Internetnews Blog

Google's Chrome browser updated for security fixes

Sean Kerner — 2009-11-06T11:09:39-05:00

From the 'Auto-Update' files:

Google is updating the stable version of its Chrome browser to version 3.0.195.32.

The new release fixes two security issues and addresses a number of stability issues including a top crash condition and a bug that could have consumed 100 percent of a user's CPU.

On the security side, one of the fixed flaws deals with executable JavaScript warnings, or rather a lack thereof.

"The user was not warned about certain possibly dangerous file types such as SVG, MHT and XML files," Anthony Laforge Google Chrome Program Manager wrote in a blog post. "In some browsers, JavaScript can execute within these types of files. Because the JavaScript runs in the local context, it may be able to access local resources."

The other security issue fixed in Chrome 3.0.195.32 is a memory corruption condition in the Gears plugin. Gears (formerly known as Google Gears) is Google's attempt at providing offline storage for website information.

Chrome 3.0.195.32 also fixes what I consider to be a very serious bug that could have eaten up 100 percent of a user's CPU.

Mozilla updates Firefox 3.5.5 for 'annoying' bug

Sean Kerner — 2009-11-06T10:11:04-05:00

From the 'Quick Fix' files:

For the most part, Mozilla issues updates to its open source Firefox browser for both security and stability related issues. That's not the case with the new 3.5.5 update out today.

Firefox 3.5.5 has no listed security fixes and is all about fixing a few key stability bugs.

The official list of bugs fixed in the 3.5.5 update actually only includes 5 fixed items of which three are labeled by Mozilla as being critical.

One of the critical bugs in the fixed liste deals with crashes in Firefox's GIF image decoder. The flaw was introduced in the Firefox 3.5.4 release which came out on October 28th. The GIF flaw was reported in Mozilla bugzilla bug tracking system by Toronto staffer Joe Drew (JOE DREW!!) on October 29th.

"We're seeing lots of crashes in the GIF decoder, involving nsGIFDecoder2::ProcessData calling GifWrite(), then a null dereference," Drew wrote in the bugzilla entry. "Right now, this is showing up in the noted crash site, but this is a Windows-specific, 3.5.4-specific crash site, since the offset in xul.dll will change with every build, and obviously xul.dll has no meaning on OS X or Linux."

Zoho takes pride in Microsoft's 'Fake Office' zing

David Needle — 2009-11-05T19:03:14-05:00

When the big boy kicks sand in your face, you can either go home and sulk or make jokes about what big feet the bully has. You’ve gotta love upstart Zoho for taking the second course of action.

An early provider of online productivity applications, Zoho has moved quickly to build out a substantial suite of integrated applications that compete with Google and others in the cloud computing space.

Zoho’s CEO Sridhar Vembu had an entertaining blog post yesterday responding to a Microsoft executive’s reference to “fake Office” products. Earlier this week, Microsoft announced price cuts to its Business Productivity Online Suite (BPOS) by a third, bringing the price down from $15 per user to $10 per month. Google’s App Suite, by comparison, costs $50 per user, per year.

Vembu quotes Ron Markezich, corporate vice president of Microsoft Online, as noting the company offers a scaled-down version of BPOS for $36 a year. And furthermore “…we’re not seeing any inclination that Zoho or Google or Zimbra or any other of those offering fake Office capabilities can replace [Microsoft Office].”

That was all too much of a red flag for Vembu not to charge after:

Senate committee clears data breach bills

Kenneth Corbin — 2009-11-05T18:55:53-05:00

A pair of bills that would require businesses to notify consumers in the event of a data breach cleared the Senate Judiciary Committee Thursday, moving on to the full Senate for consideration.

The Data Breach Notification Act, sponsored by Dianne Feinstein (D-Calif.), would authorize the attorney general to bring civil actions against firms that failed to notify people whose personal information had been compromised in a breach. It would also extend notification requirements to government agencies.

The more comprehensive Personal Data Privacy and Security Act, introduced by Judiciary Chairman Patrick Leahy (D-Vt.) and co-sponsored by Utah Republican Orrin Hatch and others, would also set notification requirements, as well as tighten criminal penalties for identity theft and willfully concealing information about a breach.

Google brings Closure to open source JavaScript devs

Sean Kerner — 2009-11-05T16:13:23-05:00

From the 'Open Source Development' files:

Google builds a lot of its own tools as part of its development efforts. Sometimes we get all 'get lucky' and the tools become open source and available too.

