Monday, October 30, 2006

New Windows attack can kill firewall

Hackers have published code that could let an attacker disable the Windows Firewall on certain Windows XP machines.

The code, which was posted on the Internet early Sunday morning, could be used to disable the Windows Firewall on a fully patched Windows XP PC that was running Windows' Internet Connection Service (ICS). This service allows Windows users to essentially turn their PC into a router and share their Internet connection with other computers on the local area network (LAN). It is typically used by home and small-business users.

The attacker could send a malicious data packet to another PC using ICS that would cause the service to terminate. Because this service is connected to the Windows firewall, this packet would also cause the firewall to stop working, said Tyler Reguly, a research engineer at nCircle Network Security Inc., who has blogged about the issue.

By knocking off the Windows Firewall, a criminal could open the door to new types of attacks, but there are a number of factors that make such an attack scenario unlikely, Reguly said.

For example, the attacker would have to be within the LAN in order to make the attack work, and, of course, it would only work on systems using ICS, which is disabled by default. Furthermore, the attack would have no effect on any third-party firewall being used by the PC, Reguly said.

Users can avoid the attack by disabling ICS, Reguly said. But this will also kill the shared Internet connection.

An easier solution may be for ICS users to simply move their networks onto a router or NAT (Network Address Translation) device, said Stefano Zanero, chief technology officer with Secure Network SRL. "They are so cheap right now, and in many cases they offer better protection and an easier administration of your LAN," he said via instant message.

Windows XP appears to be the only platform affected by this attack, which has not been successfully reproduced on Windows Server 2003, Reguly said.

Microsoft's initial investigation into the matter "has concluded that the issue only impacts users of Windows XP," the company's public relations agency said Monday in a statement. "Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time."

Thursday, October 19, 2006

First IE7 Security Flaw Found

Less than 24 hours after the launch of Internet Explorer 7, security researchers are poking holes in the new browser.

Danish security company Secunia reported today that IE7 contains an information disclosure vulnerability, the same one it reported in IE6 in April. The vulnerability affects the final version of IE7 running on Windows XP with Service Pack 2.

If a surfer uses IE7 to visit a maliciously crafted Web site, that site could exploit the security flaw to read information from a separate, secure site to which the surfer is logged in. That could enable an attacker to read banking details, or messages from a Web-mail account, said Thomas Kristensen, Secunia's chief technology officer.

"A phishing attack would be a good place to exploit this," he said.

One of the security features Microsoft touts for the new browser is the protection it offers users from phishing attacks.

Secunia rates the security flaw as "less critical," its second-lowest rating, and suggests disabling active scripting support to protect the computer. The flaw could result in the exposure of sensitive information and can be exploited by a remote system, Secunia said in a security advisory posted on its Web site.

It is hard to exploit the flaw because it requires the attacker to lure someone to a malicious site, and for the attacker to know what other secure site the visitor might simultaneously have open, Kristensen said.

"A quick user browsing through our Web site using IE7 found it failed one of our tests," he said.

The company then verified the information, notified Microsoft and published a proof-of-concept exploit on its Web site.

Update: Microsoft said Oct. 19 that the problem was not with IE 7, but with Outlook Express.

Monday, October 16, 2006

Wikipedia co-founder plans 'expert' spinoff

Larry Sanger, co-founder of Wikipedia, says he will launch a spinoff of the free site, called Citizendium. It will include user registration and editorial controls to govern user-submitted articles, unlike the free-for-all submission process that reigns on Wikipedia. With "gentle" controls in place, Sanger says Citizendium will naturally weed out so-called trolls from posting obscenities or biased information.

"Wikipedia is amazing. It has grown in breadth and depth, and the articles are remarkably good given the system that is in place. I merely think that we can do better," Sanger said. "There are a number of problems with the system that can be solved, and by solving those we can end up with an even better massive encyclopedia."

Sanger said an invitation-only, pilot version of his nonprofit site will launch this week, but wider release has yet to be determined.

