Critical Zero-Day Flaw Opens Holes in IE 6 and 7

A newly discovered threat that doesn't yet have any patch can allow for a Web-based attack against up-to-date Internet Explorer 6 and 7 browsers, according to security companies. Both Symantec and Vupen Security have posted alerts about the bug, which involves the way IE handles cascading style sheets, or CSS. According to the posts, browsing a Web site with embedded attack code would trigger the assault. The site could be a specifically created malicious site, or one that was hijacked and had the attack code inserted. According to Vupen's post, the flaw affects both IE 6 and 7 on a fully patched XP SP3 computer and could allow for running any command on a vulnerable system, such as installing malware.

Symantec's post says its tests confirm the published exploit works, but that it "exhibits signs of poor reliability," i.e., it doesn't always work. There aren't yet any reports of active attacks, but exploit code is publicly available. An additional e-mail from Symantec says that Vista is affected as well, but Microsoft has not yet confirmed the vulnerability. According to Vupen, disabling Active Scripting in the Internet and Local intranet security zones will block attacks against this flaw, but doing so would likely block Web site functionality as well. Zero-days that affect IE are typically major threats, so attackers will likely begin hiding attacks that target this flaw on compromised Web sites, and spewing out e-mails and online comments with links to sites that contain attacks.

Current reports do not list IE 8 as vulnerable, but Symantec warns that "there are possibilities that other versions of IE and Windows may also be affected." Your best bet may be to use an alternate browser such as Firefox until a patch is available.

Is e-mail a perfect cloud application?

In the beginning there was e-mail. The network was devoid of PCs. So all e-mail was accessed via a terminal and a command line interface. And e-mail was run on a Unix server.

So, by some current definitions, e-mail began as a "cloud" application. Then came the PC. And along with the PC came local storage. And, since network-based storage was expensive and local storage was inexpensive, thus began a logical move to downloading e-mail from the network and storing it on local devices/media. Now, many of us use our e-mail archives as a primary record-keeping mechanism, and our historical e-mail files are perhaps our most precious resource. Whether your primary e-mail is a part of a corporate network or simply your personal copy, odds are darn good that you have your e-mail set to delete the messages from the server as soon as they are downloaded to the PC. And even if a copy of the e-mails may still exist somewhere in the bowels of the IT department, recovering these e-mails is a major issue.

But what happens if the e-mail files are not backed up regularly? This issue hit really close to home this week when one of our associates had a crashed hard drive on an almost-new notebook. And, of course, all of the e-mail archives were on that disk – with no recent backup. At this point, we could start yet another rant about how we all need to have current backups, and how corporate networking departments need to somehow enforce a policy of regular backups for all materials on the users' notebooks. But that would simply be "preaching to the choir." Instead, we would like to offer a different solution. This has the advantage of potentially recovering not only the correspondence itself, but also the vast majority of important files.

Had our associate been using a network-based service, such as Gmail, then all of the e-mail would be "safe." In fact, this is exactly how our associate is now rebuilding everything. After all, virtually every file of any import is sent and/or received via e-mail. In the next newsletter, we'll look at some of the advantages and disadvantages of the use of public and/or private "cloud" services for e-mail. In the meantime, we invite you to join the discussion of this topic at TECHNOtorials.

Mac News Briefs: PDFpen has new OCR engine

SmileOnMyMac Software has updated PDFpen, incorporating Nuance Communications' OmniPage OCR engine into the PDF editing program. SmileOnMyMac lauded the OmniPage OCR engine for its accuracy. PDFpen 4.5 uses version 15.5 of the OmniPage OCR, replacing the Tesseract open-source OCR engine in PDFpen on Intel-based Macs. Besides the new OCR engine, PDFpen 4.5 lets Snow Leopard users scan directly into the application from Image Capture or TWAIN scanners.