That's what has happened today with the Google Closure tools which are a set of JavaScript optimization tools. Considering the extreme importance of JavaScript in all modern web applications and browsers, it makes sense in my opinion for Google and everyone else to have the best JavaScript code possible.

Among the tools released by Google is the Closure Compiler which aims to compile web apps down into compact, JavaScript code.

"The compiler removes dead code, then rewrites and minimizes what's left so that it will run fast on browsers' JavaScript engines," Google stated. "The compiler also checks syntax, variable references, and types, and warns about other common JavaScript pitfalls."

That's kinda cool, but what's even more impressive in my opinion are the usage mechanisms that Google is making available for the Closure Compiler. In addition to the command-line they've also got a Firefox extension that works with their Page Speed optimization tool.

What that means to me is I can easily check JavaScript on any page and see how the JavaScript can be improved.

That's one heck of a powerful tool to have.

Cisco's Chambers & EMC's Tucci: Buddies in Bad Times

Sean Kerner — 2009-11-05T10:24:51-05:00

From the 'Former Wang Employees' files:

Sometimes is not what you know that's important, it's who you know -- right?

This week, Cisco, EMC and VMware entered into a partnership for delivering integrated virtual data center solutions.

Aside from the news itself, one of the most interesting pieces of drama in the whole event was the extreme chumminess between Cisco CEO John Chambers and EMC CEO Joe Tucci.

During the event there were a few back slaps (and the pic left from Cisco shows one of them, that's Chambers on the left and Tucci on the right) and many friendly words shared and said between the two CEOs.

Chambers said at multiple points during the launch press conference how his 20 years of friendship with Tucci helped to make the deal possible. Chambers actually worked for Tucci at one point, when both men were at the now-defunct Wang Labs.

Adobe updates Shockwave for 5 critical vulnerabilities

Sean Kerner — 2009-11-04T10:58:34-05:00

From the 'Shocking Updates' files:

Adobe Shockwave users, it's time to update.

Adobe has issued an updated version of its Shockwave Player to address 5 critical vulnerabilities. The flaws affect Adobe Shockwave Player 11.5.1.601 and prior versions. The new version is numbered 11.5.2.602.

"The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system," Adobe stated in its advisory.

Two of the vulnerabilities deal with invalid pointer issues that could lead to arbitrary code execution.

Arbitrary code execution is also the potential end result for two of the other flaws fixed by Adobe in this new Shockwave update. There is an invalid index issue that could also lead to code execution vulnerabilities. As well there is an invalid string length vulnerability that has now been addressed.

A potential Denial of Service (DoS) attack vector is fixed in the Shockwave Player 11.5.2.602 release thanks to a fix for a boundary condition issue.

The Shockwave Player 11.5.2.602 is the third security update for the Adobe product this year.

In June, Adobe issued the 11.5.2.600 update fixing a critical zero day flaw. That update was followed in July with the 11.5.3.601 update which was related to Microsoft's Active Template Library (ATL) fixes made at the same time.

Sun updates Java 6 for the 17th time

Sean Kerner — 2009-11-04T10:28:22-05:00

From the 'Still Owned by Sun' files:

If you're like 80 percent of all web users, chances are that you're running Java. Have you updated to the latest version yet?

Yesterday, Sun released Java 6 Update 17, fixing multiple vulnerabilities.

Among the issues fixed by Sun is a command execution vulnerability in the Java Runtime Environment Deployment Toolkit. According to Sun's advisory on the issue, the vulnerability could potentially be leveraged to execute arbitrary code.

There is also critical fix for a vulnerability in the Java Web Start Installer which potentially could enable an untrusted Java app to run as trusted and then run whatever code it wants.

Update 17, also addresses what Sun refers to as, "Multiple buffer and integer overflow vulnerabilities in the Java Runtime Environment". The overflow vulnerabilities could potentially lead to a privilege escalation attack.

From my perspective, there is one other key vulnerability that Sun is addressing with this update. It has to do with the actual Java update mechanism. Many (if not most) users have their Java installations automatically checking Sun's server periodically for updates. According to Sun, it didn't always work.

AMD opening shop in the Middle East?

Andy Patrizio — 2009-11-03T20:03:25-05:00

It looks like AMD and Globalfoundries are going to set up shop in Dubai after taking a hefty chunk of change from an investment firm based in the emirate. AMD CEO Dirk Meyer told Emirates Business that the firm is looking to a open chip design center in Dubai, and maybe a fabrication plant in Abu Dhabi.

