Any urbanite knows that directions aren't created equally. Pedestrians can usually go wherever their feet can take them, but road traffic has to contend with hated one-way streets. Don't even get us started on cyclists. Luckily for bike riders toting Android phones in their messenger bags, a few days after Google added directions specifically for cyclists, the Maps team rolled biking guidance into the Android app.

Now cyclists who download the updated Google Maps 4.2 application from the Android Market can find optimal routes for their two-wheelers--both in the directions module and as a map layer that color codes different types of bike-friendly roads and paths.

Just be forewarned that the maps and directions are in beta mode, and that they're currently operational in the U.S. only, and only for phones running version 1.6 and above of the Android operating system.

In addition to bike-friendly mapping, a new shortcut handily puts Google Maps navigation on the home screen for drivers--the only mode of transport for which voice guidance is available--so you can pop open voice navigation without digging around your apps list.

Google's mobile maps team has also made it possible to share places with friends thanks to a sharing module that can link you to e-mail, text message, Facebook, and other social outlets.

Originally posted at Android Atlas

At the end of this week, EtherPad shuts down for good, taking user creations with it. The online word processor, whose parent company was acquired by Google last year, has not accepted user sign-ups for months now. But just in case you're one of those users who has not moved on, or is just now discovering EtherPad's strengths, there's good news: the service has been open source for the past five months. As a result, there are a handful of open-sourced clones that provide the same EtherPad experience with a few extra bells and whistles.

One thing to point out before going any further is that most of EtherPad's functionality can be found in Google's Wave product and, to a lesser extent, Google Docs. In fact EtherPad users got invites to use Wave, but the service remains in a private preview. Also, many of these services don't offer the same kind of privacy features you'll find in other online word processors.

1. MeetingWords offers the same EtherPad word processor you're probably used to. It can be used solo or with other writers. We got it to work just fine with six different people, all of whom were typing away alongside what I was writing, though the service promises that up to 32 simultaneous users can type at once. To get them there, you can just send out a link, which gave them full read/write access.

One thing to note about MeetingWords is that your docs are only saved for seven days from the last time you had them open, after which they'll be gone forever. It offers the same import and export features you'd find in Etherpad, so you can get your stuff before it disappears.

2. iEtherpad one-ups MeetingWords by offering resizable fonts as well as superscripting and subscripting. These might seem like small additions for a word processor, but keep in mind these are features that the original EtherPad never had. If you found EtherPad's stock formatting options a little lackluster, this is a nice step up.

3. Sync In uses the same core features of EtherPad but gives it a different skin. Along with its free service, there's also a pro tier, that for $2 per month (per user) gives teams a custom domain, per-note password protection, and a way to see all their notes in one place. There's also a search tool so you can find specific notes out of your entire library of work.

One really nice thing about Sync In is that it offers users a desktop app. This doesn't actually let you edit your notes on your desktop, but you can search, sort, and choose documents that you'd like to open up back in your browser.

4. TitanPad, like MeetingWords, is a pure EtherPad clone. It does all the same things MeetingWords does, as well as offering teams a way to map TitanPad notes to their own subdomain.

5. PiratePad is less of a personal word processor and more of a collective of shared EtherPad notes. You can use it to write private items, though the service has a built-in tagging system that lets you make these writings public and/or able to be edited by other users.

6. PrimaryPad is a version of EtherPad for educators, so it's not for business use, though there is a freebie public version that mimics the same features you'll find in many of the above editors. Paid educational users get things like support, password protection, and administrative controls.

These are just a few of the clones. A much more comprehensive list of open EtherPad projects can be found on Etherpad.org, which does not actually host its own EtherPad clone.

See also: Debating the power of Google's Wave

Originally posted at Web Crawler

The United States Computer Emergency Readiness Team (US-CERT) has found a security hole in Safari, with which a hacker could run arbitrary code at the privilege level of the current user account if the victim visits a malicious Web page.

Outlined Monday on the CERT Web site, this problem happens because Safari fails to properly handle references to window objects in the HTML DOM, and allows DOM window references to exist even if the corresponding window object has been deleted. The remaining reference pointer can be used by JavaScript to run code and be used to exploit the user. Apparently there are already public exploits available for this vulnerability.

So far the problem has been confirmed to be on the Windows version of Safari; however, it could also exist on the Mac.

