Wednesday, March 07, 2007

Mozilla Issues Fixes for Firefox, SeaMonkey Flaws

The Mozilla Foundation has published a fix for a "critical" JavaScript vulnerability in the Firefox browser and the SeaMonkey application suite.

The fix, released Monday, is for Firefox versions 2.0.0.2 and 1.5.0.10 and for SeaMonkey versions 1.1.1 and 1.0.8. The problem was introduced by an earlier fix for a JavaScript issue, which left scripts from Web content able to execute arbitrary code, the Mozilla Foundation said in its security update.

The vulnerability allowed uniform resource identifiers, or URIs, in image tags to be executed even if JavaScript was disabled in the program preferences, Mozilla said. Because disabling JavaScript does not protect against the flaw, the foundation recommended that users upgrade to the new versions rather than rely on that setting.

Mozilla's Thunderbird e-mail client was not affected by the vulnerability, it said.
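The practical lesson of the item above is that a "JavaScript off" setting is not a control you can rely on against script-scheme URIs in image sources; the check has to be made on the content itself. The following Python filter is an added example (the editor's, not Mozilla code, and not a description of the patched bug's internals): it parses a constructed page and rejects any `<img src>` whose scheme is a script scheme, after undoing the usual disguises (leading whitespace, mixed case, embedded tabs, HTML-entity-encoded letters). It assumes the dangerous image-tag URIs were script-scheme (`javascript:`) URIs; the scheme list and the sample page are assumptions for illustration.

```python
from html.parser import HTMLParser
from typing import List

# Schemes whose "resource" is code the browser runs rather than data it
# fetches. Editor's choice for this example; the advisory names no list.
SCRIPT_SCHEMES = {"javascript", "vbscript"}

# Characters browsers ignore anywhere inside a URL (tab, LF, CR) and the
# leading C0 controls/space they strip before parsing the scheme.
_IGNORED = "\t\n\r"
_LEADING = "".join(chr(c) for c in range(0x21))


def normalize_scheme(uri: str) -> str:
    """Return the lower-cased scheme a browser would parse from uri, or ''.

    Stripping and lower-casing first is what defeats the usual tricks:
    ' JaVaScRiPt:', 'java\\tscript:' and entity-encoded letters (the
    HTML parser has already decoded those before the value gets here).
    """
    cleaned = "".join(ch for ch in uri if ch not in _IGNORED).lstrip(_LEADING)
    head, sep, _rest = cleaned.partition(":")
    if not sep or not head:
        return ""
    # RFC 3986 scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ); anything
    # else before the first ':' means a relative path, not a scheme.
    if not (head[0].isascii() and head[0].isalpha()):
        return ""
    if not all(c.isascii() and (c.isalnum() or c in "+-.") for c in head):
        return ""
    return head.lower()


def is_script_uri(uri: str) -> bool:
    return normalize_scheme(uri) in SCRIPT_SCHEMES


class ImgSrcAuditor(HTMLParser):
    """Collect every <img src=...> value and flag the script-scheme ones."""

    def __init__(self) -> None:
        super().__init__()  # attribute values arrive entity-decoded
        self.seen: List[str] = []
        self.flagged: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "img":
            return
        for name, value in attrs:
            if name == "src" and value is not None:
                self.seen.append(value)
                if is_script_uri(value):
                    self.flagged.append(value)


def audit_html(doc: str) -> List[str]:
    """Return the <img src> values in doc that a sanitizer should reject."""
    auditor = ImgSrcAuditor()
    auditor.feed(doc)
    auditor.close()
    return auditor.flagged


# Constructed sample page (not real Web content): two ordinary images,
# one inline data: image, and four disguised script-scheme sources.
SAMPLE_HTML = """
<img src="http://example.test/logo.png">
<img src="/static/banner.gif" alt="relative path">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<img src="javascript:alert(document.cookie)">
<img src=" JaVaScRiPt:alert(1)">
<img src="java&#x09;script:alert(2)">
<img src="&#106;avascript:alert(3)" />
"""

if __name__ == "__main__":
    for bad in audit_html(SAMPLE_HTML):
        print("rejected img src:", repr(bad))
```

The scheme check deliberately runs on the decoded attribute value rather than on the raw markup: a filter that looks for the literal string `javascript:` in the HTML source misses `&#106;avascript:` and `java&#x09;script:`, both of which the browser resolves to the same scheme.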

Bagle Worm Still Swarming over the Net

The Bagle worm continues to plague the Internet over three years after it first appeared, with many anti-virus engines unable to keep up, a security vendor has claimed.

In an analysis released this week, Commtouch Software said its Virus Outbreak Detection Research Labs (VRDL) were still finding an average of 625 new variants of the mass-mailing worm per day, and up to 1,000 on peak days. The count of new variants, defined as versions with differing MD5 checksums, had passed 30,000 since the beginning of 2007 alone.

According to the company, the sheer volume of new variants means that traditional anti-virus and heuristic scanners can no longer keep up with the flood. Matters are made worse by Bagle (sometimes spelled "Bagel") using "stealth outbreaks": small numbers of a new variant are distributed so as to exploit the window between first release and detection.

Commtouch doesn't offer any evidence that rival security products can't detect this large number of variants, and the MD5-based definition cuts both ways: files that differ only by checksum are likely to share content features that a signature or heuristic can still match, so "distinct MD5" measures the attackers' repacking churn rather than the number of distinct detections needed.
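To make that counting point concrete, here is an added Python example (the editor's, not Commtouch's analysis or data). A constructed stand-in for a mass-mailer body is wrapped in random per-send junk, which gives every copy a fresh MD5, while a byte signature and a strings-based feature hash still treat every copy as one family. The worm body, the signature and the junk-generation scheme are all assumptions for illustration; nothing here is Bagle code.

```python
import hashlib
import random
from typing import Dict, List

# Constructed stand-in for the invariant part of a mass-mailer: the bytes
# a repacker has no reason to touch. Not Bagle code.
CORE = b"<constructed mass-mailer stub> harvest=addrbook attach=self.zip smtp=direct"

# A content signature chosen from CORE, the way an analyst would pick a
# distinctive byte string rather than hash the whole file.
SIGNATURE = b"harvest=addrbook attach=self.zip"


def make_variant(rng: random.Random) -> bytes:
    """One 'new variant': CORE wrapped in per-send junk so its MD5 changes."""
    # High-bit bytes only, so the junk never forms printable strings.
    header = bytes(rng.randrange(0x80, 0x100) for _ in range(16))
    trailer = bytes(rng.randrange(0x80, 0x100) for _ in range(rng.randrange(32, 200)))
    return header + CORE + trailer


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def printable_strings(data: bytes, min_len: int = 8) -> List[bytes]:
    """strings(1)-style extraction: runs of >= min_len printable ASCII bytes."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":          # NUL sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(bytes(cur))
        cur = bytearray()
    return runs


def feature_hash(data: bytes) -> str:
    """Hash of the sorted set of printable strings: unchanged by junk padding."""
    feats = sorted(set(printable_strings(data)))
    return hashlib.sha256(b"\n".join(feats)).hexdigest()


def signature_matches(data: bytes) -> bool:
    return SIGNATURE in data


def count_variants(samples: List[bytes]) -> Dict[str, int]:
    """Three ways of counting the same corpus of samples."""
    return {
        "distinct_md5": len({md5_hex(s) for s in samples}),
        "distinct_feature_hash": len({feature_hash(s) for s in samples}),
        "signature_hits": sum(signature_matches(s) for s in samples),
    }


def build_corpus(n: int, seed: int = 2007) -> List[bytes]:
    """n variants from a seeded generator, so runs are reproducible."""
    rng = random.Random(seed)
    return [make_variant(rng) for _ in range(n)]


# Constructed benign file: PNG header plus a byte ramp, no worm content.
BENIGN = b"\x89PNG\r\n\x1a\n" + bytes(range(256))

if __name__ == "__main__":
    corpus = build_corpus(625)   # one "day" at the average rate quoted above
    print(count_variants(corpus))
    print("benign matches signature:", signature_matches(BENIGN))
```

Run as-is, the corpus of 625 samples yields 625 distinct MD5s, one distinct feature hash and 625 signature hits. The caveat is that a strings-based feature hash is itself trivially evaded once the author starts obfuscating the strings; the example only shows that the MD5 variant count and the number of detections an engine actually needs are different quantities.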

The ultimate purpose of the vast Bagle family is, as ever, the distribution of spam, which goes a long way to explaining its continued popularity. It could even be the most successful piece of malware in computing history.

Since first appearing in January 2004, Bagle has resurfaced in large volumes at regular intervals, though usually rated at low risk levels, and has made a nuisance of itself ever since.

Apple Update Patches QuickTime Bugs

Apple Inc. has released an update to deal with multiple vulnerabilities in QuickTime, its multimedia architecture. QuickTime is designed to enable a computer to work with real-time movies, audio, and high-quality compressed images.

The QuickTime 7.1.5 Update patches eight security bugs. According to several advisories on the US-CERT Web site, the vulnerabilities include three buffer overflow bugs and three integer overflow bugs. US-CERT warns users to download the update as soon as possible.

US-CERT published details of the vulnerabilities in its Vulnerability Notes Database.

Bojan Zdrnja, a handler at the SANS Internet Storm Center, wrote in a diary entry that the ISC has received messages saying Apple's auto-updater in older versions of QuickTime does not find and download the new release. "In other words, if you click on the "Update now" button, it will tell you that you have the latest version running," says Zdrnja. "So, at this point in time, if you want to run the latest (patched) version, you'll have to go there and download the installation file and install it manually."

The update can be manually downloaded from Apple's Web site.

Feds Investigating Wal-Mart Tech Who Was Fired For Spying

By Sharon Gaudin
InformationWeek

Federal prosecutors are trying to determine if a Wal-Mart systems technician who was fired for spying on fellow employees broke any federal laws.

The world's largest retailer announced on Monday that executives there had fired a technician for intercepting text messages and recording telephone conversations without authorization. The termination followed an internal investigation, begun after one of the technician's colleagues "expressed concerns" about the recordings, according to a release from Wal-Mart.

Now the U.S. Attorney's Office in the Western District of Arkansas is investigating, says First Assistant U.S. Attorney Deborah Groom. Investigators are looking into whether the employee's actions violated federal law and, if so, if it was within her office's jurisdiction.

Groom wouldn't discuss federal laws regarding intercepting and recording communications.

"The company believes that these pager intercepts and the recordings of these telephone calls were wrong and has taken a number of actions to further strengthen our policies and controls," said Mona Williams, Wal-Mart's VP of corporate communications, in a written statement. "We reported these matters to the U.S. Attorney and have kept him informed throughout the course of our investigation."

Wal-Mart's internal investigation initially found that the technician had monitored and recorded telephone conversations between Wal-Mart public relations associates and a reporter from The New York Times, the company reports. The recordings were made over a four-month period between September, 2006, and January, 2007.

Wal-Mart notified The New York Times on Monday.

The company also reported that executives took disciplinary action against two management associates for failure to carry out their management duties.

U.S. federal law generally permits a telephone conversation to be recorded if one party to it has given consent, though a number of states require the consent of all parties.

"Since Wal-Mart policies state that all electronic communications of associates using Wal-Mart communication systems are subject to monitoring and recording, Wal-Mart associates give their consent to the monitoring and recording of their calls," the company states in a written release. "Therefore, the unauthorized recording of telephone conversations by the systems technician did not violate any laws. However, it is Wal-Mart's practice to record associate phone calls only in compelling circumstances and with written permission from the legal department. The threshold for this permission is high and limited to cases of high risk to the company or its associates, such as suspected criminal fraud or security issues."

Wal-Mart's release states that these recordings weren't authorized by the company and were in "direct violation of the established operational policy that forbids such activity without prior written approval from the legal department." The statement adds that the now-terminated employee didn't seek approval.

During Wal-Mart's investigation, the company also discovered that, in separate instances, the same technician had intercepted text messages and pages, including communications that didn't involve Wal-Mart associates, according to the company's release. "The interception of text messages and pages that do not involve Wal-Mart associates is not authorized by company policies under any circumstances," the company states.

Biofuels power 'clean energy' boom

The amount of money spent on so-called clean energy--already growing at a torrid pace--is poised to quadruple in the next decade, according to a report published Tuesday by research firm Clean Edge.

The spending boom is being fueled by a confluence of factors, including broader recognition of global warming, an influx in venture capital, and growing interest in energy among corporations and politicians.

Clean Edge said that in the overall market for fossil fuel alternatives, biofuels represent the largest portion, at $20.5 billion in 2006 spending. Wind and solar power saw $17.9 billion and $15.6 billion in spending, respectively, while $1.4 billion in funding went into fuel cell technology last year.

Those four energy technologies grew in aggregate by 39 percent in 2006, year over year, to $55.4 billion. Clean Edge forecasts that the rapid growth rate will continue for the next decade, making clean technology a $226 billion market globally.

Led by the projected use of ethanol for transportation, biofuels are projected to grow to more than $80 billion in 2016. Solar power will grow more rapidly than wind, as solar manufacturers scale up their operations, Clean Edge said. The solar market, representing both products and services, will expand to nearly $70 billion, and wind will be a $60 billion market in 2016, the research group forecast.

Amid the boom, Clean Edge detailed a number of factors that potentially could slow adoption of these different energy technologies.

The rising costs of manufacturing solar photovoltaic systems and building biofuel refineries could slow anticipated price drops relative to other fuel sources, said Ron Pernick, one of the report's authors.

Due to the high cost of materials, the cost to install a megawatt of wind and solar power has gone up since 2004, and profit margins for ethanol in the U.S. "all but collapsed" in 2006.

Also, it's unclear whether the high investment rates from venture capitalists will continue, said Rodrigo Prudencio, a partner at venture firm Nth Power, which participated in the report. Venture capital in energy technology more than doubled last year to $2.4 billion, which is 9.4 percent of all venture dollars invested in the United States. By comparison, energy represented only 0.8 percent of total venture investments in 1999.

Prudencio noted that investment in biofuels, in particular, is something of a departure for venture capitalists because much of the equity is spent on the construction of physical plants rather than on intellectual property. He added, though, that these "low tech" biofuel investments carry relatively few risks.

In a conference call on Tuesday, analyst Joel Makower singled out five trends that will shape clean energy during the coming years.

Those he noted were anticipated government regulations designed to put a price on carbon emissions; biorefineries that improve the overall energy output by using animal wastes or plant byproducts during production; improved battery technology for vehicles; retail giant Wal-Mart's energy efficiency and renewable-energy programs; and utilities such as Duke Energy and Pacific Gas and Electric starting to embrace initiatives like carbon limits.

New iTunes version still not fully Vista-ready

A new version of Apple's iTunes software released Monday addresses a number of compatibility issues with Microsoft's Windows Vista, but a few problems remain.

The updated version supports the upcoming Apple TV product and includes an improved album-sorting feature, but still does not fully support Windows Vista. The new download, iTunes 7.1, is available on Apple's Web site.

When Vista arrived at the end of January, Apple told Windows users that iTunes was not yet ready for Vista because of compatibility issues. In the most dire scenario outlined by Apple, users could corrupt their iPod simply by plugging it into a Vista PC running iTunes. Problems were also reported with playing back content purchased from the iTunes Store on Vista PCs, Apple said in early February. The new version fixes several of those issues, but a few outstanding problems remain and Apple is working with Microsoft to finish the job, said Derick Mains, an Apple spokesman.

One problem that needs to be resolved is that ejecting an iPod using the "Safely Remove Hardware" icon in the system tray could result in a corrupt iPod; Apple recommends that users always eject their iPods within the iTunes software. Also, iTunes is not supported on the 64-bit versions of Vista, and contacts from the Windows Address Book may not sync properly to iPods.

More information about the remaining problems, as well as tips for getting iTunes to work properly with Vista, can be found in this document on the Apple site. Apple does not have an exact time frame for when the remaining issues will be corrected, Mains said.

Microsoft's deployment of Windows Vista has run into problems with application compatibility and driver availability, frustrating some users who have made the early move to the new operating system. Businesses aren't expected to do so until much later, after they've made sure all of their internal applications will play well with Vista.

Microsoft chastises Google on copyrights

news analysis Google's narrow view of the protections that copyright law offers creators has famously made enemies of book publishers, news organizations and professional photographers over the last few years.

Now Microsoft, which is increasingly competing with Google in business software and other areas, is piling on its rival as well. Thomas Rubin, Microsoft's associate general counsel, told an audience of book publishers on Tuesday that Google "systematically violates copyright" law. Rubin singled out Google Book Search and YouTube for specific criticism, saying the services take a "cavalier approach to copyright."

The audience was an unusually receptive one: the Association of American Publishers, which filed a lawsuit against Google in October 2005 claiming that the search giant violated copyright law by scanning and distributing copyrighted books. A trial will not take place before next year.

Google's very business model invites clashes over copyright, of course. As the company becomes more deeply interested in books and video, and expands its search domain beyond Web pages, it has found itself increasingly at odds with established content industries. In addition, its keyword advertising has antagonized some trademark holders, and last month drew allegations of profiting from movie piracy.

So far, Google's intellectual property foes have been scattered throughout industries and without any prominent allies among technology companies. Their complaints about the limits of copyright law being stretched or exceeded have attracted more derision than applause in Silicon Valley. And Google has been winning far more of its legal battles over intellectual property than it has lost.

What Rubin's speech seemed designed to do was compile and air many of the complaints about Google and copyright law--a criticism that has some additional heft because Microsoft itself operates the MSN.com search engine and benefits from legal flexibility when capturing and indexing Web content.

"Google's chosen path would no doubt allow it to make more books searchable online more quickly and more cheaply than others, and in the short term this will benefit Google and its users," Rubin said. "But the question is, at what long-term cost? In my view, Google has chosen the wrong path for the longer term, because it systematically violates copyright and deprives authors and publishers of an important avenue for monetizing their works. In doing so, it undermines critical incentives to create."

That kind of pointed attack may help to erect the scaffolding for a kind of anti-Google coalition. In addition to the book publishers and the Authors Guild, there's Agence France-Presse and its lawsuit over Google News, and Perfect 10 and its allegations over Google indexing its adult images. The American Society of Media Photographers, the Motion Picture Association of America, the Recording Industry Association of America, and the National Music Publishers Association have already filed friend-of-the-court briefs before the 9th Circuit Court of Appeals--siding with the adult photo site and against Google.

What's remarkable is that the RIAA and MPAA had taken those positions in mid-2006, months before Google acquired YouTube and the vast numbers of video clips of dubious legality that appear on the service. Since then, big media companies as varied as News Corp. and NBC Universal have taken swings at YouTube for not taking adequate steps to block pirated content. In February, Viacom demanded that YouTube remove pirated clips from properties including MTV, Comedy Central, and VH-1.

For its part, Google denies any wrongdoing. The company circulated a statement on Tuesday from David Drummond, its chief legal officer, that said: "The goal of search engines, and of products like Google Book Search and YouTube, is to help users find information from content producers of every size. We do this by complying with international copyright laws, and the result has been more exposure and in many cases more revenue for authors, publishers and producers of content."

This week's potshots at Google over copyright invite comparisons to Microsoft's criticism of free software six years ago, which led company co-founder Bill Gates to characterize the GPL (the GNU General Public License) as having a "Pac-Man-like nature" that consumes other software. Other Microsoft efforts called GPL-released software "viral," and the so-called Halloween documents warned that Linux poses a serious threat to Windows' hegemony.