Google’s Project Zero publishes another Microsoft vulnerability

Why it matters to you

If you use Microsoft’s Internet Explorer or Edge browser, you should know that the Google Project Zero team just publicized a bug that could leave you vulnerable to attack.

Google’s Project Zero is the company’s initiative to identify and eventually publicize security vulnerabilities in software and systems, with the express purpose of compelling developers to fix them. Project Zero staff notify developers about “zero-day” bugs, or those that a developer is not aware of and can be exploited, and the team then gives that vendor 90 days to fix it before it’s publicized.

Microsoft has been at the receiving end of a few of Project Zero’s efforts, raising some questions as to whether Google’s team of white hat hackers is acting irresponsibly by revealing bugs that a developer simply hasn’t had time to fix. The most recent Microsoft zero-day bug is one involving the company’s Internet Explorer and Edge browsers, as MSPU reports.

More: Stop refreshing Windows Update! Microsoft’s February 2017 Patch Tuesday is cancelled

The bug, which causes browser crashes and allows nefarious parties to execute arbitrary code, was identified by Project Zero on November 25, 2016 and then published on February 23, 2017. At that time, Microsoft had already cancelled its Patch Tuesday release of bug fixes for Windows operating systems for February 2017, pushing it off until a month later — leaving systems vulnerable to this and other bugs right as Google has notified the world of the bug’s existence.

According to the Project Zero team, exploiting the vulnerability appears to be a relatively trivial task, requiring only 17 lines of HTML code. The details are meaningful mainly to developers and those who would exploit the code, but it basically involves modifying table properties. The post does not indicate precisely which versions of Internet Explorer and Edge running on which Windows operating systems are affected.

The net result is that hackers now have all of the information they need to attack vulnerable systems. Until Microsoft issues a bug fix, which could come in the next Patch Tuesday in March 2017, there’s not much users can do to avoid the bug. As MSPU points out, you can utilize or create a separate admin account on your Windows machine and then use it to make sure your primary account is running at a limited security level. That would take away much of the damage that browsers could wreak on a system, but of course could also impact how other applications function.

Fairphone has sold 125,000 modular phones and is rolling out Android 6.0

Why it matters to you

If you believe in fair-trade food or ethically produced clothing, why not similar treatment for phones?

Fairphone, the social enterprise dedicated to manufacturing modular, ethically sourced smartphones, held a press conference at MWC in Barcelona on February 27, but, characteristically for the environmentally-conscious company, there was no new device on display. Instead, CEO Bas van Abel revealed that more than 125,000 Fairphones have been sold so far.

More: Fairphone 2 review

Any Fairphone 2 owners out there will be glad to hear that the device is set to get an Android 6.0 update in the “next few weeks.” We bemoaned the aging version of Android that the device was released with in our review, so that’s good news, although we could point out that Android 7.0 Nougat is available now.

The sustainability message was front and center, and we learned that Fairphone has shipped nearly 100,000 waste phones back from Ghana to date in order to extract and reuse the minerals within. It also continues to work to find alternatives to conflict minerals and to improve the efficiency of the supply chain to reduce the environmental footprint of its devices.

The modular design of the Fairphone 2 makes it very easy to repair, in fact it’s the only device to get full marks from iFixit for repairability.

“This is the first and only smartphone to receive a perfect score from us, and the modular design is a major factor,” explained iFixit Director, Matthias Huisken. “It was very impressive to be able to replace the display in seconds without any tools.”

Easy repairability and modularity is all about trying to extend the life of the device. That means the forthcoming new camera module, which includes the front and back cameras, will be easy for owners to fit, requiring just three screws.

Fairphone offers a wide range of modules for core phone functions, including the battery, which Huisken described as a “death clock” for devices with batteries that can’t be replaced. Fairphone has sold 70,000 spare parts so far and DIY repairs have scored a 95-percent success rate.

A number of Fairphone partnerships were also highlighted during the conference, including with Ubuntu, Jolla’s Sailfish, and Teclib’s Uhuru Mobile.

In the immediate future, Fairphone intends to improve its modular-part ecosystem, hoping to make it as easy as possible to extend the life of its products. It’s also working to strengthen business links where there’s fresh interest in the idea of an easily maintainable phone that will last for five years or more.

