Helen Wang, the researcher behind Microsoft’s Gazelle browser, talks to Ina Fried about making the browser more like an operating system

Many people think the browser is starting to replace the operating system as the centre of the personal computer.

Naturally, the view that Windows is on a path to irrelevance is not one generally espoused by Microsoft. That said, at least some inside Microsoft argue that the web browser needs to start acting more like an operating system.

“Some of today’s browser policies are not very safe,” says Microsoft researcher Helen Wang.

Wang, who has been at Microsoft since getting her doctorate from the University of California at Berkeley in 2001, argues that the web browser should act as more than just a file clerk that rubber-stamps each request that comes its way. Rather, it should act more like a traffic cop, keeping things moving smoothly and ensuring the computer’s resources are fairly allocated.

In short, Wang says, the browser needs to act more like Windows does: making sure different web applications are protected from one another — even those running within the same site. So Wang and her team came up with a prototype, called Gazelle, that does just that.

Microsoft first outlined Gazelle earlier this year, but has only recently started to detail its thinking. Wang plans to present a paper on Gazelle at the Usenix security conference next month, and last week Microsoft posted an article on its website explaining more about Gazelle.

Wang is not trying to suggest Windows is going away. Indeed, she says, Gazelle depends on Windows, acting merely as the middleman for web pages seeking to access a computer’s resources.

“We’re really trying to leverage the decades of operating-system experience and apply that in the web and browser setting,” Wang said.

Microsoft is also trying to be clear that Gazelle is not the immediate replacement for Internet Explorer, which has been losing share to rivals, including Mozilla’s Firefox and Apple’s Safari. The company has yet to commit to commercialising Gazelle in any way, meaning it remains just one of scores of projects incubating inside the company’s research labs.

Many outside Microsoft, though, see the browser finally starting to take on the pre-eminence that many had assumed it might back in the early days of Netscape. Google’s decision to offer Chrome, some think, was more about having an engine for running its web applications than it was offering an alternative means for serving up traditional web pages.

Modern browsers, Wang said, have taken a step in the right direction by isolating different browser tabs so that if one tab crashes, the whole browser does not get taken with it. Wang said that Chrome and Microsoft’s IE8 take steps toward increasing the reliability of web browsing, but she argues far more drastic steps are needed.

“I think Gazelle marks a significant departure from all previous browsers, including Chrome and IE8,” Wang said.

For now, Gazelle is very much a prototype. It borrows much of its actual rendering technology from Internet Explorer itself. And although it can display 19 of Alexa’s top 20 websites, there are still plenty of things it can’t do. It also runs more slowly than Internet Explorer, particularly when opening new websites.

But Wang said it offers Microsoft — and the industry — a road map for how the browser should evolve.

“I think this is the right way to go and I think this can be practical,” Wang said. “It will also take a lot of work.”

Story URL: http://news.zdnet.co.uk/internet/0,1000000097,39671921,00.htm

In a rare move outside its monthly patch cycle, the company on Tuesday will release a fix for a critical Internet Explorer vulnerability and a moderate Visual Studio one

In a rare move, Microsoft on Friday said it would be releasing security updates on Tuesday — outside its monthly patch cycle — for a critical vulnerability in Internet Explorer and a moderate vulnerability in Visual Studio.

The two security bulletins will address one overall issue and are being released separately “to provide the broadest protections possible to customers”, Microsoft said in a statement.

The vulnerabilities affect Windows 2000, Windows XP, Vista, Windows Server 2003 and 2008, Internet Explorer 6, 7 and 8, Microsoft Visual Studio .NET 2003, Visual Studio 2005 and 2008 and Visual C++ 2005 and 2008, according to the security bulletin advance notification.

“While we can’t go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications,” the statement said. “The Internet Explorer bulletin will provide defence-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin.”

“The Internet Explorer update will also address vulnerabilities rated as critical that are unrelated to the Visual Studio bulletin that were privately and responsibly reported,” Microsoft said.

Customers who are current with their security updates are protected from known attacks related to the updates, the company said. The updates will be released through the Microsoft Update, Windows Update and Windows Server Update services.