There are no known fixes as yet, and it will be up to Apple to fix the problem fully with a Safari update. In the meantime, there are several things you can do to both reduce the potential harm from exploits of this vulnerability, as well as prevent it from being used.

1. Use nonadministrative accounts.

   This vulnerability is only able to run code with the permissions of the current user on the system. If you are using an administrative account, then there is more potential for harm from an exploit.

2. Disable Javascript.

   Unfortunately most Web sites use JavaScript, but disabling it definitely prevent this problem from occurring. One option may be to disable JavaScript, and then when you visit a Web site that uses JavaScript, enable it just for that session. This would be time-consuming, but it's one way to prevent an exploit from running.

3. Be wise.

   The best advice for any browser, is to not follow random links from spam, forums, chat rooms, or pop-up windows. Check the spelling of links (you can right-click and copy them to better examine them) and see if there are any misspellings, the use of offshore hosting servers, use of IP addresses instead of DNS names, and very long URLs. If any of these exist in a link, avoid them. If you are looking for a specific company, use a reputable search engine or go directly to the company's Web site.

   Regardless of the vulnerability, if you are not browsing malicious Web sites, then your risk will be minimal.

---

Questions? Comments? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.

Originally posted at MacFixIt

Microsoft issued two critical bulletins on Tuesday fixing holes in its e-mail programs and the Visual Basic for Applications programming language implementation built into Office.

Bulletin MS10-030 resolves a vulnerability affecting Outlook Express, Windows Mail, and Windows Live Mail that an attacker could exploit by compromising a mail server, hosting a malicious mail server, or performing a man-in-the-middle attack to intercept communications between the client and the server.

Bulletin MS10-031 fixes a hole in Microsoft Visual Basic for Applications (VBA) that could allow an attacker to remotely run code if a host application opens and passes a malicious file to the VBA runtime environment. The update resolves the problem by changing the way VBA searches for ActiveX Controls are embedded in documents.

Successful exploits of the vulnerabilities at the heart of the bulletins could allow an attacker to take complete control of a computer, Microsoft said in its bulletins summary advisory. The bulletins affect Windows 2000, XP, Vista, Windows 7, Server 2003, Server 2008, Office XP, Office 2003, 2007 Microsoft Office System, Microsoft Visual Basic for Applications, and Visual Basic for Applications software development kit. However, Windows 7 and Server 2008 R2 customers are not vulnerable in their default configurations, the company said in a post on the Microsoft Security Response Center blog.

Microsoft is still working on a fix for a vulnerability in SharePoint Services 3.0 and SharePoint Server 2007 that was disclosed late last month and which could lead to a cross-site scripting attack via the browser. Proof of concept exploit code has been published for that.

"I've put the Visual Basic for Applications vulnerability first on my list," said Joshua Talbot, security intelligence manager for Symantec Security Response. "Both vulnerabilities require social engineering to exploit, but the VBA vulnerability requires less action from a user. For instance, an attacker would simply have to convince a user to open a maliciously crafted file--likely an Office document--which supports VBA, and the user's machine would be compromised. I can see this being used in targeted attacks, which are on the rise."

Meanwhile, the other vulnerability requires a user to actually open up Outlook Express or Windows Mail and connect to a malicious mail server, he said. "It's possible that an attacker could somehow convince a user to do this--for example by enticing them to sign up for a new free mail service--but the steps required to do so would probably be a red flag for most users," Talbot added.

Also on Tuesday, Adobe issued a critical security update for Shockwave Player and a less serious one for ColdFusion.

Updated 1:36 p.m. PDT with Adobe security updates.

Originally posted at InSecurity Complex

What do you get when you take a bunch of mobile browser developers and give them free run of the lab? A preview build of Opera's Mobile 10 browser running on the Nokia N900 and N800/N810 Internet Tablet.

Opera Mobile 10 for Nokia's open-source Maemo platform sprang to life as a hobbyist's thrill in the Opera Labs and is now being released, along with a laundry list of caveats, for intrepid testers. Opera stresses that this is no official Opera build. As such, it hasn't been put through the QA paces, and is one experiment that could very well fizzle out before achieving a final release.