Sony Xperia Ear open-style earbuds let you listen to music, the world around you

Why it matters to you

Sony’s new Xperia Ear open-style concept earbuds may one day provide a convenient, safe means of interacting with a voice assistant.

These days, the toughest thing about AI-powered assistants is choosing a device to use. Amazon’s Alexa powers not only Amazon’s Echo artificial intelligence, but the AI in smartphones, smart home products, and smartwatches. Microsoft’s Cortana is integrated tightly with Windows 10 machines. And Google recently announced that its voice-activated, artificially intelligent Assistant will make its way to Android devices running newer versions of Android.

But Sony thinks there’s room for one more assistant-touting wearable.

More: Sony Xperia X series hands-on impressions

At the Mobile World Congress conference in Barcelona this week, the company took the wraps off a new version of the Xperia Ear “open-style concept,” which are earbuds that sport Sony’s Agent digital assistant. Unlike the off-the-shelf headphones you’re used to seeing packed in with a new phone, they’re completely “hands-free” and “eyes-free” thanks to “open ear” technology that transmits sound “directly to the ear canal.” You can hear not only audio, but the noises around you.

The prototype Xperia Ear achieves the bizarre effect with a spatial acoustic conductor: a driver unit that generates sound and a C-shaped duct that transfers that sound to a ring-shaped bit of plastic that fits inside your inner ear. Effectively, it’s a form of conduction, vibrating your skulls’ bones and amplifying whatever audio the Xperia Ear earbuds are playing.

We tried a pair, which we weren’t allowed to photograph, at Sony’s Mobile World Congress booth. And the effect, safe to say, is disconcerting: When you listen to music, it seems as though everyone around you can hear it, because you can hear them. When a Sony representative wore them, however, we weren’t able to hear any sound leaking from the earbuds’ plastic cone.

More: Bluetooth earpieces get a brand new bag in Sony’s new Xperia Ear

The quality seemed good, though it was difficult to tell over the roar of MWC’s crowds. They’re obviously not ideal for a jam session, a fact Sony is well aware of.

Company reps told us that the open-concept Xperia Ear earbuds aren’t meant to replace a standard pair of headphones. Rather, they’re intended as a convenient, safe, and quick way of interacting with digital assistants on the street, in the office, or any environment where being able to hear ambient noise is important. The company sees them as an especially great fit for physical activities like running that require you keep an eye — and ear — on your surroundings. You’ll be able to cross the road safely, for example, or pretend you’re listening to a co-worker while streaming Aerosmith.

The Xperia Assistant component of the Xperia Ear wasn’t functional in the units we tried, but Samsung said it will be able to do things like let you know when you’ve got appointments or meetings, give you turn-by-turn directions to nearby places, and let you record reminders. If and when the open-style Xperia Ear comes to market, it’ll support the Google Assistant, too, for users who prefer the search giant’s assistant to Sony’s.

More: Coros’ smart cycling helmet doubles as a pair of bone-conduction headphones

Unfortunately, that’s all Sony was willing to disclose. Company reps refused to talk about the Xperia Ear concept’s battery size and sensors, and in fact said the earbuds were at the “working prototype” phase — they stressed that the finished product would look different (and weigh a little more).

Whether they make it to market isn’t a sure thing. The Xperia Ear open-style’s availability and price will depend on its reception, Sony said. So if the idea of open-style earbuds strikes your fancy, you’d best show your interest on social media.

As for owners of Sony’s older Xperia ear earbuds, new features are coming down the pipeline. Sony announced Anytime Talk, which will let you start a group conversation by pushing a button or gesturing with your head, will launch in beta “in the coming months.” And the company said it’s working with the developers of messaging app Line on “a new integrated voice experience.”

Here’s a list of sites and services affected by Cloudbleed, and what to do next

Why it matters to you

Cloudbleed is a far-reaching security issue affecting countless sites and services across the internet, and if there’s even a chance that your user data is out in the wild, now is the time to take action.

Last week, we found out about Cloudbleed, a major leak of user data affecting sites and services that use infrastructure provided by Cloudflare. It’s still too early to determine the scale of the problem — but it’s an ideal time to respond if you’re looking to avoid the fallout.