A webcast to address customer questions is scheduled for Tuesday from 1pm to 2pm PDT.

Microsoft typically releases security patches on a monthly basis, the second Tuesday of every month, and did not say why it is making this rare, out-of-cycle release.

Story URL: http://news.zdnet.co.uk/security/0,1000000189,39696225,00.htm

Researchers from Carnegie Mellon university have found that web users often ignore warnings in browsers about the validity of a website’s digital certificate.

Digital certificate warnings in web browsers are not an effective security measure, according to Carnegie Mellon researchers.

The researchers, who plan to present their findings on 14 August at the Usenix Security Symposium in Montreal, found over the course of two experiments that certificate warnings were ineffectual. The warnings appear when a browser detects a problem with a website’s certificate and arrive as a pop-up with a message such as: ‘There is a problem with this website’s security certificate.’

In an online study conducted among 409 participants, the researchers found that the majority of respondents would ignore warnings about an expired Secure Sockets Layer (SSL) certificate. The more tech-savvy the user, the more likely they would be to ignore it, the study found.

SSL certificates are designed to provide the user with a degree of confidence about the authenticity of a website they are visiting. As a technical security mechanism, the certificate allows the browser to validate the authentication chain for the website server. While SSL certificates often expire for benign reasons, an expired certificate can also indicate that the user could be the victim of a man-in-the-middle attack

The Carnegie Mellon researchers found that a high percentage of users were willing to ignore warnings about certificates that were out of date. For example, of the 50 percent of Firefox 2 users polled who could identify the term ‘expired security certificate’, 71 percent said they would ignore the warning.

“Far too many participants exhibited dangerous behaviour in all warning conditions,” wrote the researchers in their paper, entitled Crying Wolf: An Empirical Study of SSL Warning Effectiveness.

Respondents were able to identify other risks indicated by browser certificate notifications. Of the 59 percent of Firefox 2 users who understood the significance of a ‘domain mismatch’ warning, 19 percent said they would ignore the hazard. A domain mismatch, where the URL displayed does not match the URL of the destination site, indicates the user may be the victim of a phishing attack.

The Carnegie Mellon team conducted a second study, with 100 participants and under lab conditions. Online businesses can pay to have authorities vouch for the digital certificate on their websites, and browsers keep a list of these ‘trusted authorities’ for checking when a site is visited. To spoof a phishing site, the researchers removed these certificate authorities from the trusted authorities list in each of the browsers used in the study, which were iterations of Firefox 2, Firefox 3 and Internet Explorer 7. As a consequence, the participants were shown an invalid certificate warning when they navigated to a bank website.

Again, high percentages of users ignored the warnings. For example, of the technologically savvy Firefox 2 users, 69 percent ignored an expired certificate warning from their bank.

There has been some debate as to whether browser warnings could be so onerous they make people simply switch to a different browser. This behaviour was observed by the researchers, who noted that a small percentage of participants asked the researchers if they could switch to using a different browser when presented with a certificate warning.

The findings for the second study are also presented in the Crying Wolf paper.

The Carnegie Mellon team advocated scrapping certificate-validity warnings, saying that a better approach may be to block users from making unsafe connections and get rid of warnings in benign situations.

The latest version of the Android mobile OS does not have multitouch support, according to a Google developer.

Google has released the latest version of code for the ‘Donut’ branch of its Android mobile operating system, without the hoped-for multitouch capability.

Donut is a repository of code that will be fed into the next version of the open-source Android platform. It follows in the footsteps of ‘Cupcake’, which was merged with the main body of code in April. The current version of the OS is Android 1.5.

Google, which oversees Android development, issued the new code for ‘Donut’ on Saturday. Developers on an XDA forum reacted to the launch by suggesting that the new Donut code would support multitouch. Multitouch, found in Apple’s iPhone and other devices, enables users to use multiple fingers for zooming and rotating actions when interacting with applications.

However, Google Android framework developer Romain Guy has rebutted the multitouch claims, and has underlined that Donut is not a release candidate for the next update to the mobile OS.

“Donut is not Android 2.0, and there’s no multitouch support in Donut,” he wrote in a blog posted on Sunday on to the Android Developers Google group.

