Microsoft Exchange Autodiscover protocol found leaking hundreds of thousands of credentials

A flaw in Microsoft's Autodiscover protocol, used to configure Exchange clients like Outlook, can cause user credentials to leak to miscreants in certain circumstances. The upshot is that your Exchange-connected email client may give away your username and password to a stranger, if the flaw is successfully exploited. In a report scheduled to be published on Wednesday, security firm Guardicore said it has identified a design blunder that leaks web requests to Autodiscover domains that are outside the user's domain but within the same top-level domain (TLD). Exchange's Autodiscover protocol, specifically the version based on POX XML, provides a way for client applications to obtain the configuration data necessary to communicate with the Exchange server. It gets invoked, for example, when adding a new Exchange account to Outlook. After a user supplies a name, email address, and password, Outlook tries to use Autodiscover to set up the client.

Mozilla Firefox and Google Chrome

• Firefox Add-on Reviews: YouTube your way—browser extensions put you in charge of your video experience

  YouTube wants you to experience YouTube in very prescribed ways. But with the right browser extension, you’re free to alter YouTube to taste. Change the way the site looks, behaves, and delivers your favorite videos. [...] Though its primary function is to automatically play all YouTube videos in their highest possible resolution, YouTube High Definition has a few other fine features to offer.

• Location history: How your location is tracked and how you can limit sharing it

  In real estate, the age old mantra is “location, location, location,” meaning that location drives value. That’s true even when it comes to data collection in the online world, too — your location history is valuable, authentic information. In all likelihood, you’re leaving a breadcrumb trail of location data every day, but there are a few things you can do to clean that up and keep more of your goings-on to yourself. [...] For some apps, location helps them function better, like navigating with a GPS or following a map. Location history can also be useful for retracing your steps to past places, like finding your way back to that tiny shop in Florence where you picked up beautiful stationery two years ago. On the other hand, marketing companies use location data for marketing and advertising purposes. They can also use location to conduct “geomarketing,” which is targeting you with promotions based on where you are. Near a certain restaurant while you’re out doing errands at midday? You might see an ad for it on your phone just as you’re thinking about lunch. Location can also be used to grant or deny access to certain content. In some parts of the world, content on the internet is “geo-blocked” or geographically-restricted based on your IP address, which is kind of like a mailing address, associated with your online activity. Geo-blocking can happen due to things like copyright restrictions, limited licensing rights or even government control.

• An update on Memory Safety in Chrome [LWN.net]

  The Google security blog provides an overview of what is being done to address memory-safety problems in the Chrome browser.

• Chrome 94 Released for Android, macOS, Windows, Linux: What's New | Technology News

  Chrome 94 stable update has been released by Google for Android, iOS, Mac, and Windows operating systems. The update will be rolled out over the coming weeks and it brings new security features, new functionality, and bug fixes. Google Chrome 94 stable is the first version of Chrome of the new four-week release cycle. Previously, Chrome update was released every six weeks. Its features include HTTPS-First mode that makes users browsing more secure. Also, Google said that 19 different security issues were fixed in the Chrome 94 version. The update for Google Chrome was announced through a blog post on September 21. Chrome 94 introduces HTTPS-First mode. It is available in Chrome for desktop systems and for Android. HTTPS is a more secure version of HTTP and many websites support it. With the latest update, the browser will also show a full-page warning when the user loads a site that doesn't support HTTPS. This ensures privacy when using public Wi-Fi. Google says this was previously planned for Chrome 92.

• Google emits Chrome 94 with 'Idle Detection' API to detect user inactivity amid opposition

  Google has released Chrome 94 for desktop and Android, complete with an "Idle Detection" API to detect user inactivity, despite privacy concerns expressed by Mozilla and Apple. New and changed features in Chrome 94 are listed here and include the removal of the AppCache feature, described as a "security and stability liability", and something which has "imposed a tax on all of Chrome's significant architectural efforts." There is also a new VirtualKeyboard API with more control over its shape and an event fired when it covers page content; more efficient low-level access to media encoders and decoders; and a new JavaScript Self Profiling API which enables developers to collect JavaScript performance profiles from end users.