Cloudbleed refers to a memory leak that caused user data from apps and websites that use Cloudflare’s services to be splashed across the internet, and is being compared to the Heartbleed bug that reared its head in 2014. Unfortunately, it’s thought that some of the data leaked as a result of Cloudbleed may have been cached by search engines, meaning that malicious entities could have intercepted it, according to a report from Gizmodo.

More: ‘Cloudbleed’ bug may have leaked your personal data all over the internet

Cloudflare has such an enormous list of clients that it’s difficult to list every single site and service that could be affected — although an effort to do just that is in progress on GitHub. Here’s a list of some of more commonly used domains that could have had user data leaked (although there’s no confirmation that they’ve been compromised as of yet):

• uber.com
• yelp.com
• medium.com
• 4chan.com
• bitcoin.de
• fitbit.com
• authy.com
• tfl.gov.uk
• okcupid.com
• discordapp.com
• feedly.com
• thepiratebay.org
• pastebin.com
• change.org
• puu.sh

The above is by no means a definitive list, as millions of domains could potentially be at risk. However, it should demonstrate the variety of services that could be affected.

To check whether any sites or apps you use are at risk, you can scour the full list on GitHub, or use the Does it use Cloudflare? web tool. However, most internet users are likely to hold an account on at least one affected site, so password refreshes are recommended for all.

Changing out every password you are currently using may seem extreme, but the stakes are high. If your user data has been leaked, and you use the same password for multiple sites, it might be possible for a stranger to gain access to all kinds of services on your behalf.

More: What is the Heartbleed OpenSSL Bug, and how can you protect your PC?

As such, it’s well worth doing a sweep now, and changing up your passwords to ensure that you’re kept safe. The inconvenience of spending a hour or two completing the task is a small price to pay for peace of mind.

This might also be a good time to improve your online security across the board. If you’re not already using a password manager and two-factor authentication to keep your accounts safe, there’s no better time to implement these services.

Above all else, vigilance is key. This is an evolving situation, since the problem was only made public a matter of days ago, and there are so many domains that could be affected. Keep a close eye on important accounts, and if you notice anything suspicious, make sure to follow up.

T-Mobile is handing out a free extra line to its customers, and it could save you $40

Why it matters to you

If you’re in the market for an unlimited data plan for your family, T-Mobile’s already compelling offering just became even more enticing.

T-Mobile’s latest promotion may not be as tasty as the free pizzas the Un-carrier has been handing out to its customers, but it will be even friendlier on your wallet. Customers in good standing with at least two lines of service are eligible for another line for free starting March 1, the company announced Monday.

The offer applies to those on the new T-Mobile One plan as well as Simple Choice customers, although, as of January, new users can no longer sign up for Simple Choice. The One plan guarantees unlimited data — with the typical footnote of throttling past a 28 GB threshold — at $70 per month for the first line, $50 for the second, and $20 for each additional line thereafter. T-Mobile was already running a promotion under which customers could receive two lines for $100, after agreeing to auto pay. Coupled with the free extra line, that means one could open three lines for the same $100, as opposed to the normal price of $140.

More: The Best Unlimited Data Plan: Verizon vs. T-Mobile vs. AT&T vs. Sprint

For that deal, however, you need to be a One customer. Up until T-Mobile improved the plan last month, that came with a few unique caveats.

In its initial incarnation last fall, One reduced the quality of all streaming video to 480p, and restricted data tethering to pedestrian 3G speed. Customers could avoid these restrictions with the One Plus plan, but that came at an extra $25 per line, per month. When Verizon revived its own form of unlimited data several weeks ago, T-Mobile did away with the shortcomings to stay competitive.

One customers now receive 10 GB of LTE tethering each month, and video streaming is handled at whatever resolution is specified by the content provider. The plan also comes with international data and calling in 140 countries around the world and T-Mobile Tuesdays deals, good for the aforementioned free pizza, among such other things as movie tickets.

The carrier notes that the free line can be used for any purpose, be it another smartphone or tablet, smartwatch, or hot spot. T-Mobile says the promotion is only running for a limited time, but customers can keep the free line as long as they remain on an eligible plan and in good standing with the company.

