Mozilla Delays Touch Browser

Mozilla has again delayed the release date for a touch-enabled version of Firefox that will run in Windows 8′s “Modern” user interface (UI), with the new target in mid-March.

Ship estimates for the browser have been fluid, to put it mildly. In August, the open-source developer pegged December 2013 as the target for the “Metro-ized” version of Firefox. In September, Mozilla said it was hoping to bundle Firefox Metro with the Windows edition of Firefox 27, slated for release on Feb. 4.

Metro was the name Microsoft once applied to the radical UI of Windows 8, but the company ditched the moniker in 2012 over a trademark dispute with a German retailer.

The newest information from Mozilla, however, has tapped March 18, when Firefox 28 is to ship, as the projected release of the browser.

Although a preview of Firefox Metro was bundled with the Aurora build of Firefox more than three months ago — and is currently in Aurora for Firefox 28 — it has not yet been promoted to the next channel, Beta, which is the precursor to Release. Mozilla has set a Jan. 31 deadline for deciding whether the touch browser is ready to add to Firefox 28 Beta.

Mozilla started work on a Metro edition of Firefox in March 2012. It shipped a rough preview in October 2012, several weeks before Microsoft launched Windows 8. At that time, Mozilla’s schedule said the Firefox app might appear as early as January 2013. In May 2013, however, the company said its developers would complete Firefox for Modern between Oct. 2, 2013, and March 20, 2014, with mid-November the likeliest date.

If Mozilla makes the targeted March 18 release, it will have spent two years crafting the browser, which will have shipped 17 months after the retail debut of Windows 8.

Although Mozilla has said it’s important that it have a Metro-ready browser to remain competitive — and Windows 8′s and Windows 8.1′s user share has climbed above the 10% mark– it’s unclear what percentage of those PC and tablet owners spend serious time in the UI, as opposed to the traditional Windows desktop.

Mozilla is also discussing a name for the browser, which was code named “Firefox Metro” during development and later was saddled with the label “Windows 8-style Firefox.”

One suggestion, forwarded by a Mozilla user experience designer, has been “Firefox Touch,” which got nods of approval from others in a Mozilla planning message forum.

“‘Windows 8-style Firefox’ is too long and already doesn’t make perfect sense with Windows 8.1 released, but will make less sense when Windows 9 comes out,” noted Brian Bondy, a Firefox platform engineer who has led the work on the Metro version. “I like Firefox Touch and I think we should go with that. It’s a product designed above all else for touch.”

Some, however, objected to labeling the browser as “Firefox Touch,” pointing out that that would downplay the Android browser Mozilla maintains, which is also touch-enabled.

“I agree with Jim that it should be simply Firefox, and that differentiation happens at the point of download,” countered Peter Scanlon, Mozilla’s acting chief marketing officer, in another message to the same discussion forum.

Source

Google Expands Malware Blocker

Google has expanded malware blocking in an early development build of Chrome to sniff out a wider range of threats than the browser already recognizes.

Chrome’s current “Canary” build — the label for very-early versions of the browser, earlier than even Chrome’s Dev channel — will post a warning at the bottom of the window when it detects an attempted download of malicious code.

Features added to the Canary build usually, although not always, eventually make it into the Dev channel — the roughest-edged of the three distributed to users — and from there into the Beta and Stable channels. Google did not spell out a timetable for the expanded malware blocking.

Chrome has included malware blocking for more than two years, since version 12 launched in June 2011, and the functionality was extended in February 2012with Chrome 17.

Chrome is now at version 30.

Canary’s blocking, however, is more aggressive on two fronts: It is more assertive in its alerts and detects more malware forms, including threats that pose as legitimate software and monkey with the browser’s settings.

“Content.exe is malicious, and Chrome has blocked it,” the message in Canary reads. The sole visible option is to click the “Dismiss” button, which makes the warning vanish. The only additional option, and that only after another click, is to “Learn more,” which leads to yet another warning.

In Canary, there is no way for the user to contradict the malware blocking.

That’s different than in the current Stable build of Chrome, which relies on a message that says, “This file is malicious. Are you sure you want to continue?” and gives the user a choice between tossing the downloaded file or saving it anyway.

As it has for some time, Chrome will show such warnings on select file extensions, primarily “.exe,” which in Windows denotes an executable file, and “.msi,” an installation package for Windows applications. Canary’s expansion, said Google, also warns when the user tries to download some less obvious threats, including payloads masquerading as legitimate software — it cited screen savers and video plug-ins in a  blog posting — that hijack browser settings to silently change the home page or insert ads into websites to monetize the malware.

Google’s malware blocking is part of its Safe Browsing API (application programming interface) and service, which Chrome, Apple’s Safari and Mozilla’s Firefox all access to warn customers of potentially dangerous websites before they reach them.

In Chrome’s case, the malware warning stems not only from the Safe Browsing “blacklist” of dodgy websites, but according to NSS Labs, a security software testing company, also from the Content Agnostic Malware Protection (CAMP) technology that Google has baked into its implementation of Safe Browsing.

