Chrome 21 arrives with new API for video and audio communication

H-online: With the release of Chrome 21, web applications can now directly access the local system’s built-in camera and microphone. Instead of requiring a special plugin, the major stable update to the WebKit-based web browser includes a new HTML5 getUserMedia API – currently a W3C Editor’s Draft – to provide web apps with access to the camera and microphone. For security purposes, users will be prompted to grant apps permission to access the hardware.

Google Software Engineer Shijing Xian says that the new release is Chrome’s “first step” towards implementing the Web Real Time Communication (WebRTC) standard, which enables browsers to use JavaScript to control real-time communications. The addition of the getUserMedia API support also enables functionality such as motion detection and real-time video effects – one demo, from StinkDigital, lets users play a xylophone by waving their hands, while another web app called HTML5 Webcam Toy uses WebGL fragment shaders (GLSL) to apply real-time special effects to a live camera video feed.

Before accessing a user’s built-in camera and microphone in Chrome, web apps must first get the user’s permission

Other changes include the addition of a Gamepad JavaScript API that enables game controllers to be used with web-based games, and improvements to Google’s Cloud Print technology, which lets users print over the web from PCs, smartphones and tablets. On Mac OS X systems, Chrome 21 now supports the new Retina display (HiDPI) in Apple’s latest MacBook Pro laptop.

Version 21 of Chrome also closes a total of 26 security holes in the browser. These include integer overflows, use-after-free errors and out-of-bounds writes in the PDF viewer, as well as a use-after-free problem in CSS DOM, and a buffer overflow in the WebP image format decoder, all of which are rated as “high severity” by the company. A critical vulnerability in tab handling and a medium-severity cross-process interference problem in renderers that affect Linux systems have also been corrected.

A full list of security fixes can be found in a post on the Google Chrome Releases blog. Chrome 21 is available to download from google.com/chrome for Windows, Mac OS X and Linux; existing users can upgrade using the built-in update function. Chrome is built from Chromium, the open source browser project run by Google.

http://h-online.com/-1657169

Why Google or Facebook Buying Your Favorite Startup

Time Techland wrote:


When I learned this morning, via Twitter, that the small company behind Mac/iOS e-mail app Sparrow was being bought by Google, I almost didn’t need to read the startup’s announcement to know the upshot.

Google and Facebook buy itty-bitty web companies all the time. And the acquired businesses typically convey what’s happening in an eerily consistent five-step ritual:

  1. Announcement of thrilling acquisition
  2. Reiteration of startup’s wildly ambitious founding notion
  3. Explanation that either Google or Facebook is the best place to change the world
  4. Acknowledgement (or sometimes non-acknowledgement) that the startup’s product is being discontinued or is going into limbo
  5. Expression of heartfelt gratitude to various supporters, usually including the consumers who are losing something they liked

So it seems to be going with Sparrow: Its five-person team will be working on Gmail henceforth; the existing Sparrow apps aren’t being discontinued, but they apparently won’t get any updates, either.

…[SNIP]…

Why does this keep happening? There are several related factors at work:

Google and Facebook are already pursuing ginormous dreams of their own and don’t need new ones. They’ve got the resources they need to turn them into reality, and hundreds of millions of users who are already on board. Which is why they’re rarely all that interested in the actual products produced by the companies they snap up, especially if they cater to relatively specific needs and small user bases, such as Sparrow’s signature creation, its Gmail app for OS X.

Tiny startups are full of smart, ambitious people. To keep growing, Google and Facebook need to hire armies of smart, ambitious people–and the most efficient way to do so is often to buy small companies and thereby acquire their teams.

Large, well-established companies are envious of small, young companies. Both Google and Facebook remain more intrepid and innovative than your average great big company. But when you’re huge, you obsess over the possibility of becoming bloated, lethargic and bureaucratic. You also get paranoid that some little-known upstart will create the next big thing. Buying startups is a way to address all these fears–or at least seems like one.

Getting bought by Google or Facebook is a viable business model. Many startups with cool products don’t have a clear idea of how they’re going to make money with them. Cashing a check for a few million dollars is an expedient way to do it.

Working for a powerful web giant probably does sound appealing. I don’t think the startup founders are fibbing when they say that joining a huge company will help them fulfill their founding missions. Still, the scrappy renegades who found startups and invent new things rarely seem to be content at bigger companies forever. One example that springs to mind involves Twitter rather than Google or Facebook: Loren Brichter, creator of the amazing app Tweetie, left Twitter only 19 months after he joined it.

