Originally posted here: 
Chrome, Chrome OS Updated With First “Elite” Bug Squashed

See original here: 
So Google, You’ll Be Dropping Support For Flash Next, Right?

Read the original here: 
Why I’m Having Second Thoughts About The Wisdom Of The Cloud

BOSTON (Reuters) – Microsoft Corp issued its biggest-ever security fix on Tuesday, including repairs to its ubiquitous Windows operating system and Internet browser for flaws that could let hackers take control of a PC.

The new patches aim to fix a number of vulnerabilities including the notorious Stuxnet virus that attacked an Iranian nuclear power plant and other industrial control systems around the world.

Microsoft said four of the new patches — software updates that write over glitches — were of the highest priority and should be deployed immediately to protect users from potential criminal attacks on the Windows operating systems.

Microsoft said it also repaired other less serious security weaknesses in Windows, along with security problems in its widely used Office software for PCs and Microsoft Server software for business computers.

Microsoft released 16 security patches to address 49 problems in its products, many of which were discovered by outside researchers who seek out such vulnerabilities to win cash bounties as well as notoriety for their technical prowess.

“This is a huge jump,” said Amol Sarwate, a research manager with computer security provider Qualys Inc. “I think the reason for it is that more and more people are out there looking for vulnerabilities.”

The geeks who report such vulnerabilities to software makers are known as “white hat” hackers. Sarwate warned that there are also plenty of “black hats,” or criminal hackers who look for vulnerabilities in software that they can exploit to launch attacks on computer systems.

Indeed, the world’s biggest software maker said that the patches released on Tuesday include software to fix a vulnerability exploited by the Stuxnet virus — a malicious program that attacks PCs used to run power plants and other infrastructure running Siemens industrial control systems.

The virus, which infected computers at Iran’s Bushehr nuclear power plant, was discovered over the summer. Security research Symantec said that it detected the highest concentration of the virus on computer systems in Iran, though it was also spotted in Indonesia, India, the United States, Australia, Britain, Malaysia and Pakistan.

So far Microsoft has patched three of the four vulnerabilities exploited by Stuxnet’s unknown creators.

The total of 49 vulnerabilities exceeds the previous record of 34, which was set in October 2009 and matched in June and August of this year.

The constant patching of PCs is a time-consuming process for corporate users, who need to test the fixes before they deploy them to make sure they do not cause machines to crash because of compatibility problems with existing software.

Source” Yahoo!

A 17-year-old boy from Australia claims he inadvertently triggered a chain of events that led to thousands of people being affected by a Twitter security flaw yesterday. But it all may have been started by a Japanese developer a couple of hours earlier.

Pearce Delphin, or @zzap on Twitter (Twitter), says he exposed the security flaw by tweeting a piece of code with an onMouseOver JavaScript function, which caused a pop-up to appear when a user merely moves his mouse cursor over the message.

Very soon, the code was modified to do other sorts of things – perform auto retweets, open pornographic websites and generally create havoc on Twitter, which lasted a couple of hours until Twitter admins patched the vulnerability.

“I did it merely to see if it could be done … that JavaScript really could be executed within a tweet. At the time of posting the tweet, I had no idea it was going to take off how it did. I just hadn’t even considered it,” Delphin told AFP via e-mail.

“I discovered a vulnerability, I didn’t create a self-replicating worm. As far as I know, that isn’t technically illegal,” Delphin said. He hopes he won’t get into trouble, but he very well could – the proper course of action in situations like these is reporting such a vulnerability to Twitter. Exposing a security flaw like he did, even inadvertently, is at the very least an error in judgment.

However, in this case, the flaw was so elementary and spread so fast that it’s hard to point at Delphin and consider him solely responsible for the damage it caused (which, according to Twitter, was not very big, despite the fact that the flaw was potentially extremely dangerous). Delphin (together with several others, for example Scandinavian developer Magnus Holm) claims he merely modified the idea from another user who had used the code to make his tweets colored, meaning he was not the first to expose the flaw.

The “other user” was probably a Japanese developer called Masato Kinugawa said he reported the XSS vulnerability to Twitter on August 14, which was subsequently patched, but he later discovered that the vulnerability was exploitable again. He then created a Twitter account called RainbowTwtr, which he used to prove that the flaw could be used to create colored tweets.

This is in line with Twitter’s account of the incident. From Twitter’s official blog: “We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.”

One thing about the entire incident causes concern: the vulnerability was too easy to exploit, and it spread amazingly fast. Twitter should take a good look at its security before an attack similar to this one causes a lot more damage.

Source: Mashable

Internet service providers often tell their clients that they offer “bullet-proof hosting.” Whistle-blower organization Wikileaks, it seems, will settle for nothing less than “bomb-proof.”

Some portion of Wikileaks’ servers have been moved to the “Pionen” White Mountains data center owned by Swedish broadband provider Bahnhof, as first reported by Norwegian news site VG Nett last Friday. That data center will store Wikileaks’ data 30 meters below ground inside a Cold-War-era nuclear bunker carved out of a large rock hill in downtown Stockholm. The server farm has a single entrance and is protected by half-meter thick metal doors–fitting safeguards, perhaps, for an organization that raised the ire of several powerful military forces last month when it released thousands of classified Afghanistan war documents.

