Uberdownloads Blog
Google pays first top-end bounty for Chrome vulnerability

If there’s a competition to uncover security holes in Google’s browser, Sergey Glazunov is winning it.

Yesterday Google awarded him $3,133.70 (“eleet”) for finding a critical vulnerability, which Google patched in a new release of Chrome the same day.

It’s the first time Google paid out this top bounty, but not the first time it’s paid Glazunov. He’s also been paid $1,337 four times for the “leet” level of vulnerabilities, eleven times for the $1,000-level, and once at the $500 level.

The critical vulnerability relates to a “stale pointer in speech handling,” Google said, but the company hasn’t published further details. Critical vulnerabilities let an attacker run arbitrary software on a person’s computer just by visiting a Web site.

Google issues Chrome updates automatically, so restarting the browser installs the new version.

Originally posted at Deep Tech

Adobe tackling ‘Flash cookie’ privacy issue

Adobe Systems is offering assurances that it’s adapting Flash Player to make it easier for people to protect their identities online.

Since time immemorial, browsers have been able to store small text files called cookies that Web sites have been able to use to track people’s identity online–for example when Amazon wants to present product suggestions.

That’s always raised hackles among those who’d rather not register their identities with any number of servers on the Internet, so for years people have been able to manage cookies, including rejecting them in the first place or deleting them at will.

The cookie, though, was only the beginning of a much larger trend toward storing data on a browser’s computer. Nowadays, we have or soon will get standards for Application Cache, Local Storage, Indexed DB–and Adobe Systems’ Flash Player.

Individually, these technologies are useful for various Web chores including identity tracking. Collectively, they make it possible for Web site operators to track identity in a more sophisticated fashion: unless people delete all forms of locally stored data, a Web server could reconstitute a regular cookie with, say, data stored using Flash or the other mechanisms. This idea is known as the “supercookie” for its relative tenaciousness and sometimes as a “Flash cookie” for the involvement of Flash.
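A privacy audit can detect the reconstitution described above by comparing a site's client-side state before the user clears cookies with the state after the next visit. The sketch below is an added example, not code from the article, Adobe, or any browser; the snapshot layout, the store names and the function `findRespawnedCookies` are hypothetical, and the sample values are constructed.

```javascript
// Constructed snapshots of one site's client-side state (not real data).
// The user cleared ONLY regular cookies between the two snapshots.
const beforeClear = {
  cookie: { uid: "a81f3c9e77d2", lang: "en", sid: "5501aa90c3e1" },
  localStorage: { _bk: "a81f3c9e77d2", theme: "dark" },
  flashLSO: { id: "v1|a81f3c9e77d2" },
};
const afterRevisit = {
  cookie: { uid: "a81f3c9e77d2", lang: "en", sid: "9f02bb17d4a6" },
  localStorage: { _bk: "a81f3c9e77d2", theme: "dark" },
  flashLSO: { id: "v1|a81f3c9e77d2" },
};

// Flags cookies that came back with their old value after deletion and
// whose value was also held in a storage mechanism the user did not clear.
function findRespawnedCookies(before, after, minLength = 8) {
  const findings = [];
  const oldCookies = before.cookie || {};
  for (const [name, value] of Object.entries(after.cookie || {})) {
    // A fresh identifier (like the new "sid") is not a respawn.
    if (oldCookies[name] !== value) continue;
    // Short values such as "en" reappear by default and match by chance.
    if (value.length < minLength) continue;
    const sources = [];
    for (const [store, entries] of Object.entries(before)) {
      if (store === "cookie") continue;
      for (const [key, stored] of Object.entries(entries)) {
        // Substring match also catches values wrapped in a prefix.
        if (String(stored).includes(value)) sources.push(`${store}:${key}`);
      }
    }
    if (sources.length > 0) findings.push({ cookie: name, value, sources });
  }
  return findings;
}

for (const f of findRespawnedCookies(beforeClear, afterRevisit)) {
  console.log(`cookie "${f.cookie}" restored, backed by ${f.sources.join(", ")}`);
}
```

Each finding names the storage entries that would also have to be wiped for the identifier to stay deleted.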

Browser makers are expanding their data-wiping abilities beyond just regular cookies, and at least in some browsers, some new storage technologies ask users’ permission before storing data. Now Adobe’s Emmy Huang has published a blog post pointing to progress in letting browsers control information stored by Flash through a new aspect of the browser plug-in application programming interface (API).

“Representatives from several key companies, including Adobe, Mozilla and Google have been working together to define a new browser API (NPAPI ClearSiteData) for clearing local data, which was approved for implementation on January 5, 2011,” Huang said. “Any browser that implements the API will be able to clear local storage for any plug-in that also implements the API.”

Huang also pointed to support added to Flash Player 10.1 for private-browsing features of Internet Explorer, Safari, Firefox, and Chrome. With that support, Flash Player deletes locally stored information when a private-browsing session ends.

More changes are coming, she added:

We know the Flash Player Settings Manager could be easier to use, and we’re working on a redesign coming in a future release of Flash Player, which will bring together feedback from our users and external privacy advocates. Focused on usability, this redesign will make it simpler for users to understand and manage their Flash Player settings and privacy preferences. In addition, we’ll enable you to access the Flash Player Settings Manager directly from your computer’s Control Panels or System Preferences on Windows, Mac and Linux, so that they’re even easier to locate and use. We expect users will see these enhancements in the first half of the year and we look forward to getting feedback as we continue to improve the Flash Player Settings Manager.

Originally posted at Deep Tech

Microsoft mocks Google’s Web video decision

The parody likens Google’s WebM video codec to the failed Esperanto language.

A Microsoft evangelist has mocked Google’s decision to remove H.264 video support from Chrome, implying that Google is trying to impose an edict on an industry that’s already made up its mind to the contrary.

In a blog post, Tim Sneath, who runs Windows and Web evangelism for Microsoft, likens Google’s WebM video codec to the utopian but unsuccessful Esperanto language. The blog post rewrites Google’s original announcement that the company is removing support for the widely used H.264 codec to advance its own WebM.

Both technologies can be used with the nascent HTML5 standard to embed video directly into Web pages without using a plug-in such as Adobe Systems’ Flash Player. But Microsoft’s Internet Explorer 9 beta and Apple’s Safari support H.264, while Opera and Mozilla’s Firefox support WebM and the earlier, largely unsuccessful Ogg Theora technology for encoding and decoding video. Sneath wrote:

The Esperanto language was invented last century as a politically neutral language that would foster peace and international understanding…We are supporting the Esperanto and Klingon languages, and will consider adding support for other high-quality constructed languages in the future. Though English plays an important role in speech today, as our goal is to enable open innovation, its further use as a form of communication in this country will be prohibited and our resources directed towards languages that are untainted by real-world usage.

Sneath hyperlinks “Esperanto” references to the WebM Project, “Klingon” to Theora, and “English” to the Wikipedia entry for H.264. (He doesn’t attempt to draw any parallels between the difficulties of learning English and the expense of licensing H.264 patents.)

The post is titled “An Open Letter from the President of the United States of Google.” And in a tweet, Sneath referred to Google’s decision as “despotism.”

Clearly, the post is snarky and jocular. But it still can be included as an example of the backlash against Google’s H.264 move.

Microsoft is among the patent holders that receive payments when the MPEG LA licenses the H.264 pool of patents, but Microsoft said it pays more to the licensing group for including H.264 support in Windows 7 than it receives in royalty payments from the group.

Originally posted at Deep Tech

Firefox beta getting new database standard

The ninth beta version of Firefox, due imminently, is set to get support for a standard called IndexedDB that provides a database interface useful for offline data storage and other tasks needing information on a browser’s computer.

“IndexedDB allows Web apps to store large amounts of data on your local system (with your explicit permission, of course) for fast offline retrieval at a later time. We’re hoping that Web mail, TV listings, and online purchase history will one day be as convenient to access offline as they are online,” Ben Turner, who develops IndexedDB for Mozilla’s browser, said yesterday in a blog post.

Firefox 4 beta 9 has been built, is being tested, and should become available soon. After that Mozilla presently plans to ship a 10th beta, release candidates, and a final Firefox 4 version in February.

One of the primary uses of IndexedDB is offline access to data used by Web applications. Google has offered such access to Gmail and Google Docs, for example, using a now-discontinued technology called Gears; it’s likely the promised re-emergence of that technology in early 2011 will use IndexedDB.

Mozilla and Microsoft backed IndexedDB, which originated with an Oracle engineer, after raising concerns about a rival technology called Web SQL. Although Web SQL is built into Apple’s Safari, Google’s Chrome, and Opera (and Gears used the same approach), the World Wide Web Consortium (W3C) dropped Web SQL standardization work. Even though the SQL technology for database interaction is well known among many programmers, Web SQL standardization was hampered by the fact that its implementation was tied to a specific program, SQLite, not to a standard interface.

Google is building IndexedDB support into Chrome, and Microsoft looks likely to follow suit once the standard settles down. Currently Microsoft offers an experimental IE extension for developers.

Originally posted at Deep Tech