Archive for the 'Computer' Category
Mozilla security chief Window Snyder has confirmed the existence of a serious code execution vulnerability in the brand-new Firefox 3.0 browser.
Snyder’s confirmation follows a public warning by TippingPoint’s ZDI (Zero Day Initiative) that the flaw could lead to a full PC takeover if a user simply surfs to a rigged Web site with Firefox.
On the Mozilla security blog, Snyder said the bug impacts Firefox versions 2.x and 3.0:
This issue is currently under investigation. To protect our users, the details of the issue will remain closed until a patch is made available. There is no public exploit, the details are private, and so the current risk to users is minimal.
At Mozilla we appreciate any report of security issues because that is how we make the browser stronger and more secure. The best way to keep Firefox users safe is to report the issues directly to Mozilla as TippingPoint has chosen to, and to wait to release details until a fix is available.
As previously reported, the vulnerability was sold to TippingPoint ZDI a few hours after Mozilla shipped the final release of Firefox 3.0.
If you aren’t sure whether your ISP is doing something to your network connection, you will soon be able to download a tool from Google that will tell you once and for all. If ISPs aren’t going to tell their users exactly what is happening with their network connections, Google wants to make sure those users can find out for themselves. This announcement is Google’s most recent attempt at raising awareness about net neutrality.
This isn’t the first time someone has made software to monitor your network and figure out if your ISP is doing anything fishy: the NNSquad Network Measurement Agent is a tool that already does exactly that. In fact, this might actually be the tool Google is referring to. Vint Cerf, Google’s chief Internet Evangelist, is already part of NNSquad.
It’s unclear what kind of effect something like this will have on the network neutrality debate, but it certainly can’t hurt.
Instant-messaging power users, rejoice: a barrier between two previously isolated realms of online chat is coming down.
A minor sidelight in the Yahoo-Google search ad deal announced Thursday is that the two companies “agreed to enable interoperability between their respective instant-messaging services, bringing easier and broader communication to users,” the companies said. They’re not sharing further details at this stage, but it’s safe to bet that means people on Yahoo’s IM network will be able to chat with those on Google’s and vice-versa.
That’s a big step in the right direction.
IM is a useful if sometimes intrusive tool, especially in this day and age when the Internet has tightened ties among co-workers, family, and friends. But people and companies don’t always use the same networks, meaning that power users either must run multiple IM programs or try to bridge the divide with multiprotocol packages such as Trillian, Adium, Digsby, Kopete, or Pidgin.
IM today is similar to the early days of electronic mail, when users couldn’t send messages between incompatible services such as AOL, Prodigy, and CompuServe. Happily, the Internet’s SMTP standard for e-mail emerged victorious, and now we only need one e-mail address (leaving aside the issue of personal vs. work identities, but that’s a story for another day).
A power user’s plight
I’m one of those heavy IM users tormented by today’s situation. I have to talk to people on Windows Live Messenger, Yahoo Messenger, AOL Instant Messenger, and Google Talk. It’s a pain having separate usernames for each service, but much worse is looking for software that centralizes IM for me.
I recognize I’m not a representative sample of the population at large. I have 797 buddies, many of them the same people represented on multiple services.
AOL said in a statement, in effect, that I am indeed an anomaly. “We have no evidence that interoperating with other consumer IM services is of great interest to AIM users,” the company said.
But I’ve seen the problem worsen in the years I’ve used IM, and I believe mainstream people will encounter this problem with greater frequency as they change jobs, graduate from schools, meet new friends, and otherwise expand their social horizons.
Walled gardens
There are signs that these days are numbered. As Internet companies race to build rich communities and services on the Web, “walled gardens” have become widely disparaged as a relic.
Yahoo, for example, has pledged to expose formerly closed parts of its business through its Yahoo Open Strategy. And AOL is opening up AIM some, for example, letting Meebo and eBuddy link up.
But it’ll take awhile to convince me that the IM walls are truly coming down.
For one thing, most of the progress to date has been through interoperability agreements that permit one service to link with another. That’s like CompuServe building a custom gateway to translate and route e-mail from AOL–helpful, but symptomatic of the larger problem. The more IM services there are, the more gateways each service needs to work with the others, and more services are cropping up as companies such as MySpace, Skype, and Facebook add chat abilities.
What we really need is an IM communication standard. The obvious candidate is the XMPP protocol on which Google built its service but that none of the other major players use.
Google, unsurprisingly, shares my view. “The Web is based on open standards and protocols so users can use any browser on any operating system to visit any Web site. We think the open Web model ought to apply to IM,” Seth Demsey, senior product manager for Google Talk, said in a statement.
Of course, it’s a lot easier for underdogs to endorse standards, and Google has 1 percent share of IM users worldwide, according to ComScore figures in April.
Interoperability isn’t easy
To be fair, IM interoperability isn’t an easy technical problem to tackle for mammoth services with millions of users and messages. There also are privacy issues when one service is sharing data and buddy lists with another.
More complicated are higher-level features and services that IM companies have added atop basic text chat: status messages, avatars, file transfer, voice and video chat, message forwarding to mobile phones. I think there’s still value to unifying basic text chat even if higher-level features remain fragmented.
Then, of course, there are business reasons to keep things separate. Yahoo, AOL, and Microsoft all display ads on their services, and AOL is trying to make its service into a foundation on which programmers will create online applications. Opening up IM connections to other services means, for example, that someone using AIM might not see the ads displayed on the AIM software.
I can’t help but wonder, though, if a unified IM landscape might spur faster growth and more extensive use of IM services–factors that mean those people using popular chat software could spend even more time gazing at ads.
Other interoperability deals
There are some other interoperability deals besides the Yahoo-Google one announced Thursday. Most notably, users of Microsoft and Yahoo instant-messenger services can link up and chat if they’re using recent versions of the software.
And there could be more progress on this front: “Microsoft looks forward to continuing our interoperability reach to customers worldwide,” Brian Hall, Microsoft’s general manager of Windows Live, said in a statement.
Users of Apple iChat can link with AIM and Google.
Google’s situation is complicated, in part because it has multiple IM options. The company offers Google Talk in two incarnations: client software that can be installed on Windows machines and a gadget that runs in a Web browser. Those versions can work with any XMPP-based chat service. (They’re not popular, so you probably haven’t heard of them.)
Google also has Gmail chat, which runs alongside the company’s Web-based e-mail service. It can work with AIM.
So tell me: Am I an anomaly because I use multiple chat networks? And how do you solve your IM needs? Does a single IM client suffice, or do you use two to cover the bases? Send an e-mail to stephen.shankland@cnet.com or share your opinion in the feedback section below.
Intel is expected to bring out low-cost quad-core processors in the third quarter to compete with AMD’s triple-core Phenom chip. One site is also posting specifications for upcoming Nehalem processors.
The Core 2 Quad Q8000 series will include the Q8200, which will be priced as low as $203, according to Chinese-language technology Web site HKEPC.
Tech Web site The Inquirer also cited an Intel slide listing the processor.
The 45-nanometer Q8000 series will be relatively low performance and stripped down, running at a clock speed of only 2.33GHz and integrating only 4MB of cache memory.
The currently shipping Intel quad-core processor that comes closest to this is the popular Q6600, which runs at 2.4GHz and packs 8MB of cache memory. This is priced at $224. Typically, the more cache memory integrated into a processor, the better the performance.
An Intel Q8000 quad-core chip priced at $203 would still be more expensive, however, than an AMD triple-core Phenom. A triple-core Phenom processor 8750 (2.4GHz) is listed on AMD’s processor pricing page at $195. The Phenom 8650 (2.3GHz) is listed at $165 and the Phenom 8450 (2.1GHz) at $145.
The price difference between a system using a Phenom and one based on a Core 2 Quad is typically even more stark at first-tier vendors like Hewlett-Packard, where it can be as much as $300. Presumably, a system with a Q8000 quad-core processor would fall below the Q6600-based system in price.
HKEPC is also posting specifications on Intel’s upcoming Nehalem processor, which is based on a new architecture featuring a high-speed data transfer technology called QuickPath (PDF).
At least three Nehalem “Bloomfield” quad-core processors are slated for the fourth quarter, with speeds ranging between 2.66GHz and 3.2GHz, targeted at the mainstream and high end of the market. The processors will also use a new “X58” chipset, according to the report.
HP released a slew of new consumer and business products–including 17 new laptops–at an event in Berlin earlier today. In addition to HP and Compaq notebooks, new products include a refresh of its TouchSmart all-in-one PC, a Voodoo-branded desktop and notebook (the Voodoo PC site had been down for several days), and a 30-inch LED-backlit flat-panel display.
The new notebook roster consists of six consumer models and 10 business laptops, including the HP EliteBook, a 14.1-inch thin-and-light with an anodized aluminum case and magnesium alloy chassis. These are also the first HP laptops to offer AMD’s Puma platform with Turion 64 X2 Ultra processors and the still unannounced Intel Centrino 2 platform, also known as Montevina. Several models also offer an optional LED-backlit display, which is lighter and more energy-efficient.
Consumer Notebooks
Both the Pavilion and Compaq Presario models (PDF with details here) include a new surface design, HP Imprint 2. Depending on the model and configuration, the Pavilions also include touch-capacitive controls, optional widescreen displays with flush bezels, discrete graphics (both AMD and Nvidia), Blu-ray drives and TV tuners. HP also announced several new accessories, including Bluetooth headphones and a redesigned media docking station.
- HP Pavilion dv4t (Intel): 14.1-inches; late June; $999
- HP Pavilion dv4z (AMD): 14.1 inches; early September; $799
- HP Pavilion dv5t (Intel): 15.4 inches; late June; $899
- HP Pavilion dv5z (AMD): 15.4 inches; late June; $699
- HP Pavilion dv7t (Intel): 17 inches; late June; $1,299
- HP Pavilion dv7t (AMD): 17 inches; July; $949
- Compaq Presario CQ40: 14.1 inches; varies by region
- Compaq Presario CQ45: 14.1 inches; varies by region
- Compaq Presario CQ50: 15.4 inches; varies by region
Business Notebooks
The EliteBook is the big news here, but there are other changes worth noting (PDF with details here). Some models offer the HP un2400 wireless WAN module, which uses Qualcomm’s Gobi software-defined radio and works with multiple carriers and wireless networks. HP has added several utilities for providing quick access to e-mail, contacts and appointments; managing usernames and passwords; securely erasing files; and encrypting the contents of the hard drive. (The latter two appear to be on s-series laptops only.)
- HP EliteBook: 14.1 inches; 4.7 pounds
- HP Compaq 6530b and 6535b: 14.1 inches; 5.3 pounds
- HP Compaq 6730b and 6735b: 15.4 inches; 5.9 pounds
- HP Compaq 6530s and 6535s: 14.1-inch WXGA or HP BrightView; 5.3 pounds
- HP Compaq 6730s and 6735s: 15.4 inches; 5.9 pounds
- HP Compaq 6830s: 17 inches
All of these models will be available later this month at starting prices ranging from $799 for the s-series to $1,179 for the semi-ruggedized EliteBook.
HP TouchSmart AIO
This refresh has a 22-inch widescreen, Intel Core 2 Duo processors and 4GB of memory. The emphasis is on the expanded touchscreen functions. The updated software, TouchSmart IQ500 series, lets you manage photos, music and video with your fingers without using the keyboard or mouse–much like the multi-touch controls on newer Apple products. There are two models: the IQ504 (no TV tuner), which starts at $1,299, and the IQ506 (with a TV tuner), which starts at $1,499. Both are available for pre-order online and will be in stores on July 13.
Voodoo PCs
After purchasing this boutique gaming PC outfit, HP kept the brand alive through a well-received line of Blackbird gaming rigs that were billed as having “Voodoo DNA.” Now HP is restoring Voodoo’s full status with a new desktop, the Voodoo Omen, and laptop, the Voodoo Envy 133. The Voodoo Omen will initially be available by invitation only (no, I’m not making this up) at prices starting around $7,000. The Envy, which has a 13.3-inch display and weighs only 3.4 pounds, will be available this summer starting at $2,099. The detailed specs on both are available as PDFs on the voodoopc.com site.
In a somewhat confusing arrangement, the new Voodoo-branded PCs will be sold through the redesigned voodoopc.com site, while the Blackbird 002 and future “with Voodoo DNA” products will be sold through www.hp.com/voodoodna.com. As I mentioned yesterday, the Blackbird 002 will also be sold in retail.
HP DreamColor Display
HP is pitching this 30-inch display as a “color-critical” panel for pros at a fraction of the price. The DreamColor name, which stems from HP’s relationship with DreamWorks, is meant to drive this point home. HP has used the sub-brand in connection with some printers, but the LP2480zx is the first DreamColor display. HP says the LED-backlit display is capable of displaying more than 1 billion colors. It is available now for $3,499.
We now have a name for the next-generation iPhone: the iPhone 3G.
Here’s what we know:
- 3G support
- Built-in GPS
- Black plastic back (white shell version of the 16GB model available)
- Metal buttons
- Same display
- Camera
- Flush headphone jack (requested feature)
- Better audio
Pricing:
- 8GB: $199
- 16GB: $299
Battery life:
- Stand by time: 300 hours
- 3G talk time: 5 hours
- Browsing: 5-6 hours
- Video: 7 hours
- Audio: 24 hours
Spec as on the Apple Store website:
- Screen size: 3.5 inches (diagonal)
- Screen resolution: 480 by 320 pixels (163 ppi)
- Input method: Multi-Touch
- Storage: 8GB and 16GB
- Cellular: UMTS/HSDPA (850, 1900, 2100 MHz); GSM/EDGE (850, 900, 1800, 1900 MHz)
- Wireless data: Wi-Fi (802.11b/g); UMTS/HSDPA (850, 1900, 2100 MHz); EDGE (850, 900, 1800, 1900 MHz); Bluetooth 2.0 + EDR
- GPS: Assisted-GPS
- Camera: 2.0 megapixels
- Battery: talk time up to 5 hours on 3G, up to 10 hours on 2G; standby time up to 300 hours; Internet use up to 5 hours on 3G, up to 6 hours on Wi-Fi; video playback up to 7 hours; audio playback up to 24 hours
- Dimensions: 4.5 by 2.4 by 0.48 inches (115.5 by 62.1 by 12.3 mm)
- Weight: 4.7 ounces (133 grams)
Adobe has released the beta version of Flash Player 10, code-named ‘Astro’. The Flash Player 10 public beta is now available for download for Windows, Mac and Linux.
Some great new features for web developers added to Flash Player 10 include:
- Support for 3D rendering effects
- New drawing APIs
- Adobe Pixel Blender Filters
- New text rendering engine
- Graphics acceleration
Flash Player is among the most widely installed browser plug-ins. As this is a beta, bugs are to be expected. No date has been given for the final release.
Jeff Yan and Ahmad Salah El Ahmad, of the School of Computing Science at Newcastle University, England, recently published a research paper entitled “A Low-cost Attack on a Microsoft CAPTCHA”, demonstrating how they managed to attack the CAPTCHA Microsoft uses on several of its online services, such as Hotmail and Windows Live, with a segmentation success rate of over 90% and an estimated overall success rate above 60%. Here’s a summary of the research:
In this paper, we analyse the security of a text-based CAPTCHA designed by Microsoft and deployed for years at many of their online services including Hotmail, MSN and Windows Live. This scheme was designed to be segmentation-resistant, and it has been well studied and tuned by its designers over the years. However, our simple attack has achieved a segmentation success rate of higher than 90% against this scheme. It took ~80 ms for our attack to completely segment a challenge on a desktop computer with a 1.86 GHz Intel Core 2 CPU and 2 GB RAM. As a result, we estimate that this Microsoft scheme can be broken with an overall (segmentation and then recognition) success rate of more than 60%. On the contrary, its design goal was that “automatic scripts should not be more successful than 1 in 10,000” attempts (i.e. a success rate of 0.01%). For the first time, we show that a CAPTCHA that is carefully designed to be segmentation-resistant is vulnerable to novel but simple attacks. Our results show that it is not a trivial task to design a CAPTCHA scheme that is both usable and robust.
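To make the “segmentation and then recognition” pipeline in that summary concrete, here is a small added example written for this page; it is not the Newcastle authors’ code, and the two challenge bitmaps, the glyph-width limit and the ink threshold are all constructed assumptions rather than anything taken from the real Microsoft scheme. A flood fill stands in for colour-filling segmentation, and a vertical-projection split with a residue filter shows why a single thin arc joining two glyphs is not enough to defeat segmentation.

```python
"""Segmentation step of a text-CAPTCHA attack, on constructed bitmaps.

Added example for this page; not code from the Newcastle paper. The bitmaps
are hand-made ('#' = ink, '.' = background), not real CAPTCHA images. The
flood fill plays the role of colour-filling segmentation; the projection split
and residue filter are simplifications chosen here for illustration.
"""
from collections import deque

INK = "#"

# Constructed challenge: three glyphs with clear gaps between them.
CLEAN = [
    "............................",
    "..###....####.....#####.....",
    "..#.#....#..#.....#.........",
    "..###....####.....####......",
    "..#.#....#..#.....#.........",
    "..#.#....####.....#####.....",
    "............................",
]

# Same glyphs, but a thin arc now joins the first two (a typical
# anti-segmentation measure). Plain flood fill sees one blob, not two.
ARC_JOINED = [
    "............................",
    "..###....####.....#####.....",
    "..#.#....#..#.....#.........",
    "..###....####.....####......",
    "..#.######..#.....#.........",
    "..#.#....####.....#####.....",
    "............................",
]


def column_ink(bitmap, x0, x1):
    """Number of ink pixels in columns x0..x1 (inclusive), over all rows."""
    return sum(row[x] == INK for row in bitmap for x in range(x0, x1 + 1))


def connected_components(bitmap):
    """Label 4-connected ink blobs with an iterative flood fill.

    Returns the (x_min, x_max) column span of each blob, left to right. A
    segmentation-resistant scheme tries to make this count differ from the
    true character count, e.g. by joining glyphs with arcs.
    """
    height, width = len(bitmap), len(bitmap[0])
    seen = [[False] * width for _ in range(height)]
    spans = []
    for y in range(height):
        for x in range(width):
            if bitmap[y][x] != INK or seen[y][x]:
                continue
            queue, seen[y][x] = deque([(x, y)]), True
            x_min = x_max = x
            while queue:
                cx, cy = queue.popleft()
                x_min, x_max = min(x_min, cx), max(x_max, cx)
                for nx, ny in ((cx + 1, cy), (cx - 1, cy), (cx, cy + 1), (cx, cy - 1)):
                    if (0 <= nx < width and 0 <= ny < height
                            and not seen[ny][nx] and bitmap[ny][nx] == INK):
                        seen[ny][nx] = True
                        queue.append((nx, ny))
            spans.append((x_min, x_max))
    return sorted(spans)


def split_wide(bitmap, x0, x1, max_width):
    """Cut a blob wider than any single glyph at its thinnest interior column
    (vertical projection), recursively, until every piece fits."""
    if x1 - x0 + 1 <= max_width:
        return [(x0, x1)]
    cut = min(range(x0 + 1, x1), key=lambda x: column_ink(bitmap, x, x))
    return (split_wide(bitmap, x0, cut - 1, max_width)
            + split_wide(bitmap, cut + 1, x1, max_width))


def segment(bitmap, max_char_width=5, min_ink=3):
    """Full segmentation: flood fill, split over-wide blobs, drop arc residue.

    max_char_width and min_ink are assumptions tuned to the constructed
    glyphs above; a real attack derives them from the target's fonts.
    """
    pieces = []
    for x0, x1 in connected_components(bitmap):
        pieces.extend(split_wide(bitmap, x0, x1, max_char_width))
    return [(x0, x1) for x0, x1 in pieces if column_ink(bitmap, x0, x1) >= min_ink]


def overall_success(segmentation_rate, per_char_recognition, chars):
    """Segmentation-then-recognition estimate under the assumed simplification
    that each segmented character is recognised independently."""
    return segmentation_rate * per_char_recognition ** chars


if __name__ == "__main__":
    for name, bitmap in (("clean", CLEAN), ("arc-joined", ARC_JOINED)):
        print(name, "flood fill:", connected_components(bitmap),
              "after split/filter:", segment(bitmap))
    # 92% segmentation and an assumed 95% per-character recognition over an
    # 8-character challenge give roughly 0.61, the order the paper reports.
    print(round(overall_success(0.92, 0.95, 8), 3))
```

On the arc-joined bitmap the flood fill alone returns two blobs for three characters (a segmentation failure), while the projection split plus residue filter recovers all three. The last function shows how a high segmentation rate multiplied by a per-character recognition rate still lands far above the “1 in 10,000” design goal quoted above.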
Realizing the potential for massive abuse by spammers, the researchers notified Microsoft in September 2007 and waited for a response before publishing the paper last month. Even though they have scientifically justified their success, the CAPTCHAs used at some of the most popular Internet services are known to have been broken before, with the CAPTCHA recognition process available on request and tailored to a customer’s specific CAPTCHA. The following is a brief retrospective of some of the do-it-yourself CAPTCHA breaking services, incidents and tools that I’ve been tracking for a while:
- in July 2006, Fortinet came across eBay bots that were automatically talking with and recommending each other, raising suspicion that eBay’s CAPTCHA had been broken, given the automated registration and posting process
- in March 2007, Vladuz’s eBay CAPTCHA Populator became freely available as a browser add-on that successfully broke eBay’s CAPTCHA. Vladuz has since been arrested
- in September 2007, I came across a service that automatically broke the CAPTCHAs of several email providers; when it couldn’t recognize a CAPTCHA it left the field blank for a human to fill in, but auto-generated the account names to speed up the process
- in October 2007, another such DIY service was located, whose only differentiating factor compared with the previous one was its on-demand nature: the service whose CAPTCHA is to be broken is first submitted for them to analyze, and they then figure out how to break it
- in November 2007, another CAPTCHA breaking service became publicly available, this one already able to recognize the CAPTCHA images at some of the most popular Chinese Internet services
- in February 2008, Websense published a detailed analysis showing Google CAPTCHA breaking in progress
- again in February, Websense released further research, this time demonstrating CAPTCHA breaking against Windows Live Mail
- in March 2008, Wintercore Labs demonstrated that Google’s audio CAPTCHA can also be recognized automatically
- according to MessageLabs Intelligence reports for March 2008, they detected an increase in spam coming from legitimate email services such as Gmail and Yahoo, with Yahoo Mail the most abused Web mail service, responsible for 88.7 percent of all Web mail-based spam; the reason given was the successful recognition of the CAPTCHAs at these services
All of these developments clearly indicate the demand for and supply of CAPTCHA breaking services, as well as the potential for abusing the clean domain reputation of the most popular email providers, whose continuous emphasis on usability, namely coming up with more user-friendly CAPTCHAs, often results in the ease with which the process can be automated. No CAPTCHA is perfect, and any CAPTCHA is subject to a great many attacks; what can, on the other hand, frustrate someone’s ambitions for automatic recognition is breaking out of the current CAPTCHA model. And if large-scale CAPTCHA recognition is to be undermined, novel and adaptive approaches such as the following replacements for text-based CAPTCHAs should be considered:
- IMAGINATION: Image-based Authentication
- Animated GIF CAPTCHA
- KittenAuth
- ESP-PIX - The CAPTCHA Project
- Asirra
Information Source:
http://blogs.zdnet.com/security/?p=1232