Sunday, May 1, 2011

Mozilla patches Firefox 4


Closes eight holes in new browser, including ASLR oversight


Mozilla on Thursday patched Firefox 4 for the first time, fixing eight flaws, including a major programming oversight that left the browser as vulnerable to attack on Windows 7 as on the 10-year-old Windows XP.
The company also plugged 15 holes in the still-supported Firefox 3.6, and issued its last security update for Firefox 3, which debuted in mid-2008.
Mozilla patched a total of 20 bugs in all versions of Firefox, 17 of them rated "critical," the company's top-most threat warning in its four-step scoring system.
Firefox 4.0.1, the first update to that browser since its March 22 launch, fixed seven critical flaws and one rated "low."
The most important of the bugs was a programming lapse that left Firefox 4 open to less-sophisticated attacks.
"The WebGLES libraries in the Windows version of Firefox were compiled without ASLR protection," stated the advisory labeled MFSA 2011-17. "An attacker who found an exploitable memory corruption flaw could then use these libraries to bypass ASLR on Windows Vista and Windows 7, making the flaw as exploitable on those platforms as it would be on Windows XP or other platforms."
The WebGLES graphics libraries support WebGL, an open-source extension to JavaScript that lets developers render interactive 3-D graphics content.
WebGL is supported in shipping versions of Firefox and Google's Chrome, in a preview build of Opera Software's Opera, and will be backed by Safari in its next upgrade.
The Khronos Group, an industry consortium whose members include Mozilla, Google, Opera and Apple, released the final specification of WebGL 1.0 just last month.
ASLR, or address space layout randomization, is one of the security underpinnings of Windows Vista and Windows 7. It's designed to make it more difficult for attackers to locate addressable memory space that can be used to execute exploits.
"The WebGLES libraries could potentially be used to bypass a security feature of recent Windows versions," Mozilla acknowledged. "WebGL was introduced in Firefox 4; older versions are not affected by these issues."
Mozilla credited a researcher who goes only by his first name, "Nils," for reporting the ASLR oversight. Nils may be best known for his work at the annual Pwn2Own hacking contest, where in 2009 he exploited Internet Explorer, Firefox and Safari in short order to win $15,000 in cash awards.
At 2010's Pwn2Own, Nils won $10,000 by sidestepping ASLR and DEP (data execution prevention), another anti-exploit technology found in Windows, to hack Firefox 3.6.
Mozilla also upgraded older editions of Firefox to 3.6.17 and 3.5.19, noting that the latter was the last security update for the aged browser.
"This is the last planned security and stability release for Firefox 3.5," said Christian Legnitto, who oversees Firefox releases. "All users are encouraged to upgrade to Firefox 4."
The support expiration for Firefox 3.5 will affect a minority of Mozilla's users: As of the end of March, just 1.7% of all users worldwide were running the browser, according to statistics from Web metrics company Net Applications.
Users can update to Firefox 4.0.1 by downloading the new edition -- which runs on Windows, Mac and Linux -- or by selecting "Check for Updates" from the Help menu in the browser. Firefox 3.6 and 3.5 users can obtain their newest versions with the update tool.

Apple acquires 'icloud.com' domain


Adds to speculation that a new cloud-based music and storage service is coming

Apple has purchased the domain "icloud.com," which it will use as the name of its new online music and storage locker service, several reports have claimed.
GigaOM first reported on the transaction late Wednesday when it cited an unnamed source who claimed Apple had paid Swedish company Xcerion $4.5 million for icloud.com.
Xcerion's online file-storage service, formerly known as iCloud, changed its name to CloudMe earlier this month. Xcerion registered cloudme.com just three weeks ago.
Since GigaOM's report, others have said Apple bought the URL. Today, the Digital Daily blog -- part of the Wall Street Journal's All Things Digital site -- also cited anonymous sources to say that the deal went down.
Xcerion has not replied to questions about its domain name change.
The icloud.com domain continues to redirect to Xcerion's CloudMe site, and the WHOIS registration record for icloud.com still shows the Swedish firm as the owner of the domain.
If the talk about Apple's purchase is accurate, it would follow the same line as rumors in 2008 that preceded the launch of MobileMe, Apple's current online storage and synchronization service.
Just weeks before Apple debuted MobileMe -- a refresh and rename of its .Mac service -- bloggers noticed that the company had registered me.com with MarkMonitor, a domain management service used by large companies to protect their brands.
Last month, Amazon introduced a digital music storage service called Cloud Drive that prompted renewed speculation that both Apple and Google would soon launch their own locker services. Analysts believe that both of those companies have been negotiating with the major record labels to finalize their plans for subscription-based music services, which would presumably be part of, or in addition to, their online storage services.
In late February, Apple pulled the retail version of MobileMe from its online store, another clue analysts read as pointing to a change in the service. Users have been able to sign up for a free 60-day trial of MobileMe since then, however.
Apple also owns a number of domains that start with its trademark letter "i", including imac.com, itunes.com, ipod.com and iphone.com.

YouTube founder buys Delicious social bookmarking site


According to IDG News Service, Delicious, a social bookmarking site and one of the many Yahoo properties that Yahoo was going to close, will live on as a new Internet company run by YouTube founders Chad Hurley and Steve Chen.
Delicious' future was in question when Yahoo announced its intention to divest itself of the site last year; now Delicious will become part of Avos, a company launched by the YouTube founders.
Delicious, founded by Joshua Schachter in 2003, lets users save, share and tag website links. It also helped users save bookmarks locally in web browsers within PCs.
Yahoo acquired Delicious in 2005 and had been seeking buyers for it since last year after realizing that it didn't fit with the company's current strategy.
Delicious will be moving to its new home, but older bookmarks will be maintained. Delicious users will also have a chance to open a new account with Avos.