. In the comments section, Kevin C Tofel, a long time journalist and an ex-Googler writes: I'm all on in Chromebooks, currently using a Pixelbook. Base model is fine for my needs, which sound very similar. I am taking some CompSci classes but even from a programming standpoint, the addition of Linux running in containers -- available in Dev and Beta channels now, coming to Stable v. 69 in the coming weeks -- fills that need easily and securely. I don't do a bunch of video editing but I can do audio edits in Audacity for Linux once audio support arrives for Linux on Chrome OS.

I actually use Google for my password management. It's built in to Chrome / Chrome OS and syncs to all devices. Plus, you can always log in and look up passwords at passwords.google.com. Sure if Google is hacked, someone has my passwords, but same can be said for any cloud-based password manager or (if you run 1Password, etc... locally) if someone gains access to your device. I use Google's 2FA to log in to my Google account and even to log in to my Pixelbook - can be done with an authenticator app, SMS or -- my preferred method -- a Yubikey. I'l be buying a Google Titan Security key to replace my Yubikey once they go on sale.

secwatcher shares a report: Last week we reported that Chrome has started displaying alerts more often that suggest users remove programs that are considered incompatible applications with Chrome because they inject code into the browser's processes. These alerts are displayed by Chrome after the browser crashes and suggest the user remove the listed programs because "this application could prevent Chrome from working properly." One of the programs that a lot of users have seen listed in these alerts and is suggested to be removed is the Bitdefender antivirus program as shown above. Having a well known company like Google telling users to remove a security solution is a problem as these programs are important for many users to have installed on their computers in order to protect them from malware, unwanted programs, and malicious websites. Due to these alerts and their suggestion to remove the antivirus software, Bogdan Botezatu, a senior e-threat analyst for Bitdefender, has told Bleeping Computer that as of August 20th, Bitdefender is no longer monitoring Chrome 66 and later with their anti-exploit technology.

While we know that Linux app support is coming to a range of Chromebooks from Lenovo, Acer, Dell and others, a post on the Chromium Gerrit reveals that devices running Linux 3.14 or older will miss out. BetaNews: Chrome OS is able to run Linux apps through the use of containers which help to keep the rest of the operating system safe from harm. As container support requires features that are only found in more recent versions of the Linux kernel, it means that many Chromebooks -- whose kernels are usually not updated -- will not be able to run Linux apps.

Here's the full list of Chromebooks that won't be getting the Linux love: AOpen Chromebase Mini (Feb 2017; tiger, veyron_pinky), AOpen Chromebox Mini (Feb 2017; fievel, veyron_pinky), ASUS Chromebook C201 (May 2015; speedy, veyron_pinky), Acer C670 Chromebook 11 (Feb 2015; paine, auron), Acer Chromebase 24 (Apr 2016; buddy, auron), Acer Chromebook 15 (Apr 2015; yuna, auron), Acer Chromebox CXI2 (May 2015; rikku, jecht), Asus Chromebit CS10 (Nov 2015; mickey, veyron_pinky), Asus Chromebook Flip C100PA (Jul 2015; minnie, veyron_pinky), Asus Chromebox CN62 (Aug 2015; guado, jecht), Dell Chromebook 13 7310 (Aug 2015; lulu, auron), Google Chromebook Pixel (Mar 2015; samus), Lenovo ThinkCentre Chromebook (May 2015; tidus, jecht), Toshiba Chromebookk 2 (Sep 2015; gandof, auron).

Google's curvy tab Material Design update for Chrome will arrive in version 69 of the browser due out in September. From a report: Google flags the upcoming changes in its Enterprise release notes for Chrome 69, which gives a brief mention under browser interface changes to a "new design across all operating systems." Chrome 69, penciled in for stable release on September 4, will also get native Windows 10 notifications, which have been rolling out to users over the past month. Chrome 69 will also progress the long-running project to deprecate Flash Player, which Adobe has announced will reach end of life in 2020. Microsoft, Mozilla, and Apple have similar deprecation timelines for Flash on their desktop browsers. Once ubiquitous, Flash content is now hardly used at all by Chrome users, though Google won't fully remove support until Chrome 87 in 2020. At present, if a user enables Flash for a particular site, they don't need to approve it if they visit the site again. However, in Chrome 69, every time users restart Chrome, they'll need to give permission for sites to use Flash.

Citing a report [PDF] published on Tuesday by Digital Content Next and Vanderbilt University, CNN writes that "short of chucking your phone into the river, shunning the internet, and learning to read paper maps again, there's not much you can do to keep Google from collecting data about you." From the report: So says a Vanderbilt University computer scientist who led an analysis of Google's data collection practices. His report, released Tuesday, outlines a myriad ways the company amasses information about the billions of people who use the world's leading search engine, web browser, and mobile operating system, not to mention products like Gmail, platforms like YouTube, and products like Nest. Although the report doesn't contain any bombshells, it presents an overview of Google's efforts to learn as much as possible about people.

