Google is unveiling the Chromebook this week – a laptop that runs on Chrome OS. The Chrome OS is a cloud based operating system which means that all your data (or most of it) will be stored on a remote server rather than on the local hard drive. Another way of saying it is you can literally rip apart and destroy your Chromebook (assuming you have deep pockets) and still get a good night’s sleep because your data is safely backed up somewhere on the net.
“Google Chrome OS is designed around the concept of “expendable” terminals that you can lose, drop or simply throw away without fear of losing your data, which is safely stored in the cloud. However, one thing is certain: with all your data being available in the cloud, in one place, available 24/7 through a fast internet link, this will be a goldmine for cyber-criminals. All that is necessary here is to get hold of the authentication tokens required to access the cloud account.”
The following are some of the advantages of Chromebook as touted by Google.
Boots in 8 seconds flat.
Full support for Adobe Flash and the latest web standards.
Share your Chromebook with friends and family without giving them access to your email and personal data.
Automatic OS updates provided seamlessly over the net.
Secure out of the box – Providing multiple layers of protection, including sandboxing, data encryption, and verified boot.
3G and WiFi support.
The Chromebook is a computer designed to work with Chrome OS
The boot process verifies your Chrome OS install ensuring that it is not tampered with and thus free of viruses and other malware. If there is any tampering, the system is repaired automatically
The Chromebook runs Chrome OS
Chrome OS is a Linux-based OS that is optimized to run ONLY the Google Chrome browser
Chrome OS does not have any applications installed on it other than the Chrome browser
One cannot install traditional Windows, Mac OSX, or even Linux apps on Chrome OS
All your work needs to be done online using tools such as Google Docs (office applications), Picnik (image editing), GMail (email), etc.
One can install web apps from the Google Chrome Web Store (now including the popular Angry Birds)
Chrome OS is stateless, i.e. since all your operations are performed in the cloud, your netbook itself stores nothing. You can discard it, log in from another device and have the same experience.
Chrome OS keeps up to date automatically
Chrome OS keeps your data encrypted so even if your device gets lost, your data is safe
Google has brought in Samsung and Acer to market the first set of Chromebooks.
If the price is right, this could be an exciting proposition for anyone. In fact, Google says it will offer Chromebooks to the student community for a monthly fee of $20 per student and for the business community for a monthly price of $28 per user, which is exciting if this price also includes a data plan.
For the rest of us, the Samsung Series 5 Chromebook is set to cost US$429, while the Acer Chromebook would cost US$349 for the Wi-Fi version. The 3G version would be slightly more expensive at US$499 and will be sold by Best Buy and Amazon in the US starting June 15.
“Both hardware- and software-wise, [Chromebooks] are nothing special: You can download Chrome OS’s open source brother, Chromium OS, for free — and at around $400 for a Chromebook, you would certainly expect some better hardware than what Samsung and Acer are offering. In fact, for around $300 you can get a cheaper and more powerful netbook with Windows 7 pre-installed — and it only takes about 30 minutes to wipe Windows and install Chrome OS yourself.”
If you can install your own OS, then (1) you are smart enough to install a regular Linux distro, and (2) you probably like to install your own stuff, so Chrome OS is not the best option for you. Except, maybe, if you want to give the netbook to someone else.
Google’s Sundar Pichai noted at the Google I/O Day 2 keynote that the company’s most important products – Gmail, Calendar and Docs – will be receiving offline support in the near future. That pretty much means this summer. Google had said that the feature was set to debut this past spring, but the project has been delayed for some reason.
The keynote was every bit as news-heavy and action-packed as the first day keynote: Google also unveiled some Chrome OS upgrades that give users more control over locally stored files, along with announcing several key HTML5-related updates to its Chrome browser. But the announcement that got some of the biggest cheers was this one: Angry Birds will become available as a desktop app in the Chrome Web Store!
The Samsung Chrome OS laptop will have a 12.1 inch display, “all-day” battery usage, Wi-Fi and an option for Verizon 3G service. The Wi-Fi only version will cost $429, while the 3G version will go for $499. The Acer Chromebook will have an 11.6-inch screen and Wi-Fi, and will sell for “$349 and up.”
Google’s slogan for the Chromebooks is “Chromebook: Nothing but the web.” The argument behind it is this: The Chromebook is almost completely an internet device. If you can do your work and access your content on the web, you don’t need the virus updates, slow local services, and endless startup process that can plague a conventional PC.
But Google clearly knows that asking users to give up the security of a local hard drive and conventional desktop software is a hard sell. So it tried to make businesses a particularly compelling offer.
Google wants businesses to use the new Chromebooks to quickly and inexpensively update their laptops to run a modern OS. Google says half of all company-owned PCs in America still run Windows XP.
To make the Chromebooks fit in better in the office, Google is working on a “Chrome Box”, a flat square box that connects Chromebooks to large monitors and company file systems.
Google says it is offering businesses the Chromebooks, the Chrome Box, full support, full warranty service and automatic end-of-life equipment replacement at a price of $28 per month per user.
$336/yr or $1008 over 3 yrs (the typical corporate lifespan of a laptop) isn’t bad if (BIG IF) the helpdesk/support link can be removed from the loop.
In short, Google is seriously upping the ante in its challenge to Microsoft in the workplace. It’s already making inroads with its Google Docs cloud-based productivity apps, but now it has dramatically sweetened its offer to provide the OS and even the hardware, too. At this price, Google’s offer could be very attractive to many businesses.
A similar offer is being extended to education, but the price per month per user for schools is only $20.
Improvements to OS
The biggest problem with the Chrome OS to date is that it’s been so completely about the web that you really miss being able to do things like download and install apps or play music or video content on the local hard drive. You just couldn’t do that in the first iteration of Chrome OS.
Knowing this, Google appears to have made some real-world concessions in response to the problem. It has added a file manager, where you can store music and video files you’ve downloaded. There’s also a new media player in the OS that you can use to play the content. This alone makes me want to give Chrome OS another chance.
Google says the OS will stream content from Hulu and Netflix and the new media manager will plug into the new Google Music Beta and Google Movies services. The OS handles photos better now too. Users can now plug in a camera to the Chromebook, move photos from the camera, then store them in the cloud.
Chrome Browser Improvements
Google recently announced several cool new HTML5 tricks for its Chrome browser. Google has been a strong proponent of HTML5, which it says developers can use to develop one version of a Website or service that will have advanced capabilities and, most importantly, work on “all modern browsers.”
Google has built some impressive APIs for the Chrome browser that will help developers create cool web pages faster. For instance, developers can use a Google API to build voice recognition into their apps. Google says it has also improved the hardware acceleration of its browser, which revs up the graphics card in the PC to render highly dense, colorful animated graphics.
Chrome Web Store
Google also made several announcements about its Web App Store, where Chrome users can grab apps to run in the Chrome browser. Google says that people spend twice as much time in Chrome apps compared with apps on other platforms, and make two and a half times more purchases within the apps.
When the guy who made Angry Birds took the stage here, it was clear that the popular game had come to the desktop as a Chrome App. Huge applause. Developers, it appears, love Angry Birds too. (It occurred to me that employers everywhere should mourn the time and productivity that just went out the window with the announcement of a desktop-based game as addictive as Angry Birds.)
The only thing developers love more: Keeping as much money as possible from the sale of their apps. Google got uproarious applause with the announcement that it will take only a 5 percent flat commission on each app sold by a developer at the Web Store. Apple, by contrast, takes a 30 percent commission on app sales.
With the news that Chromebooks will be available to the public on June 15, there is some pressure here for the company to deliver on that promise. The fact that they have already announced when Chrome OS will be available ups the ante for whatever team is working to bring this feature to the masses.
Oracle today released an update to its ubiquitous Java software that fixes at least 17 security vulnerabilities in the program.
The company is advising users to apply this update as soon as possible; it looks like most — if not all — of the vulnerabilities addressed by this new version may be exploited remotely without authentication.
The latest version is Java 6 Update 26 (v. 1.6.0.26), and is available either through the updater built in to Java (accessible from the Windows control panel) or by visiting java.com. If you’re not sure which version you have or whether you’ve got the program installed at all, click the “Do I have Java” link below the red download button on the Java homepage.
Java’s broad install base has made it a major target for computer crooks. It certainly does not help that so many users fail to keep this very powerful program updated. If you have no use for Java, my advice is to get rid of it.
If you can’t bring yourself to do that, consider disabling the Java plug-in(s) in your browser of choice unless and until you need the program.
Java 6 update 26 for Windows, Linux and Solaris is designed to plug these multiple holes and is available for download from Oracle here. The last major update on this scale was three months ago.
Java packages on Windows can alternatively be patched using a built-in update function.
Apple users will have to wait until Apple releases an update to address these vulnerabilities, since there’s no update for Mac OS X from Oracle.
The ubiquity of Java and the difficulty many users understandably have in keeping the software up to date have made it an attractive target for hackers. Users should consider whether they might be better off uninstalling Java from their systems or, at the very least, disabling Java altogether.
For Windows users there is another problem that has been circulating around the web of late. Yeah, what else is new. I find these reports rather comical, as being a Linux user they do not apply to me, period. Out of the three big browsers on the block, Google Chrome, Firefox and Internet Exploiter, Google Chrome should be the safest one to use these days on the web.
If you are, however, a strict user of Firefox already, then I highly recommend the use of Firefox with the NoScript addon and your problem will be fixed. You’ll never even see the attack page in the first place. It’ll just be blank. Note to first-time users of NoScript: it is a WHITELIST, not a blacklist. Some sites are programmed into it, but 90% of them are not. You will have to approve various sites yourself. Yes, this may seem like a pain, but five seconds of pain beats being infected.
You can also disable proxies in the connections tab of your browser under advanced settings. LizaMoon uses a proxy server to redirect your browser. Disabling the proxy eliminates the popups and allows you to download a scanning tool like ESET’s online scanner tool or HitManPro’s scanner.
A new bit of malware has been making headway across the Internet, but is it really that big of a deal? You’ve probably seen the news that “Lizamoon,” an SQL injection attack designed to point your browser to a piece of fake security malware, had infected hundreds of thousands of pages across the Internet. And this includes links found within Apple’s iTunes itself… to a degree.
But here’s the deal: In order for the script to have any noticeable effect on your computer, you have to agree to allow it to work its unhealthy magic on your system, according to WebSense.
Simply visiting a site with injected code only redirects your browser to another site, and the social engineering takes over from there.
The simple solution: Don’t install unknown files! The more complex solution: Know what antivirus programs already exist on your system, and know what they look like when they scan for and find files. If something says you have malware on your system, and this something looks nothing like applications you already have on your system, be suspicious!
In this case, a successful Lizamoon redirect takes you to a dummy page that looks as if a large antivirus/anti-malware scan is taking place on your computer. Go figure, the scan finishes quite quickly, and the user is alerted that his or her machine might be compromised by various Trojan horse attacks and other cleverly titled malware. If the user is still playing ball, he or she can click on the simulated option to “remove” these malware apps, which then pulls up a simple download window for a “malware-removing” executable.
Still with us? Here’s the deal: If you push some common sense into the mix, you’ll notice that this entire process seems a bit fishy to begin with. Step one: A virus scan for Windows Explorer appears in your browser window. Step two: It finishes in lightning speed. Step three: You have to download a file–apparently via Windows Explorer, but using your browser’s standard download file prompt–to finish the deal.
In short, Lizamoon can’t do a thing to your system unless you let it. So if you see any sort of popup like the ones I am showing here, do not click on anything! Just turn off your computer and reboot. If you’re already running ESET NOD32 and/or OpenDNS, then you shouldn’t be able to visit any site that is compromised.
The SQL injection attack on the initial site you were visiting, which itself prompts the redirect to the bogus scanning site, only works on this first web site. Lizamoon doesn’t hang out in your browser, or continually redirect you to fake sites, or install itself on your computer in a manner that doesn’t first require you to perform the action yourself.
So what has Lizamoon taught consumers? Don’t let your browser con you into thinking that some kind of action is magically happening on your system, don’t trust this magical action if it takes less than 30 seconds to do or looks otherwise unknown to you, and run an up-to-date virus-scanner in the background of your system. Ta-da: Lizamoon defeated.
When you get hit by the infected website and are redirected, two things happen: you get hit with a popup box, and you lose control of both your browser and the ctrl+alt+del functions. As with all browser windows you have the option to hit the red X to close everything down, but not this baby; touch anything on this baby and you spark up what is now a computer hijacker’s website. For those few moments the only solution is a log off or reboot. Blocking the hijacker with your firewall is a waste of time. The infection is designed to refer you to several thousand backup addresses that refer you on to thousands of ever-changing country-specific domains like .ms or .uk. The worst part is that the address in the browser address bar is not the address of the web page you are looking at; the web page isn’t in .uk or .us but in Russia. The penultimate hop to the hijacker is a secure firewall server in the USA. The only way of shutting these hijackers out of your computer is by blocking the CIDR address 212.124.96.0/19 with your firewall.
Don’t know which bothers me the most: the problem, or people trying to turn a profit from it. If you run Windows, simply hit the power button; after shut down, restart in safe mode and run restore. The malware is gone.
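The Lizamoon campaign described above works by injecting a redirect script into the content a site stores and later serves. As an added example, not code from the original post or from any of the sources it quotes, the Python below shows two defensive sides of that: a scan of stored CMS content for <script src> tags pointing at hosts the site does not normally load scripts from, which is how an injected tag shows up in a database, and a parameterised page lookup beside the string-spliced query it replaces. The pages table, the allowlisted hosts and the injected-redirector.invalid host are all constructed for the example.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Hosts this (hypothetical) site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example-cms.test", "cdn.example-cms.test"}

# <script ... src=...> with double-quoted, single-quoted or bare values, any attribute order.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)


def external_script_hosts(html: str) -> list[str]:
    """Hostnames of <script src> references that are not on the allowlist."""
    hits = []
    for m in SCRIPT_SRC_RE.finditer(html):
        src = next(g for g in m.groups() if g is not None)
        if src.startswith("//"):          # protocol-relative URL
            src = "http:" + src
        host = urlparse(src).hostname
        if host is None:
            continue                      # relative path: served by this site itself
        if host not in ALLOWED_SCRIPT_HOSTS:
            hits.append(host)
    return hits


def build_sample_db() -> sqlite3.Connection:
    """Constructed CMS table: one clean page and one carrying an injected redirect tag."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (id, title, body) VALUES (?, ?, ?)",
        [
            (1, "About us",
             '<p>Welcome.</p><script src="https://cdn.example-cms.test/site.js"></script>'),
            # Constructed: a tag appended to the stored field, the way a mass SQL-injection
            # campaign tacks one onto every text column it can reach. The host is a placeholder.
            (2, "Contact",
             "<p>Email us.</p></title><script src=http://injected-redirector.invalid/ur.php ></script>"),
        ],
    )
    conn.commit()
    return conn


def scan_pages(conn: sqlite3.Connection) -> list[tuple[int, str, str]]:
    """Walk every stored page and report (page id, column, unexpected script host)."""
    findings = []
    for page_id, title, body in conn.execute("SELECT id, title, body FROM pages"):
        for column, text in (("title", title), ("body", body)):
            for host in external_script_hosts(text or ""):
                findings.append((page_id, column, host))
    return findings


def fetch_page_vulnerable(conn: sqlite3.Connection, page_id: str):
    """The pattern that lets request input rewrite the query: a value spliced into the SQL text."""
    return conn.execute(f"SELECT title, body FROM pages WHERE id = {page_id}").fetchone()


def fetch_page(conn: sqlite3.Connection, page_id: str):
    """Hardened form: the value is bound as data, so it can never change the statement."""
    return conn.execute("SELECT title, body FROM pages WHERE id = ?", (page_id,)).fetchone()


if __name__ == "__main__":
    db = build_sample_db()
    for finding in scan_pages(db):
        print("suspicious script host:", finding)
    # The same malformed id matches the whole table for the spliced query and nothing
    # at all for the bound one.
    print(fetch_page_vulnerable(db, "1 OR 1=1"))
    print(fetch_page(db, "1 OR 1=1"))
```

Run against a real CMS export, the allowlist is the only thing to adapt; every host the scan reports is either a forgotten third-party script or the injection the article describes.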
Those who want a secure operating system are better off just leaving Microsoft altogether, not to mention cost savings and other commonly-stated advantages as you do NOT have to purchase additional software to make Windows function safely. Windows does not seem to impress people all that much.
Linux is becoming dominant not just in phones but on desktops too. One adoption curve drives the other and people who own an Apple or Google phone sooner or later rethink their desktop operating system (a personal observation).
Google will pay $20,000 to the first researcher to exploit its Chrome browser. The award is the largest ever for the annual challenge, which will kick off for the fifth time at this year’s Pwn2Own hacking contest at CanSecWest in Vancouver, BC, on March 9.
This contest is a nice cheap way to find problems with your browser. You end up getting lots of very talented people to look at your code for you. They have the additional benefit of not being the original programmers. This helps them have a new perspective on the code.
Note: Two things that bother me are that they do not include any popular Linux distributions, nor do they offer the Opera browser as a contender. An inquiry to the organization provided the response that “Linux and Opera do not hold significant market share.” I am still scratching my head at that statement. Anyway, here are the details.
Target: Web Browsers
This year the web browser targets will be the latest release candidate (at the time of the contest) of the following products:
Microsoft Internet Explorer
Apple Safari
Mozilla Firefox
Google Chrome
Each browser will be installed on a 64-bit system running the latest version of either OS X or Windows 7.
At this year’s Pwn2Own, researchers will pit exploits against machines running Windows 7 or Mac OS X as they try to bring down Microsoft’s IE, Mozilla’s Firefox, Apple’s Safari and Chrome. The first researchers to hack IE, Firefox and Safari will receive $15,000 and the machine running the browser. The prizes are $5,000 more than those given for exploiting browsers at the last Pwn2Own contest, and three times more than the 2009 awards. ‘We’ve upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000,’ said Aaron Portnoy, the manager of the sponsor, HP TippingPoint’s security research team, which set the contest’s rules Wednesday in a blog post written by Portnoy.
New this year is Google’s participation. The company is the first browser vendor to put money into the prize kitty. “Kudos to the Google security team for taking the initiative to approach us on this,” Portnoy said.
The rules for Chrome are slightly different than for the other browsers because it’s the only one of the four that uses a “sandbox,” an anti-exploit defense. A sandbox isolates system processes, preventing or at least seriously hindering malware from escaping an application — in this case Chrome — to wreak havoc on the computer.
To exploit a sandboxed program like Chrome, researchers require not one but two vulnerabilities: The first to allow their attack code to escape the sandbox, and a second to exploit a Chrome bug.
Other software developers have followed in Chrome’s footsteps to try to make their applications more secure. Last year, for example, Adobe added a sandbox — derived in part from Google’s work — to its popular Reader program.
To walk off with Google’s $20,000 on Pwn2Own’s first day, a researcher must find and exploit two vulnerabilities in Google’s code. Only on the second and third days of the contest can researchers employ a non-Chrome bug, say one in Windows, to break out of the sandbox. A successful attack on the second and third days will still put $20,000 in the researcher’s pocket, but only $10,000 of that will come from Google; TippingPoint will pony up the other $10,000.
Google’s participation in this year’s Pwn2Own may be a mark of its confidence that Chrome can’t be hacked. Although Chrome has been one of the browser targets at Pwn2Own since 2009, no researcher has exploited the browser and grabbed the cash.
IE, Firefox and Safari have fallen to attackers each of the last two years, sometimes in an embarrassingly short amount of time. In 2009, one researcher — a German computer science major who gave only his first name, Nils – hit the trifecta by exploiting all three browsers and taking home $15,000 total, $5,000 for each hack.
Charlie Miller, the only researcher to have won Pwn2Own prizes three consecutive years, wouldn’t commit last week to trying again, but on Wednesday he noticed the $20,000 for Chrome.
“Pwn2own now offering 20k for attack on Chrome,” said Miller on Twitter. “Must be hard, glad Mac OS X doesn’t sandbox their browser.”
Miller is a Mac hacking authority — he co-authored The Mac Hacker’s Handbook with Dino Dai Zovi, a 2007 Pwn2Own winner — and has exploited Safari each of the last three years. As he pointed out, Safari is not sandboxed.
TippingPoint will also run a mobile hacking track at Pwn2Own next month that will let researchers try to exploit smartphones running Apple’s iOS, Google’s Android, Microsoft’s Windows 7 Phone and RIM’s BlackBerry OS.
Successful smartphone attacks will be awarded $15,000.
As Apple, Google and Microsoft battle for mobile supremacy, Canonical — promoter of Ubuntu Linux — is preparing its own mobile moves. Ubuntu 11.04 will ship in April 2011 with a kernel version customized for OMAP 3 ARM processors, according to Ubuntu developer notes. Does this mean Canonical hopes to target more types of mobile devices in the future? Here’s the scoop, along with some thoughts.
Texas Instruments’ OMAP 3 chips are a family of ARM processors designed primarily for use in mobile devices. They boast ready support for multimedia applications and acceleration, and are already in use on a variety of phones.
During the last meeting of the Ubuntu Kernel Team on Jan. 4, 2011, developers decided to release a kernel for the next version of Ubuntu, 11.04, customized for the OMAP 3 architecture. This is part of an ongoing effort to expand Ubuntu support for ARM chips.
While no OMAP 3 kernel has been released yet, meeting notes indicate that one should be coming in the future, as the development cycle for the next version of Ubuntu continues. “We are still working to determine how to provide OMAP 3 kernels; testing is ongoing of a master-based kernel,” according to the notes.
Ubuntu On Your Phone?
Ubuntu ports customized for OMAP chips already exist, and plenty of geeks have successfully run Ubuntu on mobile phones in the past. In that sense, the announcement of an OMAP 3 kernel build for Ubuntu 11.04 may not be too exciting.
Official Ubuntu support for OMAP 3 devices, however, represents a major milestone in that it would be the first Ubuntu kernel flavor targeted primarily at mobile hardware — not to mention smartbooks, which may well become an important new family of devices in the coming year.
That change itself may not mean that 2011 will become the Year of the Ubuntu Cellphone, but it could be a significant first step toward a new market for Ubuntu, a Linux distribution traditionally focused on desktops and servers.
Other ARM-related goals for Ubuntu 11.04 include the release of an ARM image and ARM build support on Launchpad, a further indication of Canonical’s aspiration of placing Ubuntu at the forefront of the ARM-based hardware market.
Google’s Chrome OS, of course, which is based on Ubuntu, will also support ARM chips, and it seems likely that many more end users will run Google’s operating system on their devices than Ubuntu 11.04.
All the same, Canonical’s casting of a direct bid for ARM market share could have significant implications for the evolution of Ubuntu going forward, as smaller devices may become an increasingly important focus of Ubuntu developers. It’s also good news for end users who want smartbook hardware but are reluctant to sell their souls to Google by running Chrome OS, which in all likelihood will come tightly entwined with Google services.
Damon Sicore, Senior Director of Platform Engineering at Mozilla, has announced that the company is almost ready to ship Firefox 4. On its mailing list, Mozilla has revealed it has around 160 hard blockers to fix, before proceeding to Release Candidate stage. Both the RC and the final version would arrive in February, according to Sicore.
Mozilla was originally planning on having Firefox 4 out by the end of last year, but it had to delay the release till 2011. Last month, Firefox 4 Beta 8 was released for Windows, Mac OS X, and Linux 32-bit/64-bit, with support for 57 languages. Mozilla’s roadmap says it still wants to release a Beta 9, a Beta 10, and at least one Release Candidate build before the final version.
Mozilla’s Firefox recently overtook Microsoft’s Internet Explorer to become the most popular browser in Europe. Worldwide though, the browser’s market share has largely stagnated.
Here is the full message, posted on mozilla.dev.planning:
We’ve worked tremendously hard on Firefox 4, and it’s time to ship it. I’m seeing the same burst of excitement and activity that we’ve seen in the endgame of every release. Over the past several days, component leads have again reduced their blockers by identifying hard blockers and those we can live without. We’ve around 160 hard blockers remaining, and historically it has taken us six weeks to reach RC once we have 100 blockers left. We must press hard now.
To Finish:
1) We have to reach Release Candidate status as quickly as possible, ideally finishing the hard blockers by the beginning of February and shipping final before the end of February. We’ll need your help to balance these targets against the need to build a high quality product.
2) Bug counts demand another beta. We’ll drive the beta bugs to zero and ship another beta. If we can’t get them to zero in reasonable time, we’ll repeat, deliberately. It depends on how quickly we can drive down the list of hard blockers that need beta feedback. This is our top development priority, since it pushes the rest of our schedule.
3) We need *everyone* to help in testing. Specifically: Do not disable Flash, Silverlight, or other major plugins as we need as many people testing these as possible. Windows users: We need to know if you are affected by hardware acceleration causing crashes or other issues. Don’t just assume that someone else has filed a bug already. Make sure. Ask someone if you don’t know how. This is very important.
MOST IMPORTANT: We must ship the best possible product we can. If a blocker needs more time, tell release drivers and component leads immediately. If you disagree with a blocking call, say so loudly. Do not be timid. This is your product, we need you to own it.
I know you’re all tired and stressed. You all do incredible work every day, and you’ve built an amazing product. Stay focused. Be nice to each other. Firefox 4 is gonna kick ass, and you should be fiercely proud of it.
On a side note, I have been using Google Chromium, which is the open-source web browser, for almost a year now; it’s faster than Firefox 3.6 and less prone to crashing, and it can update itself and install plugins without restarting. I also pulled the analytics report for this website during 2010 and looked at the percentages of people using each browser; it is interesting knowing how little Internet Exploiter is used these days.
Google in December unveiled a beta version of its Chrome OS notebook, dubbed Cr-48. Google plans to release two, Intel-based Chrome OS notebooks from Acer and Samsung in mid-2011, with Verizon Wireless providing cellular connectivity. No pricing information was released for the upcoming Acer and Samsung devices; Google said its partners will hold their own launch events in the future with more details. Google has announced that it has partnered with Verizon Wireless to provide 3G wide area network (WAN) coverage on every Chrome OS device. Each device will receive 100MB of data for free each month for two years. The Cr-48 has a 1.6 GHz Atom – 64-bit instruction set and hyperthreading but no virtualization bits. Rumors are that the production units will be true dual-core, not hyperthreaded. A machine like that can run a lot more than a browser!
My prediction on pricing will be under $100 and probably about $50.
The reason is that Google can come in below the price of the Amazon Kindle and under the price of many netbooks and most Android tablet PCs.
I think Google will subsidize its hardware partners because it is a thin browser that locks in Google search and advertising. If they can make $10 per month, then a $50 subsidy makes sense.
Google will be able to do the locking of search and browser because it is a dedicated device for that purpose and not like Microsoft Internet Explorer was a locking after the fact to a monopoly OS.
You will be buying into a locked-in situation, and you will know that from the get-go, with devices that start with no market share.
Why are there Google Android devices and Google Chrome devices?
There are two because they serve different purposes. Google Android is a thicker and more flexible and more open software which is to compete with Apple iPhone and Tablets by using many hardware and software partners.
Google Chrome can go thinner and more closed, with better security and less to hack, while still delivering Google search and advertising domination. Chrome can also lean more heavily on the Google cloud solutions (Gmail, Google Docs etc.).
Google can then subsidize based on estimate of the per seat revenue they expect each month or year from another person just playing with Google’s stack.
I think Google will not go totally free right away because there will be a need to ramp up production and to not have it perceived as free and disposable.
Cheap Google Chrome OS notebooks could also eventually compete for the $10-20 netbooks for the developing world.
For the second time in four months, a Google researcher has publicly revealed a fresh security flaw in Microsoft’s Internet Explorer web browser.
Jerry Bryant, manager of response communications for Microsoft’s Trustworthy Computing group, says Zalewski increased the risk that cyber criminals will find a way to take advantage of the browser flaw before a patch can be refined, tested and widely distributed.
“Microsoft is committed to working with researchers and the companies who employ them,” says Bryant. He says collaborating behind the scenes “to address potential vulnerabilities before details are made public reduces the overall risk to customers. Microsoft’s primary goal is to reduce customer risk, not amplify it. In this case, risk has now been amplified. ”
Bryant says Microsoft is trying to determine if hackers could actually exploit the flaw; he said no known attacks have taken place so far.
Last September, a Google researcher named Chris Evans did much the same thing. After discovering a fresh IE vulnerability, Evans disclosed it publicly before Microsoft could get a patch ready. Evans said at the time that he did not think Microsoft was moving fast enough to issue a patch.
It’s worth noting that Google’s Chrome web browser competes directly against IE, the world’s most widely used browser. Chrome is part of Google’s strategy to displace Microsoft Office with Google Apps. Microsoft, meanwhile, is pushing hard to grab chunks of Google’s core search advertising business with its Bing search services.
The browser vulnerabilities discovered by Zalewski and Evans represent fresh ways for cybercriminals and cyberspies to take control of Internet-connected computers, says Arian Evans, Vice President of Operations at website security company WhiteHat Security.
Announcing cross_fuzz, a potential 0-day in circulation, and more
I am happy to announce the availability of cross_fuzz – an amazingly effective but notoriously annoying cross-document DOM binding fuzzer that helped identify about one hundred bugs in all browsers on the market – many of said bugs exploitable – and is still finding more. The fuzzer owes much of its efficiency to dynamically generating extremely long-winding sequences of DOM operations across multiple documents, inspecting returned objects, recursing into them, and creating circular node references that stress-test garbage collection mechanisms.
Fuzz testing, or fuzzing, is a software testing technique that feeds invalid, unexpected or random data to the inputs of a program. When the program fails (for example, by crashing or tripping a built-in assertion), the input that caused it is recorded and the defect can be tracked down.
A security fuzzer is a tool used by security professionals (and professional hackers) to exercise the inputs of an application. Typical fuzzers probe for buffer overflows, format string vulnerabilities and poor error handling. More advanced fuzzers add checks for directory traversal, command execution, SQL injection and cross-site scripting vulnerabilities. Web vulnerability scanners typically perform all of these checks and can be considered advanced fuzzers.
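To make the definitions above concrete, here is a small mutation fuzzer added as an example for this page. It is not cross_fuzz and not code from any of the articles quoted here; it only shows the loop the paragraphs describe: take a valid input, mutate it, hand it to the code under test, ignore the errors that code is documented to raise, and record anything else as a finding. The record format, the seed and both parsers are constructed for the example. The fragile parser trusts a length field the way a careless C parser would (here that surfaces as an IndexError rather than an out-of-bounds read), and the hardened version validates the field before using it.

```python
import random
import traceback


# Constructed record format for this example: 1-byte tag, 1-byte payload
# length, payload, then a 1-byte checksum (sum of payload bytes mod 256).
def checksum(payload: bytes) -> int:
    return sum(payload) & 0xFF


def parse_record(data: bytes) -> dict:
    """Deliberately fragile parser: trusts the length field."""
    if len(data) < 3:
        raise ValueError("record too short")
    tag, length = data[0], data[1]
    payload = data[2:2 + length]
    # If the length byte claims more bytes than are present, this indexes
    # past the end of the buffer; in C this would be an out-of-bounds read.
    if data[2 + length] != checksum(payload):
        raise ValueError("bad checksum")
    return {"tag": tag, "payload": payload}


def parse_record_fixed(data: bytes) -> dict:
    """Hardened version: checks the length field against the real size first."""
    if len(data) < 3:
        raise ValueError("record too short")
    tag, length = data[0], data[1]
    if len(data) != 3 + length:
        raise ValueError("length field does not match record size")
    payload = data[2:2 + length]
    if data[2 + length] != checksum(payload):
        raise ValueError("bad checksum")
    return {"tag": tag, "payload": payload}


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation to the input."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:                         # flip a single bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:                       # overwrite a byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2 and len(buf) > 1:              # delete a byte
        del buf[rng.randrange(len(buf))]
    elif op == 3:                               # insert a byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:                                   # duplicate a chunk
        start = rng.randrange(len(buf))
        end = rng.randrange(start, len(buf) + 1)
        buf[end:end] = buf[start:end]
    return bytes(buf)


def fuzz(target, seeds, iterations, rng_seed=0, expected=(ValueError,)):
    """Mutation fuzzer. Exceptions listed in `expected` are the target's own
    validation errors and are ignored; anything else is a finding, stored once
    per (exception type, line that raised it) with the input that triggered it."""
    rng = random.Random(rng_seed)
    corpus = list(seeds)
    crashes = {}
    for _ in range(iterations):
        data = rng.choice(corpus)
        for _ in range(rng.randint(1, 3)):      # stack a few mutations
            data = mutate(data, rng)
        try:
            target(data)
        except expected:
            continue
        except Exception as exc:
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            crashes.setdefault((type(exc).__name__, frame.lineno), data)
    return crashes


# Constructed seed: a single valid record whose payload is "hello".
SEED = bytes([0x01, len(b"hello")]) + b"hello" + bytes([checksum(b"hello")])

if __name__ == "__main__":
    for (exc_name, lineno), sample in fuzz(parse_record, [SEED], 3000, rng_seed=1).items():
        print(f"{exc_name} at line {lineno}: {sample!r}")
    print("findings against the fixed parser:",
          fuzz(parse_record_fixed, [SEED], 3000, rng_seed=1))
```

The point of separating `expected` from everything else is that a parser rejecting bad input with its documented error is correct behaviour, not a bug; the fuzzer should only flag the failures the author did not plan for. Deduplicating on exception type and line keeps a long run from reporting the same root cause thousands of times.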
“Today attackers tend to leverage browser exploits by first exploiting the web application,” says Evans. “After compromising the web application, they use the browser-level exploits, like this IE exploit discovered by Michal Zalewski, to compromise and take over the website users’ computers. So these types of exploits are used together to compromise both web application and the end user PC.”
Conclusion: Do not use Internet Explorer for browsing….PERIOD.
Just read this, it is a fair assessment from a new user of Ubuntu Linux.
An older model laptop showed up at our home this summer; the HP Pavilion DV6000 to be exact. Kim has mentioned how convenient it would be to have a laptop she could keep upstairs while working in the kitchen or to take to the beach during the summer. Or maybe it was her subtle way of asking for an iPad. I'll never know.
Although this HP was a few years old, I figured it should fill in nicely as a kitchen computer.
One week into ownership, Kai managed to pry off a dozen keys. We tried to line up the tiny springs and keys, but that only resulted in frustration. My father-in-law suggested I search for a keyboard on eBay when I was about to toss the laptop on the scrap heap. For about twenty bucks, I was able to replace the keyboard and assumed we were back in business. We were for a while.
But Windows XP began giving us problems. It would send the laptop into death mode (sleep mode) and never recover. Only a hard boot would return the machine to Windows, but only temporarily. I assumed Windows 7 would fix the problem. So I spent an evening installing Windows 7 Home Premium. The installation took less than forty minutes but downloading and installing the dozens of patches and driver updates took a few hours. This isn’t uncommon on such an older machine.
Windows 7 worked great for a few weeks. A fresh Windows 7 install seemed to fix the dreaded sleep mode issue. But its performance was still incredibly sluggish. Boot times took minutes. Programs wouldn’t launch quickly. Or when they did, they crashed under minimal use. I began to wonder if underlying problems with the hardware were the real culprits. I ran Windows update and installed drivers from the HP website. I’ve experienced the havoc a corrupted driver can cause, but Device Manager told me everything looked fine.
As I considered my options (tossing the laptop into my neighbor's yard was on the list, as was taking a baseball bat to it), I tweeted my dilemma. I've installed Windows 7 on several older systems, and each time, they came to life and performed at a much higher level than when they had XP or Vista installed. Windows 7 powers our three workstations at home, and we've had no major issues. Say what you will about Vista, but Microsoft came through in a big way with a solid product in 7. I could not figure out why I could not get this laptop running smoothly.
Several of my followers on Twitter suggested installing Ubuntu Linux. My first thought was they must be drunk or incredibly geeky. Given that Kim is the primary user of the laptop, installing any version of Linux sounded like a recipe for marital problems. Kim is very tech savvy, but installing Linux on her laptop just might push her into the Apple store. I've run various distributions of Linux for many years, but not on the desktop. I manage several blogs that run on Linux, so my experience is on the server side of the house. Kim has been a life-long Windows user. I must be crazy. But I had nothing to lose. Even if Ubuntu didn't work out, I've heard good things about it and have wanted to try it out for a while. At the very least, maybe I'll learn something.
So I decided to check out the Ubuntu website. I've heard that Ubuntu is user friendly. But compared to what? FreeBSD? The price was right (free) and the screenshots looked promising, so I decided to give it a shot. I downloaded the desktop version and burned an ISO to a USB stick. From there, I installed Ubuntu in about 40 minutes. Like Windows, it has a built-in software/driver update feature that worked incredibly well. It found my video card and my wireless adapter on the first pass. Impressive.
When the installation finished, Ubuntu suggested I reboot. I turned back to my computer for what seemed like 15 seconds and was absolutely shocked at how fast the laptop returned to the login screen. I didn’t believe it. So I held the power button down for a few seconds to force a cold reboot. Again, the login screen popped up in about 15 seconds. Stunning. I’ve never seen this type of performance on this old HP.
The speed! The speed! That’s been the theme from the first full day living with Linux on the laptop. I am keeping my fingers crossed it lasts. I installed Google Chrome for Linux, and it felt faster than the version of Firefox that installed with Ubuntu. Kim primarily needs access to a web browser for email, Facebook, and browsing. This resurrected HP handles those tasks with aplomb. I didn’t have time to show Kim around the UI this morning. But when I came home, she already had a number of Chrome tabs open while searching for recipes. Off to a good start.
If you’ve never seen the Ubuntu user interface, I think you’ll be surprised at how user friendly and polished it is. Even life-long Windows users should feel right at home. Yes, it’s different. But it’s certainly not difficult. I even found it fun to use while I discovered new ways of looking at an operating system.
Let’s hope it continues. Maybe I’ll look back and wonder why I didn’t try Ubuntu sooner. So far, it appears to be a great solution for older computers.
The takeaway is that there was nothing wrong with this user's hardware; the software running on it was the true culprit. People constantly assume a hardware problem when, truth be told, Windows is the source of the problem to begin with.
Google is pushing its new cloud computing effort, Chrome OS, as the future of computing. It is getting a lot of attention everywhere, probably more so because of the CR-48. However, one person is unconvinced by the concept; in fact, he is against this development. That person is none other than Richard Stallman, the main proponent of free software.
According to Stallman, Chrome OS means users losing control of their data. Although Chrome OS is based on GNU/Linux, it is quite different from other distributions in that it does not let users install their own software and stores as much data as possible in the cloud, which is to say on servers located somewhere else.
According to Stallman, if the data is stored on someone else's server, users even lose legal rights over it.
In the US, you even lose legal rights if you store your data in a company’s machines instead of your own. The police need to present you with a search warrant to get your data from you; but if they are stored in a company’s server, the police can get it without showing you anything. They may not even have to give the company a search warrant.
In fact, it is not just Chrome OS that Stallman is against – he is against the concept of Cloud Computing. He even mentioned that a better name for Cloud Computing would be “Careless Computing”.
This is what Stallman said about Cloud Computing:
I think that marketers like “cloud computing” because it is devoid of substantive meaning. The term’s meaning is not substance, it’s an attitude: ‘Let any Tom, Dick and Harry hold your data, let any Tom, Dick and Harry do your computing for you (and control it).’ Perhaps the term ‘careless computing’ would suit it better.
However the question now is do people really care? In fact many of us already have a lot of data in the cloud. All our emails are stored not with us but with Google, Microsoft, Yahoo! etc. Most of our browsing history is already online, millions of photos are with Facebook, Flickr etc. And with online storage services like Dropbox, Ubuntu One, our files are increasingly getting to the cloud. In fact even this website is located in a server we have never seen hundreds of kilometers away.
It is still possible for people to host their own email servers, their own websites and their own online storage. But few do, because not everyone has the expertise, and many who do have it do not consider it worth the trouble.
I agree with Stallman’s observation about Cloud Computing. However, unless there is a major goof-up by one of these companies, like misusing user’s data, people will simply not care about it.
On April 8, 2014, security patches and hotfixes for all versions of Windows XP will no longer be available, so PCs still running Windows XP will be exposed to any flaw discovered after that date with no fix coming.