Since early 2001, when Sanger helped get Wikipedia off the ground with co-founder Jimmy Wales, the service has become one of the most popular research tools on the Web and one of its fastest-growing sites, with more than 2 million articles in 229 nationalities. In September, the site attracted more than 33 million unique visitors, up 162 percent from the same period a year earlier, according to research firm Nielsen NetRatings.

Like Wikipedia, he wants the service to evolve with public participation--it will be a "fork" of the open-source code of Wikipedia, meaning that it will replicate its existing database of articles and then evolve, through user participation, into a new compendium of its own. But unlike Wikipedia, Citizendium will have established volunteer editors and "constables," or administrators who enforce community rules.

Citizendium is soliciting experts in their fields to post and oversee articles on any given subject. Another difference from Wikipedia is that Citizendium will require that members register with their real name to post to the wiki. That, Sanger said, should also discourage shenanigans.

iPass to expand remote management

As mobile and remote access becomes more commonplace over a variety of wireless and wired networks, third-party outsource providers are expanding their management services to the enterprise.

This week iPass will announce Virtual Office and Device Lockdown, a suite of management and security services respectively, for companies with heterogeneous remote networks.

Virtual Office will give companies a single piece of client software whether connecting over Wi-Fi, cellular, DSL or T-1 from home or remote office. Also included is a portal service for configuration and quality of service management in addition to support, training, and billing information.

Device Lockdown quarantines a device attempting to access the corporate network until it is patted down by the iPass policy server, according to Michael Suby, Research Program Director for Stratecast, a division of Frost & Sullivan.

The iPass policy server checks all compliance requirements before it allows a user to access a VPN and touch the customer's LAN. iPass will also white-label the Virtual Office and Lockdown services to other telecommunications providers.


Sunday, October 15, 2006

Intel to launch Quad-Core chips on Nov 13

In a race with rival Advanced Micro Devices, Intel will bring its quad-core chips to market in a new line of Hewlett-Packard workstations due to be introduced on November 13.

HP sent out invitations to the event but did not specify exact models and prices. The computers will probably use Intel's planned Xeon 5300 chip, and will be designed to run high-end applications like seismic analysis and visualization technologies from Ansys, Autodesk, Landmark Graphics, and Parametric Technology.

The launch would mean that Intel brings quad-core processors to market before AMD, a crucial win in a year when Intel has made as many headlines for its layoffs and missed earnings targets as for its technology.

AMD plans to release its own quad-core chips in the middle of 2007, and claims its monolithic design is superior to Intel's plan, which essentially glues two dual-core chips together. But without having any hardware to test, analysts are divided on whether this detail will significantly affect the chips' performance.

Compared to the ratcheting of clock speeds in conventional chips above 3 GHz and 4 GHz, multiple-core chips can accelerate processing tasks in desktops and servers without drawing more electricity and generating extra heat. They can also handle more than one instruction set at a time, allowing computers to multitask more efficiently.

Firefox accepting feature suggestions for V3

The Firefox web browser has come a long way since the project was announced as a fork from the open-sourced Mozilla project. Version 1.0 was released in 2004 and quickly won critical acclaim for its speed, compatibility with web standards, and features. In a couple of years, Firefox managed to reach a milestone that its predecessor never quite reached: hitting 10 percent market share worldwide. Version 2 of the browser recently hit Release Candidate 2, but the team is already making plans for 3.0. The Mozilla organization has set up a feature brainstorming web site that allows everyone to enter their favorite wish lists for the open source browser.

The wish list is long indeed, and it provides an insight into the desires of the browser community, and a look at the open source development process. While closed-source projects often ask their user community for feedback on requested features, the process is not usually open to the public. For Firefox 3, anyone can both suggest new features and comment on other people's suggestions.

The feature requests are divided into categories, such as browser customization, privacy features, security, history, download manager, and other areas. There are suggestions for features found in other competing browsers, such as Safari, IE 7 beta, and Opera. IE7 seemed to be featured most prominently, with requests for "low-rights mode," as well as more cosmetic features like skins that mimic Microsoft's browser.

Customization seems high on the list: floating menu and toolbars, tabs that are draggable to other sessions of Firefox, and the ability to add tag notes to web pages are all present.

