G$earch

Researcher: WebGL poses security threat

Posted by Harshad

Researcher: WebGL poses security threat

Posted: 09 May 2011 03:30 PM PDT

A security firm says it's found a vulnerability in the WebGL technology for building accelerated 3D graphics into the Web, a problem that could enable attacks through code executed on a computer's graphics chip.

Attacks could take two basic forms, according to a blog post by Context Information Security. In one, a computer could be rendered useless by visiting a Web page that would execute WebGL software that simply brings the machine to its knees.

In the other, "Dangers with WebGL...put users' data, privacy, and security at risk," Context said--specifically, graphics-related information. It posted a proof of concept it says demonstrates the problem.

WebGL, enabled in newer versions of Chrome and Firefox, lets a browser show 3D graphics good for applications such as games or online maps, and it's a high-profile example of efforts to endow Web applications with abilities formerly reserved for native software.

Google didn't respond to a request for comment. Mozilla said it's in contact with Context and is looking into the matter.

Context said the problems it's found lie with the WebGL specification, not a particular browser's implementation.

"Based on this limited research Context does not believe WebGL is really ready for mass usage, therefore Context recommends that users and corporate IT managers consider disabling WebGL in their Web browsers," Context said.

Originally posted at Deep Tech

Google Goggles 1.4 means better business card recognition

Posted: 09 May 2011 02:38 PM PDT

Google Goggles for Android jumped to version 1.4 today, and introduced a few significant features that should improve your overall visual search experience.

Search history now enables you to add personal notes to Goggles results, which is a helpful tool for keeping your search history organized, especially if you're conducting any kind of photo-based research. And when you find something interesting, you can easily share it (with or without notes) via the built-in Share function.

Also, in an attempt to make Google Goggles results more consistently useful, the app is now open to suggestions. By cropping and tagging certain parts of an image, you can take an active role in improving the capabilities of the always-learning image recognition app.

Finally, business card recognition, one of the most popular uses of Google Goggles, just got a whole lot easier. The app now recognizes business cards as contacts, which streamlines the process of adding them to contact lists.

While this new version of Google Goggles certainly doesn't qualify as a major makeover, users should be happy with these improvements nonetheless.

(Credit: Google)

Skype for Mac requires manual update to fix security vulnerability

Posted: 09 May 2011 01:01 PM PDT

Pure Hacking's Gordon Maddern, a tech security writer, has uncovered a zero-day vulnerability affecting Mac users of the popular chat platform Skype. He writes: "About a month ago I was chatting on Skype to a colleague about a payload for one of our clients. Completely by accident, my payload executed in my colleague's Skype client."

Further tests showed that the payload was only executing in Skype clients on Macs. Windows and Linux appeared to be safe. After using Metasploit and Meterpreter to produce a proof of concept, Maddern was able to gain a shell remotely using the Skype exploit.

Perhaps alarmingly, this information was brought to the attention of Skype's security team over a month ago, with the only response being a generic "Thank you, we'll get to that soon".

"The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac," Maddern writes. "It is extremely wormable and dangerous."

This bug was finally fixed in a manually installable patch today.

If you're a heavy Skype user on your Mac, download the manual update to patch the bug. A full version update, as noted, should be available in the next week or so.


Originally posted at MacFixIt

Gears gone in Chrome 12 beta

Posted: 09 May 2011 12:35 PM PDT

Only a week after Google upgraded the stable version of Chrome to 11, the company bumped its beta users to version 12 beta last night. Google Chrome 12 beta (download for Windows | Mac | Linux) pushed a moderate range of under-the-hood improvements to Chrome beta users, including better hardware acceleration, stronger privacy controls, and slightly safer file downloads. It also killed support for Google Gears, a move the company announced back in March.

The new beta includes two security improvements. Flash-based local shared objects, which are bits of Web sites stored locally on your computer, can now be deleted from within Chrome's settings. In the past, you would have to use a special online tool from Adobe to remove them.

The second security enhancement extends to downloads the security algorithms that Chrome uses to check Web sites for malicious content. The browser will now natively prevent some malicious downloads from being saved on your computer. Note that this is not a full-powered replacement for your security software.

Improved hardware acceleration in Chrome 12 beta comes in the form of support for 3D CSS, which means that the browser will now leverage the processing power of your computer's graphics card when handling 3D animations written in CSS. This requires your graphics card drivers to be up to date.

Another change is built-in preliminary support for screen readers, which are programs that help the visually impaired by reading aloud what's on the screen when moving the mouse. The support includes readers such as JAWS, NVDA, and VoiceOver.

If Chrome 12 development stays on schedule, these improvements are expected to make it to the stable release about one month from now. The full Chrome changelog is available here.

Zipcar beta hits Android market

Posted: 09 May 2011 11:37 AM PDT

(Credit: Zipcar)

Mobile-savvy commuters can now access the popular Zipcar car-sharing service right from their Android mobile devices. Just released this past week, the new Zipcar app for Android is as useful as its iOS counterpart, as it enables Zipcar members to map out, reserve, unlock, and even honk the horn of their Zipcar of choice. Non-members can still download and browse nearby inventory, but can't reserve, lock, or, sadly, honk any of the vehicles.