As Donut is a development branch, its code is there as a testbed and is not guaranteed to appear in the main Android OS.

The Android developers have not issued a list of changes that are in the new Donut code. However, developers on the XDA forum speculated that features include universal search and CDMA support.

A native application development kit was released for Android coders in June.

The company’s new hardware significantly shrinks the storage-capacity gap between notebook and desktop drives
Western Digital on Monday announced two laptop drives that offer “extreme” amounts of storage: the Scorpio Blue 1TB and the Scorpio Blue 750GB. Prior to this announcement, the largest laptop hard drive available was 500GB.

The largest desktop hard drive currently on the market is 2TB. The Scorpio Blue 1TB drive, though half the capacity, is still impressive considering a 2.5-inch laptop drive is much smaller than a 3.5-inch desktop drive.

The new WD laptop drives are the first that use 333GB per platter technology.

The Scorpio Blue hard drives support the Sata 2 (3Gbps) standard but have a thickness of 12.5mm, as opposed to 9.5mm in other 2.5-inch drives. This means the new drives will not fit in all 2.5-inch slots in laptops.

For this reason, WD designates them as a perfect fit for portable storage solutions, and they will be used in WD’s new My Passport Essential SE Portable USB drive.

Other than capacity, the new Scorpio Blue drives also feature a set of advanced storage technologies, including the following:

•WhisperDrive, which is WD’s technology that uses seeking algorithms to produce one of the quietest 2.5-inch drives available.
•ShockGuard, which helps the drive better withstand shock, such as accidental drops and vibrations.
•SecurePark, which is a mechanism that parks the recording heads off the disk surface during spin up and spin down and when the drive is off. This ensures that the recording head never touches the disk surface to improve long-term reliability.

Both new drives come with 8MB of buffer memory and spin at 5,200rpm, which is slightly slower than the 5,400rpm speed of mainstream laptop drives.

The Scorpio Blue 750GB drive (model WD7500KEVT) is available now and costs $190 (£110). The 1TB version (model WD10TEVT) is, for now, only available configured into the My Passport Essential SE USB drive, but it will be available as an internal hard drive in a few weeks. It will cost $250.

HD Moon Landing

Besides enabling users to see the surface of the moon in close detail, the application allows people to gather lots of information about the history of travel to the moon. Here is a picture of the Apollo 11 spacecraft as seen by astronauts. Behind the photo, you can see the 3D model on Google Earth of the Apollo 11 spacecraft. People can choose to drill down to different views from a map of the general area.

Moon in Google Earth incorporates the data on the surface of the moon from Nasa. The mapping data was used for training astronauts and by mission control during missions.

By selecting ‘Moon’ from the Google Earth menu, people can zoom into different corners of the moon to get high-resolution photos and videos. This video allows you to pan over the surface to see the different formations.

The Moon on Google Earth application is also designed to enable users to find out about the moon missions. From the application, people can get guided video tours from astronauts.

People can visit the locations of each of the Apollo missions. In addition to providing links to panoramic images and YouTube videos, the maps are annotated with little details (and small icons of astronauts). Here, you can see the location where astronauts played golf on the moon.

One of the tabs on Moon in Google Earth allows people to view the location of the spacecraft used to explore the moon. You can zoom in to see three-dimensional models of the the craft from different countries.

When you choose one particular Apollo mission from the left-hand tab, you can get a quick summary of the mission as well as links to additional information on Wikipedia.

< img src="http://news.zdnet.co.uk/i/z5/illo/nw/story_graphics/09july/google_moon_8.jpg" alt="Google Moon" />
A view of the multiple options to zoom in and explore the moon from Google Earth

Symantec researchers find malicious PDF files that exploit a vulnerability in Flash and drop Trojans onto victims’ PCs
On Wednesday, researchers at Symantec announced that they have uncovered attacks where malicious Adobe Acrobat PDF files are exploiting a vulnerability in Flash and dropping Trojans onto computers.

The situation could affect a large number of users, since Flash exists in all popular browsers, is available in PDF files and is largely operating system-independent.