For those adventurous folks who want to take a sneak peek at Firefox 3's progress, early alpha builds are now available for download.

Microsoft's PDF-killer heads towards standards body

There's no doubt about it: Adobe's Portable Document Format - better known as PDF - is a choice tool for digital document delivery. Some might say that it's the tool for delivering complex documents to a wide array of users, as its design allows for faithful rendering on any platform that supports PDF - application issues, font problems, layout quirks, etc., need not apply.

Enter Microsoft. The company has been toiling away on its own portable document technology for some time and plans to make a splash with it in 2007. Dubbed the XML Paper Specification (or more succinctly, XPS), Microsoft plans support for the new format in both Windows Vista and Office 2007. In response, Adobe went to EU regulators earlier this year to ask that they bar Microsoft from including XPS support in Windows Vista, fearing that the ability to create XPS documents for free could cut into their ability to sell PDF creation software to Windows users.

Now in a move to appease EU regulators, Microsoft is going to step things up a notch and try to push XPS through as a standard. For Adobe, this could ultimately make XPS more — not less — popular.

Microsoft is looking again at its license in order to make it compatible with open source licenses, which means that the "covenant not to sue" will likely be extended to cover any intellectual property dispute stemming from the simple use or incorporation of XPS. The end result is that using XPS may be considerably more attractive for developers now that the EU has apparently expressed concerns over the license.

The company has not hinted to which standards body it would submit XPS, but a few things are clear already. First, standards approval will see Microsoft opening XPS to the point that any platform could theoretically support it, including Linux and Mac OS X. If it remains royalty-free, this could mean a proliferation of support for the format. Second, given that the EU is pushing Microsoft to be more open with XPS, we can expect Microsoft to take an approach similar to Adobe: the specification would remain open but also controlled by the company.

Thursday, October 12, 2006

Treo 680: Affordable, Media Friendly

Palm today announced a new series of Treo smart phones designed to appeal to "price-sensitive" customers. The company also announced the immediate availability of a new, free Google Maps application for Treos based on the Palm operating system.

The announcements of the Treo 680 series and Google Maps for Palm OS-based Treos came at the DigitalLife trade show here. Palm CEO Ed Colligan was mum on pricing, but said the Treo 680 would ship in November and would be "lower cost and easier to use than any other Palm." The new Treo is a quad-band GSM/GPRS/EDGE handset for use in the United States and Europe.

The Treo 680 targets today's media-hungry consumers. It comes with music, video, and photo slide-show players, and Palm says for a limited time it will sell unlocked versions of the phones with a Yahoo music bundle that will include a 1GB SD Card, a stereo headset, and a 30-day free trial to Yahoo's music service. Colligan said Palm expects 20 or more carriers around the world to offer the Treo 680 by the end of Palm's fiscal year next June 1.

Fashion-conscious Treo 680 buyers will be able to choose from four colors: copper, arctic, crimson, and graphite. The Treo 680 has an internal antenna and is smaller and sleeker than previous models. The phone runs the new Palm OS 5.4.

Other features include an enhanced version of Palm's VersaMail e-mail application (version 3.5), which allows for more robust syncing of e-mail and now contacts and calendars as well, the company said. Another update brings a feature that displays SMS text-messaging exchanges as "threaded chats," similar to instant messaging.

Among other bells and whistles is the ability to respond to an incoming call with a preset text message such as "I'm busy now." The bundled Dataviz Documents To Go productivity software now supports viewing Adobe PDF files as well as editing and creating Microsoft Office files.

The Treo 680 smart phone also can function as an MP3 player, and has an integrated digital camera, camcorder, and video player. It sports a 320-by-320 touch screen, a full QWERTY keyboard, and Bluetooth 1.2. The 680 comes with 64MB of usable memory, with expansion available via an SD Card. Palm says the unit's battery is capable of 4 hours of talk time and 300 hours on standby.

Google Docs has some real competition

While the world is going ooh and ah about the merging of Writely and Google Spreadsheets into a package called Google Docs and Spreadsheets, it may surprise them to know that Google has some serious competitors in the online office productivity space. What’s more, in some cases they're way more advanced than the search leader.

