Researcher locates HTML 5 exploit, floods hard drive with cat images in proof of concept video

Posted by:
Date: Monday, March 4th, 2013, 07:32
Category: News, security, Software


Inasmuch as Java and Adobe Flash Player have taken recent beatings where security is concerned, apparently no platform is safe.

Per the BBC, a recently discovered flaw in the HTML 5 coding language could allow websites to bombard users with gigabytes of junk data, with a number of popular browsers being open to the vulnerability.

According to developer Feross Aboukhadijeh, who uncovered the bug this week and posted it to his blog, data dumps can be performed on most major Web browsers, including Apple’s Safari, Google’s Chrome, Microsoft’s Internet Explorer and Opera, the BBC reported. The only browser to stop data dump tests was Mozilla’s Firefox, which capped storage at 5MB.

If in doubt, this proof of concept video sorta says it all…:



The problem is rooted in how HTML 5 handles local data storage. While each browser has different storage parameters, many of which support user-definable limits, all provide for at least 2.5 megabytes of data to be stored on a user’s computer.

Aboukhadijeh discovered a loophole that bypasses the imposed data cap by creating numerous temporary websites that are linked to a user-visited site. Because most browsers don’t account for the contingency, the secondary sites were allowed local storage provisions in amounts equal to the primary site’s limit. By generating a multitude of linked websites, the bug can dump enormous amounts of data onto affected computers.
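The accounting gap described above can be modeled in a few lines. This is an added example, not Aboukhadijeh's code or any browser's implementation: it compares a quota ledger keyed per origin with one keyed per site. The 5 MB cap, the `site.example` hostnames, the count of 200 subdomains and the "last two labels" site rule are assumptions made for illustration.

```javascript
// Added illustration: storage quota charged per origin vs. per site.
const LIMIT = 5 * 1024 * 1024; // assumed 5 MB cap per accounting key

// Assumption: the last two host labels identify the site. A real browser
// would consult the Public Suffix List instead of counting labels.
function siteOf(origin) {
  return new URL(origin).hostname.split('.').slice(-2).join('.');
}

function originOf(origin) {
  return new URL(origin).origin;
}

class QuotaLedger {
  constructor(keyFn, limit = LIMIT) {
    this.keyFn = keyFn;     // maps an origin to the key that gets charged
    this.limit = limit;
    this.used = new Map();  // key -> bytes stored
  }
  // Accept the write only if the charged key stays within its cap.
  write(origin, bytes) {
    const key = this.keyFn(origin);
    const current = this.used.get(key) || 0;
    if (current + bytes > this.limit) return false;
    this.used.set(key, current + bytes);
    return true;
  }
  total() {
    let sum = 0;
    for (const v of this.used.values()) sum += v;
    return sum;
  }
}

// Constructed input: one visited site plus `subdomains` linked hosts,
// each writing 1 MB chunks until the ledger refuses.
function simulate(ledger, subdomains, chunk = 1024 * 1024) {
  const origins = ['http://site.example'];
  for (let i = 1; i <= subdomains; i++) {
    origins.push(`http://s${i}.site.example`);
  }
  for (const o of origins) {
    while (ledger.write(o, chunk)) { /* keep writing until refused */ }
  }
  return ledger.total();
}

const perOriginBytes = simulate(new QuotaLedger(originOf), 200);
const perSiteBytes = simulate(new QuotaLedger(siteOf), 200);
console.log({ perOriginBytes, perSiteBytes });
```

With per-origin keys every linked host gets a fresh cap, so the total grows with the number of hosts; with per-site keys the whole family shares one cap.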

In testing the flaw, Aboukhadijeh was able to dump 1GB of data every 16 seconds on his SSD-equipped MacBook Pro with Retina display. He noted that 32-bit browsers like Chrome may crash before a disk is filled.

“Cleverly coded websites have effectively unlimited storage space on visitor’s computers,” Aboukhadijeh wrote in a blogpost.

The developer has released code to exploit the bug and has created a dedicated website called Filldisk to highlight the flaw. In true internet meme fashion, the site dumps images of cats on to an affected machine’s hard drive.

Bug reports have already been sent to makers of the affected Web browsers, and Aboukhadijeh said malicious use of his code has yet to be seen in the wild.

Stay tuned for additional details as they become available.

Google opens Maps API to entire developer base

Posted by:
Date: Friday, February 22nd, 2013, 08:04
Category: News, Software


Well, this is one pretty definite way to win the GPS app war…

Per The Unofficial Apple Weblog, Google has expanded its Google Maps SDK for iOS developers. The SDK, which was quietly launched back in December, allowed developers to do two things: first, they could embed Google Maps in their apps instead of Apple Maps, and second, they could specify in their apps whether an address or directions should be opened in Apple Maps or the Google Maps app. However, in order to access the SDK, iOS developers had to register their interest and wait in line to be approved, which led to a limited number of third-party apps bringing Google Maps back.

Google has now released version 1.1 of Google Maps SDK for iOS. Not only does the updated SDK include support for ground overlays, gesture control and geodesic polylines, it makes the Google Maps API immediately available to all developers that want it. Now a developer simply needs to grab their keys from the Google API Console.

With the release of Google Maps SDK for iOS version 1.1 users can expect to see a quick uptick in the number of iOS apps that are using Google Maps again.

If you’ve had a chance to play with the new SDK, please let us know.

Google Chrome updated to 25.0.1364.99

Posted by:
Date: Friday, February 22nd, 2013, 07:59
Category: News, Software


Ya can’t knock a regular update.

On Thursday, Google released version 25.0.1364.99 of its Chrome web browser. The update, a 46.8 megabyte download, adds the following fixes and changes:
- Improvements in managing and securing your extensions.

- Better support for HTML5 time/date inputs.

- Javascript speech API support.

- Better WebGL error handling.

- And lots of other features for developers.

Google Chrome 25.0.1364.99 requires an Intel-based Mac with Mac OS X 10.6 or later to install and run. If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Google Chrome updated to 24.0.1312.57

Posted by:
Date: Thursday, January 31st, 2013, 07:25
Category: News, Software


An update’s an update.

Late Wednesday, Google released version 24.0.1312.57 of its Chrome web browser. The update, a 46.8 megabyte download, adds the following fixes and changes:
- Mac: r177690 Fix renderer crashes when using certain IMEs. (Issue 152566)

- Mac: r178517 Fix microphone input dropout with Pepper Flash. (Issue 168859)

- Chrome Frame: r178591 Fix renderer exiting in certain cases when opening a new Window from Chrome Frame. (Issue 171877)

Google Chrome 24.0.1312.57 requires an Intel-based Mac with Mac OS X 10.6 or later to install and run. If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Microsoft announces Office 365 Home Premium for Macs, PCs and Windows tablets, points to February 27th release date

Posted by:
Date: Tuesday, January 29th, 2013, 08:05
Category: News, Software


If you were wondering when Office 2013 would find its way to the Mac, it’s on its way come February 27th.

And in a subscription model.

Per CNET, after existing in preview form since last summer, Office 2013, the next version of Microsoft’s productivity software, is now available for download.

The company has begun offering users Office Home and Student 2013 with all the familiar apps like Word and Excel for a one-time fee of US$139. Since this stand-alone package won’t entitle you to any subsequent upgrades, Microsoft is also offering a more complete subscription model for US$99 per year that delivers the various updates over the coming months and years.

The package offers the following:
- The latest and most complete set of Office applications: Word, Excel, PowerPoint, OneNote, Outlook, Publisher and Access.

- One license for the entire household to use Office on up to five devices, including Windows tablets, PCs or Macs, and Office on Demand available from any Internet-connected PC.

- An additional 20 GB of SkyDrive cloud storage, nearly three times the amount available with a free SkyDrive account.

- 60 free Skype world calling minutes per month to call mobile phones, landlines or PCs around the world.

- Future upgrades, so you always use the latest time-saving technology.

Microsoft also announced today the cloud-connected Microsoft Office Home and Business, though you won’t be able to snatch it up until February 27. You can get it for a one-time fee of US$219 or as a subscription for US$150 per year.

And along with the new software, Microsoft’s Office.com Web site has received a refresh in both look and functionality. The Web site lets you manage your account, set up and check the status of your subscription, and download the Office software to your computer.

Office 365 Home Premium for the Mac requires the following specs to install and run:
- 1 GHz or faster x86 or 64-bit processor with SSE2 instruction set (PC); Intel processor (Mac).

- 1 GB RAM (32-bit or Mac) / 2 GB RAM (64-bit).

- 3.0 GB of available disk space (PC); 2.5 GB HFS+ hard disk format (Mac).

- 1024×576 or higher resolution monitor.

- Windows 7, Windows 8, Windows 2008 R2 with .NET 3.5 or later (PC); Mac OS X 10.5.8 or later (Mac).

- Graphics hardware acceleration requires DirectX10 graphics card with 1024 x 576 resolution.

- Microsoft Internet Explorer 8, 9, or 10; Mozilla Firefox 10.x or later; Apple Safari 5; or Google Chrome 17.x.

A full 30 day trial can be found and downloaded from here.

If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Google Chrome updated to 24.0.1312.56

Posted by:
Date: Wednesday, January 23rd, 2013, 07:07
Category: News, Software


You can’t knock a decent web browser update.

Late Tuesday, Google released version 24.0.1312.56 of its Chrome web browser. The update, a 46.8 megabyte download, adds the following fixes and changes:
- Fixed performance of mouse wheel scrolling. [Issue: 160122]

- Fixed visited links regression. [Issue: 160025]

Google Chrome 24.0.1312.56 requires an Intel-based Mac with Mac OS X 10.6 or later to install and run. If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Opera demos “Ice” web browser for iOS, Android devices

Posted by:
Date: Monday, January 21st, 2013, 08:59
Category: iPad, iPhone, News, Software


It never hurts to have a wider array of web browser choices for your iOS device.

Per Pocket Lint and AppleInsider, Opera Software on Friday unveiled its latest project, a WebKit-based mobile browser called “Opera Ice” that is specifically designed for screen formats seen on popular smartphones and tablets, including the iPhone and iPad.

In an internal video released on Friday, Opera gave a brief look at a beta of the new app, which features an icon-based interface much like the optional homescreens seen on desktop versions of Apple’s Safari and Google’s Chrome browsers.



According to the developers, the app was designed to hide the usual clutter seen with modern web browsers, including the ubiquitous URL bar, that takes up limited screen real estate on mobile devices. The so-called “full touch browser” does away with buttons and menus to create a spartan user interface driven by screen taps and gestures.

Instead of the Presto rendering engine that Opera has used for years, Ice is based on WebKit, the same engine used by both Apple and Google. The move is meant to keep Opera in the fast-changing mobile market.

“We need to focus on getting strong products out on iOS and Android,” said Opera CEO Lars Boilesen.

As for the company’s current mobile solution, Opera Mini, Boilesen said that it won’t be replaced by Ice. Instead, the platform will be leveraged to generate users that will eventually be migrated over to new mobile apps. Opera Ice is expected to debut sometime in February, while a new unannounced desktop browser is slated for a March release.

Stay tuned for additional details as they become available.

Google Chrome updated to 24.0.1312.52

Posted by:
Date: Friday, January 11th, 2013, 07:43
Category: News, Software


If you love Google Chrome, it’s your lucky day.

Late Thursday, Google released version 24.0.1312.52 of its Chrome web browser. The update, a 46.8 megabyte download, adds the following fixes and changes:

- [$1000] [162494] High CVE-2012-5145: Use-after-free in SVG layout. Credit to Atte Kettunen of OUSPG.

- [$4000] [165622] High CVE-2012-5146: Same origin policy bypass with malformed URL. Credit to Erling A Ellingsen and Subodh Iyengar, both of Facebook.

- [$1000] [165864] High CVE-2012-5147: Use-after-free in DOM handling. Credit to José A. Vázquez.

- [167122] Medium CVE-2012-5148: Missing filename sanitization in hyphenation support. Credit to Google Chrome Security Team (Justin Schuh).

- [166795] High CVE-2012-5149: Integer overflow in audio IPC handling. Credit to Google Chrome Security Team (Chris Evans).

- [165601] High CVE-2012-5150: Use-after-free when seeking video. Credit to Google Chrome Security Team (Inferno).

- [165538] High CVE-2012-5151: Integer overflow in PDF JavaScript. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.

- [165430] Medium CVE-2012-5152: Out-of-bounds read when seeking video. Credit to Google Chrome Security Team (Inferno).

- [164565] High CVE-2012-5153: Out-of-bounds stack access in v8. Credit to Andreas Rossberg of the Chromium development community.

- [Windows only] [164490] Low CVE-2012-5154: Integer overflow in shared memory allocation. Credit to Google Chrome Security Team (Chris Evans).

- [Mac only] [163208] Medium CVE-2012-5155: Missing Mac sandbox for worker processes. Credit to Google Chrome Security Team (Julien Tinnes).

- [162778] High CVE-2012-5156: Use-after-free in PDF fields. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.

- [162776] [162156] Medium CVE-2012-5157: Out-of-bounds reads in PDF image handling. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.

- [162153] High CVE-2013-0828: Bad cast in PDF root handling. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.

- [162114] High CVE-2013-0829: Corruption of database metadata leading to incorrect file access. Credit to Google Chrome Security Team (Jüri Aedla).

- [Windows only] [162066] Low CVE-2013-0830: Missing NUL termination in IPC. Credit to Google Chrome Security Team (Justin Schuh).

- [161836] Low CVE-2013-0831: Possible path traversal from extension process. Credit to Google Chrome Security Team (Tom Sepez).

- [160380] Medium CVE-2013-0832: Use-after-free with printing. Credit to Google Chrome Security Team (Cris Neckar).

- [154485] Medium CVE-2013-0833: Out-of-bounds read with printing. Credit to Google Chrome Security Team (Cris Neckar).

- [154283] Medium CVE-2013-0834: Out-of-bounds read with glyph handling. Credit to Google Chrome Security Team (Cris Neckar).

- [152921] Low CVE-2013-0835: Browser crash with geolocation. Credit to Arthur Gerkis.

- [150545] High CVE-2013-0836: Crash in v8 garbage collection. Credit to Google Chrome Security Team (Cris Neckar).

- [145363] Medium CVE-2013-0837: Crash in extension tab handling. Credit to Tom Nielsen.

- [Linux only] [143859] Low CVE-2013-0838: Tighten permissions on shared memory segments. Credit to Google Chrome Security Team (Chris Palmer).

Google Chrome 24.0.1312.52 requires an Intel-based Mac with Mac OS X 10.6 or later to install and run. If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Google releases Picasa 3.9.13.29 update

Posted by:
Date: Monday, January 7th, 2013, 06:26
Category: News, Software

On Wednesday, software giant Google released Picasa 3.9.13.29, the latest version of its photo organization program for the Mac. Once installed, Picasa imports (without moving or copying) photos from the iPhoto library as well as other folders and external hard drives on your Mac. The program also includes assorted editing tools for straightening, text generation, red eye removal, collage creation and Photoshop-like effects and adjustments. The new version, a 34 megabyte download, offers the following fixes and changes:

Share to your Google+ circles: If you’ve joined Google+, you can use Picasa 3.9 to share directly to the circles you’ve created in Google+. They’ll see your photos and videos in their Google+ stream. People that don’t use Google+ aren’t left out. They’ll get an email to view your album in Google+, and they don’t have to join to do so.

Picasa name tags on Google+: If you’ve joined Google+, you may have noticed that name tags have become more social. With the release of Picasa 3.9, you can now upload and share your name tags on Google+. Note that if you choose not to join Google+, name tags won’t change at all.

New photo editing effects: We’ve added a plethora of new editing effects like Vignette, Duo-tone, Borders and more.

Side by side editing: Compare two different photos side by side. Or compare the original and edited versions of the same photo simultaneously as you apply edits in Picasa. Learn how to edit side by side.

Picasa 3.9.13.29 requires an Intel-based Mac running Mac OS X 10.5 or later to install and run.

If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Rumor: Apple in negotiations to purchase Waze map service

Posted by:
Date: Thursday, January 3rd, 2013, 10:16
Category: iOS, Rumor, Software

When in doubt about your own technologies, maybe it’s time to go shopping.

Per TechCrunch and The Mac Observer, Apple is apparently deep in negotiations to buy the online map service Waze. Sources say the Mac, iPhone and iPad maker is willing to pay upwards of US$500 million for the company, although Waze is said to be holding out for US$750 million.

Waze’s twist on the online map and navigation market is social networking. The company gathers map data through users as they drive, and is seen as generally more accurate than some other online map services since users are contributing information daily. In contrast, Google’s Maps relies primarily on its own cars to gather data and street view photos.

Apple found itself with a marketing black eye after the release of iOS 6 in fall 2012 when it replaced Google’s Maps with its own service, a service that suffered from accuracy issues and missing location data. Apple responded with a public apology and a promise to “throw its weight” behind improving its Maps service.

The company also recently approved Google’s own mapping app for the iPhone, which brought back features missing from Apple’s own app such as public transportation information. With Google Maps available, competition in the navigation space ramped up a little, although Waze is apparently the only navigation app that gained serious traction after Apple released its own Maps app.

Apple also already has a working relationship with Waze since the company is providing some of the location data iOS 6 users rely on.

Stay tuned for additional details as they become available.