Scriam de Google Chrome , cel mai nou browser web iesit pe piata. Iata ca in scurt timp au inceput sa apara si gaurile de securitate.
Attackers can combine the months-old “carpet bomb” bug with another flaw disclosed last month to trick people running Google’s brand-new Chromebrowser into downloading and launching malicious code, a security researcher has warned.
The attacks are possible because Google used an older version of WebKit, the open-source rendering engine that also powers Apple’s Safari, as the foundation of Chrome, said Israeli researcher Aviv Raff on Wednesday.
Raff posted a proof-of-concept exploit to demonstrate how hackers could create a new “blended threat” - so-named because it relies on multiple vulnerabilities - to attack Chrome.
“This is different from the Safari/IE blended threat,” said Raff in an interview conducted via instant messaging. “It’s a different blend with one similar component. It uses the auto-download vulnerability (aka ‘Carpet Bomb’) in combination with a [user interface] design flaw and an issue with Java that doesn’t display a warning on execution of JAR files downloaded from the Internet.” Raff’s reference to the earlier Safari/IE blended threat was to his May report that said a bug in Apple’s Safari browser could be paired with an unpatched vulnerability in Microsoft’s Internet Explorer (IE) to compromise Windows PCs.
The “carpet bomb” bug, revealed by researcher Nitesh Dhanjani in May and named for the way it could be used to dump files onto the Windows desktop, stemmed from the fact that Safari did not require a user’s permission to download a file. Attackers, Dhanjani said, could populate a malicious site with rogue code that Safari would automatically download to the desktop, where it might tempt a curious user into opening the file.
After first balking - for a time it refused the classify the flaw as a security vulnerability - Apple patched the bug in mid-June by updating Safari to 3.1.2.
Raff combined the still-there carpet bomb bug with another reported by UK-based penetration tester Petko Petkov at the Black Hat security conference last month. At the time, Petkov outlined how a Java flaw allows Windows to automatically execute JAR files without prompting or warning the user. Chrome also contributes to the problem, said Raff, by making downloaded files appear as buttons at the bottom of the browser’s frame. “One click on this button will execute the file,” Raff said. Attackers could place malware on a malicious site, then wait for - or better yet, draw in - users running Chrome. The browser would not warn the user of the JAR file automatically downloaded from the site, and the button-style indicator in Chrome could be easily mistaken for part of the application.
Users can set an option in Chrome that will thwart Raff’s exploit by popping up a warning asking for a filename and location for any downloaded file. To change Chrome, select Options under the “Customize and control GoogleChrome” menu; the menu is at the far right, near the top, and although not named, looks like a small wrench. Next, click the “Minor Tweaks” tab in the Options window, then check the box that reads “Ask where to save each file before downloading.”
The blended threat, Raff argued, illustrates a bigger problem for Chrome, which has borrowed components from both Safari - via WebKit - as well as unspecified pieces of Mozilla’s open-source Firefox.
Calling the approach “problematic” from a security standpoint, Raff wondered how quickly Google will be able to patch problems in Chrome.
“They’ll have to track all security vulnerabilities in those [borrowed] features, and fix them in Chrome too,” Raff said in the blog post that spelled out more detail of the Chrome/Java blended threat. “This will probably be only after those vulnerabilities were fixed by the other vendors or were publicly reported. It will put Chrome users at risk for a long time.”
Stati ca GMAIL nu face diferenta intre o adresa cu punct si una fara? Adica, o adresa de genul: costel.popescu@gmail este vazuta de GoogleMail ca fiind costelpopescu@gmail.com . Avantaje sunt
destule, iar sistemul nu permite inregistrarea si adresei cu punct si fara punct. Deci, cel ce detine adresa de e-mail, fara punct, o detine si pe cea cu punct.
Deci Google s-a hotarat sa se arce pe o piata care este deja plina. Zeci de web brosere ne fac cu ochiul, dar noi folosim doar cateva: IExplore 6 sau 7, Mozilla Firefox, Opera, Safari, Flock. Google a auncat pe piata Chrome .