Online software as a service (SaaS) applications have been with us for some time and have been predicted by organizations such as Gartner to gain a sizable chunk of the business applications market by the end of the decade.

In the online office productivity space, however, there are also some emerging products that have been developed. Two examples that readily spring to mind are Zoho and Thinkfree.

Both of the above-mentioned Web 2.0 products, unlike Google, offer the full suite of basic office productivity tools, including a word processor, spreadsheet and presentation application. Zoho also offers a free database, a planner, a project management package and, for a monthly rental of US$12, a CRM package.

Thinkfree probably presents the most well-integrated package, with a web-based implementation of a virtual filing system for documents that simulates the desktop. Thinkfree also offers offline users a Java-based, Microsoft Office-compatible desktop clone for US$50 that runs on Windows, Mac OS X and Fedora Core 3 Linux.

As far as solving the needs of offline users, at $50, the Thinkfree Microsoft Office clone sounds interesting. However, OpenOffice.org 2.0 is free and has already proven itself to be good enough for business use – even if Microsoft says it's 10 years behind Office 2007.

Like Google Docs and Spreadsheets, neither Zoho nor Thinkfree has really solved the document storage issue satisfactorily. The Google method of tagging documents is not really the way users are accustomed to organizing their information with the Windows folder-based filing system.

Thinkfree makes the best attempt, with a rudimentary web top filing system that simulates the Windows My Documents folder. However, the comparison is superficial, as it’s nowhere near as powerful, not even enabling simple things like folders within folders.

Zoho is reportedly out of beta now, has single sign-on for all its applications and has said that it is working on developing and integrating a web top system.

It’s fairly safe to say that all of the online office productivity tools will do the job if your needs are simple. However, none appear to have quite the industrial strength grunt yet for business strength applications. No doubt, however, they will before too long.

In one respect, however, all of the online office tools totally outshine their desktop equivalents – collaboration. It is so much easier for a group of users to share access to a document that is stored in a central location. It sure beats passing it around by email – especially if the file is large.

Thus, we may look forward to a not too distant future, when web access is ubiquitous, in which we are no longer paying through the nose for office productivity software and we no longer care which operating system we’re using.

Wednesday, October 11, 2006

Nokia plans WiMAX cell phones

The tether tying cell phones to cellular networks will be further loosened in 2008, when Nokia introduces its first WiMAX-capable cellular phones. Nokia isn't releasing too many details on the handsets other than the fact that they will work with the mobile version of the WiMAX standard.

Officially known by its 802.16 monikers, WiMAX comes in two flavors: fixed location and mobile. 802.16REVd handles the fixed-position WiMAX, which promises wide-area wireless connectivity with DSL-type speeds. 802.16e-2005 is the mobile version and promises similar speeds for applications and devices needing something more than a fixed-point connection.

WiMAX is slowly spreading its wireless tendrils, with some installations in Europe and a handful under way in North America. Recently, Samsung, Intel, Motorola, and Sprint Nextel joined forces to build a national WiMAX network using Sprint Nextel's spectrum and cell towers with hopes of a 2008 launch.

In addition to announcing the handsets, Nokia said it will begin selling the Flexi WiMAX Base Station in 2007. Targeted at WiMAX network operators, the Base Station uses a small and modular design which Nokia says can lessen the costs of deploying WiMAX networks. "As the world is going wireless, we believe the Nokia Flexi WiMAX Base Station offers broadband operators an easy and trusted way to offer wireless Internet connectivity to their customers anytime, anywhere," said Nokia SVP of Radio Networks Ari Lehtoranta. "Nokia is a strong believer in having a multiradio strategy that gives operators a future-proof solution and the flexibility to choose different technologies as they evolve."

Nokia currently offers a couple of cell phone models that can also use 802.11b/g for VoIP calls. It has also begun a pilot program for what it calls Unlicensed Mobile Access, where calls are routed seamlessly between WiFi and traditional cell networks, depending on which is the best option. With a handset that can work with WiFi, mobile WiMAX, and cell networks, mobile phone users would have even more options for how to place calls, perhaps to the dismay of the cellular providers.

