Indiana University researcher Christopher Soghoian has discovered an unusual vulnerability that affects several widely-used Firefox extensions including the Google Toolbar, Facebook Toolbar, and Anti-Phishing Toolbar. According to Soghoian, a man-in-the-middle attack can be used on a public wireless network to trick browser extensions into downloading malicious code instead of legitimate updates. The solution to this problem, says Soghoian, is to use SSL to deploy extension updates. Since the official addons.mozilla.org server uses SSL, extensions that update from that location aren’t affected.
DNS-based man-in-the-middle attacks are futile with SSL-enabled web servers, according to Sogholan, because the browser will reject the connection to the false update server. This is because the IP address returned by the DNS server will not match the IP in the SSL certificate.
Although this security issues doesn’t necessarily represent a Firefox problem, Soghoian points out that the limitations of Firefox’s code-signing functionality certainly don’t help. “The code signing functionality in Firefox is fairly limited,” says Sogholan. “The main difference is that a signed extension will show the signer’s name when the user is prompted to install the extension, while an unsigned extension will list ‘un-signed’ next to the extension name. The availability of an update without signatures for extensions that previously had a valid signature does not raise any kind of error. Furthermore, the signature is thrown away as soon as the new extension update is installed.” continue reading…
Archive
Archive for May, 2007Perpetual Entertainment announced today that people can sign up for their chance to enter the closed beta playtest for the upcoming Gods & Heroes: Rome Rising. The game is an upcoming MMOG that let’s you be a son or daughter of an Olympian god. Players will come face to face with greek myth legends like Cyclops, Minotaur, and Medusa.
You can sign up here:www.godsandheroes.com/betasignup for a chance to get in.
EDIT: I just got time to check email and was about to remove this link as per an email from KohnkeComm.com informing us that the information pertaining to the beta was retracted but I see that the link is now active so I guess we’ll leave it up for now unless I hear otherwise from either the game provider or publishing company.
EDIT-2: I just received word from Jesse Henning with KohnkeComm.com, who was kind enough to forward a press release with updated links and full information. To read more about Gods and Heroes: Rome Rising, click the “Do You Want to Know More?” link below:
Dreamworks co-founder Jeffrey Katzenberg has announced that there will be a Shrek 4 (2010) and Shrek 5, but THAT IS IT!
“It’s a finite story, has been from the beginning and I think that’s part of its integrity, part of its strength, that we’re not thinking this up as we go,” he told The Age. “Ultimately we will come back to understand how Shrek arrived in that swamp. We will reveal his story.”
So there you have it. We have a prequel story to look forward to, and who knows what else. Oh yeah, and there is that Christmas special, and the theme park ride and… okay, realistically, the Shrek franchise will never truly end – will it?
Valve has Informed us about their plans to deliver free games to all owners of ATI RadeonT graphics cards via Steam, a popular platform for the distribution and management of digital content.
Effective immediately, all owners of ATI Radeon graphics cards may receive a free copy of Half-Life 2: Lost Coast and Half-Life 2: Deathmatch via Steam, http://www.steampowered.com/ati_offer1a/. Steam will automatically confirm the presence of ATI RadeonT hardware and then enable immediate access to full versions of the games free of charge.
For added convenience to new purchasers of ATI RadeonT products, Steam will be included in all ATI CatalystT Software and Driver packages through early 2008.
And, as recently announced by AMD, customers who purchase the new ATI RadeonT HD 2900 XT will also receive, upon release via Steam, the highly anticipated trio of new games coming from Valve: Team Fortress® 2, PortalT, and Half-Life 2: Episode Two.
That’s a very good deal, we expect to see more Radeon users within the next few weeks.
Online applications are great, but what happens when you can’t get a connection to the internet? Whether it is because you are on an airplane, or in the middle of nowhere camping, and have to get certain emails, calendar items, or files, you are quite possibly out of luck. Its sure a bummer, and one of the reasons why so many people are hesitant about using online applications for their most important information.
Now Imagine being able to take your online applications, offline, and store that data locally in a completely searchable database? Google is making this possible with Gears. Google Gears is an open source browser extension that enables web applications to provide complete offline functionality. Google hopes that developers will use this new toolset to create offline web applications using JavaScript APIs to store and serve the applications resources locally, as well as store data in searchable databases. All of the syncing runs in the background without burning out the browsers memory usage, or slowing anything down.
The Google Gears Beta is currently available for installation on Windows XP,Vista, as well as on Mac and Linux machines. The plug-in works with Firefox 1.5+ and IE 6+. Google’s first stop with Gears is Reader, with JavaScript APIs getting released shortly for data storage for use in applications like Docs and Spreadsheets.
The official Google Gears announcement will be made tomorrow to over 5,000 developers at Google’s Developer Day gathering.
Looks like the rumors were true. Auction site eBay is shelling out $75 million to buy social web discovery service StumbleUpon.
According to the press release, the acquisition gives eBay exposure to StumbleUpon’s growing community of over 2 million users. Still seems like an awkward match to us. In recent years, eBay purchased PayPal, but that was a no-brainer, and Skype, which has an obvious commercial aspect.
The company hardly needed StumbleUpon to build its brand recognition. And if they just start injecting eBay auctions willy nilly into stumble results, they’ll pretty much break the community they bought as members begin to evacuate the spam-laden sinking ship. Still, a separate “stumble to find books, computer parts, or hummels” section could make a lot of sense.
eBay senior director Michael Buhr assumes the post of general manager of StumbleUpon, while StumbleUpon’s current management team remains in place.
Yes you may be getting music DRM free but that has not stopped Apple from stamping inside the song file the user’s full name and account email embedded in them.
So if you’re dumb enough to drop the file on a P2P sharing site you may get a nice notice from the RIAA. Which brings up a major concern. What happens if your computer gets hacked or your kids sneaker net some of your music over to a friend’s house.
I am going to bet that within a day or two there will be a utility that strips that data out of the file.
Due to the security fixes, we strongly recommend that all Firefox users upgrade to these latest releases.
Note: We anticipate this to be the last release in the Firefox 1.5.0.x series. Mozilla typically maintains support for previous releases for six months after a major release. Mozilla has previously extended the planned end of life for the 1.5.0.x series in order to accommodate some recent changes in update functionality. Firefox 1.5.0.12 is available for download from http://www.mozilla.com/firefox/all-older.html but all users are encouraged to upgrade to Firefox 2.
If you already have Firefox 1.5.0.x or Firefox 2.0.0.x, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting “Check for Updates…” from the Help menu starting later today.
For a list of changes and more information, please review the Firefox 1.5.0.12 Release Notes and the Firefox 2.0.0.4 Release Notes.
Over the coming weeks, Mozilla will be presenting 1.5.0.12 users with a notification message that will offer users a “major update” to Firefox 2. Upon confirmation, a user’s browser will be upgraded from 1.5.0.12 to 2.0.0.4.
A new study shows that one fourth of human resources people have decided against hiring a job candidate based on information they found online about that person. Luckily, you can have a say in what Google says about you.
It just goes to show that you should be careful what you blog, post, or put up on the web, because you never know who will come along looking for it…