
Mozilla disables password-stealing Firefox add-on

Posted by Harshad


Posted: 14 Jul 2010 04:03 PM PDT

(Credit: Mozilla)

Mozilla has disabled and added to a block list a Firefox add-on that stole log-in information when users visited Web sites, the company says.

The software, called Mozilla Sniffer, had been downloaded about 1,800 times in the approximately five weeks it was available on addons.mozilla.org, Mozilla reported in a blog post on Tuesday.

The blocklist entry will prompt Firefox to uninstall the add-on on computers that have it installed. Users who installed it should change their passwords.

Mozilla Sniffer intercepts login data and sends it to a remote server that appeared to be down, according to the blog post.

The software was not developed by Mozilla, nor was it reviewed by the company. Unreviewed add-ons are scanned for viruses, Trojans and other malware, but some malicious activity can only be detected by reviewing the code, Mozilla said.

"We're already working on implementing a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are discoverable in the site," the company said.

Originally posted at InSecurity Complex

Evernote gets built-in, third-party app directory

Posted: 14 Jul 2010 11:47 AM PDT

SAN FRANCISCO--Web-based memory service Evernote on Wednesday unveiled what it's calling the next phase of its business with something called "The Trunk."

The Trunk is both a directory of third-party sites and a set of tools that can be integrated into the Evernote service to bring additional functionality. According to Evernote CEO Phil Libin, who held a press conference about the new offering here, The Trunk is not an app store, per se, but it will let other companies more easily bring features to the product that Evernote itself could not.

Libin said more than 2,000 partners are taking advantage of the company's APIs. However, at launch, The Trunk will contain just 100 items from 67 different companies. These are split up by category to serve both mobile and desktop Web users.

This built-in directory is being rolled out to Windows, Mac, and Web versions of Evernote on Wednesday, followed shortly thereafter by iPad, iPhone, Android, and BlackBerry clients. Some of the initial partners include: Nitro PDF, which now offers a "send to Evernote" option in its software; Seesmic, which Evernote is working with to let its users export notes to the service; and Dial2Do, which is offering a voice transcription service that can transcribe audio notes into text notes, then save them to a user's Evernote library.

When users want to add one of these features, or simply browse third-party Evernote-integrated services, they'll be able to simply click the new Trunk button, which opens up the directory within the Evernote application:


The new "Trunk" button.

(Credit: Evernote)

For now, any paid service option from one of these third parties will be handled on that company's site, but Libin said a release later this year will include a built-in payment system so that users don't have to leave the app. The company also plans to add revenue sharing and an affiliate program so third parties can make money from being featured in the directory.

Along with new features, the Trunk will also serve as a place for content providers to offer what the company is calling "branded notebooks." These are pieces of content like articles and features from publishers--including California Home and Design, BlackBook, and O'Reilly's Make--in the form of Evernote files that can be viewed alongside a user's own Evernote notes. Libin explained it as a chance for users to "supplement professional content with [a user's] own thoughts and memories."


The new branded notebooks directory in action. Users can download these third-party notebooks into their own Evernote collection.

(Credit: Evernote)

Besides the new Trunk feature and branded notebooks, Libin unveiled a new way for groups to work together. Evernote will now be able to collate shared items into one folder so that users in different locations have the most up-to-date version. Libin explained it as one of the next steps in making Evernote friendlier for business and education users.

In the future, Libin says semantic analysis tools, templates, educational tools, and even games will make their way to the Trunk directory, as well as tighter integration with outside social networks. "The Trunk is a bridge to the social Web," Libin said.


Evernote on Wednesday unveiled "The Trunk," a directory of third-party sites and a set of tools that can be integrated for added functionality.

(Credit: Evernote)

Evernote says it's now up to 3.7 million users since launching in June of 2008. In that time, its users have saved 145 million notes, which Libin said works out to 312 new ones every minute. While the service is free, it does have a premium subscription that costs $5 a month. Libin says that more than 80,000 of its users are currently premium subscribers--a number that has grown every month for the past two years.

