Internet Explorer

IE8's XSS Filter Exposes Sites To XSS Attacks 84

Blue Taxes writes "The cross-site scripting filter that ships with Microsoft's Internet Explorer 8 browser can be abused by attackers to launch cross-site scripting attacks on websites and web pages that would otherwise be immune to this threat. The IE8 filter works by scanning outbound requests for strings that may be malicious. When such a string is detected, IE8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server. If a match is made anywhere in the server's response, the browser assumes that a reflected XSS attack is being conducted and the browser will automatically alter the response so that the XSS attack cannot succeed. The researchers figured out a way to use IE8's altered response to conduct simple abuses and universal cross-site scripting attacks, which worked against sites that would not otherwise have been vulnerable to XSS." Here is the researchers' backgrounder (PDF) on the attack. Microsoft says that they have issued two patches that address the issue, but the researchers insist that holes remain.
Update: 04/20 14:06 GMT by KD : Microsoft's Security Response Center has issued a statement on the vulnerability.
Google

Google wants to be your electricity meter (eetimes.com)

An anonymous reader writes: Google has teamed up with microcontroller maker Microchip to develop an API for a piece of software called Google PowerMeter, according to this EE Times story. Why? Because Google wants to host all the details of the electricity and other energy consumption of people's homes. It wants to do this so that it can show people on their iGoogle homepages when and where they are consuming energy so that they can start to reduce their power consumption.

The good news is that it is an opt-in service and free, so you don't have to make Google your energy monitor if you don't want to do so.

Canada

MetaLab Accuses Mozilla of Ripping Off UI Elements In Mockups 159

CWmike writes "Canadian interface design firm MetaLab has accused Mozilla of stealing user interface elements for a development tool in the browser maker's Jetpack project, which aims to simplify add-on making. MetaLab leveled the charges on Tuesday when the 11-person firm's founder, Andrew Wilkinson, blogged about the similarities between his company's designs and those posted by Mozilla for FlightDeck, a Jetpack editor. 'What they did was pretty ridiculous,' Wilkinson said on Thursday. 'There's a difference between inspiration versus ripping something off,' he said. 'The measurements of the graphic elements [Mozilla took from us] were the exact same, the very same pixels. When someone takes your images from the server hosting them, that's crossing the line.' Mozilla apologized to MetaLab on Wednesday, saying in a blog post, 'While the design direction being implemented does not utilize these design elements, we inadvertently included the early mockups in our blog post and video announcing the next phase of development for the Jetpack SDK ... We sincerely apologize to MetaLab for incorporating design elements from their web site in our early mockups and for posting them publicly without proper attribution.'" Alexander Limi of the Firefox User Experience Team points out that MetaLab has accepted the apology, too — worth bearing in mind.
Businesses

Ex-Sun Chief Dishes Dirt On Gates, Jobs 241

alphadogg writes "Former CEO of Sun Microsystems Jonathan Schwartz has taken to his personal blog, provocatively titled 'What I couldn't say ...,' to dish some industry dirt and tell his side of the story about the demise of Sun. He has already hinted at plans to write a book, and a new post suggests a tell-all tome could indeed be in the offing. 'I feel for Google — Steve Jobs threatened to sue me, too,' Schwartz writes, apparently referring to Apple's patent lawsuit against HTC, which makes Google's Nexus One smartphone. As for Bill Gates, Schwartz says he was threatening regarding Sun's efforts in the office software space."
Biotech

New Wave of Antibiotic-Resistant Bacteria 404

reporter writes "New strains of 'Gram-negative' bacteria have become resistant to all safe antibiotics. Though methicillin-resistant Staphylococcus aureus (MRSA) is the best-known antibiotic-resistant germ, the new class of resistant bacteria could be more dangerous still. 'The bacteria, classified as Gram-negative because of their reaction to the so-called Gram stain test, can cause severe pneumonia and infections of the urinary tract, bloodstream, and other parts of the body. Their cell structure makes them more difficult to attack with antibiotics than Gram-positive organisms like MRSA.' The only antibiotics — colistin and polymyxin B — that still have efficacy against Gram-negative bacteria produce dangerous side effects: kidney damage and nerve damage. Patients who are infected with Gram-negative bacteria must make the unsavory choice between life with kidney damage or death with intact kidneys. Recently, some new strains of Gram-negative bacteria have shown resistance against even colistin and polymyxin B. Infection with these new strains typically means death for the patient."
Internet Explorer

Schooling Microsoft On Random Browser Selection 436

Rob Weir got wind that a Slovakian tech site had been discussing the non-randomness of Microsoft's intended-to-be-random browser choice screen, which went into effect on European Windows 7 systems last week. He did some testing and found that indeed the order in which the five browser choices appear on the selection screen is far from random — though probably not intentionally slanted. He then proceeds to give Microsoft a lesson in random-shuffle algorithms. "This computational problem has been known since the earliest days of computing. There are 5 well-known approaches: 3 good solutions, 1 acceptable solution that is slower than necessary and 1 bad approach that doesn’t really work. Microsoft appears to have picked the bad approach. But I do not believe there is some nefarious intent to this bug. It is more in the nature of a 'naive algorithm,' like the bubble sort, that inexperienced programmers inevitably will fall upon when solving a given problem. I bet if we gave this same problem to 100 freshmen computer science majors, at least 1 of them would make the same mistake. But with education and experience, one learns about these things. And one of the things one learns early on is to reach for Knuth. ... The lesson here is that getting randomness on a computer cannot be left to chance. You cannot just throw Math.random() at a problem and stir the pot and expect good results."
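The shuffle lesson above, as an added example that is not from the story or from Rob Weir's post: it assumes the "bad approach" is a sort driven by a coin-flip comparator, and measures how far that and Knuth's Fisher-Yates shuffle each drift from uniform placement of five constructed stand-in choices.

```javascript
// Added example (not the story's code). The comparator sort is assumed to be the quote's
// "bad approach"; a seeded PRNG makes the measured bias repeatable.
function mulberry32(seed) { // small seeded generator returning floats in [0, 1)
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}
// Naive shuffle: insertion sort whose comparator is a coin flip. The output depends on
// the sort algorithm, and each permutation gets a probability that is a multiple of
// 1/2^k, which can never equal 1/5! = 1/120, so no choice of sort makes this fair.
function comparatorShuffle(items, rng) {
  const a = items.slice();
  for (let i = 1; i < a.length; i++) {
    let j = i;
    while (j > 0 && rng() < 0.5) { [a[j - 1], a[j]] = [a[j], a[j - 1]]; j--; }
  }
  return a;
}
// Fisher-Yates (Knuth's Algorithm P): swap each element with a uniformly chosen position
// at or before it; every permutation then has probability exactly 1/n!.
function fisherYates(items, rng) {
  const a = items.slice();
  for (let i = a.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [a[i], a[j]] = [a[j], a[i]];
  }
  return a;
}
// Shuffle many times and count how often each original item lands in each slot.
function positionCounts(shuffle, items, trials, seed) {
  const rng = mulberry32(seed);
  const counts = items.map(() => new Array(items.length).fill(0));
  for (let t = 0; t < trials; t++) {
    shuffle(items, rng).forEach((item, pos) => { counts[items.indexOf(item)][pos]++; });
  }
  return counts;
}
// Worst deviation of any item/slot cell from the ideal trials/n, as a fraction of it.
function maxRelativeBias(counts, trials) {
  const ideal = trials / counts.length;
  let worst = 0;
  for (const row of counts) for (const c of row) worst = Math.max(worst, Math.abs(c - ideal) / ideal);
  return worst;
}
const choices = ['A', 'B', 'C', 'D', 'E']; // constructed stand-ins for the five browsers
```

With 100000 trials the comparator version leaves the last item in its own slot about half the time, while Fisher-Yates stays within sampling noise of one fifth for every cell.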
Networking

Virgin Promises 100Mbps Connections To UK Homes 247

registerShift writes "Virgin said it will roll out 100 megabit-per-second broadband connections to homes in the UK. The company said users will experience speeds 'very close' to what's advertised as it plans to deploy cable instead of ADSL used by competitors. 'There is nothing we can't do with our fiber optic cable network, and the upcoming launch of our flagship 100mbps service will give our customers the ultimate broadband experience,' Virgin Media's chief executive officer, Neil Berkett, said. This is just days after the FCC announced aims of 100Mbps by 2020, and companies panned it as unrealistic."
Internet Explorer

Steam UI Update Beta Drops IE Rendering For WebKit 244

Citing massive growth in their user base ("25 million users, 1000+ games, 12 billion player minutes per month, and 75 billion Steam client minutes per month"), Valve unveiled a revamped UI for Steam on Tuesday, opening the beta test to anyone who wants to try it out. There are many changes, and an increased focus on social features: "Right from within your own game Library, you can now track which of your friends plays each game or invite them to play one with you. Before you've even bought a game, knowing whether your friends play it is one of the most useful pieces of information to have. So on the store homepage, there's a new listing of what your friends have bought or played lately." Tracking games and achievements have both gotten simpler, and Valve has dropped the Internet Explorer rendering engine in favor of WebKit. An enterprising user also found files that may indicate the existence of an OS X Steam client.
Open Source

Delicious Details of Open Source Court Victory 202

jammag writes "Open source advocate Bruce Perens tells the inside story of the recently concluded Jacobsen v. Katzer court case, in which an open source developer was awarded $100,000. Perens, an expert witness in the case, details the blow by blow, including how developers need to make sure they're using the correct open source license for legal protection. The actual court ruling is almost like some kind of Hollywood movie ending for Open Source, with the judge unequivocally siding with the underfunded open source developer."
Privacy

FBI Probing PA School Webcam Spy Case 312

On Thursday we discussed news that a Pennsylvania high school was spying on students through the webcams in laptops that were issued to the students. The FBI is now taking an interest in the case, investigating whether federal wiretap and computer-intrusion laws were violated in the process. "The FBI opened its investigation after news of the suit broke on Thursday, the law-enforcement official said. Montgomery County District Attorney Risa Vetri Ferman may also investigate, she said Friday." Ferman said her office is "looking to see whether there are potential violations of Pennsylvania criminal laws."
Security

Two Chinese Schools Reportedly Tied To Online Attacks 172

squidw* writes "Online attacks on Google and other American corporations have been traced to computers at two educational institutions in China, including one with close ties to the Chinese military, say people involved in the investigation. From the NY Times: '... the attacks, aimed at stealing trade secrets and computer codes and capturing e-mail of Chinese human rights activists, may have begun as early as April, months earlier than previously believed. ... The Chinese schools involved are Shanghai Jiaotong University and the Lanxiang Vocational School, according to several people with knowledge of the investigation who asked for anonymity because they were not authorized to discuss the inquiry. Jiaotong has one of China’s top computer science programs. Just a few weeks ago its students won an international computer programming competition organized by IBM — the “Battle of the Brains” — beating out Stanford and other top-flight universities. Lanxiang, in east China’s Shandong Province, is a huge vocational school that was established with military support and trains some computer scientists for the military.'"
Programming

Google Phasing Out Gears For HTML5 35

Kelson writes "Have you noticed that there haven't been many updates to Gears in a while? That's because Google has decided to focus instead on similar capabilities in the emerging HTML5 standard: local storage, database, workers and location cover similar functionality, but natively in the web browser. Of course, since Gears and HTML APIs aren't exactly the same, it's not a simple drop-in replacement, so they'll continue supporting the current version of Gears in Firefox and Internet Explorer. I guess this means the long-anticipated Gears support for 64-bit Firefox on Linux and Opera is moot."
Piracy

Sony Joins the Offensive Against Pre-Owned Games 461

BanjoTed writes "In a move to counter sales of pre-owned games, EA recently revealed DLC perks for those who buy new copies of Mass Effect 2 and Battlefield: Bad Company 2. Now, PlayStation platform holder Sony has jumped on the bandwagon with similar plans for the PSP's SOCOM: Fireteam Bravo 3. '[Players] will need to register their game online before they are able to access the multiplayer component of the title. UMD copies will use a redeemable code while the digital version will authenticate automatically in the background. Furthermore ... anyone buying a pre-owned copy of the game will be forced to cough up $20 to obtain a code to play online.'"
Canada

IOC Claims Olympian Lindsey Vonn's Name As Intellectual Property 399

gehrehmee writes "As usual, the International Olympic Committee is coming down hard on people mentioning things related to the Olympics without permission. This time it's UVEX sporting supplies, which sponsors Olympic skier Lindsey Vonn. Without explanation, their front page was today updated to include a tongue-in-cheek poem about UVEX's interaction with the IOC. Can the IOC really claim an Olympian's name as their own intellectual property?"