"We have chip design centers around the world, including in India and China, and the capabilities by Dubai Silicon Oasis present interesting future opportunities. In time we will [design chips in the UAE], and it's hard to be specific on the time frame. There is a definite opportunity in such a partnership," said Meyer.

The Dubai Silicon Oasis Authority (DSOA) is a proposed massive integrated technology park intended to create a Silicon Valley for the Middle East to lure offices for the major players in the semiconductor industry, except this would be design on the large scale like everything else in Dubai. The intention is to provide a giant "technology oasis" for all of these firms, with housing, commercial and other considerations all close to work.

But the first priority is a new Globalfoundries fab in Abu Dhabi. "The top priority for AMD is to deepen our partnership with ATIC and Globalfoundries, which continues to expand its partner pool to make sure that infrastructure in Abu Dhabi gets ready for a fabrication plant in the future," said Meyer.

Meyer went on to say that "as a company, we will want to participate fully in the market through our sales and marketing team and make sure people are IT savvy. Acquisitions are not on the agenda presently but could be a possibility over a period of time."

Such talk and interest is not surprising, given Advanced Technology Investment Company (ATIC) owns approximately two-thirds of Globalfoundries' fully-converted common stock and a large chunk of AMD as well. AMD might be bankrupt by now were it not for the ATIC bailout. ATIC's sole shareholder is the government of the Emirate of Abu Dhabi, making it a state-owned investment firm.

Creative: cooking up an e-reader?

mmegna — 2009-11-03T13:13:59-05:00

(Two new e-reader entries: left, Spring Design's Alex; right, B&N's Nook.)

Creative Labs, maker of the Zen MP3 player, PC speakers and other hardware, surprised investors by showing off a prototype of a touchscreen e-reader during a recent annual meeting -- and by trash-talking the Kindle.

If reports are true as described by blog EpiZENter, the device is being called the MediaBook for now and features a touchscreen, text-to-speech, SD memory card slot and will offer Internet access. It will be powered on the company's Zii processor.

Though spokesmen for Creative had not returned calls by press time, CEO Sim Wong Hoo wrote in the introduction of the company's most recent earnings filings that new Zii products "can possibly include mobile phones, TV set-top boxes, video conferencing systems, digital signs, netbooks, eBooks and other mobile communication devices."

The MediaBook would join a fleet of fledgling wireless reading devices, including Barnes & Noble's Nook, Sony's Daily Edition, the iRex by iRex Technologies, Que by Plastic Logic and Spring Design's Alex, all chasing after Amazon's front-runner, the Kindle.

However, William Png, Creative's chief of strategic business, believes the MediaBook will stand out from the crowd. He reportedly described the Kindle as "just another electronic device that displays books in text," while the Creative device would appear to be almost an e-reader-multimedia-tablet hybrid that "will harness videos, pictures, text and services in one device that supports a media-rich experience."

Google Chrome 4 Beta debuts including bookmark sync

Sean Kerner — 2009-11-03T10:44:33-05:00

From the 'Delicious Feature' files:

Google's Chrome 4 web browser is now in Beta. Chrome 4 has been in the dev-channel cycle since August and has one key differentiating feature over its predecessors in the Chrome 3 browser series, bookmark syncing.

Google has three main releases for Chrome, dev, beta and stable channel. The move into the beta channel for Chrome 4 means it's getting ready for prime time.

Back in August, I had some issue with the bookmarking syncing feature which wasn't really well integrated with either Google's online services or with Chrome itself. That was months ago, and Google has since improved the whole process.

"Once you've activated Google Chrome bookmark sync on each of your computers, any changes you make to your bookmarks will appear on all synced computers in just a few seconds," Google engineers wrote in a blog post.

The synchronization leverages Google's XMPP (that's the same protocol used by Jabber and Google Talk) assets to synchronize bookmarks.

Open Source Skype? Not yet, but soon

Sean Kerner — 2009-11-02T16:02:35-05:00

From the 'Codecs, Codecs, Codecs' file:

Is Skype going open source? Apparently so.

"Yes, there's an open source version of Linux client being developed. This will be a part of larger offering, but we can't tell you much more about that right now," a Skype developer wrote on Skype list. "Having an open source UI will help us get adopted in the "multicultural" land of Linux distributions, as well as on other platforms and will speed up further development. We will update you once more details are available."

I run Linux and I also run Skype on my Linux desktop today. I also run Adobe's Flash and AIR too. None of them are open source, but all are freely available. As an end-user I'm not sure that it makes a difference.