According to Libin, there has also been tremendous growth in the number of iPad users, which jumped from 9 percent of mobile users to 18 percent in just one month. He also said that Google's Android platform has made considerable gains on its way to 14 percent of mobile users, and as a result it is requiring more of an investment. "We've more than doubled our Android team, and will be extending our efforts there dramatically," Libin said. "We think over the next year, that the iOS and Android are the two main competitors."

Evernote is currently available on 12 different platforms and in 16 different languages. Windows users still dominate on the desktop side at 50 percent of total users, followed by Mac users at 37 percent. On the mobile side, iPhone and iPod Touch users account for the majority share at a combined 62 percent of total users.

Related: The Real Deal 209: Evernote (podcast)

Originally posted at Webware

Skype's SDK arrives in beta for Windows, Mac

Posted: 14 Jul 2010 09:53 AM PDT

SkypeKit logo (Credit: Skype)

Software developers for Windows and Mac computers will be able to get their hands on a software development kit (SDK) that will put Skype's VoIP calling features into almost any app.

On Wednesday, Skype is offering a limited, invite-only beta release of the SDK, called SkypeKit, to those who request it. SkypeKit beta will work for Windows (x86) and Mac OS X.

The well-known VoIP company first announced SkypeKit in late June, and released its first beta of the program for Linux developers.

Adding Skype modules, like free VoIP calling and video chat, to apps is a big win for Skype's business model, but it can also benefit users by letting them use Skype functionality alongside a program's other features without having to fire up a separate Skype app.

It will be interesting to see where these Skype "plug-ins" will pop up.

Find a lost or stolen iPhone with iHound

Posted: 14 Jul 2010 09:22 AM PDT

The iHound app transmits your iPhone's location at regular intervals so you can track it online.


(Credit: iHound)

If you've been thinking about subscribing to Apple's MobileMe service just to get the peace of mind that comes with Find My iPhone, there's an alternative that's $84.02 cheaper.

It's called iHound, and it tracks lost and stolen iPhones.

This app's been around for some time, but like similar tracking tools, it suffered from one major shortcoming: it couldn't run in the background, and therefore couldn't transmit its location unless it was activated. (I don't know about you, but I rarely run my tracker app before I lose my iPhone.)

Now that iOS 4 has arrived, however, iHound can communicate automatically, at regular intervals, even when it's not running. And it does exactly that, sending location data to iHound's servers every few minutes. (Thankfully, there are other interval settings, including 10 minutes and 30 minutes.)

If your phone does go missing, you simply sign into the iHound site to see its last transmitted location on a map. You can also send a push notification with a custom message and even a spoken alert. (Example: "This...is...iHound!" That should get some attention.)

There's even an option to remotely activate a siren, which could help you find a misplaced phone--or startle a thief into ditching it. And the siren can be deactivated only from the site (though an iPhone-savvy thief could simply turn the volume down to zero).

The iHound app costs $3.99, which includes a three-month subscription to the required iHound service. After that, you can get another three months for another $3.99, six months for $5.99, a year for $10.99, or two years for $19.99. All these options are available as in-app purchases.

Much as I hate paying subscription fees for anything, even I have to admit that 11 bucks per year is pretty cheap--especially compared with MobileMe.

The only major difference between the two is that iHound doesn't offer a remote-wipe option to erase your iPhone's memory. That's not a deal-breaker in my book, but I can see where that feature would be important to some.

In my quick and informal tests, iHound worked like a charm. I can definitely see it replacing my previous tracking solution, Undercover.

However, a couple of things bother me. First, the developer offers a free iHound sticker in exchange for a positive App Store review. That's ethically questionable. Second, subscription pricing appears nowhere except inside the app, meaning you have to buy it before finding out the bottom-line cost of using it. Why the developer feels the need to closet this information, I'm not sure.

