Scriam de Google Chrome , cel mai nou browser web iesit pe piata. Iata ca in scurt timp au inceput sa apara si gaurile de securitate.
Attackers can combine the months-old “carpet bomb” bug with another flaw disclosed last month to trick people running Google’s brand-new Chromebrowser into downloading and launching malicious code, a security researcher has warned.
The attacks are possible because Google used an older version of WebKit, the open-source rendering engine that also powers Apple’s Safari, as the foundation of Chrome, said Israeli researcher Aviv Raff on Wednesday.
Raff posted a proof-of-concept exploit to demonstrate how hackers could create a new “blended threat” - so-named because it relies on multiple vulnerabilities - to attack Chrome.
“This is different from the Safari/IE blended threat,” said Raff in an interview conducted via instant messaging. “It’s a different blend with one similar component. It uses the auto-download vulnerability (aka ‘Carpet Bomb’) in combination with a [user interface] design flaw and an issue with Java that doesn’t display a warning on execution of JAR files downloaded from the Internet.” Raff’s reference to the earlier Safari/IE blended threat was to his May report that said a bug in Apple’s Safari browser could be paired with an unpatched vulnerability in Microsoft’s Internet Explorer (IE) to compromise Windows PCs.
The “carpet bomb” bug, revealed by researcher Nitesh Dhanjani in May and named for the way it could be used to dump files onto the Windows desktop, stemmed from the fact that Safari did not require a user’s permission to download a file. Attackers, Dhanjani said, could populate a malicious site with rogue code that Safari would automatically download to the desktop, where it might tempt a curious user into opening the file.
After first balking - for a time it refused the classify the flaw as a security vulnerability - Apple patched the bug in mid-June by updating Safari to 3.1.2.
Raff combined the still-there carpet bomb bug with another reported by UK-based penetration tester Petko Petkov at the Black Hat security conference last month. At the time, Petkov outlined how a Java flaw allows Windows to automatically execute JAR files without prompting or warning the user. Chrome also contributes to the problem, said Raff, by making downloaded files appear as buttons at the bottom of the browser’s frame. “One click on this button will execute the file,” Raff said. Attackers could place malware on a malicious site, then wait for - or better yet, draw in - users running Chrome. The browser would not warn the user of the JAR file automatically downloaded from the site, and the button-style indicator in Chrome could be easily mistaken for part of the application.
Users can set an option in Chrome that will thwart Raff’s exploit by popping up a warning asking for a filename and location for any downloaded file. To change Chrome, select Options under the “Customize and control GoogleChrome” menu; the menu is at the far right, near the top, and although not named, looks like a small wrench. Next, click the “Minor Tweaks” tab in the Options window, then check the box that reads “Ask where to save each file before downloading.”
The blended threat, Raff argued, illustrates a bigger problem for Chrome, which has borrowed components from both Safari - via WebKit - as well as unspecified pieces of Mozilla’s open-source Firefox. WAIT! There is more to read… read on »
Stati ca GMAIL nu face diferenta intre o adresa cu punct si una fara? Adica, o adresa de genul: costel.popescu@gmail este vazuta de GoogleMail ca fiind costelpopescu@gmail.com . Avantaje sunt
destule, iar sistemul nu permite inregistrarea si adresei cu punct si fara punct. Deci, cel ce detine adresa de e-mail, fara punct, o detine si pe cea cu punct.
Nu inceteaza sa ma uimeasca imaginatia oamenilor. Aparatul de care va spun se numeste FlyJumper sau PowerRise si are la baza cateva arcuri si parghii, cu ajutorul carora omul normal se transforma intr-un cangur veritabil. Dupa cum se poate vedea si din imaginile de mai jos, se pot face exercitii si “figuri” complexe… care evident necesita ceva antrenament.
Ne astepam sa-l vedem si pe la noi pe strazi, parcuri.
Deci Google s-a hotarat sa se arce pe o piata care este deja plina. Zeci de web brosere ne fac cu ochiul, dar noi folosim doar cateva: IExplore 6 sau 7, Mozilla Firefox, Opera, Safari, Flock. Google a auncat pe piata Chrome .
Singurul avantaj evident, (in acest moment ne aflam in fata unei versiuni beta) sunt resursele putine
ocupate. Intrebarea ar fi: daca instalarea unor add-on-uri ( care momentan nu exista ) si altor skin-uri - themes ( care momentan nu exista ) ar fi la fel de “light”.
Si sa nu uitam ca Google are si alte proiecte lasata in faza beta. Googlemail a fost vreo 2 ani bete, iar Gtalk, desii are vreo 3 ani de cand este pe piata, tot beta a ramas… si din pacate nici nu a prins asa de mult. WAIT! There is more to read… read on »
Pentru cine inca nu stie, azi se difuzeaza in SUA primele 2 episoade ale Sezonului 4 din serialul Prison Break. Probabil, maine dimineata vor fi disponibile si in Romania.
Gheorghe Zamfir a fost implicat sambata intr-un accident. Dupa cum spune un martor, Zamfir a deschis porbagajul masinii sale si unul din cainii sai a sarit in mijlocul drumului. Zamfir a incercat sa-l recupereze moment in care a fost lovit de o masina care circula regulamentar.
Un accident banal. Mai putin banal este ce urmeaza. Martorul anunta la 112 accidentul, vine ambulanta, vine smurd-ul, si timp de 2 ore nu vine politia ( conform martorului si a soferului implicat in accident ). Duminica, la Realitatea tv, purtatorul de cuvant al Politiei Capitalei ne-a spus ca nu exista un termen in care politia trebuie sa se prezinte la locul accidentului. Adica, dupa caz, poti sa-ti iei si cortul cu tine ca sa astepti pana vine politia.
Soferul ( nu vreau sa ma pronunt in privinta vinovatiei sale ) risca sa fie acuzat si de parasirea locului accidentului, pe langa vatamarea lui Gheorghe Zamfir.
Din cate stiam eu, parasirea locului accidentului inseamna: trosc accident, soferul demareaza in forta si pa.
Purtatorul de cuvant era foarte acuzator la adresa soferului implicat in accident. Ce bine cand vezi atata inversunare a autoritator in rezolvarea unui caz, dar oara in “n” alte cazuri ce s-a intamplat? In cazul Accidentului de pe Kiseleff, cand soferul a fost clar vinovat ca nu a oprit la trecerea de pietoni, ce s-o mai fi intamplat? Au lasat-o sa scape pe soferita vinovata? WAIT! There is more to read… read on »
Stiati ca: daca inhalati un timp indelungat fumul produs de diverse betisoare parfumate, riscati sa va imbolnaviti de cancer? Reuters informeaza ca acesta e rezultatul unui studiu de aproape 12 ani pe ~ 60.000 de chinezi care traiesc in Singapore.
Deci.. inca un lucru pe care nu e recomandat sa-l mai faceti. Life is great.
Urmatorul pas in saga Need for Speed este: Need For SpeedUndercover. Din trailer-uri si promo-uri suna bine. Dar sa nu uitam ca si precedentul NFS ( ProStreet ) arata bine in trailer si a fost destul de dezamagitor.
Cred ca producatorii nu mai au probleme cu calitatea grafica cat cu story line-ul jocului. Mai jos aveti un prim trailer pentru joc, care este anuntat undeva in noiembrie. Asta daca nu se intampla ca si in cazul Prostreet-ului… sa se amane cu vreo 4 luni.