Earlier in August the copyright-flouting Swedish Pirate Party began hosting Wikileaks’ IT operations, and it’s not clear exactly why it’s chosen to move Wikileaks’ servers to the Pionen facility. The threat of law enforcement physically seizing the organization’s equipment, after all, is much less likely than a legal attempt to gain direct access to Wikileaks’ data. Last year the Swedish government put a crack in the country’s strong free speech protections when it passed a controversial law allowing surveillance of Internet traffic by the FRA, a law enforcement agency.

But Stockholm-based Bahnhof executive Jon Karlung tells me in an interview that the company’s data center is “a kind of metaphor” for Bahnhof’s commitment to resist any sort of intrusion, physical or legal. “We’re proud to have clients like these,” he says. “The Internet should be an open source for freedom of speech, and the role of an ISP is to be a neutral technological tool of access, not an instrument for collecting information from customers.”

Karlung says Bahnhof has not yet complied with Sweden’s new FRA surveillance law. “We have an unbroken chain of fiber-optic cables that cover 2,300 kilometers,” says Karlung. “We’re positive that [government agencies] haven’t installed any equipment yet. That day will come, and when it does we’ll inform all clients that they’re surveilled by the Swedish government.”

Wikileaks has likely spread its servers well beyond any single data center, including other facilities in Sweden and Iceland, and it’s also posted an encrypted file labeled “insurance” on its site, potentially to be used as a threat of further data spillage aimed at preventing attacks on the site or its volunteer staff.

In the coming weeks, Wikileaks has said it will release another 15,000 documents related to the war in Afghanistan. As the controversy around the site mounts, it may need every protection it can find.

Assange and Falkvinge sign the hosting agreement

After releasing more than 90,000 government documents last month related to the war in Afghanistan, Wikileaks was labeled a serious threat by the U.S. Government. With more leaks coming up, Wikileaks can use all the support it can get, especially from political movements around the globe.

One of the political parties that has shown interest in helping Wikileaks is the Swedish Pirate Party. Two weeks ago they offered to host the whistleblower site, and during a visit to Sweden Wikileaks’ Julian Assange accepted this offer and signed a deal.

“I’m delighted that we’re able to help WikiLeaks,” Pirate Party leader Rick Falkvinge told TorrentFreak in a response to the news that was made public today.

“I love opportunities to demonstrate that one of the biggest differences between us and the other parties is that we positively leap at any and all changes to take real responsibility for changing the world, rather than just commission reports and avoiding blame like the archetypal politician,” Falkvinge added.

For Wikileaks, support from the Swedish Pirate Party is a significant win. If the Party is voted into Parliament next month it could use Parliamentary immunity to run the site from inside the Swedish Government, making it impossible to take it offline through legal procedures.

“We welcome the help provided by the Pirate Party,” Wikileaks spokesman Julian Assange said commenting on the agreement. “Our organisations share many values and I am looking forward to future ways we can help each other improve the world.”

Aside from hosting, Assange also hopes that the new Swedish Parliament will assist the site in other ways. Passing legislation that guarantees press freedom so Wikileaks and similar operations can do their work freely, is high on his wish list.

“We hope that the new Parliament will give serious consideration to further strengthening Sweden’s press protection legislation. Western democracies are not always as free as one might think, and freedom of the press needs constant vigilance,” Assange said.

“In particular, we would welcome Sweden copying Iceland’s Modern Media Initiative, something that the Pirate Party also desires.”

Pirate Party leader Falkvinge further stressed the importance of Wikileaks’ work, which has been sabotaged by corrupt or abusive organizations that try to conceal the truth from the public. “We desire to contribute to any effort that increases transparency and accountability of power in the world,” he said.

Assange on his turn recognized that his organization is fighting for much of the same ideals as the Pirate Party, and said that there might be more joint projects between the two outfits in the future. “We see more opportunities down the road in cooperating with the Pirate Party and look forward to exploring those options,” Assange noted.

Source: TorrentFreak

TechCrunch

Popular technology blog Techcrunch has been hacked and is currently down with all but a message noting that the site has indeed been compromised.

The blog has experienced frequent downtime of late but as have other blogs who host on Rackspace including, Mashable and The Inquisitr – we fortunately aren’t (we’re with Slicehost, owned by Rackspace interestingly enough).

This case appears different however with other blogs remaining live and Techcrunch admitting they had been targeted with a message that reads:

Earlier tonight techcrunch.com was compromised by a security exploit.
We’re working to identify the exploit and will bring the site back online shortly.

Earlier, presumably when the initial hack took place, text with a link to a rapid share download site was posted:

Oddly enough, sister blog CrunchGear is running smoothly, which indicates that TechCrunch in particular rather than its network was targeted.

The irony here of course, as it would be for us, is TechCrunch is a reliable source for information on site downtime.

More info over at Inquisitr and and Technologizer.

Update:

TechCrunch is now back up, interestingly all comments gone. Stay tuned for more info as to what happened.