Xiaomi just released a new selfie stick that doubles as a tripod

Why it matters to you

Think selfie sticks are so last year? Xiaomi disagrees and has just released the Mi Selfie Stick Tripod.

Did you think the era of the selfie stick had come and gone? Well think again. Chinese company Xiaomi is here to prove that our narcissism doesn’t have an expiration date, and that selfie sticks are still relevant in 2017. Meet the Mi Selfie Stick Tripod, a selfie stick that fulfills all your self-photography needs.

Launching just ahead of Mobile World Congress, the Mi Selfie Stick Tripod doubles as a tripod and a selfie stick, which means that you can not only take pictures of yourself that are up close and personal, but you can also set your smartphone at a distance, and take wonderfully staged shots (because not all of us have the luxury of traveling with a photographer).

More: Xiaomi Mi 6 news and rumors

The detachable Bluetooth remote control will allow you to take photos from a distance, so you don’t have to worry about beating the timer. After all, no one wants to look winded in a glamour shot. The Tripod comes in white and black variants, folds into a portable stick so that it can follow you on just about any adventure, and weighs in at no more than 155 grams.

The Selfie Stick works alongside Apple and Android devices alike — you’ll just need to have a phone running Android 4.3 or later or iOS 5.0 or later. The Tripod’s mount is capable of rotating 360 degrees, and is compatible with phones of a width between 56mm and 89mm, which means it’ll fit even the largest of gargantuan mobile devices. Made of an aluminum alloy, this selfie stick is dependable for outdoor use, Xiaomi claims. Unfortunately, it’s only available in China for the time being,

In any case, the Xiaomi Selfie Stick Tripod has just launched in China for now, and is available on Mi.com for about $13. So if you’re planning a trip to Asia, this may be one travel accessory you need to pick up along the way.

You’ll soon be able to run Jolla’s Sailfish OS on Sony’s Xperia devices

Why it matters to you

Competition is good, and Jolla is desperately trying to chip away at Android’s marketshare with Sailfish OS. A collaboration with Sony should help in that regard.

Mobile operating systems other than Android and iOS exist — they may not have much of a market share, but they certainly are doing whatever they can to stay afloat. Jolla’s Sailfish OS is one such system. The Finnish company, which once filed Chapter 11 bankruptcy and then canceled it, is finally expected to make a profit this year.

Jolla operates Sailfish OS, an “independent” mobile OS that’s often marketed as an alternative to Android. Sony’s Open Devices Program is now bringing the Xperia X into the lineup of Sailfish OS smartphones. The Xperia X is a device the company launched last year, and it’s available for purchase running Android. Eventually when the software is finalized, you’ll be able to purchase not just the Xperia X but a range of Xperia devices with Sailfish OS, rather than Android.

More: Russia certifies Jolla’s Sailfish OS for government, corporate use

This offering is expected to initially be released to Jolla’s customers and community members by the end of the second quarter of this year, likely toward the end of June.

Jolla has also forged partnerships with a Chinese consortium and Russia — two countries that have had weak relationships with Google.

Jolla has now unveiled a new smartphone for the Russian enterprise market, the Inoi, and it’s a device that’s certified by Russian authorities. It has a heavy emphasis on security, and it’s completely “Google=free.” Most of Jolla’s devices can access a third-party app store to download Android apps, but Russia doesn’t want anything Google-related, if possible.

More: DT Daily MWC Day Zero: Phones from LG, Huawei, Motorola, Nokia, and even Blackberry

The phone was made by Open Mobile Platform, a Russian venture that aims to put these Sailfish-powered handsets in state-run corporations and government agencies.

The China consortium similarly has granted Jolla the opportunity to build a Sailfish OS-based independent operating system for the country. This OS wouldn’t just be aimed at smartphones, but would extend to TVs, the IoT industry, smartwatches, and the automotive industry.

Win an IOU for a BlackBerry KEYone from CrackBerry Kevin!

Fill out the form below for your first chance to win a BlackBerry Mercury

A few weeks ago Daniel Bader wrote many kind words here on Android Central letting you know that CrackBerry Kevin was coming out of retirement to celebrate 10 Years of CrackBerry and to cover the hell out of the BlackBerry “Mercury” launch.