GPS Capability Enhanced in MS Streets & Trips 2007

Microsoft today announced improved GPS (global positioning system) functionality in a new version of its travel and mapping software.

Microsoft Streets & Trips 2007 With GPS Locator includes a new receiver from Pharos Science and Applications, the SiRFstarIII, for mapping locations to GPS coordinates. The new GPS locator is ten times more sensitive than its predecessor in the previous version of Streets & Trips, according to Microsoft.

Microsoft Streets & Trips 2007 With GPS Locator sells for $129 in the United States, while the standard version of the software is available for $40.

To use the new locator, customers can plug the GPS receiver included with the software into a notebook PC's USB (Universal Serial Bus) port, after which they can view maps and travel routes in real time. Buyers who want to use the locator wirelessly can purchase the necessary Bluetooth dock or CompactFlash card adaptor directly from Pharos, Microsoft said.

Besides mapping routes for people traveling by car, Streets & Trips includes points of interest--such as gas stations, hotels, restaurants, and national parks--on the map, in case travelers want to stop along the way.

In a press statement, Helen Chiang, a product manager at Microsoft, said that better GPS capability in Streets & Trips will give users of the software more confidence that the journey they've mapped in the software is the correct one.

Pharos, headquartered in Torrance, California, sells GPS navigation tools and location-based services for mobile devices.

Tuesday, October 10, 2006

IBM Cranks Up Its Server Chip

IBM plans to crank up the speed on its Power6 server chip to 5.0GHz, far higher than competing processors from Intel and Sun Microsystems.

Despite its high frequency, the chip will avoid overheating through its small, 65-nanometer process geometry, high-bandwidth buses running as fast as 75GB per second, and voltage thresholds as low as 0.8 volts, IBM said.

When it ships the chip in mid-2007, IBM will target users running powerful servers with two to 64 processors, said Brad McCredie, IBM's chief engineer for Power6. He shared details on the chip at the Fall Microprocessor Forum in San Jose, California.

By doubling the frequency of its current Power5 design, IBM is swimming against the current of recent chip designs that sacrifice frequency for power efficiency. Instead, IBM cut its power draw by making the chip more efficient, with improvements like computing floating point decimals in hardware instead of software, he said.

The company hopes the Power6 will help it reach new customers in commercial database and transaction processing, in addition to typical users of its Power5 chip in financial and high-performance computing such as airplane design and automotive crash simulation, McCredie said. To win that business, IBM will have to compete with chips like Intel's Montecito Itanium 2 and Sun's high-end SPARC processors.

If this chip works as promised, IBM could be successful in that effort, analysts say. IBM is one of the few remaining alternatives to Intel in the market for 'big iron' servers used in high-end jobs like scientific computing, image processing, weather prediction and defense, said Jim Turley, principal analyst at Silicon Insider, in Pacific Grove, California.

IBM upgraded its current midrange Unix servers in February from 1.9GHz to 2.2GHz Power5+ processors, targeting users of large databases, ERP (enterprise resource planning) and CRM (customer relationship management). The company will ship several versions of the Power6 chip, ranging from 4.0GHz to 5.0GHz in frequency.

Google Blog Gets Hacked

A hacker broke into Google's main official blog and posted a false message on Saturday, saying that the company had decided to cancel a joint project with eBay.

The intrusion marks the second time this year that Google's official blog has fallen into unauthorized hands. In March, Google staffers deleted the so-called Google Blog by mistake and someone briefly took control of the Web address.

In Saturday's incident, someone exploited a bug in Blogger, the Google Web log publishing service on which Google Blog is hosted. The hacker published a note riddled with grammatical and spelling errors that said Google had ended its click-to-call advertising project with eBay because it was "monopolistic."

The next day, Karen Wickre, from the Google Blog team, alerted readers about the false posting and said the Blogger bug had been fixed, without detailing the breach. The eBay project remains alive and well, she wrote on the blog.

The Google Blog is one of the company's main communication tools. As official corporate messages similar to press releases, its postings often trigger news reports, analyst recommendations, and investor decisions.