Source

Will Skype 3RD Party API’s End?

Angry Developers, a breed not unlike Angry Birds but without the desire to fling themselves at naughty pigs, have started a petition asking Microsoft to withdraw its plan to switch off the desktop API for Skype.

The news follows Microsoft’s announcement that support for third party applications will end in December. The change.org petition explains, “The decision to discontinue Skype’s Desktop API impacts our ability to use Skype within my normal Skype calling activities.” It goes on to request that, “Skype/Microsoft provide continued support for third party Skype utilities that have become mission critical to Skype’s users.”

The API runs a range of services, including call recording clients, and in some cases third party hardware including certain headsets. Its discontinuation will most likely see problems for third party instant messaging (IM) services that rely on the API to aggregate IM services, as Skype does not use the Jabber protocol.

Microsoft’s explanation of this was fairly straightforward. It said, “The Desktop API was created in 2004 and it doesn’t support mobile application development. We have, therefore, decided to retire the Desktop API in December 2013.”

However, many developers who receive income from their products using the Skype API are unsatisfied with this.

Although Skype has had a mobile client dating back as far as Windows Mobile 5, it has never had parity with the desktop version and there remains some bewilderment as to why Microsoft has made this decision.

At the time of writing shortly after launch on Friday, the petition had 540 signatures and rising, showing that there is a groundswell of support for the initiative.

Source

Java 6 Security Hole Found

Security firms are urging users of Oracle’s Java 6 software to upgrade to Java 7 as soon as possible to avoid becoming the victims of active cyber attacks.

F-secure senior analyst Timo Hirvonen warned about the exploit this weekend over Twitter, advising that he had found an exploit in the wild actively targeting an unpatched vulnerability in Java 6, named CVE-2013-2463.

PoC for CVE-2013-2463 was released last week, now it’s exploited in the wild. No patch for JRE6… Uninstall or upgrade to JRE7 update 25.

— Timo Hirvonen (@TimoHirvonen) August 26, 2013

CVE-2013-2463 was addressed by Oracle in the June 2013 Critical Patch Update for Java 7. Java 6 has the same vulnerability, as Oracle acknowledged in the update, but since Java 6 became unsupported in April 2013, there is no patch for the Java 6 vulnerability.

Cloud security provider Qualys described the bug as an “implicit zero-day vulnerability”. The firm’s CTO Wolfgang Kandek said he had seen it included in the spreading Neutrino exploit kit threat, which “guarantees that it will find widespread adoption”.

“We know about its existence, but do not have a patch at hand,” Kandek said in a blog post. “This happens each time a software package loses support and we track these instances in Qualysguard with our ‘EOL/Obsolete’ detections, in this case.

“In addition, we still see very high rates of Java 6 installed, a bit over 50 percent, which means many organisations are vulnerable.”

Like F-secure, Kandek recommended that any users with Java 6 upgrade to Java 7 as soon as they can.

“Without doubt, organisations should update to Java 7 where possible, meaning that IT administrators need to verify with their vendors if an upgrade path exists,” he added.

Source

Google Updates It’s SSL Certificate

Google has announced plans to upgrade its Secure Sockets Layer (SSL) certificates to 2048-bit keys by the end of 2013 to strengthen its SSL implementation.

Announcing the news on a blog post today, Google’s director of information security engineering Stephen McHenry said it will begin switching to the new 2048-bit certificates on 1 August to ensure adequate time for a careful rollout before the end of the year.

“We’re also going to change the root certificate that signs all of our SSL certificates because it has a 1024-bit key,” McHenry said.

“Most client software won’t have any problems with either of these changes, but we know that some configurations will require some extra steps to avoid complications. This is more often true of client software embedded in devices such as certain types of phones, printers, set-top boxes, gaming consoles, and cameras.”

McHenry advised that for a smooth upgrade, client software that makes SSL connections to Google, for example, HTTPS must: “perform normal validation of the certificate chain; include a properly extensive set of root certificates contained […]; and support Subject Alternative Names (SANs)”.

He also recommended that clients support the Server Name Indication (SNI) extension because they might need to make an extra API call to set the hostname on an SSL connection.

He pointed out some of the problems that the change might trigger, and pointed to a FAQ addressing certificate changes, as well as instructions for developers on how to adapt to certificate changes.

F-secure’s security researcher Sean Sullivan advised, “By updating its SSL standards, Google will make it easier to spot forged certificates.

“Certificate authorities have been abused and/or hacked in the past. I imagine it will be more difficult to forge one of these upgraded certs. Therefore, users can have more confidence.”

Source

Mozilla Touts WebRTC

Mozilla has shown off WebRTC integration in its Firefox web browser, demonstrating real-time video conferencing and file transfer capabilities.

All major web browser developers have started to integrate the WebRTC protocol and now Mozilla has shown off how far its integration has come. The firm demonstrated working video conferencing, file transfer and sharing capabilities through the Firefox web browser.