Singurul avantaj evident, (in acest moment ne aflam in fata unei versiuni beta) sunt resursele putine
ocupate. Intrebarea ar fi: daca instalarea unor add-on-uri ( care momentan nu exista ) si altor skin-uri - themes ( care momentan nu exista ) ar fi la fel de “light”.
Si sa nu uitam ca Google are si alte proiecte lasata in faza beta. Googlemail a fost vreo 2 ani bete, iar Gtalk, desii are vreo 3 ani de cand este pe piata, tot beta a ramas… si din pacate nici nu a prins asa de mult.
Urmatorul pas in saga Need for Speed este: Need For SpeedUndercover. Din trailer-uri si promo-uri suna bine. Dar sa nu uitam ca si precedentul NFS ( ProStreet ) arata bine in trailer si a fost destul de dezamagitor.
Cred ca producatorii nu mai au probleme cu calitatea grafica cat cu story line-ul jocului. Mai jos aveti un prim trailer pentru joc, care este anuntat undeva in noiembrie. Asta daca nu se intampla ca si in cazul Prostreet-ului… sa se amane cu vreo 4 luni.
Pentru cei ce nu au vazut ceremonia de deschidere a Jocurilor Olimpice 2008, am 2 cuvinte: Fantastic si uimitor.
Cateva exemple:
Deja au inceput sa apara comentarii rautacioase gen: o manifestare mult prea fastuoasa in pentru China, e multa poluare, etc.
O singura concluzie am: noi, romanii, suntem cu 50 de ani in urma lor ( cel putin ), in conditiile in care noi traim in “libertate” si “democratie”, iar ei nu.
Vizionati mai multe imagini de la Beijing in continuare topicului.
Cei de la Ubisoft s-au gandit sa ne anunte din timp de resursele necesare pentru a putea juca viitorul Far Cry 2. Si hai sa vedem de ce avem nevoie:
Minim recomandat:
CPU: Pentium 4 3.2 GHz, Pentium D 2.66 GHz, AMD Athlon 64 3500+ sau mai bun Video card: NVIDIA 6800 or ATIX1650 sau mai buna; Shader Model 3 ; 256 MB
Ram: 1 GB
Recomandat:
CPU: Intel Core 2 Duo Family, AMD64 X2 5200+, AMD Phenom sau mai bun Video card: NVIDIA 8600 GTS sau mai buna, ATIX1900 sau mai buna, 512 MB
Ram: 2 GB
Sunet: placa de sunet 5.1 recomdata
Si lista cu placi video despre care se stie ca pot rula acest joc: NVIDIA 6800, NVIDIA 7000 series, 8000 series, 9000 series, 200 series. 8800M and 8700M supported for laptops. ATI X1650 - 1950 series , HD2000 series , HD3000 series , HD4000 series.
Deci, treceti la treaba si actualizati-va pc-urile.. asta daca vreti sa jucati Far Cry 2, joc anuntat pentru apartie in toamna acestui an.
Se pare ca unele banci sunt mai expuse atacurilor de tip phishing . Cel putin in ultima saptama am primit e-mail-uri de la Raiffeisen in care, cica, dau sfaturi despre securitate si iti dau si un fisier atasat care contine o pagina in flash care imita pagina de logare a serviciului de internet banking al Raiffeisen . Mesajul este de genul:
Iar fisierul atasat se numeste Raiffeisen Online Security Click.exe . Fisierul este parolat, astfel incat antivirusul nu-l va putea scana.
In concluzie, nu deschideti atasamentul, nu instalati programele care va vin pe e-mail chiar daca vin de la adresa corecta. Intotdeauna cand vreti sa va conetati la serviciul de internet banking tastati voi adresa in Internet explorer sau Firefox.
Se zvoneste in “targ” ca se pregateste un nou PR update. Anumite tool-uri, de verificare, arata PR 0 oricarui site verificat. Se pare ca s-a umplat deja la Back links. In plus e posibil ca anumiote site-uri care pana acum erau sub penalizare de la Google, sa scape de probleme.
