Tuesday, March 8, 2011

Google issues last-minute Chrome fixes before Pwn2Own


Day before hacking contest starts, fixes 25 flaws and pays out $16K in bounties
Google patched 25 vulnerabilities in Chrome today in one last update before the Pwn2Own hacking contest starts Wednesday in Canada.
The company has a lot on the line at Pwn2Own, which runs March 9-11 at the CanSecWest security conference in Vancouver, British Columbia.
The first researcher to hack Chrome on Wednesday will be paid $20,000 by Google. If no one breaks the browser that day, the rules change and Google will fork over $10,000 for a successful exploit on Thursday or Friday, with Pwn2Own sponsor HP TippingPoint ponying up another $10,000.
Other browsers that researchers will tackle at Pwn2Own include Apple's Safari 5, Microsoft's Internet Explorer 8 and Mozilla's Firefox 3.6.
Tuesday's 25-patch update fixed 15 vulnerabilities rated "high," the second-most-severe ranking in Google's scoring; three labeled "medium"; and seven pegged as only "low."
None of the vulnerabilities was ranked "critical," the category essentially reserved for bugs that may let an attacker escape Chrome's anti-exploit "sandbox." Google has patched two sandbox-escape bugs this year.
Today's Chrome update was the second in the last eight days: Google patched 19 browser bugs on Feb. 28.
Three of the vulnerabilities were identified as "stale pointer" bugs, a term that describes flaws in an application's -- in this case, Chrome's -- memory allocation code. Google has patched numerous stale pointer bugs in the last two months.
Other flaws fixed today were credited to a wide range of the browser's components, including its V8 JavaScript engine, the code that processes video, and WebKit, the open-source browser engine that both Chrome and Apple's Safari use as their foundations.
As is its practice, Google locked its bug tracking database to bar outsiders from viewing the technical details of the just-patched vulnerabilities. The company blocks public access to flaws for weeks or even months to give users time to update.
Google paid out a record $16,174 in bounties for finding and reporting 15 of the vulnerabilities patched today. Five different researchers received checks, with frequent-contributor Sergey Glazunov taking home $6,500 and Daniel Divricean earning $3,174.
So far this year, Google has spent nearly $50,000 on bug bounties.
Along with the security update, Google also upped Chrome's stable channel -- the browser comes in three editions, stable, beta and dev -- to version 10. The upgrade to Chrome 10 came less than five weeks after Google boosted the stable channel to version 9.
Chrome 10 includes a new JavaScript optimization technology, dubbed "Crankshaft," that boosts the browser's JavaScript rendering engine's speed in some benchmarks. Google debuted Crankshaft in the dev channel last December, and in the beta line last month.
According to Computerworld's tests, Crankshaft increases Chrome's score on Google's own V8 JavaScript benchmarks by 64%, but doesn't improve the browser's score on the more widely used SunSpider test suite.
Other additions to Chrome 10 include site password synchronization, and the first appearance in a stable build of an anti-exploit "sandbox" to isolate the integrated copy of Adobe's Flash Player.
Google has been releasing rougher versions of Chrome with a Flash sandbox since early December 2010.
Chrome 10 can be downloaded for Windows, Mac OS X and Linux from Google's Web site. Users already running the browser will be updated automatically.

Microsoft patches critical Windows drive-by bug

But leaves IE vulnerable at Pwn2Own, says unexpected update would be disruptive
Microsoft today shipped three security updates that patched four vulnerabilities in Windows and Office.
And, as expected, Microsoft did not release patches for Internet Explorer (IE) to bolster the browser's chances of surviving Pwn2Own, the hacking contest that begins tomorrow.
Even the company called today's Patch Tuesday an easy ride for customers. "It's a light month," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), the team responsible for investigating, patching and issuing fixes.
Microsoft has fallen into the practice of shipping fewer patches during odd-numbered months. In January, for example, it patched just three vulnerabilities, while last month it fixed 22 flaws.
Only one of the three updates -- Microsoft calls them "bulletins" -- was rated "critical," the company's top-level threat ranking. The other two were labeled "important," the second-most dire warning.
The MS11-015 bulletin was the single critical update.
"That's the one we would worry about most," said Wolfgang Kandek, CTO of Qualys.
The update patches a pair of vulnerabilities, including one in the Windows Media Center and Windows Media Player components found in almost all versions of Windows. The flaw resides in Digital Video Recording (DVR-MS) files, which are created by the Stream Buffer Engine (SBE) and stored with the ".dvr-ms" file extension.
"This is a browse and own vulnerability," said Bryant, talking about the kind of bug attackers could exploit simply by convincing users to visit a malicious site.
"It's a drive-by bug," echoed Andrew Storms, director of security operations at nCircle Security. "There are two exploit methods, the first in an IFRAME, which would be a typical drive-by. The other is as an e-mail attachment, which it appears that users would have to actually open, not just preview [in their e-mail client]."
All client editions of Windows, including Windows XP, Vista and Windows 7, are vulnerable until patched. The sole exception: Windows XP Home Edition, which does not support the flawed codec, said Angela Gunn, a senior communications response manager with MSRC.
The second vulnerability in MS11-015, and the two others patched in MS11-016 and MS11-017, are classified as "DLL load hijacking" flaws, sometimes called "binary planting" bugs.
Researchers first revealed significant DLL load hijacking issues in Windows, Microsoft's software and a wide range of third-party Windows applications last August. Microsoft started patching DLL load hijacking bugs in its own programs last November.
In December, Bryant said that Microsoft believed it had wrapped up its work on DLL load hijacking. But in January and February, the company issued additional fixes for the problem.
"This is kind of an ongoing investigation for us," Bryant said today. "[Although] we think we've found all the ones in IE, we're still going through the rest of our product base."
Kandek and Storms both said that it was likely Microsoft would continue to roll out DLL load hijacking fixes for some time. "This will continue for years to come, not only from Microsoft, but also from third-party vendors," said Kandek.
Even though the alarm was raised in August and Microsoft rushed out a tool to block potential attacks, hackers have not used the technique to compromise Windows computers, or if they have, the efforts have gone undetected.
Storms wasn't surprised.
"These are very difficult to exploit," he said. "Last year, it was 'Oh my gosh,' but it turned out to be not so easy to exploit these because it required users to browse to the malicious location and open the file, and the attacker to plant a [malicious] DLL and a bad file. That's quite a few steps."
HD Moore, the chief security officer at Rapid7 and the creator of the popular Metasploit open-source hacking toolkit, today reminded enterprises that they can make it more difficult for attackers to exploit any DLL load hijacking bug by disabling the WebDAV client service on all Windows PCs, and blocking outbound ports 139 and 445.
Moore was one of the first to reveal the new class of DLL load hijacking vulnerabilities last year.
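The two mitigations Moore describes are a standard hardening step and can be audited and applied with a short script. The following is an added example written for this page, not Moore's, Rapid7's or Microsoft's own tooling; it assumes an elevated PowerShell prompt on Vista/Windows 7-era Windows, and the firewall rule name is an arbitrary label chosen here.

```powershell
# Added example, not from the article or from Rapid7/Microsoft: audits and,
# with -Apply, enforces the two mitigations recommended above against DLL load
# hijacking over WebDAV/SMB. Run from an elevated PowerShell prompt.
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

# Arbitrary rule label chosen for this example.
$ruleName = "Block-Outbound-SMB-139-445"

# 1. The WebDAV client is the Windows service named "WebClient". With it stopped
#    and disabled, UNC paths pointing at remote WebDAV shares can no longer be
#    resolved, which removes one of the remote delivery paths for a planted DLL.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "WebClient service is not present on this system."
} else {
    $startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'").StartMode
    Write-Output ("WebClient service: status={0}, startup={1}" -f $svc.Status, $startMode)
    if ($Apply) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
        Set-Service -Name WebClient -StartupType Disabled
        Write-Output "WebClient service stopped and set to Disabled."
    }
}

# 2. Outbound TCP 139 (NetBIOS session) and 445 (SMB) via the Windows Firewall.
#    netsh advfirewall is used because it is present on Vista, Windows 7 and
#    Server 2008 without any extra modules.
$existing = netsh advfirewall firewall show rule name="$ruleName"
if ($existing -match 'Rule Name:') {
    Write-Output "Firewall rule '$ruleName' is already present."
} elseif ($Apply) {
    netsh advfirewall firewall add rule name="$ruleName" dir=out action=block protocol=TCP remoteport=139,445 | Out-Null
    Write-Output "Added outbound block rule for TCP 139,445."
} else {
    Write-Output "No outbound block rule for TCP 139,445 found (re-run with -Apply to add it)."
}
```

Run it without -Apply first to see what would change. Both steps have side effects a practitioner should plan for: disabling WebClient breaks mapped WebDAV drives and some SharePoint workflows, and an unconditional outbound block on 139/445 also cuts access to ordinary corporate file servers, so in practice the rule is usually scoped with netsh's remoteip= parameter to block only traffic leaving the internal network.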
Microsoft did not patch IE before the Pwn2Own hacking challenge that kicks off Wednesday, however.
Pwn2Own, which pits security researchers against four browsers, including IE, Apple's Safari, Google's Chrome and Mozilla's Firefox, runs March 9-11 in Vancouver, British Columbia, at the CanSecWest security conference. The first researcher to take down IE, Safari or Firefox will receive a $15,000 prize, while $20,000 is at stake for Chrome.
Today, Bryant said it wasn't worth disrupting customers' patching schedules with an unexpected security update to boost IE's chance of surviving Pwn2Own.
"We don't see a reason to disrupt customers just for the contest," Bryant said. "Going out-of-band is a potential disruption, and we don't do that unless [a vulnerability] is actively being attacked."
Microsoft's declining to patch IE prior to Pwn2Own wasn't a surprise: The company now delivers IE updates in even-numbered months, and last patched the browser on Feb. 8.
In any case, Bryant added, there's no danger of any vulnerability exploited at Pwn2Own escaping into the wild. "Pwn2Own bugs are reported to vendors in a coordinated way," Bryant said.
HP TippingPoint, whose Zero Day Initiative (ZDI) bug bounty program sponsors Pwn2Own and pays out the vast majority of the cash prizes, buys the rights to the bugs exploited at the contest, then hands them over to the vendors. ZDI gives developers six months to patch any bug it buys before it publicly releases information.
Both Google and Mozilla have recently patched their browsers -- Google did again earlier today -- and Apple is expected to update Safari before Pwn2Own begins.
Microsoft's security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services (WSUS).

Researcher blows $15K by reporting bug to Google


Reported an Android Market flaw that would have won him top-dollar at Pwn2Own
A security researcher lost a sure $15,000 at this week's Pwn2Own hacking contest because he had earlier reported the bug to Google, which has patched the vulnerability in its Android Market.
"I missed out money wise," said Jon Oberheide, co-founder and CTO of Duo Security, a developer of two-factor authentication software. "But it was good that Google is rewarding researchers. And now I have my first Android vulnerability that qualified for a bounty."
Google, which pays bounties for bugs reported in its software, cut a check to Oberheide for $1,337.
But Oberheide could have used the same bug to walk off with a $15,000 cash prize at Pwn2Own, the hacking challenge that starts Wednesday in Vancouver, British Columbia as part of the CanSecWest security conference.
Oberheide was slated as the first in line to tackle the Samsung Nexus S phone and its Android mobile operating system. Because Pwn2Own is a winner-take-all contest -- the first to hack each of the four smartphones receives $15,000 -- and because Oberheide had a working exploit, he was almost guaranteed the money.
"It was a plain-vanilla and unsophisticated XSS [cross-site scripting] bug, as simple as simple can be," said Oberheide in an interview Monday. "But while the vulnerability was trivial, the impact was fairly significant."
Oberheide had uncovered a bug in Google's Android Market that allowed attackers to force Android phones to download and install malicious software. All that criminals needed to do was to dupe users into clicking a malicious link, either on their desktop or phone.
According to Oberheide, the Android Market -- Google's official app store -- contained an XSS vulnerability in the e-mart's Web site. The site lets Android users not only view and select apps for the smartphones, but also allows them to install new apps directly to their phones while browsing the Market on their desktop.
"While being able to browse the Android market via your browser on your desktop and push apps to your device is a great win for user experience, it opens up a dangerous attack vector," Oberheide explained in a detailed blog entry posted Monday. "An attacker can silently trigger a malicious app install simply by tricking a victim into clicking a link while logged in to their Google account on their desktop or on their phone."
An attacker would have to add an app -- perhaps just a non-functional placeholder -- to exploit the bug. But that's easy.
"It's been shown, by me and others, that it's not hard to get an app into the Android Market, with little trace of evidence that it's malicious," said Oberheide. "It's not very difficult."
Although Oberheide was slated to try his hand at Pwn2Own for the first time, he has experience finding flaws in Android Market. Last June, he published a pair of apps to the e-store as part of his research into vulnerabilities that let attackers push malware to Android phones.
Then, Google yanked the apps from the Market and triggered its "kill switch" that automatically uninstalled the programs from users' phones, saying that Oberheide had "intentionally misrepresented their purpose in order to encourage user downloads."
Google threw the kill switch for only the second time last weekend when it started to delete more than 50 malware-infected apps from Android phones.
Oberheide immediately reported his newest XSS bug to Google, a move he now has cause to regret. "I didn't think it would qualify for Pwn2Own...and even if it did qualify, it was such low-hanging fruit it probably wouldn't survive until the contest," he said.
Turns out, neither assumption was correct.
"I should have waited until I heard from Pwn2Own whether it qualified for the contest," he said Monday. "If I had just waited 24 hours before reporting it to Google.... So yeah, I killed my own Pwn2Own bug."
Google patched the XSS vulnerability in Android Market a week ago.
Yesterday, Oberheide said he had tentatively canceled his participation at Pwn2Own. "Unless I can dig up a new XSS in the Android Market, I won't be playing," he said. He's been unsuccessful so far in his hunt for a new vulnerability.
Pwn2Own, which is sponsored by HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program, runs March 9-11, and offers $125,000 in cash prizes to researchers who hack into the four biggest browsers and four smartphones, each of the latter running a different mobile operating system.
Oberheide's final word to researchers who want to learn a lesson from his experience?
"Don't be stupid with your disclosures," he said.

Apple reduces prices of the Indian iPad


The Apple iPad 2 is going to hit shelves in select regions in a few days, but Apple is still retailing the original iPad, for $100 less back in the U.S. Correspondingly, and surprisingly punctually, the Indian iPad's prices have been dropped as well.
The Indian iPad was launched in late January, with prices starting at Rs. 27,900 for the base model. New prices as follows:
16 GB: Wi-Fi - Rs. 24,500; 3G - Rs. 31,900
32 GB: Wi-Fi - Rs. 29,500; 3G - Rs. 36,900
64 GB: Wi-Fi - Rs. 34,500; 3G - Rs. 41,900
Note, however, that this does not guarantee we will be seeing the iPad 2 in India anytime soon; in fact, it might even be next January, just like last time.

Adobe releases "Wallaby" a Flash to HTML conversion tool

Adobe has been demonstrating its technology for converting Flash animations to HTML for quite some time, and has over time added greater support for HTML5 to its products through add-ons and extensions.
They have now released a preview of the tool on Adobe labs that anyone can download. The tool is code-named "Wallaby", and is about as simple as it can get:

You merely browse for and select your .fla file, select an output file, and click on convert.
The tool is currently limited to converting Flash animations to HTML, and cannot handle ActionScript code. This tool is not intended to convert an entire Flash application project to its HTML counterpart, but rather as a way to convert your Flash animation assets to HTML such that they can be used in your HTML-only projects. This also paves the way for using Flash Professional as a tool for creating pure HTML animations.
The HTML files generated by the Wallaby tool can be edited using any HTML tool, and appear to use the popular jQuery library. Currently, however, the HTML files the tool generates seem to be "aimed" at WebKit-based browsers such as Google Chrome and Apple Safari.

airtel brings its 3G services to Mumbai, four cities to go


Looks like airtel is set to meet its target of rolling out 3G services in all 13 of its allocated cities by the end of March, with a press release officially announcing the launch of 3G services in Mumbai today. Mumbai joins the 8 cities that have already got their third generation mobile wireless connectivity from the operator - Delhi NCR, Jaipur, Udipi, Manipal, Mysore, Coimbatore, Chennai, and Bengaluru. Four cities remain across six regions, according to the 3G auction spectrum allocation, from Bihar to West Bengal, Himachal Pradesh to U.P (West), the North East to Jammu & Kashmir.
Speaking on the launch of 3G services in Mumbai, Atul Bindal, President - Mobile Services, Bharti airtel said:
“Mumbai is the commercial and entertainment capital of India – and therefore at the leading edge of driving a paradigm shift from voice to data services. With the highest data penetration in India of over 20%, the city of Mumbai truly represents the data revolution story that our country is currently witnessing. As we bring the power of 3G to Mumbai today, we are confident that this launch will add impetus to the expansion of data services in India. Whether stuck in office, or on the move - all Mumbaikars can now experience airtel 3G services and enjoy high speed internet access and a host of other exciting services on their mobile devices.”

Intel releases Core vPro business processors


When Intel released its new consumer-oriented second-generation Core (AKA "Sandy Bridge") CPUs in January, it seemed likely that the "professional" version would be just around the bend. Today Intel has introduced just that, with its new second-generation Core vPro family of processors.

Though based on the same microarchitecture as the consumer chips, and utilizing technologies such as improved media handling, Advanced Vector Extensions, Quick Sync Video for energizing media manipulation, and the enhanced Turbo Boost for increasing performance when not all processing cores are being utilized, vPro processors also include a number of extras that are geared specifically towards business users.

These include a new Host-Based Configuration feature that automates the process of setting up vPro functions on new PCs. According to Intel, "thousands of computers can be configured simultaneously in a couple of minutes." Also present is a new Keyboard-Video-Mouse Remote Control feature that lets a remote technician assist a user—now in higher definitions than ever before, compensating for jobs requiring use of HD video and larger screen sizes.

For users who rely on laptops to be their system at and away from the office, Intel has introduced Anti-Theft Technology Version 3.0, which introduces three new ways to protect systems. It lets authorized IT or service technicians completely disable a lost or stolen computer and prevent access to its valuable data, and then reactivate it later, all by using an encrypted and authenticated SMS message. The new Locator Beacon function helps authorities determine the precise location of a missing laptop using GPS technology on select 3G modems. And standby protection can require an encrypted login, so that if a laptop goes missing while it's in standby, it's still guarded by an extra layer of security.

Some vPro processors will also incorporate Identity Protection Technology, which reduces phishing attacks and instances of unlawful access by generating a six-digit numerical password every 30 seconds that only the proper target knows.

Intel claims that a new Core vPro i5 CPU can speed business applications by 60 percent, multitasking by 100 percent, and data encryption by 300 percent. Among the first new processor families to take advantage of these updates is the Xeon E3-1200, which Intel is calling the first entry-level workstation platform that integrates "professional-level graphics onto the processor."

New Samsung hard drives hit one terabyte areal density


Heise Online is reporting that Samsung has broken the barrier on storage capacity for hard drives, pushing up to a one-terabyte-per-platter areal density in a new line of drives being shown off at this year's CeBIT convention in Hanover, Germany.

The company plans to use this technology to create two-terabyte hard drives that use just two platters, which the company was demonstrating at the convention. Future releases also include three- and four-terabyte hard drives, or nearly double the two-terabyte limit of present-day consumer hard drives.

Samsung's two-terabyte, two-platter disc—otherwise known by its model name, HN-D201RAE—will launch as part of the company's Spinpoint EcoGreen series of drives. These 5,400-RPM hard disks use slower rotational speeds to achieve greater power savings (and less heat and noise) than their conventional 7,200-RPM brethren. The sacrifice, of course, is that a 5,400-RPM drive can't beat the write and read speeds of a similarly configured 7,200-RPM device.

In addition, Samsung plans to pack 32 megabytes of cache within the drive itself. That's not uncommon on today's market by any means, but Samsung's switch to the SATA 6.0 Gbps interface is at least a head-nod toward future proofing. Without a RAID array, however, a typical consumer will see little to no benefit in using the third-generation interface.

Samsung hasn't indicated when the launch date for said drive might be; it's expected to hit later this year, at least. The company was also keen to show off new terabyte notebook drives at CeBIT—although consumers can buy a terabyte notebook drive right now, they're stuck doing so in a 12.5-millimeter form factor. Depending on the model of one's laptop, this slightly-larger-than-standard size might not fit.

The HN-M101MBB, coming as part of Samsung's Spinpoint M8 family of drives, could hit the market as early as April—in a 9.5-millimeter form factor to boot. The 5,400-RPM drive will use two 500-gigabyte platters to reach its full terabyte capacity, feature eight megabytes of drive cache, and should use a standard SATA 3.0 Gbps interface.

Google update adds automatic traffic info to Maps Navigation


Beta Google application gives users historic and real-time traffic data for trip planning
Google on Monday announced a beta traffic update to its Maps Navigation software. The update can automatically route drivers around high traffic areas as determined by an analysis of current conditions and historical traffic patterns.
The update, disclosed in a Google blog post on Monday, builds on previous Google Maps Navigation capabilities that allowed users to choose the fastest route or an alternate one based on their preference to, for example, use back roads instead of highways.
Nearly three years ago, Google announced that the navigation tool set could let users see typical traffic conditions for a given day and time, as well as whether accidents and/or construction were slowing traffic at the time of travel.
The latest update, explained in the blog posted by Roy Williams, a software engineer on the company's Google Maps team, includes an example of a recent trip to New York where he used Navigation to route him around traffic.
"I didn't even have to know that there was a traffic jam on I-495 and I got to enjoy a much faster trip on I-278 instead," he wrote. Using the I-278 route added about a mile to the trip -- but it was 12 minutes faster due to the congestion delays on I-495, he added.
While the new traffic software is automatic, that does not prevent a user from turning on a traffic layer capability in Google Maps to see current traffic conditions. The update targets users looking for driving directions. Alternate routes are also available.
Google Maps Navigation, first introduced in October 2009 and updated many times, works on Android devices and is still technically in beta. It is now an Internet-connected GPS navigation system with voice guidance.