Mozilla was keen to push its implementation of the Datachannels API that is part of WebRTC to allow instant messaging and file transfer. The firm’s impressive demonstration shows off seamless sharing between two clients that had initiated a video conversation, with tabs and files being sent and viewed with little user interaction.

Mozilla’s demonstration does highlight the need for tight sandboxing within the web browser, however as a peer-to-peer protocol that automatically encrypts communications between two hosts, WebRTC could challenge some existing closed communication protocols such as Skype.

Maire Reavy, product lead for Firefox Platform Media at Mozilla said, “WebRTC is a powerful new tool that enables web app developers to include real-time video calling and data sharing capabilities in their products. While many of us are excited about WebRTC because it will enable several cool gaming applications and improve the performance and availability of video conferencing apps, WebRTC is proving to be a great tool for social apps.”

Mozilla didn’t say when its WebRTC implementation will enter the stable release channel, however given the outfit’s rapid release schedule, it should be a matter of weeks rather than months.

Source…

Mozilla Fixes Major Security Issues

Mozilla has fixed a number of security vulnerabilities in the latest versions of its internet applications, including Firefox 14, Thunderbird 14 and Seamonkey 2.11.

Following the release of its Firefox 14 browser for desktop operating systems on Tuesday, Mozilla said it has removed security holes in the Gecko rendering engine that all the applications run, some of which it rated as “critical”.

The bugs fixed included a code execution problem related to javascript URLs, a JSDependentString::undepend string conversion bug that can be exploited to cause a crash and a same-compartment Security Wrappers bypass issue.

Critical use-after-free problems, an out-of-bounds read bug, and a bad cast in the Gecko engine that could lead to memory corruption have also been addressed, Mozilla said.

These bugs were deemed “critical” due to their vulnerability to being exploited remotely by hackers that could execute arbitrary code on an unsuspecting victim’s system.

Source…

Sprint Will Support Mozilla’s Mobile OS

A new operating system for mobile phones, similar to the Mozilla Firefox internet browser has got the backing of several major telecom companies, turning up the heat on Google and Apple in the smartphone market.

Mozilla said on Monday that mobile network operators Deutsche Telekom, Sprint, Smart, Telecom Italia, Telenor and Etisalat are backing the Firefox platform.

The non-profit organization which evolved from Netscape after the internet browser wars 14 years ago, said phone makers ZTE and TCL Communication Technology will roll out the first Firefox OS phones using Qualcomm’s Snapdragon processors in early 2013.

Mozilla, which fosters the collective development of open-source Web applications, currently generates most of its income from a contract which makes Google the default search provider for Firefox users.

Broad support from telecom companies and handset makers is crucial for any new smartphone platform to take off in a market increasingly dominated by Google’s Android software, which has a market share of around 60 percent, while Apple’s iPhones run on its proprietary iOS software.

Source…

Kindle Fire Raises Privacy Concerns

Amazon told a Massachusetts congressman that the Silk browser in its Kindle Fire tablet doesn’t pose a privacy threat to customers, but the lawmaker wasn’t satisfied with that statement.

U.S. Rep. Ed Markey (D-Mass.), the co-chairman of a congressional caucus on consumer privacy, on Tuesday released the results of questions he had put to Amazon CEO Jeff Bezos in October about Silk and the data it collected.

Markey wasn’t happy with Amazon’s answers.

“Amazon’s responses to my inquiries do not provide enough detail about how the company intends to use customer information, beyond acknowledging that the company uses this valuable information,” said Markey in a statement.

“Amazon states ‘Customer information is an important part of our business,’ but it is also important for customers to know how the company uses their personal information,” Markey continued. “Amazon is collecting a massive amount of information about Kindle Fire users, and it has a responsibility to be transparent with its customers. I plan to follow-up with the company for additional answers on this issue.”

Silk, which is based on the open-source WebKit engine, connects to Amazon’s cloud service and servers by default. The service will handle much of the work of composing Web pages, pre-rendering and pre-fetching content, and squeezing the size of page components, a way, claimed Amazon, to speed up browsing on low-powered devices like the Kindle Fire.

Source….

Apple Has A Hole In MAC OS X

Apple has failed to fix a bug in its Mac OS X operating system that allows processes to bypass the sandbox protection in place.

The flaw was discovered by Anibal Sacco and Matias Eissler from Core Security Technologies. They let Apple know about the problem on 20 September, and while Apple acknowledged their submission, it said that it did not see any security threat, forcing the Core Security Technologies team to publish the report to the public this month.

The problem appears to be with the use of Apple events in several default profiles, including the no-network and no-internet ones. When Apple events are dispatched a process can escape the sandbox, which could be exploited by hackers.

The vulnerability could lead to a compromised application restricted by the use of the no-network profile gaining access to network resources through the use of Apple events to execute other applications that are not restricted by the sandbox, making it a significant security threat.

Only the more recent versions of Mac OS X are vulnerable to this bug, including 10.5.x, 10.6.x, and 10.7.x. Those using 10.4.x are safe from the exploit.

Source…

« Previous Page — Next Page »