[...] Google collects far more data than Facebook, according to the report, and it is the world's largest digital advertising company. Its vast portfolio of services, from Android to Google Search to Chrome to Google Pay, create a firehose of data. Professor Douglas Schmidt and his team intercepted data as it was transmitted from Android smartphones to Google servers. They also examined the information Google provides users in its My Activity and Google Takeout tools, as well as the company's privacy polices and previous research on the topic. The researchers claims that almost every move you make online is collected and collated, from your morning routine (such as music tastes, route to work, and news preferences) to errands (including calendar appointments, webpages visited, and purchases made). "At the end of the day, Google identified user interests with remarkable accuracy," the report states. In a statement, Google said, "This report is commissioned by a professional DC lobbyist group, and written by a witness for Oracle in their ongoing copyright litigation with Google. So, it's no surprise that it contains wildly misleading information."

Mozilla announced today plans to remove all Firefox legacy add-ons from the official Mozilla add-ons portal in early October. From a report: The move comes after Mozilla updated the Firefox core to use a new add-ons system based on the Chrome-compatible WebExtensions API. This new add-ons API replaced Firefox's old XUL-based add-ons API in November 2017, with the release of Firefox 57. All Firefox legacy add-ons stopped working in Firefox 57, but Mozilla continued to support them in the Firefox Extended Support Release (ESR) 52 branch. Support for Firefox ESR 52 will end on September 5, in two weeks, meaning there won't be any official Firefox version that supports legacy add-ons anymore.

Redcore, a Chinese start-up that claims to have produced a homegrown browser used by key government bodies and state-run companies, has come under fire after users discovered its software was heavily based on Google's Chrome browser [Editor's note: the link may be paywalled; alternative source]. From a report: The company, which says it has created "innovative and world-leading" browser technology, came under scrutiny on Thursday when users looked through the browser's installation directory and discovered an original "chrome.exe" file along with image files of the Chrome logo. "We have launched the world's only purely China-owned browser Redcore, to break the US monopoly," the company said in a statement on Wednesday. The Financial Times verified Chinese users' findings and found with its own examination that Redcore was using components from the v. 49 version of Google Chrome. "Redcore has Chrome [elements] in it," said company founder Gao Jing in response to fierce public criticism. "But this is not plagiarism; rather, we are standing on the shoulders of a giant for our own innovation," she added, according to local media reports. Ms Gao was also quoted as saying that the company had so far been doing very well in terms of customer satisfaction.

An anonymous reader writes: "Google has patched a vulnerability in the Chrome browser that allows an attacker to retrieve sensitive information from other sites via audio or video HTML tags," reports Bleeping Computer. The attack breaks CORS -- Cross-Origin Resource Sharing, a browser security feature that prevents sites from loading resources from other websites -- and will attempt to load resources (some of which can reveal information about users) inside audio and video HTML tags. During tests, a researcher retrieved age and gender information from Facebook users, but another researcher says the bug can be also used to retrieve data from corporate backends or private APIs. Ron Masas, a security researcher with Imperva, first discovered and reported this issue to Google. The bug was fixed at the end of July with the release of Chrome v68.0.3440.75.

secwatcher writes: Google has started rolling out support for built-in lazy loading inside Chrome. Currently, support for image and iframe lazy loading is only available in Chrome Canary, the Chrome version that Google uses to test new features. Two flags are now available in the chrome://flags section of Chrome Canary. They are: chrome://flags/#enable-lazy-image-loading, chrome://flags/#enable-lazy-frame-loading. Enabling these two flags will activate a new type of content loading behavior inside the Chrome browser. The two flags have been available in Chrome Canary for a few days, since v70.0.3521.0.

The encryption that protects your browser's connection to websites is getting a notch faster and a notch safer to use. From a report: That's because the Internet Engineering Task Force (IETF) on Friday finished a years-long process of modernizing the technology used to secure website communications. You may never have heard of Transport Layer Security -- TLS for short -- but version 1.3 is now complete and headed to websites, browsers and other parts of the internet that rely on its security. "Publishing TLS 1.3 is a huge accomplishment. It is one the best recent examples of how it is possible to take 20 years of deployed legacy code and change it on the fly, resulting in a better internet for everyone," said Nick Sullivan, head of cryptography for Cloudflare, which helps customers distribute their websites and other content around the world, in a blog post.

TLS 1.3 brings some significant improvements over TLS 1.2, which was finished 10 years ago. Perhaps first on the list is that it'll mean websites load faster. Setting up an encrypted connection on the web historically has caused delays since your browser and the website server must send information back and forth in a process called a handshake. The slower your broadband or the more congested your mobile network is, the more you'll notice these delays. Firefox and Chrome already support a draft version of TLS 1.3.