The 4.5 update is free for registered users of PDFpen 4.x. The PDF editing application costs $50, with a Pro version available for $100. Both PDFpen and PDFpenPro run on Mac OS X 10.4 and later. -Philip Michaels

Typinator features DropBox syncing

Ergonis Software released a new version of Typinator, its text-replacement utility. Typinator 3.6 features automatic syncing with DropBox, a tool for syncing files across multiple machines (and online). Taking advantage of the new capability is as simple as modifying Typinator's preferences to store its settings folder within the DropBox folder. There's also a new text highlighting tool that selects and highlights text in a single action. The updated Typinator also allows abbreviations that begin with a space, features a simplified registration interface, and offers numerous speed and memory usage improvements. Typinator 3.6 is available now from the company's web site, for €19.95 per single-computer license, or €34.99 for a two-machine license. The update is free to anyone who bought the application in the last two years. -Rob Griffiths

Real Software updates development applications

RealBasic and Real Studio 2009, Release 4 shipped Tuesday, adding 97 enhancements and 39 new features to the cross-platform software development tools, according to developer Real Software.

Leading the changes to this latest version of RealBasic is a new report editor, which Real Software says will be included in all RealBasic versions. The report editor lets developers visually create a layout for printing by dragging and dropping labels, fields, images, and more. The editor creates both single- and multi-page reports. Real Studio also gets a new build animation feature for its Project Editor. The feature lets developers automate the most common functions of building applications without having to write IDE scripts. A complete list of what's new in Release 4 is available on Real Software's downloads page. The software maker also provides a video highlighting new features in RealBasic and Real Studio. -PM

Macvide announces VideoFlash Converter 2.9

Macvide has announced VideoFlash Converter 2.9, an update of its video-to-Flash conversion utility for Mac OS X. VideoFlash Converter allows conversion of QuickTime-compatible video files to Adobe Flash. It supports many formats including AVI, WMV, MOV, MPG, ASF, and DivX. The application automatically provides ideal default settings and offers the flexibility to crop video, set duration, adjust quality, and control many other audio and video preferences. VideoFlash Converter gives you the option of creating an HTML file along with the video and lets you customize how viewers see it. You can designate that the video start automatically and continuously play when viewers access the page, for example. You can use the program to have Flash videos play directly in a Web page, not in a new window or separate page. Version 2.9 also includes a new Web update and other fixes.

The software works with OS X 10.4 (Tiger) or 10.5 (Leopard) and is a Universal app. The app also integrates with iWeb. VideoFlash Converter is available for $40 per single license, and can be downloaded from the Macvide Web site. -Jackie Dove

Algoriddim releases Djay 3

Algoriddim has released Djay 3, a revamped version of its music software application for Mac and iTunes. It offers a host of new features, including automatic tempo and beat detection, auto-cut scratching, and MIDI support. The program's interface has also been redesigned.

The changes are aimed at making the program easy enough for novices while letting professional DJs do more with their mixes. With the new version, users can match the playback speed of two songs for a perfect transition. In addition, the Auto-Cut feature allows users to scratch music in sync with a song's beat and rhythm. Djay 3 costs $50. A free 15-day trial is available from Algoriddim. The software runs on Mac OS X 10.4 or later. -JD

Cisco, EMC joint venture makes progress

A month since its introduction, the joint data center venture between Cisco and EMC is percolating with activity before it starts business in the first quarter. Acadia is being formed by the two companies to accelerate the adoption of technologies forged from the Virtual Computing Environment coalition, in which Cisco, EMC and VMware are developing pre-integrated compute, networking, storage and virtualization systems. These so-called "VBlocks" are intended to allow channel partners to easily sell and integrate simplified data center and private cloud computing packages to customers. Acadia's role is to wrap the VBlocks in the training and consulting services needed to initially build and operate the VBlock infrastructure, then transfer it to the partner.