Inside, the features in Opera Mobile 10 on Maemo will mirror Opera Mobile 10 for Windows Mobile and Symbian phones, including tabbed browsing, Speed Dial, and syncing bookmarks and other browsing info with other Opera browsers you may use.

Though the overall effect may be less polished than Opera users are used to, this build does have one advantage. It uses the new Carakan JavaScript engine and new rendering library that handles stylized corners and shadow effects. There are drawbacks, too, like no support for Flash or other plug-ins. You'll find the full list of known issues here.

This isn't the first time that Maemo has attracted a browser-maker's attention. Mozilla also chose Nokia's operating system to incubate its mobile Firefox browser.

Security research firm Matousec has published details of a technique for bypassing some of the protections offered by widely used Windows security software, including programs from McAfee and Trend Micro.

However, the attack has serious limitations, including the requirement that the attacker must already have the ability to execute code on a system, Matousec acknowledged. That means the method would have to be used in combination with another attack vector, or employed by an attacker with local access to a system.

The method, called an argument-switch attack, can be used against Windows security programs that use a technique called System Service Descriptor Table (SSDT) hooking. All of the 35 applications tested by Matousec featured this technique, including products from BitDefender, F-Secure, Kaspersky, and Sophos, as well as McAfee and Trend Micro.

Read more of "Attack defeats 'most' antivirus software" at ZDNet UK.

Originally posted at News - Security

GIVEAWAY ALERT: TechSmith is giving away free copies of Snagit 10 together with Camtasia Studio 7 to the first 50 CNET readers to retweet this story along with the #snagitcamtasia hash tag.

When you've got an itinerary to file away, a photo to annotate, or a perplexing error message you can't decipher, what do you do? If you're us, you might reach for your keyboard's Print Screen button to pop open one of dozens of screen capture apps you can install to take a snapshot of your current display for later editing or reference.

Software-maker TechSmith hopes you'll make its new Snagit 10 your screen grabber of choice.

Snagit has remained one of the top screenshot apps in its class over the years, but while this latest model does indeed improve on the previous build, the changes are less drastic than they were with the previous edition, version 9. To be fair, not every version update is an overhaul. By the same token, since the core features remain consistent from version 9 to version 10, Snagit 9 owners may not feel compelled to upgrade. However, if you're new to screen-capture software, Snagit 10 is an excellent choice in the premium category.

What's new in Snagit 10

Just because we're not urging existing users to upgrade doesn't mean that Snagit 10 doesn't add interesting or useful new features. In fact, it does, and for the most part we like them (with one or two notable exceptions.)

In addition to refining the icon art on Snagit's launch pad (pictured above,) TechSmith has added a new default profile. All-in-One Capture rolls the full-screen, window, region, and scrolling captures into one. The profile also adds cross-hairs to help line up a shot and pushes the magnifying glass into the mess.

We'll admit the new capture profile looks like a confusion of lines and planes, especially as the capture borders jump from full screen to window to scrolling mode. But we soon saw the logic of combining the most-used profiles into one juiced-up super-capture mode. By floating the cursor around the page, you can change your mind about your capture area without having to switch up your profile every time you want to alternate between full-screen mode, for instance, and selecting a smaller area that you define yourself (see the video above for a demo).

Transparency is another theme. In the capture tool and editor, a checkered background replaces white as the default canvas color. In addition to making Snagit captures truer to form when pasting them into presentations or other programs, a transparent background also gives rise to a cool new page curl effect. In addition, you'll find blue and silver skin choices in the Options menu to vary up the black default color.

Snagit also gets a remodeled cut-out tool that makes it easier to select areas of an image you'd like to pull from being, but an inability to choose if you want the cut ends mashed together or separated by various styles of transparent space also strikes us as inflexible--we want choices, dangit.

Snagit's sister product, the freemium hosting service Screencast.com, makes a bolder appearance in version 10. You can now upload captures directly. Sharing said images with contacts via Screencast.com keeps large files out of contacts' in-boxes by sending recipients a link for online viewing. Each Snagit user gets a free Screencast.com starter account, nominal storage included.

While there are more enhancements, the last notable one comes from one of the lesser-known text capture tool. Text capture has been on our radar for years, but has traditionally produced inconsistent results, often in part because Snagit and other apps can't capture text from within an image. Words in a company logo, advertisement, or Flash Web site would count. Improvements to the capture software now transfer the formatting, like font and color, along with the text. That's the theory, anyhow, but it occasionally fell flat in our Firefox tests. You can apply the usual roundup of text-editing tools to reformat the text as well. Snagit's text capture, while still not flawless, performed best in IE and fair in Firefox. Chrome support is on the road map, and it also doesn't work in Opera and Safari browsers.

