RealTime IT News

Blog Archives

Mozilla's Thanksgiving present? Firefox 3.6 Beta 4

By Sean Kerner   |    November 25, 2009

From the 'Still Working Today' files:

While many organizations are winding down for the U.S. Thanksgiving holiday, Mozilla is ramping up with a new milestone development release of its open source Firefox web browser.

Mozilla is planning on releasing Firefox 3.6 Beta 4 late today or early Thursday. The Beta 4 release follows Beta 3, which came out last week and fixed at least 83 bugs.

Beta 4 is loaded with fixes too, over 140 of them according to Mike Beltzner, Mozilla's Director of Firefox.

"As discussed in today's development meeting, due to the excellent work on knocking down the Firefox 3.6 Beta topcrash list, we've decided that it would be worthwhile to ship another beta update to our close to half million testers to confirm our expectations," Beltzner wrote in a mailing list posting. "We'd also like to get as much feedback as possible on the more than 140 fixes we've made since we shipped the update last week."

I've been using Firefox 3.6 as my everyday browser now for a few weeks and it is noticeably faster than Firefox 3.5. Speed isn't the only reason why Firefox 3.6 will be a welcome upgrade for browser users.

DNSSEC under attack?

By Sean Kerner   |    November 25, 2009

From the 'Mission Accomplished?' files:

For more than a year now I've heard lots of people in the Internet industry proclaiming DNSSEC (DNS Security Extensions) as the long-term solution to DNS cache poisoning vulnerabilities.

That may not necessarily be the case.

A new vulnerability is now out that attacks DNS servers with DNSSEC installed.

In the summer of 2008, security researcher Dan Kaminsky made the whole world aware of potential security issues with DNS, which could have undermined the integrity of the Internet itself. DNSSEC is supposed to be the answer, with most of the world's major Internet registries moving to implement the technology.

So what's up with this new attack? For one, it specifically deals with ISC's BIND 9 DNS server, which is widely deployed.

"A nameserver with DNSSEC validation enabled may incorrectly add records to its cache from the additional section of responses received during resolution of a recursive client query," the security advisory from ISC states. "This behavior only occurs when processing client queries with checking disabled (CD) at the same time as requesting DNSSEC records (DO)."

So to recap: DNSSEC, the same tech that is supposed to help prevent DNS cache poisoning, could itself be poisoned in certain circumstances. Note the conditions the advisory spells out: the flaw is in how BIND 9's validating resolver caches additional-section records when a client query arrives with Checking Disabled (CD) and DNSSEC OK (DO) both set. That is a bug in one resolver's caching logic on that code path rather than a break in DNSSEC's signatures, but it means that running a validating resolver does not by itself excuse that resolver from the usual checks on what it accepts from the additional section of a response.
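To make the two query conditions in the advisory concrete, and to show the check a resolver should apply to additional-section records whether or not it validates, here is an added example in Python written for this page (it is not ISC's or BIND's code). It builds a query with CD set in the header and DO set in an EDNS0 OPT record, parses a constructed response, and applies the bailiwick rule before anything from the additional section is cached. The `zone` argument stands in for the zone the responding server is authoritative for, which a real resolver knows from the delegation it followed; the message bytes, names and addresses are all constructed.

```python
import struct

# DNS header flag bits (RFC 1035) and the EDNS0 DO bit (RFC 3225). CD in the
# header plus DO in the OPT record are exactly the query conditions the ISC
# advisory names.
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_CD = 0x0010          # Checking Disabled
EDNS_DO = 0x8000          # DNSSEC OK, top bit of the OPT RR's extended flags
TYPE_A, TYPE_NS, TYPE_OPT = 1, 2, 41


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", end if end is not None else off


def build_query(qname, qtype=TYPE_A, checking_disabled=True, dnssec_ok=True, txid=0x1234):
    """Recursive query with CD in the header and DO in an EDNS0 OPT record."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b""
    if dnssec_ok:
        # OPT RR: root owner, TYPE=41, CLASS=UDP payload size, TTL field carries DO
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_message(msg):
    """Parse header flags, questions and the three RR sections of a DNS message."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            sections[section].append((name, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
    return flags, questions, sections


def cd_and_do(msg):
    """(CD set in the header, DO set in an OPT record) for a DNS message."""
    flags, _, sections = parse_message(msg)
    do = any(rtype == TYPE_OPT and ttl & EDNS_DO
             for _, rtype, ttl, _ in sections["additional"])
    return bool(flags & FLAG_CD), bool(do)


def in_bailiwick(owner, zone):
    """True if owner is at or below zone (both absolute, lower-case)."""
    return owner == zone or owner.endswith("." + zone)


def filter_additional(sections, zone):
    """Split additional-section RRs into (accept, reject) by the bailiwick rule.
    zone is the zone the responding server is authoritative for; a real resolver
    knows it from the delegation it followed (assumed as an argument here)."""
    accept, reject = [], []
    for record in sections["additional"]:
        (accept if in_bailiwick(record[0], zone) else reject).append(record)
    return accept, reject


def rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed response to "www.example.com A": the answer's owner is a compression
# pointer to the question name (0xC00C = offset 12); the last additional record is
# out of bailiwick, the kind of record a poisoning attempt plants.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 1, 2)
    + encode_name("www.example.com") + struct.pack("!HH", TYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
    + rr("example.com", TYPE_NS, 3600, encode_name("ns1.example.com"))
    + rr("ns1.example.com", TYPE_A, 3600, bytes([192, 0, 2, 53]))
    + rr("www.bank.test", TYPE_A, 86400, bytes([198, 51, 100, 66]))
)

if __name__ == "__main__":
    _, questions, sections = parse_message(SAMPLE_RESPONSE)
    accept, reject = filter_additional(sections, "example.com.")
    print("question:", questions)
    print("cache:", [r[0] for r in accept], "drop:", [r[0] for r in reject])
    print("our query sets (CD, DO):", cd_and_do(build_query("www.example.com")))
```

In a validating resolver this bailiwick filter sits alongside signature validation, not instead of it: a query with CD set asks the resolver to skip validation on the client's behalf, and the advisory's point is that the unvalidated additional data then went into the cache. Records the filter rejects here (the `www.bank.test` address) must never be cached regardless of what flags the client sent.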

Mozilla Weave 1.0 hits beta 2 release

By Sean Kerner   |    November 25, 2009

From the 'Sync' files:

Mozilla is out this week with beta 2 of its Weave 1.0 Firefox add-on for user data synchronization. Weave is a really interesting open source technology that synchronizes bookmarks, tabs, passwords and browser history across Firefox browsers.

The beta 2 release follows the beta 1 release by a week, which to me indicates a degree of focus that I personally have not seen from Mozilla's engineering team on Weave in its two years of development to date. Mozilla is serious about getting the 1.0 ready for production release and the beta 2 is proof positive of that fact.

In Weave 1.0 beta 2, the changes/fixes are really about fit and finish as far as I can tell.

Among the improvements is a much needed UI change for viewing synced tabs. Prior to beta 2 you'd see all the tabs from your other synced machines in one big list.

Now with beta 2, when you see the tabs from other synced computers you also see the name of the other computer. That's a big organizational help in figuring out what's what and where it came from.

Opera 10.10 browser released with built-in web server

By Sean Kerner   |    November 23, 2009

From the 'Browser Wars' files:

Opera today released version 10.10 of its namesake Opera web browser. The key new feature in it is something called Opera Unite, which is essentially a built-in web server.

Opera Unite has been in beta since June and I personally was not keen on the idea when it was announced. What Opera Unite enables users to do is share content, be it photos, music or otherwise, directly from your PC via the browser.

Opera Unite turns the web browser, which by definition is supposed to 'browse' for content, into a platform that can share and deliver content as well. It's an idea that has profound implications for how the browser is viewed, used and secured.

"What we are really doing is reinventing how we as consumers interact with the Web," Jon von Tetzchner, CEO of Opera, said in a statement. "By giving our devices the ability to serve content, we become equal citizens on the Web. In an age where we have ceded control of our personal data to third-parties, Opera Unite gives us the freedom to choose how we will share the data that belongs to us."

So where's the problem?

Most U.S businesses not setup for remote workers?

By Sean Kerner   |    November 23, 2009

From the 'Doesn't Make Any Sense To Me' files:

Cisco is out with a report today that makes what I consider to be a totally outrageous claim. According to the study of 502 U.S.-based IT decision makers, 53 percent reported that less than half of their employees were currently set up to work remotely.

At this point in 2009, that statistic is shocking to me. Now to be fair, I don't have all the data (I contacted Cisco earlier today, but so far haven't been able to get any answers), so there could be some underlying disclaimers or assumptions that I'm not aware of.

I've written about Cisco's remote worker studies in the past (going back as far as 2006) as this is a common and frequent area for Cisco to investigate. Cisco does have a solid business selling remote access (VPN and other networking technologies) gear, so it makes sense for them to try and understand the market as fully as possible.

For the current study, in terms of why remote access technology wasn't available to more of the respondent base, the answer is quite revealing.

"Asked why more employees did not have access to the technology that would enable them to work outside the office, 38 percent said that business requirements did not necessitate it," Cisco stated in a press release.

That's interesting. Personally I see remote access as being critical, but I suppose if I worked in a career where being on-site was critical, then remote access might not seem as important.

Google Chrome gets Silverlight support on Macs

By Sean Kerner   |    November 23, 2009

From the 'It's Not Just an OS' files:

Google's Chrome, that's Chrome the browser, not the OS (which is really just the browser with a Linux shim) has been updated to version for its dev-channel release.

And no, that's not the same build that was in the public Chromium OS milestone last week. On the surface the new Chrome looks like a typical Chrome bug fix release, which occur (nearly) every week.

Digging into the actual release reveals at least one key bug fix for an item that could also show the future Chrome OS as being a haven for all media plug-ins, even those from rival Microsoft.

Chrome addresses at least three different issues related to Microsoft Silverlight support in Chrome running on a Mac. Silverlight is Microsoft's media framework for rich media content delivery.

That's interesting for a number of reasons.

Blue Coat securing local networks with the Cloud

By Sean Kerner   |    November 20, 2009

From the 'Faster' files:

A big emerging trend in enterprise IT this year has been the move to the Cloud, for almost everything. One particular area where I'm seeing a strong use of a hybrid cloud/on-premise model is for security and one of the chief proponents of that model is enterprise IT vendor Blue Coat (NASDAQ: BCSI).

This week Blue Coat announced the release of new ProxySG and ProxyAV web gateway appliances and the WebPulse cloud service that complements them both.

The Blue Coat ProxySG network gateway appliances now support up to 60,000 users in a single appliance, which is a whole lot of power, and overall they're claiming a 5x performance gain over their previous generation. The bulk of the improvements in speed come by way of multi-core related threading and optimizations.

I spoke with Blue Coat's Chief Scientist Mikko Valimaki about the new releases and he was keen on pointing out how important the cloud element is to the overall solution.

Blue Coat has a cloud security service called WebPulse which does some interesting real time threat analysis. In addition to being part of Blue Coat's enterprise products, it is also freely accessible to home users by way of Blue Coat's K9 security service.

What's inside Google Chrome OS? Linux 2.6.30

By Sean Kerner   |    November 20, 2009

From the 'Most Hyped OS Ever' files:

For an operating system that is basically just a browser, Google's Chrome OS has got a lot of attention over the last 36 hours.

Looking under the hood of the actual code as part of the Chromium OS project (no need to do a full download, just check out the git repository) reveals some interesting insights into what actually makes it work, and leaves me with some big questions on where it's headed.

At the top level, Chrome OS is now powered by a Linux 2.6.30 kernel, which came out in June. So no, it's not (right now at least) the more recent 2.6.31 kernel, which came out in September. That is kind of curious.

Why wouldn't Google use the most recent Linux kernel? After all this is a development operating system, it's not yet for production use so might as well use the leading edge of development right?

And yes, Chromium uses a bunch of items from Ubuntu and there is a direct connection between Google and Ubuntu. But take a look at Ubuntu 9.10 Karmic Koala, it uses the 2.6.31 kernel and not 2.6.30.

PHP 5.3.1 released for 5 security flaws, 113 bugs

By Sean Kerner   |    November 20, 2009

From the 'Yum/Apt-Get Update' files:

The first update to PHP 5.3 is now available, providing 5 security fixes in addition to a long list of bug fixes to the popular open source dynamic language.

PHP 5.3 was released at the end of June, so the 5.3.1 point update has been in the works for five months at this point.

On the security fix front two of the bug fixes are for safe mode items which could have left a PHP system at risk:

  • Fixed a safe_mode bypass in tempnam().
  • Fixed bug #50063 (safe_mode_include_dir fails).

The three other fixes are a collection of different issues.

Among them is a new "max_file_uploads" INI directive, which according to the PHP 5.3.1 release notes, "...can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion."

Sanity checks have been added to EXIF processing and there is a fix for an open_basedir bypass in posix_mkfifo().

While the security fixes are obviously an important reason for PHP users to migrate immediately, the long list of non-security items is also noteworthy.

Fedora 12 updates package installation policy

By Sean Kerner   |    November 20, 2009

From the 'Error Correction' files:

The public milestone release of Fedora 12 this week had one big flaw in it that is now set to be corrected.

One key standard practice on nearly every Linux system I have ever seen or used is the separation of root and user roles. New software installation that affects an entire system typically can only be installed by the root user. That's a behavior that was modified with the Fedora 12 release such that a local user could install signed applications without root authorization.

Now Fedora is reversing that policy.

"After more discussion and thought, though, the package maintainers have posted to the fedora-devel-list mailing list agreeing to provide an update to Fedora 12's PackageKit," Fedora Project Leader Paul Frields wrote. "The update will require local console users to enter the root password to install new software."

Makes sense to me. What doesn't make sense is why the new policy was put into Fedora 12 in the first place.

Fedora developer Owen Taylor though has put together a lengthy post about the developer rationale for the initial policy change and I can kinda/sorta see why at first it might have made sense for some people (but not all).

"In Fedora 9, 10, and 11, the first time a user tried to install a package from the Fedora repositories, they would be prompted for a root password, with a checkbox to remember that permission for the future. (Before Fedora 9, you had to enter the root password every time.)," Taylor wrote.

Mozilla earned $78.6 million in 2008

By Sean Kerner   |    November 19, 2009

From the 'Free Software Making $$' files:

Mozilla gives its software away for free, yet year after year they keep making money. For the 2008 year, Mozilla is just now disclosing how much revenue it generated and it was another growth year for the open source group.

Revenue at Mozilla was reported at $78.6 million for 2008, which is a 5 percent increase over the $75.1 million reported in 2007. The revenue growth rate appears to have slowed somewhat in my opinion. Back in 2005, Mozilla's revenues were only $53 million.

As has been the case over the last several years, the bulk of Mozilla's revenue is driven by search revenues generated from Firefox by Google, Yahoo, Amazon and eBay. So whenever you search using the default start page in Firefox, you're actually helping to support Mozilla.

Digging deeper into Mozilla's financial report shows some other interesting tidbits of information.

For example, Mozilla actually lost $7.8 million (which is taken into account as part of the revenue calculation) from its investments. As well Mozilla's expenses in 2008 skyrocketed by 48 percent to $49.4 million up from $33.3 million in 2007.

Google Chrome OS goes open source in Chromium OS

By Sean Kerner   |    November 19, 2009

From the 'Browser Operating System' files:

Google today has officially open sourced its under-development Chrome OS operating system under the Chromium OS project.

The code is available now at: http://www.chromium.org/chromium-os/building-chromium-os - I'm currently in the process of trying to build a full system (so more to come from me soon). Right now the gzipped tarball is 232 MB (pretty small for an OS) and the official build milestone number is

Google is working with Canonical, the lead sponsor behind the Ubuntu Linux project, on part of the underlying OS. Chris Kenyon, VP of OEM services at Canonical, blogged today that Canonical is contributing engineering to Google under contract. So, that means that there IS a link between Ubuntu and Chrome OS! That's a surprise. But hey, it's still all open source.

By making the project fully open source, Google is opening the project up to participation and comment from interested developers. It also means that they'll be contributing code back to the open source community, which ultimately means that other vendors could benefit as well.

Aside from the Chromium OS announcement today, Google has provided a whole lot of interesting information about Chrome OS.

During a live event (that was also webcast) today Google detailed what we should all look for in their new ChromeOS.

Basically it's all about the web. Apps are in the cloud as well as users' data. Sundar Pichai, VP of Product Management at Google explained that the local hard drive in Chrome OS should just be thought of as a local cache for syncing with the cloud. That's cool.

Going a step further, by design Chrome OS will specify a reference hardware architecture which will require Solid State Drives (SSDs) instead of regular hard drives. The idea is to provide for a faster overall user experience.

"Every application is a web application so users don't have to install programs," Pichai said.


Pichai also showed off how Chrome OS would have a new apps tab to make it easier to load and access apps.

The screenshot (left) gives us a glimpse of how that new apps tab may look. Those apps are basically just url shortcuts, organized in a window.

There is also a Mac OS-style 'fish-eye' interface for scrolling between open windows, which looked pretty interesting as well.

Google Chrome Frame security flaw discovered by Microsoft

By Sean Kerner   |    November 19, 2009

From the 'I Told You So' files:

Back in September, Google launched Chrome Frame which embeds a Chrome-type browser inside of a Microsoft Internet Explorer(IE) browser. At the time, Microsoft claimed that Chrome Frame could make IE less secure.

Guess what? Turns out Microsoft was right.

Late Wednesday, Google issued an update to Chrome Frame with version for a cross-origin bypass security vulnerability.

"An attacker could have bypassed cross-origin protections," Google warned in its advisory. "Although important, 'High' severity issues do not permit persistent malware to infect a user's machine. We're unaware of any exploitation of this issue."

What's also particularly interesting about this Chrome Frame vulnerability is that it was not discovered by Google itself. It was discovered by Microsoft.

So to recap, Microsoft was worried months ago that Google Chrome Frame put IE at risk and now they've proven it.

Mozilla Firefox 3.6 Beta 3 released with 83 bug fixes

By Sean Kerner   |    November 18, 2009

From the 'Coming Soon, Very Soon' files:

The third beta of Mozilla's open source Firefox 3.6 browser is now out, fixing 83 bugs and adding several new features.

Of the 83 bugs fixed, 13 have been tagged as being critical. It looks to me like the majority of those critical flaws are crash related items.

One particularly interesting critical bug fix is one for the crash reporter itself. According to Mozilla, "...the updater crashes when trying to update with crash reporter open."

One of the key goals overall for the Firefox 3.6 release is to increase performance. To that end, there is at least one new feature in Firefox 3.6 Beta 3 that will help to support that goal. From a technical perspective, Firefox 3.6 Beta 3 now implements the async attribute of script elements. Basically it's a way to run scripts asynchronously, so that fetching a script no longer blocks the rest of the page from loading, which improves overall page load times.

Another new change is the component directory lock-down for add-ons.

"In addition to the standard mechanism for extending the browser via add-ons and plugins, though, there has historically been another way to do it," Mozilla developer Johnathan Nightingale wrote. "Third-party applications installed on your machine would sometimes try to extend Firefox by just adding their own code directly to the 'components' directory, where much of Firefox's own code is stored."

That's a problem for a number of potential stability and security reasons, but it's a problem that is being eliminated with Firefox 3.6 Beta 3.

Google Chrome OS: What to look for this week

By Sean Kerner   |    November 18, 2009

From the 'It's Not Vaporware' files:

Google is holding an event on Thursday to discuss its Chrome OS open source operating system. Details are sparse at this point, though the official media invitation gives us some clues that we'll get some real technical insights.

"This event is a follow-up to the announcement we made in July, and Sundar Pichai, Vice President of Product Management will be speaking along with Matthew Papakipos, Engineering Director for Google Chrome OS," the Google media invite states.

Though the official briefing is tomorrow, there is a whole lot that we know today about Chrome OS. There are also a few items that we can speculate on, (which is always good fun in the absence of the official specs).

We know that Chrome OS uses the Chrome browser, most likely built from the dev-channel Chromium build for Linux. I use Chrome for Linux every day now and it is a solid, capable and fast browser.

We know that Chrome OS will be Linux based.  We don't know which distro (if any) it will be based on. Chromium is available in the .deb packaging format (used by Debian based distribution including Ubuntu), so one obvious guess would be that Chrome OS will in some way shape or form be Debian based as well. 

That said, Android (Google's other open source operating system) is not Debian based, so perhaps Google will just build their own Linux distro from the kernel up for Chrome OS.  Personally, I think that's the better route for Chrome OS, though they really should stick with a common packaging format (.deb or .rpm) in order to enable some degree of easy packaging for applications.

Mozilla Weave nears release

By Sean Kerner   |    November 17, 2009

From the 'Open Source Sync' files:

Mozilla this week released the first beta for its browser data synchronization service, Weave 1.0.

I've been tracking Weave for nearly two years now and it sure has been a long and winding road for this interesting project to get close to its 1.0 release.

At its core, Weave is a services backend. Initially the services are all about basic browser data synchronization, with support for bookmarks, history, passwords, tabs, add-ons and preferences.

So yeah, it's more than just a del.icio.us knockoff.

With the Weave 1.0 beta, Mozilla developers note that the new release, "...marks a significant step towards making Weave Sync a production quality add-on."

Aside from being more stable and usable (in my own limited usage so far), the 1.0 beta includes some functional improvements as well. For one, data is now backed up via an incremental sync behavior. Basically that means the system can sync data more intelligently and in chunks instead of sucking up all of your local system resources.

From my perspective it is critical that Mozilla gets Weave 1.0 up to full release status sooner rather than later at this point. Looking at the competitive landscape, bookmark sync is part of latest Google Chrome builds and it is a compelling feature to have.

Right now Weave is an add-on to Firefox, but I would also hope that sooner rather than later it gets baked into the mainline of Firefox development. Having an add-on directly integrated into Firefox will no doubt increase the adoption and perhaps the practical utility of Weave.

SSL at risk (again), this time Twitter is the first target

By Sean Kerner   |    November 17, 2009

From the 'Not a Hoax' files:

SSL is of critical importance to all web users as the most commonly used method for securing websites. There is now a new publicly posted exploit technique for SSL that takes advantage of a renegotiation flaw in TLS (Transport Layer Security, the standardized successor to SSL that HTTPS connections actually use).

As a proof of concept, security researcher Anil Kurmus has blogged about how TLS/SSL renegotiation can be used to exploit Twitter's HTTPS (that is, SSL-secured) API.

"All in all, a man in the middle is able to steal the credentials of a user authenticating himself through HTTPS to a trusted website, and CSRF protections do not apply here," Kurmus wrote.

This is extremely serious and in my opinion represents perhaps the single biggest threat to the integrity of the Internet today. Without SSL, ecommerce becomes insecure and the vast majority of the web's population cannot login securely to any website.

Sure there have been SSL threats before.

Most notably, I've seen security researcher Moxie Marlinspike present his SSLstrip work at Black Hat in February and again in July. Marlinspike, however, wasn't directly attacking SSL itself. His attack was also a man-in-the-middle attack, but one where a regular HTTP user is tricked into thinking they are actually on an HTTPS (SSL) protected site.

The new attack (if I understand it correctly) actually intercepts legitimate HTTPS traffic. It's a subtle but very significant difference.
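The mechanism behind that interception, as an added illustration that is not Kurmus's proof of concept: before the fix, an HTTPS server's application layer saw the data sent under the attacker's original TLS handshake and the data sent after the victim's renegotiation as one continuous byte stream. A man in the middle who opens the TLS session to the server first can send a partial HTTP request, leave its last header line unterminated, and then splice the victim's handshake in as a renegotiation of that same connection; the victim's request line becomes the tail of the attacker's header and the victim's credential header becomes part of the attacker's request. The Python below, written for this page, models only the byte stream and the server's HTTP parser, with constructed hostnames, paths and a placeholder Basic credential; the TLS layer itself is not simulated.

```python
# Constructed model of the TLS renegotiation prefix-injection attack at the HTTP
# layer. Hostnames, paths and the credential are placeholders; no TLS is simulated.

# What the victim's client sends under its own (renegotiated) handshake.
VICTIM_REQUEST = (
    b"GET /statuses/home_timeline.json HTTP/1.1\r\n"
    b"Host: api.example\r\n"
    b"Authorization: Basic dXNlcjpodW50ZXIy\r\n"   # constructed: "user:hunter2"
    b"\r\n"
)

# What the man in the middle sends first, under the original handshake it opened
# to the server. The final header line is deliberately left unterminated so the
# victim's request line is absorbed into it as a header value.
ATTACKER_PREFIX = (
    b"GET /account/settings HTTP/1.1\r\n"
    b"X-Ignore: "
)


def parse_http_request(stream):
    """Minimal HTTP/1.1 request parser: (method, path, headers, body).
    Header names are lower-cased; a later duplicate overwrites an earlier one."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    length = int(headers.get("content-length", "0"))
    return method.decode(), path.decode(), headers, rest[:length]


def server_view(attacker_prefix, victim_request):
    """What the server's HTTP layer parses. Before RFC 5746, TLS renegotiation
    gave the application no marker between data from the two handshakes, so the
    server reads attacker bytes and victim bytes as one request stream."""
    return parse_http_request(attacker_prefix + victim_request)


def credential_misused(attacker_prefix, victim_request):
    """True if the spliced request carries the victim's Authorization header on a
    request line the victim never sent."""
    _, victim_path, victim_headers, _ = parse_http_request(victim_request)
    _, path, headers, _ = server_view(attacker_prefix, victim_request)
    return (path != victim_path
            and headers.get("authorization") == victim_headers.get("authorization"))


if __name__ == "__main__":
    method, path, headers, _ = server_view(ATTACKER_PREFIX, VICTIM_REQUEST)
    print("server executes:", method, path)
    print("with Authorization:", headers["authorization"])
    print("victim's own request line, now a header value:", headers["x-ignore"])
```

The server cannot tell from the bytes that two parties wrote them, which is why an application-level CSRF token does not help: nothing is being forged inside the victim's browser, the victim's own authenticated channel is carrying a request line the attacker chose. The protocol fix, published after this post as RFC 5746, cryptographically binds a renegotiation to the handshake that preceded it; until servers had that, the practical mitigation was to disable client-initiated renegotiation.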

Linux dominates top 500 supercomputer list

By Sean Kerner   |    November 16, 2009

From the 'Beefy Penguin' files:

The latest Top 500 Supercomputer list is now out (see my colleague Andy Patrizio's story on InternetNews.com), with the top rig doubling its performance to 1.75 petaflops.

Of particular interest to me is the fact that while multi-core CPUs are the hardware components enabling the fastest computers, it is Linux that powers them as the operating system.

Just over 78 percent of the top 500 supercomputers run some type of Linux. The official Top 500 Supercomputer site lists 391 of the top 500 supercomputers as using 'Linux'.

Digging a little deeper, there are 32 additional machines that identify themselves as running some version of Novell's SUSE Linux Enterprise Server. There are some 16 that identify Red Hat Linux or one of its derivatives including CentOS.

So doing a little bit of math, at least 88 percent of the list is using some form of Linux, generic or otherwise.

That's astounding. The only other operating system that is even noteworthy beyond Linux is IBM's AIX Unix at 22 systems (or just over 4 percent).

It's also interesting to see how the list has changed over the past nine years.

Cisco blinks and increases Tandberg offer

By Sean Kerner   |    November 16, 2009

From the 'Kroner, Corona' files:

Over the last several weeks, Cisco executives have publicly said on a number of occasions that their $3 billion offer for Tandberg was fair and that they'd walk if they didn't get it. To me it looked like a high-stakes game of chicken as Tandberg shareholders held out for more to see who would blink first.

Cisco blinked.

Today Cisco upped their offer to $3.4 billion.

That's right, a $400 million increase on a bid that CEO John Chambers had previously said was already fair. The problem is that under Norwegian law, 90 percent of shareholders need to approve the deal and Cisco didn't have the required percentage.

With the $3.4 billion bid, Cisco said it now has 40 percent of shares agreeing to the bid, which still leaves a big outstanding amount.

"Cisco believes that this revised offer remains consistent with the principles of prudence and financial fairness," Cisco said in a statement. "If Cisco does not achieve the desired level of acceptances, the company will withdraw the offer and evaluate alternative ways to expand our activities in the video communications market. As a result of the revised offer, Cisco has extended the acceptance period until December 1, 2009."

Once again Cisco is making this a take-it-or-leave-it offer, but seeing as they have already blinked once, who is to say they won't do it again.

Does Mozilla's Jetpack gallery spell the end of add-ons?

By Sean Kerner   |    November 13, 2009

From the 'Future of Browsing' files:

I've been a fan of Mozilla's open source Jetpack since it publicly launched this past May. Like millions of other people, I use browser add-ons, and like millions of people I suffer with their numerous shortcomings.

Jetpack represents a new way to do add-ons, they're easier to develop and easier for users to consume. They update on their own and they don't require a browser restart to work. But until this week there was no easy way to actually find Jetpack extensions.

That has now changed with the launch of Jetpack Gallery, which is kinda/sorta like the add-ons site Mozilla already has for its (soon to be) legacy add-ons.

"The gallery makes it easy for developers to host and promote their Firefox Jetpack add-ons, and makes it even easier for users to find those great new features," Mozilla developers wrote in a blog post. "For developers, the Jetpack gallery makes it easy to host and promote Jetpacks."

I agree with Mozilla, but I still think there is one MAJOR element missing. Jetpack is still not directly integrated into the mainline for Firefox browser development.

Google patches Chrome for Apple WebKit flaw

By Sean Kerner   |    November 13, 2009

From the 'Shared Security Risk' files:

Yesterday morning I blogged about the Safari 4.0.4 update commenting that WebKit is used by both Apple and Google for their respective browsers. I also wondered if Google's Chrome was vulnerable to the same WebKit issue that Apple patched.

Turns out I was right.

Late Thursday, Google released Chrome stable which fixes the same Cross Site Request Forgery (CSRF) issue that Safari 4.0.4 fixed. In fact, Google doesn't even have its own specific advisory on the Apple WebKit issue, they just point to Apple's support notice.

Does this mean that Chrome users were potentially at risk for a period of time longer than their Safari cousins? Well yes, but for a very slim amount of time and for a flaw that Google says has a very low risk.

That said, as I wrote yesterday, it's still very interesting to take note of the shared WebKit flaws between Apple and Google. While both vendors actively contribute to WebKit development they both also share its risks.

Google to make the web SPDY with new web protocol

By Sean Kerner   |    November 12, 2009

From the 'More Google Goodness' files:

Google is trying to speed up web pages with a new open source application layer protocol called SPDY (pronounced speedy).

Regular HTTP connections suffer from protocol overhead and latency -- which is why after all there is big business in WAN optimization from vendors like Citrix, Cisco, Juniper, Blue Coat and Riverbed.

With SPDY, Google is aiming to provide web optimization for all with a target reduction of 50 percent in web page load times.

That's a very tall order in my view, especially if they hope to do it in some kind of standardized way.

But wait, Google is big enough that they don't have to wait for standards.

Google can bake SPDY into their own Chrome web browser and then make Google servers optimized for SPDY. Google has already done some lab tests with a SPDY enabled Chrome browser and they achieved a 64 percent reduction in page load times.

Apple Safari 4.0.4 updated for 7 security flaws

By Sean Kerner   |    November 12, 2009

From the 'WebKit Flaws' files:

Apple is updating its Safari web browser to version 4.0.4 to fix 7 identified CVEs (Common Vulnerabilities and Exposures) spread across both Mac and Windows versions of the software.

Three of the fixes are for Safari's core WebKit rendering engine and in my opinion they're critical issues. What's particularly interesting is how the issues were identified in one case by Google and in the other by Apple. Both Google and Apple rely on WebKit as the key rendering infrastructure for their respective browsers.

One of the issues is a Cross Site Request Forgery (CSRF) flaw in how WebKit lets a page from one origin request a resource on another server, that is, the cross-origin resource sharing (CORS) preflight mechanism.

"WebKit sends a preflight request to the latter server for access to the resource," Apple's advisory states. "WebKit includes custom HTTP headers specified by the requesting page in the preflight request. This can facilitate cross-site request forgery."

That's pretty serious and in my opinion, not terribly difficult to execute either. What makes this vulnerability even more ominous is the fact that it's in WebKit, it could potentially have found its way into the iPhone or Google's Chrome too. This particular vulnerability was discovered by Apple's own security researchers.
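What the advisory describes, as an added example that is not Apple's or WebKit's code (and which applies equally to the Chrome fix noted above, since both browsers ship WebKit): a CORS preflight is an OPTIONS request that announces, in `Access-Control-Request-Method` and `Access-Control-Request-Headers`, what the page wants to send, and only after the server's `Access-Control-Allow-*` reply does the browser send the real request carrying those headers. The bug was that the preflight itself already carried the page's custom headers with their values, so a server that acted on such headers during OPTIONS received them from any origin before ever granting them. The Python below models both sides of the exchange, the buggy preflight beside the correct one, plus a server-side check for a preflight that already carries headers it is only supposed to be asking about; origins, header names and values are constructed.

```python
# Added model of the CORS preflight exchange (not WebKit's code). Header names are
# lower-cased throughout, since HTTP header names are case-insensitive. Origins,
# header names and values are constructed.

def build_preflight(origin, method, custom_headers, leak_custom_headers=False):
    """Headers of the OPTIONS preflight a browser sends before a cross-origin
    request that uses a non-simple method or custom headers. The browser is only
    supposed to announce the header *names*. With leak_custom_headers=True the
    preflight also carries the headers with their values, which models the
    behaviour the Safari 4.0.4 advisory describes."""
    preflight = {
        "origin": origin,
        "access-control-request-method": method,
        "access-control-request-headers": ",".join(sorted(h.lower() for h in custom_headers)),
    }
    if leak_custom_headers:
        preflight.update({h.lower(): v for h, v in custom_headers.items()})
    return preflight


def preflight_decision(preflight, allowed_origins, allowed_headers):
    """Server side: grant or deny. Returns the Access-Control-* response headers,
    or None to deny, in which case the browser never sends the real request."""
    origin = preflight.get("origin")
    if origin not in allowed_origins:
        return None
    requested = {h for h in preflight.get("access-control-request-headers", "").split(",") if h}
    if not requested <= {h.lower() for h in allowed_headers}:
        return None
    return {
        "access-control-allow-origin": origin,
        "access-control-allow-methods": preflight["access-control-request-method"],
        "access-control-allow-headers": ",".join(sorted(requested)),
    }


def actual_request(preflight, decision, custom_headers):
    """Client side: the real request, carrying the custom headers, goes out only
    after a granting decision."""
    if decision is None:
        return None
    return {"origin": preflight["origin"], **{h.lower(): v for h, v in custom_headers.items()}}


def smuggled_headers(preflight):
    """Server-side check: header names the preflight asks permission for and
    already carries. A correct preflight yields []; the buggy one does not."""
    requested = preflight.get("access-control-request-headers", "").split(",")
    return sorted(h for h in requested if h and h in preflight)


if __name__ == "__main__":
    page = {"X-Api-Key": "k1"}
    good = build_preflight("https://app.example", "PUT", page)
    bad = build_preflight("https://app.example", "PUT", page, leak_custom_headers=True)
    print("correct preflight smuggles:", smuggled_headers(good))
    print("buggy preflight smuggles:", smuggled_headers(bad))
    decision = preflight_decision(good, {"https://app.example"}, {"X-Api-Key"})
    print("granted:", decision, "real request:", actual_request(good, decision, page))
```

The server-side lesson is the same one the CSRF label implies: an OPTIONS request must never be treated as authenticated or state-changing on the strength of headers it carries, because a preflight arrives from any origin before the server has granted anything.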

Mozilla Firefox 3.6 Beta 2 fixes 186 bugs

By Sean Kerner   |    November 11, 2009


From the 'Bug Swatting' files:

Mozilla is now out with its second beta for its upcoming Firefox 3.6 open source browser release.

The new 3.6 beta fixes at least 186 bugs from the first 3.6 beta which came out last week. That's right folks, two betas in two weeks.

Mozilla is serious about getting Firefox 3.6 finished and out the door as rapidly as possible. I personally don't remember Mozilla ever patching as many bugs as fast as they have with this new Firefox 3.6 Beta 2 release.

While 186 bugs sounds like a big number, drilling down into the Bugzilla database, there are some 13 critical bugs patched in the beta 2 release. Ten of those critical bugs were items that triggered a crash condition.

Among the less critical but still annoying bugs fixed in Firefox 3.6 beta 2 is one where beta 1 users were unable to tag a bookmark through the star panel. Another bug fix is one where the bottom of fonts were cut off in dialogs.

Google Go - Do we really need another language?

By Sean Kerner   |    November 11, 2009


From the 'Yet Another Language to Learn' files:

Google is now open sourcing a new experimental programming language called - Go.

According to Google, "Go combines the development speed of working in a dynamic language like Python with the performance and safety of a compiled language like C or

Google also notes in its introductory Go blog post that Go compiled code "...runs close to the speed of C." Ummm ok, so that means it's slower than C?

It's an interesting idea to try to build a language that promises rapid development, but you also need to remember that yet another language adds to developer and user confusion.

Google already backs Python and uses Java. Then of course there is PHP, Ruby and for Microsoft developers out there .NET framework languages too.

Go isn't the first time Google has tried to launch its own open source language either.

MontaVista Linux acquired by Cavium for $50 million

By Sean Kerner   |    November 10, 2009

From the 'Embedded Linux' files:

MontaVista Software, the pioneer of the modern embedded Linux market, is set to be acquired by Cavium Networks in a deal valued at $50 million.

The deal, which was just announced, includes $34 million in Cavium Networks (NASDAQ: CAVM) common stock and $16 million in cash. The deal is expected to close in December 2009.

With this deal, the two major embedded Linux vendors, Wind River and now MontaVista will be owned by semiconductor vendors. Wind River was acquired by Intel for $884 million earlier this year.

From a personal viewpoint, the trend of semiconductor vendors owning the embedded Linux market worries me a great deal.

MontaVista this year made a big splash about supporting multiple market verticals and chips with its MontaVista 6 release. Will MontaVista now become a Cavium-only vendor?

Likely not, just like Wind River is not an Intel specific vendor. But still, it makes you wonder.

Sun/Oracle deal fail shows EU doesn't get open source

By Sean Kerner   |    November 10, 2009

From the 'Monty Doesn't Know Best' files:

At long last, the European Commission has come out against Oracle's proposed acquisition of Sun. My colleague Andy Patrizo wrote about this yesterday and he forecast that this would happen last week on our podcast too.

The deal breaker is Oracle's ownership of the open source MySQL database, which to me makes no sense whatsoever and is proof positive that the EC/EU doesn't understand the open source model at all.

The EU objection in my opinion will do more harm than good to both Oracle and Sun, as well as the MySQL database that the EU is trying to protect.

I also think that if the objection stands and the deal is blocked, it will also be a very bad omen for the entire open source market.

What company in their right mind will want to acquire an open source vendor knowing that they could run into an EU objection? Who wants that kind of grief?

Cisco playing chicken with Tandberg?

By Sean Kerner   |    November 09, 2009

From the 'High Stakes' files:

Cisco is now giving Tandberg shareholders another 9 days, until November 18th, to accept (or decline) a $3 billion takeover bid.

When Cisco made its bid on Oct 1st for Tandberg, execs on both sides of the table were all smiles (at least it looked that way over TelePresence/webcast). Cisco's offer is a decent 38 percent premium over the value of Tandberg's shares prior to the effort, yet some Tandberg shareholders want more.

They're not going to get more. Instead they've got a take it or leave it offer on the table.

During Cisco's first quarter fiscal 2010 investor conference call last week, CEO John Chambers made his position clear.

"I believe that we will get this transaction closed," Chambers said. "But at the same time, as you also know, that we have already walked away from a couple of deals this year where we could not get the right

If Tandberg shareholders do manage to scuttle the deal, I'd wager that Tandberg's business will suffer.

Microsoft gets Agile with its Security Dev Lifecycle

By Sean Kerner   |    November 09, 2009

From the 'Defense in Depth' files:

Microsoft is rethinking how to do security in an Agile (as in Agile development) world.

They have now issued new guidance for the Security Development Lifecycle (SDL) process that outlines how Microsoft thinks about and implements secure coding practices.

The new document officially carries the version number 4.1a and is a 130 page behemoth that is hardly light reading. Of its 130 page heft, pages 45 to 53 are the new ones on Agile (no it's not much, but it might be enough).

"There is a perception today that Agile methods do not create secure code, and, on further analysis, the perception is reality," the new Microsoft guidelines state. "There is very little 'secure Agile' expertise available in the market today. This needs to change."

The whole idea behind Agile is to rapidly iterate and release code. It is a core process used by most (if not all) open source developers where nightly builds are commonplace.

I would be the last person to state that Agile leads to insecure code, though I can see where the idea comes from.

Mozilla Firefox turns 5 as the Netscape legacy continues

By Sean Kerner   |    November 09, 2009

From the 'Happy Birthday' files:

Five years ago today, I published a story on InternetNews.com about the release of Firefox 1.0. It really doesn't seem that long ago to me...

The Firefox 1.0 release was the culmination of months of effort that ultimately spelled the end of the Mozilla Suite (now SeaMonkey) as the main Mozilla browser. Firefox was supposed to be a revolution for the browser world, a browser that cut out the bloat and made things faster.

Five years later, it's clear that Mozilla's Firefox promise has come true.

Firefox introduced the concept of tabbed browsing to millions, along with easy-to-develop add-ons and a host of other feature and performance improvements.

Beyond what Firefox has done on its own, with its user base of over 300 million, is its impact on the broader browser market and by extension every person on Earth that uses the Internet.

Five years ago Microsoft's Internet Explorer development was stalled and there was little (if any) innovation from the browser market share leader. Since 2004, Microsoft has responded to Mozilla's challenge with IE 7 and 8 and continues to ramp its own competitive efforts.

Google decided over a year ago that it wanted in on the action with its Chrome browser. Chrome is set in 2010 to be the cornerstone of an entire operating system for Google.

Would any of that have happened were it not for the success of Firefox?

Google's Chrome browser updated for security fixes

By Sean Kerner   |    November 06, 2009

From the 'Auto-Update' files:

Google is updating the stable version of its Chrome browser to version

The new release fixes two security issues and addresses a number of stability issues including a top crash condition and a bug that could have consumed 100 percent of a user's CPU.

On the security side, one of the fixed flaws deals with executable JavaScript warnings, or rather a lack thereof.

"The user was not warned about certain possibly dangerous file types such as SVG, MHT and XML files," Anthony Laforge, Google Chrome Program Manager, wrote in a blog post. "In some browsers, JavaScript can execute within these types of files. Because the JavaScript runs in the local context, it may be able to access local resources."

The other security issue fixed in Chrome is a memory corruption condition in the Gears plugin. Gears (formerly known as Google Gears) is Google's attempt at providing offline storage for website information.

Chrome also fixes what I consider to be a very serious bug that could have eaten up 100 percent of a user's CPU.

Mozilla updates Firefox 3.5.5 for 'annoying' bug

By Sean Kerner   |    November 06, 2009

From the 'Quick Fix' files:

For the most part, Mozilla issues updates to its open source Firefox browser for both security and stability related issues. That's not the case with the new 3.5.5 update out today.

Firefox 3.5.5 has no listed security fixes and is all about fixing a few key stability bugs.

The official list of bugs fixed in the 3.5.5 update actually only includes 5 fixed items of which three are labeled by Mozilla as being critical.

One of the critical bugs in the fixed list deals with crashes in Firefox's GIF image decoder. The flaw was introduced in the Firefox 3.5.4 release which came out on October 28th. The GIF flaw was reported in Mozilla's Bugzilla bug tracking system by Toronto staffer Joe Drew (JOE DREW!!) on October 29th.

"We're seeing lots of crashes in the GIF decoder, involving nsGIFDecoder2::ProcessData calling GifWrite(), then a null dereference," Drew wrote in the bugzilla entry. "Right now, this is showing up in the noted crash site, but this is a Windows-specific, 3.5.4-specific crash site, since the offset in xul.dll will change with every build, and obviously xul.dll has no meaning on OS X or Linux."

Google brings Closure to open source JavaScript devs

By Sean Kerner   |    November 05, 2009


From the 'Open Source Development' files:

Google builds a lot of its own tools as part of its development efforts. Sometimes we all 'get lucky' and the tools become open source and available too.

That's what has happened today with the Google Closure tools, which are a set of JavaScript optimization tools. Considering the extreme importance of JavaScript in all modern web applications and browsers, it makes sense in my opinion for Google and everyone else to have the best JavaScript code possible.

Among the tools released by Google is the Closure Compiler, which aims to compile web apps down into compact JavaScript code.

"The compiler removes dead code, then rewrites and minimizes what's left so that it will run fast on browsers' JavaScript engines," Google stated. "The compiler also checks syntax, variable references, and types, and warns about other common JavaScript pitfalls."

That's kinda cool, but what's even more impressive in my opinion are the usage mechanisms that Google is making available for the Closure Compiler. In addition to the command-line they've also got a Firefox extension that works with their Page Speed optimization tool.

What that means to me is I can easily check JavaScript on any page and see how the JavaScript can be improved.

That's one heck of a powerful tool to have.

Cisco's Chambers & EMC's Tucci: Buddies in Bad Times

By Sean Kerner   |    November 05, 2009


From the 'Former Wang Employees'  files:

Sometimes it's not what you know that's important, it's who you know -- right?

This week, Cisco, EMC and VMware entered into a partnership for delivering integrated virtual data center solutions.

Aside from the news itself, one of the most interesting pieces of drama in the whole event was the extreme chumminess between Cisco CEO John Chambers and EMC CEO Joe Tucci.

During the event there were a few back slaps (and the pic left from Cisco shows one of them, that's Chambers on the left and Tucci on the right) and many friendly words shared and said between the two CEOs.

Chambers said at multiple points during the launch press conference how his 20 years of friendship with Tucci helped to make the deal possible. Chambers actually worked for Tucci at one point, when both men were at the now-defunct Wang Labs.

Adobe updates Shockwave for 5 critical vulnerabilities

By Sean Kerner   |    November 04, 2009


From the 'Shocking Updates' files:

Adobe Shockwave users, it's time to update.

Adobe has issued an updated version of its Shockwave Player to address 5 critical vulnerabilities. The flaws affect Adobe Shockwave Player and prior versions. The new version is numbered

"The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system," Adobe stated in its

Two of the vulnerabilities deal with invalid pointer issues that could lead to arbitrary code execution.

Arbitrary code execution is also the potential end result for two of the other flaws fixed by Adobe in this new Shockwave update. There is an invalid index issue that could also lead to code execution vulnerabilities. As well, there is an invalid string length vulnerability that has now been addressed.

A potential Denial of Service (DoS) attack vector is fixed in the Shockwave Player release thanks to a fix for a boundary condition issue.

The Shockwave Player is the third security update for the Adobe product this year.

In June, Adobe issued the update fixing a critical zero day flaw. That update was followed in July with the update which was related to Microsoft's Active Template Library (ATL) fixes made at the same time.

Sun updates Java 6 for the 17th time

By Sean Kerner   |    November 04, 2009

From the 'Still Owned by Sun' files:

If you're like 80 percent of all web users, chances are that you're running Java. Have you updated to the latest version yet?

Yesterday, Sun released Java 6 Update 17, fixing multiple vulnerabilities.

Among the issues fixed by Sun is a command execution vulnerability in the Java Runtime Environment Deployment Toolkit. According to Sun's advisory on the issue, the vulnerability could potentially be leveraged to execute arbitrary code.

There is also a critical fix for a vulnerability in the Java Web Start Installer which potentially could enable an untrusted Java app to run as trusted and then run whatever code it wants.

Update 17 also addresses what Sun refers to as "Multiple buffer and integer overflow vulnerabilities in the Java Runtime Environment". The overflow vulnerabilities could potentially lead to a privilege escalation attack.

From my perspective, there is one other key vulnerability that Sun is addressing with this update. It has to do with the actual Java update mechanism. Many (if not most) users have their Java installations automatically checking Sun's server periodically for updates. According to Sun, it didn't always work.

Google Chrome 4 Beta debuts including bookmark sync

By Sean Kerner   |    November 03, 2009

From the 'Delicious Feature' files:

Google's Chrome 4 web browser is now in Beta. Chrome 4 has been in the dev-channel cycle since August and has one key differentiating feature over its predecessors in the Chrome 3 browser series, bookmark syncing.

Google has three main releases for Chrome, dev, beta and stable channel. The move into the beta channel for Chrome 4 means it's getting ready for prime time.

Back in August, I had some issues with the bookmark syncing feature, which wasn't really well integrated with either Google's online services or with Chrome itself. That was months ago, and Google has since improved the whole process.

"Once you've activated Google Chrome bookmark sync on each of your computers, any changes you make to your bookmarks will appear on all synced computers in just a few seconds," Google engineers wrote in a blog post.

The synchronization leverages Google's XMPP (that's the same protocol used by Jabber and Google Talk) assets to synchronize bookmarks.

Open Source Skype? Not yet, but soon

By Sean Kerner   |    November 02, 2009

From the 'Codecs, Codecs, Codecs' file:

Is Skype going open source? Apparently so.

"Yes, there's an open source version of Linux client being developed. This will be a part of larger offering, but we can't tell you much more about that right now," a Skype developer wrote on Skype list. "Having an open source UI will help us get adopted in the 'multicultural' land of Linux distributions, as well as on other platforms and will speed up further development. We will update you once more details are available."

I run Linux and I also run Skype on my Linux desktop today. I also run Adobe's Flash and AIR too. None of them are open source, but all are freely available. As an end-user I'm not sure that it makes a difference.

Sure, open source software is a good thing enabling developers to expand it more easily than closed source. As a developer, I sure would like to get into the internals of Skype and see what I can hack on.

That said, I know full well that the heart of the magic that makes Skype actually work is a number of patented closed-source proprietary media codecs. Then there is also the issue of the network itself, which isn't exactly open either.

But there are some real positives from Skype going open source too.

Google Back to Full Speed on Chrome browser dev

By Sean Kerner   |    November 02, 2009

From the 'Code Yellow Alert' Files:

Google Chrome development is moving along full speed ahead. Why is this news? Well let me tell you...

Early last week, Google developer Anthony LaForge (no not Geordi, he's working on the warp core still...) issued a 'Code Yellow' alert halting all Google Chrome releases until some critical bugs could be fixed.

By the end of the week, not only was the Code Yellow lifted, but Google also managed to issue two dev-channel releases for the Chrome browser. Nice recovery Google, very nice.

The dev-channel release is the most recent release and packs in a few interesting additions to Chrome.  There are numerous bug fixes for all platforms and Mac users finally get printing and the Apple Quicktime plugin.

What's also interesting from my point of view is that Google is now treating its Chrome Frame - the effort to enable Chrome to run inside of a Microsoft Internet Explorer browser - as its own release version, same as Windows, Linux and Mac.

There are 14 separate fixes for Chrome Frame made by Google in its recent release, and that's significant. It means that Google takes its fight to take over IE from the inside seriously and is putting the full weight of its Chrome engineering expertise into the effort.

Firefox 3.6 Beta 1 doesn't know about:me, but it's fast

By Sean Kerner   |    November 02, 2009

From the 'Where Did the Features Go?' files:

The first official Mozilla Firefox 3.6 Beta release is now available, bringing with it a whole bunch of improvements to the open source web browser. It's also (to my naked eye) missing a few features that I had initially expected to see in Firefox 3.6.

Officially the Firefox 3.6 release is being called a minor upgrade and will be made available to all Firefox 3.5.x users.

While it's called minor by Mozilla, in my own limited tests on both Linux and Windows XP SP3, the Firefox 3.6 browser starts faster than its Firefox 3.5.x predecessor. According to Mozilla, overall JavaScript performance has been improved as well.

On the security front, Firefox 3.6 includes a built-in plugin detection capability to alert users to out-of-date items.

In previous versions of Firefox users could 'theme' their browsers, but with Firefox 3.6 there is integrated support for Firefox Personas, which are complete skins for the browser.

Then there are the under-the-hood improvements like expanded CSS support and support for the new Web Open Font Format (WOFF), which builds on Firefox 3.5.x's earlier work on expanding font support and options for developers.

Not a bad list of items and certainly the speed improvements of this release make it worthwhile.

That said, it is missing a number of items that I was looking forward to seeing in this release.