Fast forward through a crazy few weeks of editorials, youtube videos, tweets, instagram photos and even an onstage appearance at BlackBerry’s press event and it feels to me like CBK never left. It’s been a helluva fun month!

More exciting than CBK having tech blogging fun again is that the newly-christened BlackBerry KEYone has shaped up to be helluva good phone. Having used one now for a few days now, I think it’s a phone that BlackBerry users past and present will absolutely love, and many who have never touch a keyboard before may even find themselves developing a crush on if they give it a try. The hardware build quality and design is top notch. The physical keyboard is fantastic to type on (having a fingerprint sensor in the spacebar is brilliant), the battery life is amazing, having the same camera sensor as the Google Pixel means it takes fantastic photos, and despite having a keyboard there all the time the screen size itself as you use the device is BIG (prior to the KEYone I was using the Pixel XL, DTEK60 and iPhone 7 as daily drivers). This finally is the no compromise BlackBerry I have been waiting on for YEARS. Running on Android, I finally have the app ecosystem I need and it’s also giving me the features of BlackBerry I’ve always loved.

Enter to Win an IOU for a BlackBerry KEYone from CrackBerry Kevin

Clearly, I’m gushing all over for my new BlackBerry KEYone. And I know there a LOT of former BlackBerry users here on Android Central who used to be highly active on CrackBerry (I’m glad when you left you found your way over to the best Android site and community in the universe!). In the spirit of our CrackBerry 10 year anniversary, the return of CBK and the fact that I’m legit in love with a BlackBerry again, I want to give a KEYone away to an Android Central reader.

To enter, you just need to fill out the form below! We’ll run this giveaway through to the end of March and I’ll announce the winner here on Android Central on April 1st. Open worldwide! As soon as the KEYone becomes available for purchase I’ll buy and one send it to you myself.

Name*

Email*

Android Central Username

City

Country

How many years have you been a BlackBerry user?

What BlackBerry or Android Phone are you using now?

Twitter

Instagram

Snapchat

Occupation

*Required field

Rebuilding the BlackBerry Community Bottom Up!

With a giveaway of this nature, we typically make it really easy to enter – just asking for you to leave a simple comment to enter. This time around I am asking for more, for a reason. I want to be able to get to better know and communicate with all of the biggest BlackBerry and Android fans in the world. First Example – I want to know what city you live in. If I’m visiting, I want to be able to send out an email to all the fans living there – you never know, maybe we can make an impromptu meet up happen to talk tech. Second Example – Occupation. So we can better plan our content, I’d love to get a better sense of everybody’s background in this community: are we students, IT admins, entrepreneurs, business professionals, teachers or ??? If you’re on social, I’d love to know your handles so we can follow you there too. The data will not be shared, and only your name and email address is mandatory to enter, but knowing more about you will help reforge a stronger BlackBerry community!

Enter now. Good luck!! And if you ever want to swing by CrackBerry.com for a visit, don’t be shy. The team over here at Android Central is CRUSHING it on all the coverage, but nobody will get mad if you spend some time hanging out on both Android Central and CrackBerry 🙂

Related CrackBerry Kevin Videos

Image Source

This is why Sony phones in the U.S. don’t have fingerprint sensors

This has crossed into ‘ridiculous’ territory — but we now have a better idea of why.

Another year, another Sony phone launching in the U.S. without a fingerprint sensor — despite the exact same model packing the biometric authentication process everywhere else in the world. With the announcement of the Xperia XZ Premium and XZs, Sony once again has a couple of enticing phones. And even though it seems to have made good strides in terms of cameras and a few other pain points, this one issue still plagues it. For whatever reason, Sony cannot bring a phone to the U.S. with a functioning fingerprint sensor.

The question of why this is the case has been a constant bugbear for us as we speak with Sony representatives time after time, and at MWC 2017 we got perhaps the most candid explanation of what’s going on.

Speaking with Don Mesa, who is Head of Marketing, North America for Sony Mobile U.S., we started to get a more concrete picture of what’s going on here. When asked about the exclusion of fingerprint authentication on the Xperia XZ Premium specifically, Mesa explained, “There are a lot of external and internal factors that contribute to us making a conscious decision not to include [fingerprint].”