Sure, open source software is a good thing enabling developers to expand it more easily than closed source. As a developer, I sure would like to get into the internals of Skype and see what I can hack on.

That said, I know full well that the heart of the magic that makes Skype actually work are a number of patented close-sourced proprietary media codecs. The there is also the issue of the network itself which isn't exactly open either.

But there are some real positives from Skype going open source too.

Google Back to Full Speed on Chrome browser dev

Sean Kerner — 2009-11-02T14:39:36-05:00

From the 'Code Yellow Alert' Files:

Google Chrome development is moving along full speed ahead. Why is this news? Well let me tell you...

Early last week, Google developer Anthony LaForge (no not Geordi, he's working on the warp core still...) issued a 'Code Yellow' alert halting all Google Chrome release until some critical bugs could be fix.

By the end of the week, not only was the Code Yellow lifted, but Google also managed to issue two dev-channel releases for the Chrome browser. Nice recovery Google, very nice.

The 4.0.223.11 dev-channel release is the most recent release and packs in a few interesting additions to Chrome. There are numerous bug fixes for all platforms and Mac users finally get printing and the Apple Quicktime plugin.

What's also interesting from my point of view is that Google is now treating its Chrome Frame - the effort to enable Chrome to run inside of a Microsoft Internet Explorer browser - as its own release version, same as Windows, Linux and Mac.

There are 14 seperate fixes for Chrome Frame made by Google in its recent release, and that's significant. It means that Google takes its fight to take over IE from the inside seriously and is putting the full weight of its Chrome engineering expertise into the effort.

Firefox 3.6 Beta 1 doesn't know about:me, but it's fast

Sean Kerner — 2009-11-02T10:02:22-05:00

From the 'Where Did the Features Go?' files:

The first official Mozilla Firefox 3.6 Beta release is now available, bringing with it a whole bunch of improvements to the open source web browser. It's also (to my naked eye) missing a few features that I had initially expected to see in Firefox 3.6.

Officially the Firefox 3.6 release is being called a minor upgrade and will be made available to all Firefox 3.5.x users.

While it's called minor by Mozilla, in my own limited tests on both Linux and Windows XP SP 3, the Firefox 3.6 browser starts faster than its Firefox 3.5.x predecessor. According to Mozilla, overall JavaScript performance has been improved as well.

On the security front, Firefox 3.6 includes a built-in plugin detection capability to alert users to out-of-date items.

In previous versions of Firefox users could 'theme' there browsers, but with Firefox 3.6 there is integrated support for Firefox Personas which are complete skins for the browser.

Then there are the under the hood improvements like expanded CSS support and support for the the new Web Open Font Format (WOFF) which builds on Firefox 3.5.x earlier work on expanding Font support and options to developers.

Not a bad list of items and certainly the speed improvements of this release make it worthwhile.

That said, it is missing a number of items that I was looking forward to seeing in this release.

This tech news is not embargoed

David Needle — 2009-10-30T18:51:44-05:00

Embargoes — can’t live with them, can’t live without them. That was one of several themes running through a spirited discussion among tech journalists and PR people last night.

For the uninitiated, embargoes are the controversial process where a tech company, usually its PR firm, offers to give advance details on a news story in exchange for the reporter agreeing not to publish the story until the exact release date and time dictated by the vendor.

The event, titled: “Embargo 2010: An Industry Discussion on Future Rules of Media Engagement,” was held in downtown San Francisco at the Varnish gallery and wine bar and hosted by Waggener Edstrom, one of the longtime biggies in tech PR that counts Microsoft among its key clients.

(Photo: from left to right: Mark Glaser, Damon Darlin, Tom Foremski and Dylan Tweney. Photo by Marie Domingo).

The kickoff was a panel smoothly moderated by former tech reporter Sam Whitmore that included editors from the New York Times (Damon Darlin), Wired.com (Dylan Tweney), Mark Glaser, MediaShift (PBS) and the tech blog Silicon Valley Watcher (Tom Foremski).

The reason embargoes are controversial is they require reporters give up a level of control in how and when a story is reported. Publications and Web sites also often break embargo agreements, deliberately or by accident, leaving the competition fuming as they scramble to catch up in this increasingly real-time news cycle.

“Embargo is Latin for ‘(expletive) you’!” cracked Tweney. “For the reader embargoes let us do more timely, thorough coverage, but we’ve also been screwed by them.”