Continue Reading: http://techland.time.com/2012/07/20/why-google-or-facebook-buying-your-favorite-startup-means-its-probably-toast/

Marissa Mayer and Future Relationship of Yahoo!, Google and Facebook

Eric Jackson in Forbes wrote:

There are so many intriguing aspects of Marissa Mayer‘s hiring at Yahoo! (YHOO).

However, what intrigues me the most is what the future strategic direction of Yahoo! will be under her watch and what this means for the company’s future relationships with Google (GOOG) and Facebook (FB) (not to mention Microsoft (MSFT)).

Presumably, Marissa already has the start of a strategic vision. And she said as much in a leaked memo yesterday:

The company has been through a lot of change in the past few months, leaving many open questions around strategy and how to move forward. I am sensitive to this. While I have some ideas, I need to develop a more informed perspective before making strategy or direction changes.

Continue Reading: http://www.forbes.com/sites/ericjackson/2012/07/20/predicting-the-strange-future-relationship-of-yahoo-google-and-facebook/

Longtime Google Exec Marissa Mayer Is Yahoo’s New CEO

TechCrunch: Marissa Mayer, the technology executive who has worked at Google since the search company’s earliest days, has been appointed CEO of Yahoo.

The news was first reported by the New York Times. The company has confirmed the appointment in a press release, which is embedded in full below.

Mayer’s first day will be tomorrow, which is also when Yahoo’s next quarterly earnings call is slated to take place.

Continue Reading Here: http://techcrunch.com/2012/07/16/yahoo-marissa-mayer-ceo/

Fake Skype app on Android is malware

ZDNet wrote:

A new piece of malware is trying to take advantage of Skype’s increasing popularity, especially on mobile devices. Cybercriminals have created a fake version of the Skype for Android app, designed to earn money from unsuspecting users. Trend Micro, which first discovered the malware, is calling this particular threat JAVA_SMSSEND.AB.

The Java in the name should not surprise you, given that Android apps are primarily developed in a custom version of the programming language. Thankfully, this is not a very good fake. The app in question only runs on older (pre-Software Installation Script) Symbian phones or Android devices that allow execution of Java MIDlets.

The cybercriminals behind this scheme have set up fake websites advertising fake Skype apps. Most of the sites are hosted on Russian domains (.ru) but the fake apps themselves are hosted on Nigerien domains (.ne).

The reason this is not a good fake is that instead of an .apk file (the expected package file for Android apps), users are served up with a .jar (Java MIDlet). While the app poses as an installer for Skype, what it really does is install a piece of malware. The devil is in the details: in the background, the malicious app sends expensive international text messages to earn its creators revenue.

Android lets you download and install apps from anywhere. If you want the official version of an app, however, get it from the official Google Play store. Here is the official Skype link: play.google.com/store/apps/details?id=com.skype.raider.

Chrome 20 update fixes high-risk security vulnerabilities

Google has published a new update to the stable 20.x branch of Chrome to close a number of security holes in the WebKit-based web browser. Version 20.0.1132.57 of Chrome addresses a total of three vulnerabilities, all of which are rated as “high severity” by the company.

These include two use-after-free errors in counter handling and in layout height tracking that were discovered by a security researcher by the name of “miaubiz”. As part of its Chromium Security Vulnerability Rewards program, Google paid the researcher, who is number three in the company’s Security Hall of Fame, $1,000 for discovering and reporting each of the holes. A third high-risk problem related to object access with JavaScript in PDFs has also been corrected. As usual, further details about the vulnerabilities are being withheld until “a majority of users are up-to-date with the fix”. Other changes include stability improvements, and updates to the V8 JavaScript engine and the built-in Flash player plug-in.

Google also updated the Stable Channel of its ChromeOS operating system, currently available only on Samsung and Acer’s Chromebook notebooks, to version 20, just over two weeks after Google released the Chrome 20 browser on 26 June. ChromeOS 20.0.1322.54, based on the open source Chromium OS project, includes the security and stability improvements from Chrome, while also adding support for Google Drive, using Google Docs offline and other enhancements.

Chrome 20.0.1132.57 is available to download for Windows, Mac OS X and Linux from google.com/chrome; existing users can upgrade via the built-in update function. Chrome is built from Chromium, the open source browser project run by Google.

Chrome 20 closes 23 security holes

Google has closed a total of 23 vulnerabilities with the release of Chrome 20. Of those vulnerabilities, 14 are rated critical, enabling attackers to execute code in the browser’s sandbox, among other things. Integer overflow vulnerabilities in the code for processing PDF files and Matroska containers (.mkv) have also been fixed. Chrome 20 also includes the latest version of Adobe’s Flash Player on Linux, using the new cross-platform Pepper API. In testing at The H, it was confirmed that the Flash Player support also works on 64-bit Linux systems.