For now, in order for Sony to sell phones in the U.S. it cannot include fingerprint sensors.

The “external” portion of that statement is the interesting part, and something that wasn’t previously disclosed. For the past couple of years, Sony’s stance on not including fingerprint sensors in the U.S. was that it didn’t see demand for them and there was a business decision made to not include the feature. This external factor, it seems, is something to do with deals it has made (or terminated) in the U.S. specifically. When asked further about those factors Mesa continued, “[…] that was very much about us consciously deciding that we want to continue our business here [in the U.S.], and [that’s] one of the conditions for us to be able to do business.”

So here’s the meat of the issue: based on some deal previously made relating specifically to the U.S., in order for Sony to sell phones in the country it cannot ship them with functioning fingerprint sensors. Taking the lesser of two evils, Sony chose to continue to sell phones with the fingerprint sensor disabled instead of give up on the U.S. entirely — and this seems to be the case still, as Sony has continued to sell a wide range of unlocked phones here. So despite this bizarre limitation against using fingerprint sensors, Sony still sees the U.S. as an important market and wants to keep selling its top-end devices here.

When pressed for specifics, Mesa acknowledged the rub with U.S. carriers in Sony’s transition from selling carrier-backed phones to going entirely unlocked, eventually leading to this fingerprint situation in some way. Events like the launched-then-canceled Xperia Z4V and various one-off carrier devices that never sold well seem to point to Sony having troubles dealing with the U.S. operators. It wouldn’t be surprising if a deal (or deals) gone bad led to some fingerprint exclusivity problems as a penalty of such a fallout. Of course the real rub here is the specifics of such deals are not — and may never be — disclosed.

So what can we take away from this? Well, the first part is that Sony confirms it is indeed consciously shipping its phones to the U.S. with fingerprint sensors … and that at the same time it is explicitly disabling them in software. Sony Mobile U.S. is, for the first time, also confirming that without these outside factors influencing these decisions, it would prefer to be shipping phones in the U.S. with fingerprint sensors enabled. That in no way completely lets Sony off the hook here, though — it takes two to tango, and Sony itself was obviously involved in whatever mechanism led to this odd limitation surrounding fingerprint sensors. Someone signed off on this, and it’s been a constant thorn in the side of the company since.

And no matter the mechanism of how this all came to be, it isn’t much solace for those of us in the U.S. who are big fans of Sony design and hardware but will continue to refuse to buy its phones until they have such a basic feature. U.S. customers deserve a fingerprint sensor just as much as anyone else in the world buying a Sony phone. And Sony itself seems to think this is a short-term limitation that, when lifted, will comfortably be put in the rear-view mirror as it continues to sell unlocked phones in the country.

How awesome is 5G? We’ll find out in 2019!

5G is going to be a really big deal, eventually.

It’s a lot of fun to get excited about what comes next, sometimes. When we think about a phone launching, the wait is usually days or weeks. When we think about an entirely new technology for wireless communication, the wait is considerably longer.

Qualcomm demonstrated that with its new X50 5G modem family, built to handle anything and everything on 5G networks as soon as they exist in 2019.

It’s looking more and more like the mistakes from the early days of 4G LTE are being left in the past

There’s a lot about 5G to get excited about when we can finally use it. This is a network promising Gigabit LTE speeds and more convenient mechanisms for the Internet of Things. It’s faster, will use less power, and is expected to have significantly reduced latency. Naturally, Qualcomm wants manufacturers to know it has the modems needed to make this new network function smoothly. The X50 5G modems are expected to be a big part of the first 5G wave, just like the company has done with most other mobile networks in the past.

Qualcomm’s biggest bragging point with the X50 is going to be great for early adopters, because it’s all about backwards compatibility. These chips will support simultaneous connectivity across 4G and 5G networks, and allows for 2G/3G access as well. The first devices to use these modems will work flawlessly on existing networks, but are expected to shine when you’re in places that have 5G once that network is publicly available.

There’s no doubt 2019 is far away in smartphone years, and it’s likely most people won’t have 5G in their area until well into 2020, but it’s nice knowing Qualcomm is prioritizing existing network access. It’s looking more and more like the mistakes from the early days of 4G LTE are being left in the past, which will be great news in a couple of years.