Any software that uses Flash could be vulnerable to an attack, according to Symantec. Adobe Reader is vulnerable because its Flash interpreter is vulnerable, said Paul Royal, principal researcher at Purewire, a web security services provider.

In a post on its website, Adobe said it “is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating this potential issue and will have an update once we get more information.”

“The authors of the exploit have managed to take a bug and turn it into a reliable exploit using a heap spray technique,” wrote Patrick Fitzgerald on a Symantec security blog post.

“Typically an attacker would entice a user to visit a malicious website or send a malicious PDF via email,” he continued. “Once the unsuspecting user visits the website or opens the PDF, this exploit will allow further malware to be dropped onto the victim’s machine. The malicious PDF files are detected as Trojan.Pidief.G and the dropped files as Trojan Horse.”

It appears the exploit was first developed two weeks ago, Royal said. The bug itself has been around since December 2008.

The hole is exploitable on Windows XP and Vista users are protected if User Account Control (UAC) is enabled, Symantec said.

US-Cert has offered information about workarounds on its website:

•Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files:
“%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll” and
“%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll”

•Disable Flash Player or selectively enable Flash content as described in the ‘Securing Your Web Browser’ document.

More Information Here.

The software maker says limited attacks have exploited a hole in the ActiveX control, a component of Windows Media Center used for recording and playing television video
Microsoft on Monday warned of a vulnerability in its Video ActiveX Control that could allow an attacker to take control of a PC if the user visits a malicious website.

There have been limited attacks exploiting the hole, which affects Windows XP and Windows Server 2003, Microsoft said on its Security Response Center blog.

This is the second DirectShow security hole Microsoft has announced in the past few months. The company has yet to provide a security update for a vulnerability announced in May that involves the way DirectX handles QuickTime files.

Since there are no by-design uses for the ActiveX Control within Internet Explorer, Microsoft is recommending that users implement a workaround outlined in the security advisory. Customers can automatically implement the workaround by following the instructions under ‘Fix It For Me’ in the Knowledge Base article for advisory number 972890 on the Microsoft support site.

Even though Windows Vista and Windows Server 2008 are not affected by the vulnerability, Microsoft is recommending that users of those products also use the workaround.

Microsoft is working on a security update and will release it when the quality is at the appropriate level for broad distribution, the company said.

The Microsoft Video Control object is an ActiveX control that connects Microsoft DirectShow filters for use in capturing, recording and playing video. The control is the main component used in Windows Media Center for building filter graphs for recording and playing television video.

When it is used in IE, the control can corrupt the system state in such a way that arbitrary code could be run by an attacker. If the user is logged in with administrative rights, the attacker could take complete control of the system.

Antivirus vendor Symantec said it was seeing the flaw being exploited in China and other parts of Asia and cited reports that indicate thousands of websites are hosting the exploit.

Internet Explorer versions 6 and 7 are at risk, but people running IE8 are not vulnerable, Symantec said.

MessageLabs has warned that email spam which includes truncated web addresses has seen a dramatic increase
Email security provider MessageLabs said on Tuesday it saw a dramatic spike in the number of spam emails that include truncated web addresses.

Shortened URLs, which allow spammers to hide the real web address from web surfers, and are commonly used on social media sites such as Twitter where message character length is restricted, began a sharp rise last week and now appear in more than two percent of all spam caught in the company’s spam trap, according to MessageLabs.

“Usually when we see a spike of this nature it tends to indicate that a spammer has found some method of automating the creation of these short URLs,” said Matt Sergeant, a senior antispam technologist at MessageLabs.

The many URL shortening services make it more convenience to post long URLs on sites such as Twitter, but they also make it easy for attackers to lead web surfers to sites hosting malware.

A major spam botnet called Donbot has aggressively moved to using this technique, Sergeant said. Donbot appears to be primarily focused on displaying advertisements, but could be linking to sites that drop malware onto visitors’ computers too, he said.

Spam-filtering software can block spam from getting into inboxes, and programs such as Long URL Please and shortText make it easy to see what the real URL is.

I have been working my best to keep you all updated on the most current Seurity updates, I have been changing the way the site looks to give it a more “home sweet home” feel. The website pcmedicalist.com will be an “all-in-one” to find everything you need!!!