While the app appears to be fully functioning, it's important to note that it is still officially in beta, which means users may run into a few bugs. However, Android-wielding Zipsters should still be happy with the considerable convenience the app offers.

Amazon Cloud Drive: Now streaming to iOS

Posted: 09 May 2011 08:47 AM PDT

It's a bit of a hassle to access the Amazon Cloud Player in your iPhone's browser, but at least it works.

(Credit: Screenshot by Rick Broida)

There's no denying that Amazon's new Cloud Drive is pretty awesome--especially if you routinely buy music from Amazon's MP3 store. Among other things, you can get 20GB of online storage (for a year) for the price of one dirt-cheap album.

Alas, until now, only Android users could listen to their Cloud Drive tunes on the go. The iOS camp has yet to see an Amazon MP3 app.

But as reported by Lifehacker today, Amazon just updated the service to support streaming over Safari. In other words, iOS users can now use the Amazon Cloud Player. They just have to go through their browser to do it.

Assuming you're already set up with a Cloud Drive account (and have some music in it), just point Safari to www.amazon.com/cloudplayer. (Ignore the warning about your incompatible browser.) Sign into your account and you'll see the same interface you get on the desktop.

It's a little unwieldy, to be sure, and very limited in terms of how you can queue up music to play--but it works. We hope this is the precursor to a full-fledged Amazon MP3 app for iOS.

Your thoughts? Are you eagerly awaiting a cloud-based alternative to storing all your music on your iPhone? Think Apple will beat Amazon to the cloud-music punch? Heard any good new tunes lately?

Originally posted at iPhone Atlas

LastPass data breach and mobile cat-and-mouse

Posted: 08 May 2011 12:00 AM PDT

One of the bigger stories in download news this past week was the likely security breach of popular online password manager, LastPass. The incident had many of us considering switching password managers, but LastPass CEO, Joe Siegrist, urged us to keep calm, and even suggested that users with strong passwords had no reason at all to worry.

In other news, barely a week after upgrading its stable version of Chrome to 11, Google bumped its beta users to version 12. The new build introduced better hardware acceleration, stronger privacy controls, and slightly safer file downloads, among other changes. Google also did some work on the mobile side, upgrading its Google Goggles Android app to 1.4, which offers improved business card recognition and a more robust search history experience.

Meanwhile, the cat-and-mouse game between mobile carriers and unauthorized tetherers continued. Just as some of the nation's biggest wireless carriers moved to put the kibosh on unauthorized tethering, popular tethering app PdaNet updated to 3.0 and incorporated a tethering mask feature.

Get your things in order

Posted: 06 May 2011 04:00 PM PDT

Things is a powerful, easy-to-use task-management app that can help you enter, organize, and act on items in your to-do list. Based on the popular Getting Things Done productivity method, Things gives you an elegant, streamlined interface--a classic, Mac-style multipane setup that doesn't require a lot of additional windows for its work flow. This latest version fixes compatibility issues between the Mac App Store version and the downloadable version.

Also this week, we have the latest Google Chrome beta so the hard-core Chrome users can check out what's next for Google's speedy Web browser (you should save all important data before launching any beta software). Our game this week is Absolute Backgammon featuring 32 board designs, 5 skill levels, and the ability to move game pieces using only your voice.

Don't forget to check out our iPhone apps of the week!

Expert: Skype for Mac hole can be used in remote attack

Posted: 06 May 2011 03:01 PM PDT

A security researcher said today that he found a serious hole in the Mac version of Skype that could be used by an attacker to remotely take control of someone else's computer.

In response, Skype says it released a "hotfix"--a quick fix to hold users over until a full update is ready--for the issue in a minor update released in mid-April, but did not prompt users to update their software because there were no reports that the hole was being exploited in the wild and it was planning on issuing another update early next week.

Gordon Maddern, of Pure Hacking in Australia, says he discovered the vulnerability about a month ago. He was chatting on Skype to a colleague about a payload when the payload executed in the colleague's Skype client accidentally, Maddern writes in a blog post today.

He created a proof of concept that can be used in an attack but is not releasing details on it until Skype fixes the issue. He could not find the vulnerability in the Skype client for Windows and Linux, he said.

Maddern said he contacted Luxembourg-based Skype and received a note saying "Thank you for showing an interest in Skype security, we are aware of this issue and will be addressing it in the next hotfix."

"That was over a month ago and there still has not been a fix released," he wrote in his blog post. "The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac. It is extremely wormable and dangerous."

In a blog post, Adrian Asher of Skype explains that the vulnerability "is related to a situation when a malicious contact would send a specifically crafted message that could cause Skype for Mac to crash. Note, this message would have to come from someone already in your Skype Contact List, as Skype's default privacy settings will not let you receive messages from people that you have not already authorized, hence the term malicious contact."

"At the time they (Pure Hacking) alerted us, we were already aware of the issue and were working on a fix to protect Skype users from this vulnerability, as we take our users' security very seriously," Asher wrote.

Updated 4:13 p.m. PT with Skype saying it previously issued a hotfix and will release an update that addresses the vulnerability next week.

Originally posted at InSecurity Complex