Kernel: Google, Xen, and Mesa

• Google Finally Shifting To "Upstream First" Linux Kernel Approach For Android Features

  Google's Android had been notorious for all of its downstream patches carried by the mobile operating system as well as various vendor/device kernel trees while in recent years more of that code has been upstreamed. Google has also been shifting to the Android Generic Kernel Image (GKI) as the basis for all their product kernels to further reduce the fragmentation. Looking ahead, Google is now talking of an "upstream first" approach for pushing new kernel features. Google's Todd Kjos talked today during Linux Plumbers Conference (LPC2021) around their Generic Kernel Image initiative. With Android 12 and their Linux 5.10 based GKI image they have further cut down the fragmentation to the extent that it's "nearly eliminated". With the Android 12 GKI, most of the vendor/OEM kernel features have now either been upstreamed into the Linux kernel, isolated to vendor modules/hooks, or merged into the Android Common Kernel.

• Google Finally Shifting To 'Upstream First' Linux Kernel Approach For Android Feature

• Clang-format for Xen Coding Style Checking Scheduled - Xen Project

  At the moment there is no tool that would allow to format patches in Xen. The idea of Xen-checker is to use the clang-format approach as a base for Xen ‘checkpatch’ process. The new tool consists of modified .clang-format configuration file to automate Xen patches format checking and reformatting. The tool can be used as a pre-commit hook to check and format every patch automatically. Some features are missing in the clang configurator, so new clang-format options have been proposed for more flexible code formatting. Also, the purpose of the topic is to start the discussion about the existing rules for Xen code formatting to eliminate possible inaccuracies in the work of the Xen checker. This will make it easier to adhere to the unanimous decision.

• Mesa Merge Pending For Vulkan Ray-Tracing On Older AMD GPUs - Phoronix

  Merged yesterday for Mesa 21.3 was open-source Vulkan ray-tracing for AMD RDNA2 / RX 6000 series GPUs with the RADV driver. Opened today now is a merge request that would provide Vulkan ray-tracing with RADV to pre-RDNA2 GPUs on this driver going back to the likes of Polaris, granted the performance is another story. Joshua Ashton known for his work on DXVK and other Direct3D-on-Vulkan efforts for Valve has opened the merge request to enable RADV Vulkan ray-tracing for older generations of AMD GPUs.

Astro Pi Mk II, the New Raspberry Pi Hardware Headed to the Space Station

While Izzy and Ed are still going strong, the ESA has decided it’s about time these veteran Raspberries finally get the retirement they’re due. Set to make the journey to the ISS in December aboard a SpaceX Cargo Dragon, the new Astro Pi MK II hardware looks quite similar to the original 2015 version at first glance. But a peek inside its 6063-grade aluminium flight case reveals plenty of new and improved gear, including a Raspberry Pi 4 Model B with 8 GB RAM. The beefier hardware will no doubt be appreciated by students looking to push the envelope. While the majority of Python programs submitted to the Astro Pi program did little more than poll the current reading from the unit’s temperature or humidity sensors and scroll messages for the astronauts on the Astro Pi’s LED matrix, some of the more advanced projects were aimed at performing legitimate space research. From using the onboard camera to image the Earth and make weather predictions to attempting to map the planet’s magnetic field, code submitted from teams of older students will certainly benefit from the improved computational performance and expanded RAM of the newest Pi. As with the original Astro Pi, the ESA and the Raspberry Pi Foundation have shared plenty of technical details about these space-rated Linux boxes. After all, students are expected to develop and test their code on essentially the same hardware down here on Earth before it gets beamed up to the orbiting computers. So let’s take a quick look at the new hardware inside Astro Pi MK II, and what sort of research it should enable for students in 2022 and beyond.