Update 2:

A statement now on the blog reads:
“As some people noticed, at approximately 10:30 pm PST on Monday evening the main site in the TechCrunch Network – techcrunch.com – was hacked and redirected. The site was back up briefly at 11:30 pm but shortly went down again. As of 2:00 am, the site is back up and appears to be stable.

At this point we’re still gathering information on how the site was compromised, and will update this post with additional information.”

Source: thenextweb

Microsoft Learned of IE Zero-Day Flaw Last September

Microsoft was aware months ago of a critical security vulnerability well before hackers exploited it to breach Google, Adobe and other large U.S. companies but did not patch the hole until Thursday.

The software giant had intended to release a patch for the flaw in February — more than four months after learning about it — but had to speed up that plan and roll it out this week in the wake of news that Google and others had been hacked through the flaw, the world’s largest software maker acknowledged Thursday.

Meron Sellen, a security researcher at BugSec, an Israeli firm, quietly reported the vulnerability to Microsoft in September, according tosecurity firm Kaspersky.

Microsoft confirmed it learned of the so-called “zero-day” flaw months ago.

According to Microsoft, “An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The flaw, which primarily affected IE6, allowed hackers to download malware to employee computers to gain access to intellectual property at Google, as well as information connected to Gmail users. It’s unknown what the hackers obtained from some 33 other companies — hi-tech, financial and defense — that were also targeted in the attack.

Although Microsoft recognized the severity of the flaw at the time Sellen reported it, the company held off releasing a patch so it could be included in a cumulative update for IE planned next month, the company said.

A zero-day flaw is a vulnerability for which there is currently no patch. It’s also a flaw that is generally unknown to the software vendor, which gives hackers who may be aware of the flaw a jump on developing malware to exploit it.

It’s unknown if other companies were breached through the flaw prior to the high-profile hacks disclosed last week. Most companies are unwilling to acknowledge a breach, let alone provide public details about how they were hacked.

Google disclosed last week it discovered in mid-December that it had been hacked in an attack originating from China, about three months after Microsoft learned of the vulnerability. Adobe followed Google, announcing it, too, was hacked. Security firm iDefense said it had information that at least 34 companies were breached in the coordinated attack.

On Thursday, meanwhile, Microsoft released a cumulative security update for Internet Explorer that fixes the flaw, as well as seven other security vulnerabilities that would allow an attacker to remotely execute code on a victim’s computer.

“Our investigation into this responsibly reported vulnerability began early September,” Jerry Bryant, senior security program manager for Microsoft, said in a statement. “As part of this investigation we began working on an update to help protect customers. We became aware of the recent attacks in mid-January and as part of our investigation determined the vulnerability being used in these attacks was similar to the one investigated in September.

Source: wired

Component Directory Lockdown – New in Firefox 3.6

We hate crashes. When Firefox crashes, we try to get you back on your feet as quickly as possible, but we’d much rather you not crash in the first place. In Firefox 3.6, we are changing the way that some third party software hooks into Firefox which should eliminate a good chunk of those crashes without sacrificing our extensibility in any way. In the process, we’ll also be giving you greater control over the code that runs in your browser.

Background

Firefox is built around the idea of extensibility – it’s part of our soul. Users can install extensions that modify the way their browser looks, the way it works, or the things it’s capable of doing. Our add-ons community is an amazing part of the Mozilla ecosystem, one we work hard to grow and improve.

In addition to the standard mechanism for extending the browser via add-ons and plugins, though, there has historically been another way to do it. Third-party applications installed on your machine would sometimes try extend Firefox by just adding their own code directly to the “components” directory, where much of Firefox’s own code is stored.

There are no special abilities that come from doing things this way, but there are some significant disadvantages.  For one thing, components installed in this way aren’t user-visible, meaning that users can’t manage them through the add-ons manager, or disable them if they’re encountering difficulties. What’s worse, components dropped blindly into Firefox in this way don’t carry version information with them, which means that when users upgrade Firefox and these components become incompatible, there’s no way to tell Firefox to disable them. This can lead to all kinds of unfortunate behaviour: lost functionality, performance woes, and outright crashing – often immediately on startup.

In Firefox 3.6 (including upcoming beta refreshes), we’re closing this door. Third party applications can still extend Firefox via add-ons and plugins the way they always could, but the components directory will be for Firefox only.

What Does This Mean For Me?

If you’re a Firefox user, this should be 100% positive. You don’t have to change anything, your regular add-ons should continue to work properly – you just might notice fewer crashes or odd bugs. If you do notice that something has stopped working, particularly a third party addition to Firefox, you might want to contact the producer of that addition to ensure they know about the change.

If you’re a Firefox component developer, this shouldn’t be a big change, either. If you’re already packaging your additions as an XPI, installed as an add-on it’s business as usual. If you have been dropping components directly, though, you’ll need to change to an XPI-based approach. Our migration document on the Mozilla Developer Connection outlines the changes you’ll need to make, and should be pretty straightforward. The good news is that once you’ve done this, your add-on will actually be visible to users and will support proper version information so that our shared users are guaranteed a more positive experience.

If you haven’t downloaded the new Firefox beta yet, and want to give it a spin, you can find a copy here.

Source: mozilla developer center