Monday, October 09, 2006

Crawl the Web with your fingers

If you have a fingerprint scanner hooked up (or built in) to your PC, you've probably thought to yourself, "Self, if this scanner can give me access to my own computer, why can't it log me into websites?" Now it can, thanks to the new TrueMe service from Pay By Touch, one of those firms that has already helped to bring biometric identification into the market.

The new service, announced today, uses certified fingerprint scanners to replace username/password combinations on the Web. "With TrueMe, a simple touch of the finger gives Chief Security Officers the security they demand while giving users the simplicity they desire," said Jon Siegal, a Pay By Touch VP. "TrueMe satisfies both needs without the hassle of multiple User IDs and passwords."

The scanners must be certified because encryption of the fingerprint is done inside the sensor. When a user swipes a finger, the recognition data is compressed and encrypted, then sent to a TrueMe server, which handles authentication. If the user is allowed to visit the website or resource in question, the server sends the verified identity directly to the site.

Given the way that crooks have attacked traditional two-factor authentication systems, will fingerprints prove to be more secure? Hopefully. The TrueMe system also records the device ID of the fingerprint scanner used in the authentication attempt, potentially making it easier to spot fraud and to track down malicious users. We imagine that the technology could also be used by businesses to restrict employee access to sensitive internal websites to certain company-supplied PCs, though Pay By Touch says nothing about the way that the ID check will be used.

While Pay By Touch shows its own branded scanner on its site, the ones built into Lenovo T60 and X60 machines will also work. TrueMe isn't free; there's a yearly fee to use the service, which is currently targeted at business users.

Google buys YouTube

It's confirmed now: Google has agreed to buy YouTube for $1.65 billion in stock. The news comes after a cornucopia of press releases announcing Google and YouTube deals to distribute music videos from Universal, Sony, Warner Music, and CBS, paving the way for a relatively risk-free buyout from Google's perspective.

In the conference call accompanying the press release, the founders of both companies unanimously professed their excitement about the deal, saying that it's a great fit on many different levels. Eric Schmidt said that it was about vision, not about business, and that the YouTube guys reminded him of the early days of Google. Sergey Brin added that video content is certainly information, so the acquisition fits with Google's stated mission of organizing all the world's info.

As for the YouTube leaders, Chad Hurley kept repeating that YouTube has been given the opportunity and resources to "sharpen their focus" and build a better "new media platform" than they could have done on their own. Specifically, Google's "revolutionary new advertising platform" inspired ideas of how to improve the media platform, and users who now demand control over what to watch and where and when to watch it will get what they need from the new YouTube. According to Steve Chen, the two management teams just finished a 48-hour brainstorm where they worked up a list of "potential integration points" between the companies, so there's "no shortage" of ideas on how to improve the user experience or how to make money off the combination.

YouTube will remain a separate brand, and Google Video is not going away. It's unclear how the two services will be different from each other, but Eric Schmidt did mention that one of the principal strengths of YouTube was the social networking aspect of it. Google is issuing stock to pay the YouTube owners rather than dipping into its $10 billion war chest, and according to Schmidt that's because it becomes a tax-free deal for the YouTube team. "Our deals are very, very good for our partners," he said to scattered laughter, calling it a Google hallmark.

Thursday, October 05, 2006

Konica Minolta shows wearable display prototype

Konica Minolta is developing a lightweight, holographic wearable display, a prototype of which was on display this week at the Ceatec exhibition in Chiba, Japan.

The Holographic See-Through Browser prototype resembles a pair of eyeglasses and uses a prism with a thickness of 3.5 millimeters and a holographic element to reduce the weight of the display to 27 grams.

Konica Minolta has just begun development of the lightweight display and is looking for an application where the device could be useful, said Hiroshi Itou, an assistant manager at the business development group of Konica Minolta Technology Center Inc. Possible applications under consideration include giving workers access to an instruction manual or allowing commuters to watch a video while riding a train, he said.