Those issues aside, iHound offers an affordable and effective way to recover (or at least locate) a lost or stolen iPhone. It could even help parents track the whereabouts of their kids.

The iHound Web portal shows the last known location of your iPhone and lets you enable an alarm, send a message, and tweak the settings.


(Credit: Screenshot by Rick Broida)


Originally posted at iPhone Atlas

Android's Opera Mini browser gets session restore

Posted: 14 Jul 2010 09:09 AM PDT


Opera continues updating the "Mini" version of its mobile browser for Android phones with some noticeable tweaks and enhancements.

The Wednesday release of Opera Mini 5.1 for Android brings sundry features such as setting Opera Mini as the default browser, and seeing the entire screen when you switch to full-screen mode.

The best addition is session restore: if the browser is accidentally closed while working in the background, Opera Mini can bring your session back within an hour of starting it. This is a similar provision to the session restore in Opera Mini for the iPhone.

Opera Mini 5.1 also supports 96 languages in the interface, and has undergone some back-end fixes to improve scrolling and the look of the page layout on high-resolution screens.

It's available for free from the Android Market on your phone, or by visiting m.opera.com.

Originally posted at Android Atlas

Jasmine France's 10 favorite iPhone apps (CNET 100)

Posted: 14 Jul 2010 04:00 AM PDT

Editors' note: Each day for the next 10 business days, CNET personalities you know and love will publish slideshows of their 10 personal favorite iPhone apps. With each post, you get a chance to vote for your own favorite app. Two weeks from now, we'll collect the full list of 100 apps and announce the 10 that you, our readers, love the most.

Jasmine France (Credit: Corinne Schulze/CNET Networks)

What's senior associate editor Jasmine France doing sharing 10 favorite iPhone apps when she doesn't own an iPhone? Jasmine, one of CNET's experts in digital media and headphones, knows the beauty of the iPod Touch. Her Touch doesn't take advantage of location-based services that require wireless carrier service, but then again, she doesn't have to worry about any pesky antenna issues. Jasmine's picks include some media masterpieces--important apps (like Pandora and Slacker) for any music fans--plus games galore. Does Jasmine ever get any work done around CNET, you ask? Sure! She put together this slideshow:

Once you've seen all of Jasmine's picks, return to this poll to let us know which app is your favorite, then check back each day on iPhone Atlas to see app choices from Brian Tong, Bonnie Cha, and the rest of the CNET crew.

Originally posted at iPhone Atlas

Report: Adobe Reader, IE top vulnerability list

Posted: 14 Jul 2010 04:00 AM PDT

These are the top 15 most observed vulnerabilities for the first half of 2010 alongside the year they were disclosed and the year they were patched.

(Credit: M86 Security Labs)

The most exploited vulnerabilities tend to be Adobe Reader and Internet Explorer, but a rising target for exploits is Java, according to a report to be released on Wednesday by M86 Security Labs.

Of the 15 most exploited vulnerabilities observed by M86 Security Labs during the first half of this year, four involved Adobe Reader and five involved Internet Explorer, the lab wrote in its latest security report covering January through June 2010.

Also on the Top 15 list were vulnerabilities affecting Microsoft Access Snapshot Viewer, Real Player, Microsoft DirectShow, SSreader, and AOL SuperBuddy. Most of the exploits observed had been first reported more than a year earlier and were addressed by vendors, "highlighting the need to keep software updated with the latest versions and patches," the report said.

More Java-based vulnerabilities have been actively exploited, reflecting attackers' attraction to Java's popularity and broad install base. In the most common attack scenario, browsers visiting a legitimate Web site are redirected by a hidden iFrame or JavaScript to a malicious Web page that hosts a malicious Java applet, according to the report.

"Java is the next low-hanging fruit for attackers," says Marc Maiffret, chief technology officer at eEye Digital Security.

Meanwhile, attackers are finding new ways to dodge malware detection mechanisms, the M86 report concluded. "Over the last few months, we have observed a new technique of code obfuscation that combines JavaScript and Adobe's ActionScript scripting language," which is built into Flash, the report said.