Google has also embedded the “Chrome to Mobile” feature that was previously available as an extension; if the Google account that is registered with Chrome is also linked with an Android phone, the current web page can be forwarded to the smartphone by clicking on the mobile phone symbol in the address bar. This feature only works with a phone running the beta of Chrome for Android, which requires Android 4.0 or higher.

Chrome usually updates automatically in the background. Users can find out whether the current version has already been installed by clicking on the wrench icon and selecting “About Google Chrome”. If required, a manual update can be triggered this way.

http://h-online.com/-1627112

Google closes persistent XSS holes in Gmail

The H-online: Google has closed several cross-site scripting (XSS) holes in its Gmail email service – which has more than 350 million active users – that could have allowed an attacker to inject a malicious client-side script into a victim’s system. Security researcher Nils Juenemann discovered the three different XSS vulnerabilities in Gmail and disclosed them to Google’s Security Team as part of the company’s Vulnerability Reward Program, in which researchers are rewarded with up to $20,000 for reporting qualifying bugs in its web-based services.

The worst of these was a persistent XSS vulnerability exploitable via a specially crafted URL; persistent XSS flaws are considered to be more dangerous than normal XSS problems as data provided by an attacker is saved by the server, possibly leading to the execution of arbitrary code. For an attack to be successful, an attacker first needed to obtain key information including the user’s static ID and the message ID. However, Juenemann says that the needed values were easy to get through referrer leaking: by sending an HTML-encoded email to victims with additional content, the required information is leaked when the message is opened and a link is clicked.

The other XSS flaws were a persistent DOM-based (Document Object Model) XSS bug and a reflective DOM XSS bug in the mobile view for Gmail used on, for example, tablets such as the iPad. Juenemann says that the Google Security Team was quick to fix the bugs after he reported them. Further details about these can be found in Juenemann’s blog post, in which he also recommends that users enable 2-step verification on their accounts.

http://h-online.com/-1617159

Google’s reCAPTCHA briefly cracked

H-Online: Hackers developed a script which was able to crack Google’s reCAPTCHA system with a success rate of better than 99 per cent. They presented the results of their research at the LayerOne security conference in Los Angeles last weekend; however, their demonstration was somewhat frustrated as, just an hour before the presentation, Google made improvements to its CAPTCHA system.

Of the various CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) systems, Google’s reCAPTCHA is considered to be one of the most reliable for differentiating man from machine. By requiring users to enter visually distorted alphanumeric sequences, web service providers can, for example, ensure that their registration forms are not flooded by spam bots. Rather than trying to analyze these distorted characters, the script, code-named “Stiltwalker”, analyzed the audio version of the CAPTCHAs, which Google provides for individuals who are visually impaired.

Stiltwalker makes use of various techniques, including machine learning, but it also exploits the fact that the computer voice has a very limited vocabulary. While text CAPTCHAs are highly complex, relying on a large pool of words in a variety of fonts, Google’s audio CAPTCHAs use just 58 different English words.

Slightly frustrated, Defcon Group 949 presented their research results just as Google had fixed the problem

To make automated analysis more difficult, Google adds a background murmur which computers usually have a hard time filtering out. The hackers discovered that the background was composed of a limited number of recordings of radio programmes. The changes that Google made to reCAPTCHA shortly before the presentation render Stiltwalker impotent, but the three-man team of hackers did not let that affect the entertainment value of their presentation.

Google releases security update for Chrome 19

H-Online: Google has announced an update to the stable version of Chrome, which brings the browser version to 19.0.1084.52 on Windows, Mac OS X and Linux. The update is a pure security update that does not include any new features – it closes nine vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating of “High” and fixes two problems labelled “Critical” as well as two “Medium” level issues.

Many of the vulnerabilities are due to bugs in Chrome’s memory handling, such as out-of-bounds reads and use-after-free conditions, and Google points out that several of them were detected with their AddressSanitizer tool. Other bugs were fixed in Chrome’s PDF handling code and its V8 JavaScript rendering engine.

Further details about the security vulnerabilities have not yet been released; this is to give the updates time to roll out to all affected users. Google did announce that it has paid out its signature amount of $1337 to a researcher who reported one of the critical vulnerabilities. Three $1000 bounties and one of $500 were also paid to three other individuals as part of Google’s bounty program for Chrome security vulnerabilities. The company has recently published a detailed account of exactly how these types of vulnerabilities are discovered and how they reward the researchers who report security issues in a responsible manner.