The Acadia board is made up of Howard Elias, president and chief operating officer, EMC Information Infrastructure and Cloud Services; Gary Moore, Cisco's senior vice president of Advanced Services; Rob Lloyd, Cisco's executive vice president of Worldwide Operations; and Mitch Breen, EMC senior vice president, Global Channel Strategy and Sales. Sources say Elias is chairing the board but he would not confirm that. He has help from Moore, though, in leading Acadia for the time being. "The two of us have really sponsored the work to get Acadia formed and beginning to stand up," Elias said. In addition to the formation of the board and management team, employees are being hired, Elias said. Acadia will employ 130 and begin operations in early Q1. The venture is not only looking for "the best and brightest" from the parent companies but also recruiting from across the industry, Elias said.

Elias said Acadia's opportunity is "substantial and unique" – enabling existing channel partners to easily and broadly implement private cloud computing infrastructure to increase their own opportunities. "We're offering this intellectual property that Acadia is creating to our partner ecosystem so that they can then deliver and help accelerate the adoption of those VBlock packages by our customers," he said. He says the company's challenge is to meet high expectations. "There's a lot of interest and demand out there, talk of 'What does this mean? How do I get access, proof of concept?' We're going to have to hit the ground running in Q1 to be able to start to fulfill some of this interest and demand. It's about setting expectations all around," Elias said.

Google Chrome: Redefining end user computing

One of the most profound changes in how computing services are being delivered is the use of the Web as a frontend for just about everything. We have seen this transformation in the thousands of software as a service (SaaS) offerings that have appeared in the last few years that now cover the entire spectrum of applications from corporate accounting through to video editing (something that just a few years ago was hard to imagine becoming a reality). Now the Web is redefining not just how processing functionality is delivered but also what an application is and what an operating system is. In the application development world Adobe's Adobe Integrated Runtime (AIR) is perhaps one of the most profound re-thinks of what should be the underpinnings of application architecture by making it possible to deploy applications on the Web and the desktop of Windows, Mac, and Linux with more-or-less identical functionality.

If you doubt the success of AIR consider that by January of this year, a scant year after the version 1.0 release of the SDK, Adobe claimed 100 million installations. Now Google is pushing the envelope with their recent release of details about the much rumored (and hyped) Google Chrome OS. You could describe Chrome OS as the big brother of Google's Chrome Web browser. Entirely Web-based, Chrome OS sports a tabbed interface to manage concurrent applications which are all Web-based (you can forget all of your standard desktop applications, this is not a Windows alternative) and it eschews client-side hard disk storage for flash and cloud storage. Google also has a video explaining the end user context of GCOS which is useful (its cheery hipness may well annoy you as much as it did me). The intention of Chrome OS appears to be to define the netbook market and thus it is being designed to run on both x86 and ARM processors. The entire code base is open source but Chrome OS isn't intended to be something that you'll download and install on a netbook; rather, you'll get Chrome OS pre-installed on Google approved devices. That said, being open source it is guaranteed that the OSS community will jump on the chance to extend, enhance, and port Chrome OS onto just about every conceivable platform.

Some of the most powerful concepts in Chrome are about the issues that users complain about with Windows. For example, updating Windows is a messy, ugly business that users really hate. With Chrome, updates are intended to be transparent and automatic – you'll always have the latest version and patches immediately on refresh. And should your Chrome OS instance get corrupted or compromised, the intention is that Chrome will self-heal.

So, will Chrome OS succeed? My money is on big-time success in the consumer market. We've already seen the surprising success of netbooks which address consumer market demand for low price and portability. Add to that simplified maintenance and repair and Google's huge brand awareness and I'd say that the probability of success is very close to 100%. In the corporate market, Chrome OS will make slower inroads. The SMB market will certainly be paying attention and as their infrastructure investments live out the lure of cheap computing will become very strong. The enterprise market will, in a limited way, embrace Chrome OS but only as much as they need to embrace user demand – enterprise manageability concerns will need to be addressed to allow Big IT to feel at all comfortable.

That said, enterprise IT will most likely have the same scenario they faced with users bringing their own laptops into the work environment and WiFi within the enterprise envelope – unstoppable trends that had to be controllable and, to some extent, accommodated. Google's Chrome OS is scheduled for release towards the end of 2010 and I believe will be, to say the least, an important event with long term implications for how consumers and the enterprise deal with personal computing.