Price

How much it will take to make Snagit 10 yours? If you like what you see after the free 30-day trial, the capture app costs $49.95 to buy new and $24.95 to upgrade from a previous version. If you're just entering the world of premium screen-capture software or have been hanging on to Snagit 7, for instance, then version 10 is a worthy purchase or upgrade. Again, we think it's close enough to version 9 that most existing users of that build won't find a need to jump ahead.

Mozilla hopes to release Firefox 4 in October or November, a new version that has speed among its top goals.

"Performance is a huge, huge, huge thing for us," said Mike Beltzner, vice president of engineering for Firefox, in a Webcast on Tuesday about plans for the browser. "We created the performance story, and we've got to keep at it."

Among other features planned for Firefox 4--and Mozilla emphatically cautions that plans can change--are support for high-speed graphics and text through Direct2D on Windows; a tidier user interface with more prominent and powerful tabs; support for several newer Web technologies; 64-bit versions; and compatibility with multitouch interfaces.

Performance means any number of things in a browser. Among them: the time it takes to launch the program or to load a Web page, the responsiveness of the user interface to commands such as opening new tabs, and the speed with which Web-based JavaScript programs execute. Firefox programmers also will work on more perceptual speed improvements, Beltzner said, such as changing the order that Web page elements appear on the screen and the appearance of the page-loading progress bar.

Speed is one item on a long list of changes Mozilla has in mind for its 5-year-old open-source Firefox browser. Improving Firefox is arguably a greater challenge now, though, for several reasons.

First, there's new energy in competitors including Microsoft's Internet Explorer 9 and Chrome from Web powerhouse Google. Second, making abrupt changes is harder without ruffling feathers among its large user base--Firefox accounts for roughly a quarter of the browser usage worldwide. Third, Firefox is expanding from PCs to mobile phones and tablets with very different hardware requirements. Last, a long list of new technologies are profoundly transforming browsers into a foundation for Web applications, but many of those advancements are far from settled.

Beltzner recognizes the challenges.

"We are in it to win it," Beltzner said. "It's no longer the case where it's all easy wins. There's hard work to be done here. We have to make sure we're the ones leading the charge in keeping the Web open for users."

Mozilla established a Firefox 3.6, 3.7, and 4.0 release plan in 2009, but the organization warned early this year that the browser schedule was changing. Tuesday's Webcast offered a new schedule with no Firefox 3.7.

Why the road map change? One key feature of 3.7 called out-of-process plug-ins, which moves plug-ins such as Adobe Systems' Flash Player to their own separate memory area for better stability, was advanced to Firefox 3.6.4, code-named Lorentz and in beta testing right now. Meanwhile, Mozilla concluded it needed more time for a planned user-interface overhaul and to be liberated by a "rebooted" plan for a new extensions foundation called Jetpack.

So what's the schedule? If all goes well, this:

"I think we need to get to a first beta by the end of June," before the Mozilla Summit in early July, he said. Releasing that version "puts us in a position where we can ship [the final version] somewhere in October or November."

Is it possible? Firefox 3.6 had been due in that time frame in 2009 and slipped into early 2010. "This is an aggressive schedule to be sure. We have to focus the efforts of projects already under way so it can come together to be a really great Firefox 4," Beltzner said. And programmers will have to prove the merit of any new projects very soon if they want them included.

So what else is new?
Beltzner grouped the Firefox 4 plan into three broad areas of interest: features for browser users, features for Web developers, and underlying platform features.

Tabs are one area of change for users. Tabs will be above the address bar, as is the case with Chrome, and a home tab replaces the home button. In addition, narrower application tabs can be dedicated to various Web apps. Instead of a menu bar across the top, there's a single Firefox button with a drop-down menu. Typing in the address bar can be used to switch to other tabs. One change that had been bandied about, though--a unification of the address bar and the search bar, a la Chrome--didn't appear in Beltzner's designs.

Mozilla hopes to change some dialog boxes to make them more effective. Two examples are the option for Firefox to remember a Web site's password and to permit a Web site to use the browser user's physical location.