In a video demonstration of the technology, Konica Minolta showed how a user could watch a motorcycle race on the display while walking around their house. In this demonstration, the see-through image of the race appeared to float in the user's line of sight.

The display image is produced by a small attachment above the glasses, which contains an LED (light-emitting diode) that projects the image through a condenser lens and a prism. Once the image travels through the prism, it passes through the display where it is projected onto the holographic element.

The display attachment on the glasses is connected by a cable that leads to a small, wearable device.

Best Buy launches iTunes competitor

Best Buy, in cooperation with SanDisk and RealNetworks, is the latest company to join the growing list of competitors to Apple Computer's iTunes music service.

Best Buy unveiled on Thursday an online music service, called Best Buy Digital Music Store, that allows customers to find, manage and purchase music online. It is powered by RealNetworks' Rhapsody 4.0 music service and lets users purchase and permanently download songs and albums, as well as subscribe monthly to listen to an unlimited number of songs, the company said.

As part of the offering, Best Buy also will carry and promote SanDisk Sansa e200R Rhapsody MP3 players, which have been optimized to work with its new music service. Both the players and the service will be available starting Oct. 15, the company said.

Jennifer Schaidler, vice president of music for Best Buy, said the company is differentiating its service from Rhapsody by offering exclusive artist content and tailoring that to what Best Buy customers are purchasing.

"Look at it as Rhapsody 4.0 plus," she said. "You get all the stuff that's there [on Rhapsody], plus more exclusive content."

Selling CDs and MP3 players in its stores and online is already a successful part of Best Buy's business, so offering a music service was a logical next step for the company, Schaidler said. "Customers expect Best Buy to provide them with quality entertainment in an easy way," she said.

Songs on the Best Buy Digital Music Store will cost $0.99, with monthly subscriptions that allow users to play an unlimited number of songs for $14.99 a month.

The news comes on the heels of the formal unveiling last week of the availability and pricing for Microsoft's forthcoming Zune Player and Zune Marketplace service. Microsoft will make the digital media players and service available in the U.S. on Nov. 14.

Like Best Buy's new service, songs on the Zune Marketplace will cost about $0.99 each, though the charges will be according to a points system (i.e., 79 points a song) that will allow users to purchase items on other Microsoft properties, such as Xbox Live. Zune Marketplace's unlimited monthly subscription also costs $14.99 a month. Songs on Apple's iTunes service cost $0.99, but there is no monthly subscription available.

Monday, October 02, 2006

Firefox JavaScript security "a complete mess"?

Firefox is loaded with security flaws, according to a hacker duo that presented at this year's ToorCon. Mischa Spiegelmock and Andrew Wbeelsoi used a session at the show to highlight what they have called "a complete mess" that is "impossible to patch" in Firefox's JavaScript implementation. According to the pair, the implementation is home to at least 30 possible exploits, all of which they plan to keep to themselves. CNet's Joris Evers brought the story to light this past weekend, but reports are surfacing everywhere.

The presentation, dubbed "Lovin the LOLs, LOL is my will," actually only focused on one flaw, which the presenters said affects Firefox on Windows, Linux, and Mac OS X. The exploit reportedly causes a stack overflow by merely including a small snippet of JavaScript code on a webpage. Spiegelmock and Wbeelsoi have declined to fully detail the exploit, however, leaving Mozilla a bit in the dark. In fact, after a Mozilla employee exhorted them to report the flaw and collect a $500 reward, Wbeelsoi said "what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats."

Mozilla's head of security, Window Snyder, indicated that Mozilla believes the exploit to be real. She has also said that the presentation given at the conference contained enough information that other hackers may be able to reproduce the exploit before it can be patched.

Reports of the flaw come less than a week after Symantec's biannual Internet Security Threat Report indicated that the number of browser vulnerabilities is on the rise. Firefox led the pack both in terms of absolute number of vulnerabilities disclosed in the last six months, and in terms of percentage growth over the year. The report also noted that Firefox had the lowest "window of vulnerability," meaning that the time between identification and fix was comparatively shorter than for other browsers. Nevertheless, the current state of affairs has led many readers to start joking, "Firefox: the next Internet Explorer."