This pie chart shows that pharmaceuticals is the most popular spam category, followed by ads for designer knock-off merchandise called replicas.


(Credit: M86 Security Labs)

The report also provided details about spam, which it estimates now represents 88 percent of all inbound e-mail to organizations, while most of the spam (nearly 81 percent) is in the pharmaceuticals category, primarily the "Canadian Pharmacy" brand.

The spam information corresponds for the most part with findings of a study released on Tuesday by Proofpoint and CommTouch, which reports that there were an average of 179 billion spam or phishing e-mails sent each day during the second quarter of 2010 and that pharmacy ads were the leading spam topic.

Meanwhile, the top fake "from" domains used for spam were gmail.com, hipenhot.nl, yahoo.com, 123greetings.com, hotmail.com, and postmaster.twitter.com, according to the Proofpoint/CommTouch report.

Originally posted at InSecurity Complex

Microsoft plugs critical Windows, Office holes

Posted: 13 Jul 2010 10:16 AM PDT


Microsoft issued four security bulletins on Tuesday to fix five holes in Windows and Office, including a critical vulnerability in a Windows Help and Support Center feature that has been targeted by attacks.

The vulnerability in the online help feature, which is delivered with supported editions of Windows XP and Windows Server 2003, could allow an attacker to take control of a computer by luring a computer user to a malicious Web site. The bulletin has a severity rating of "critical" for Windows XP and "low" for Windows Server 2003, according to the advisory.

Microsoft and others criticized Google researcher Tavis Ormandy for publicly disclosing the hole before the software giant had a chance to develop a fix, and for releasing a proof-of-concept exploit. Ormandy defended his actions, saying he needed to get Microsoft's attention to fix the problem, and other researchers supported him. Within days of the disclosure, attacks that exploited the hole were discovered.

"Of the zero-day vulnerabilities patched today, we're only seeing one be exploited in the wild," said Joshua Talbot, security intelligence manager at Symantec Security Response. "In just the few weeks since the Help and Support Center issue came to light, three public exploits have surfaced, all using different attack mechanisms. We saw attack activity begin increasing on June 21, but it's since leveled out."

Microsoft's Patch Tuesday releases also include two critical security bulletins fixing a vulnerability in the Canonical Display Driver and two vulnerabilities in Microsoft Office Access ActiveX Controls, both of which could allow an attacker to take control of a computer. The canonical display driver bulletin is rated "critical" for the 64-bit version of Windows 7 and "important" for Windows Server 2008 R2 with Windows Aero enabled. The Access ActiveX Controls bulletin is rated "critical" for Office 2003 and 2007.

In addition, Microsoft released a bulletin rated "important" that resolves a remote code execution vulnerability in Microsoft Office Outlook 2002, 2003, and 2007.

Microsoft is also ending support for Windows XP Service Pack 2 and Windows 2000 on Tuesday, Jerry Bryant, group manager for Microsoft's Response Communications, wrote in a blog post.

"Since Windows XP is still the most popular OS version for Windows, I believe we're dealing with hundreds of millions of Windows XP SP2 systems that need to be upgraded," said Wolfgang Kandek, chief technology officer at Qualys. "Our own monitoring shows that roughly 50 percent of all XP machines still run on the SP2 version."

"I was disappointed to see that a number of privately reported flaws were not patched in this final update to Windows XP SP2," said H.D. Moore, chief security officer at Rapid7. "This effectively leaves XP SP2 unprotected against a number of serious vulnerabilities that will be fixed for SP3 later this year. One of these is an issue I reported to Microsoft in December of 2006, which has a serious impact on most rich-text aware applications."

Still pending is a fix for a new Windows flaw, disclosed by Secunia last week, that could compromise the security of machines running Windows XP and 2000.

Updated 11:40 a.m. PDT with comment from Moore.

Originally posted at InSecurity Complex