Mozilla has always been motivated by the idea of giving the user control, and it's hoping the new Firefox will go further with a revamped control panel for managing passwords, cookies, pop-up blocking, geolocation, local data storage, and related details. Users could see what permissions have been granted to Web sites for each category, or alternatively, see which various permissions a specific site has.

Significant changes to the user interface can lead to confusion, but in the long run, the pain can be worthwhile, Beltzner said. Sometimes, he said, "we're going to have to do the uncomfortable thing."

Web developer changes
Those who design Web sites are a smaller but influential group, instrumental in getting Firefox to its present status. For them, Mozilla has a number of features planned for Firefox 4.

For Web applications, the Firefox 4 plan includes support for WebSockets, a mechanism for easier communication between the browser and a Web server. And as for dealing with the new class of touch-enabled devices, which often don't have a keyboard or mouse, Firefox should be able to let Web developers build pages controlled with a multitouch interface.

The heart of Web programming is Hypertext Markup Language (HTML), and Mozilla is building into Firefox a new HTML5 "parser," the part of the browser that interprets the Web page code. The new parser can handle Scalable Vector Graphics (SVG) and mathematical equations interleaved with the rest of a Web page, runs as a separate computing process to improve browser responsiveness, and fixes "dozens" of longstanding bugs on the previous parser, Mozilla said.

In industry shorthand, HTML5 often stands for many new technologies that aren't part of the actual HTML5 specification or even the broader HTML renovation effort.

Firefox 4 will support some of those, too, but two important ones are only tentative at this stage: the newer Indexed DB effort designed to improve how information from a Web site is stored locally on a computer, and the WebGL effort to build hardware-accelerated 3D graphics into the Web. Required driver support for graphics chips complicates WebGL, and the Indexed DB specification isn't likely to be finished in time, Beltzner said.

For the movement to sidestep Flash with Web technologies, Firefox 4 has a few features planned. Some newer aspects of Cascading Style Sheets (CSS), used for formatting, are set to be supported, including transitions that can animate the transformation of one Web element into another. Firefox 4 also is expected to support more of the newer CSS3 specification.

Also stepping on Flash's toes will be support for SMIL, the Synchronized Multimedia Integration Language that can be used for some animation chores, and faster performance with the 2D drawing interface called Canvas.

Under the hood
Performance improvements to Firefox will come through improvements to the underlying software. One significant change coming is JaegerMonkey, which combines Firefox's current JavaScript engine with elements of those used in Chrome and Safari browsers.

"JaegerMonkey has reached a halfway point: we've closed about half the performance gap between our baseline performance and the competition," JaegerMonkey programmer David Mandelin said in a blog post Monday. However, he added, "you can build a browser with JM [JaegerMonkey] today, but you probably won't get too far before crashing. Fixing that is next on my list."

Also on the Firefox 4 plan is support for 64-bit processors. Operating systems have now made the jump in earnest, but not all software has followed suit.

Other hardware changes planned for Firefox 4 include support for Direct2D on Windows, a feature that lets the browser tap into the engine for hardware-accelerated graphics and text. That support exists on Windows 7 and the latest service pack of Vista, but here again, "driver hell" is a risk.

Support for Windows 7 interface features including Aero peek, jump lists, and icons with progress bars also are on to-do list for Firefox 4.

Support for cameras and microphones is only a tentative goal, as is tighter integration with Mac OS X.

Deeper under the covers, for security and stability reasons, Mozilla is splitting Firefox into separate memory areas with a project called Electrolysis. Its first element, out-of-process plug-ins (OOPP), is the chief feature of Firefox 3.6.4, but more is planned for Firefox 4. The new Jetpack interface moves add-ons to a separate memory area, too. Firefox 4, though, won't get the broader sandboxing design in Google's Chrome, in which browser tabs are separated from one other.

These plumbing details might sound arcane, but they're important as browsers become a foundation for ever-increasing amounts of computing chores. A Monday blog post from Firefox programmer Vladimir Vukicevic captured the essence of the matter.

"Today's Web browser is in many ways acting like a miniature full operating system," Vukicevic said.

Updated at 6:34 a.m. PDT and 9:07 a.m. PDT with further detail.

Originally posted at Deep Tech