
Thunderbird gets web-savvy with Contacts

Posted by Harshad

Thunderbird gets web-savvy with Contacts

Posted: 04 Aug 2010 06:04 PM PDT

One of the best features in the Thunderbird remix called Postbox was the deep and fluid integration of social networking contacts into the desktop e-mail client. Thunderbird itself has begun to get a taste of that power with Thunderbird Contacts, a version of Mozilla Contacts, a Firefox add-on that made the browser more socially aware.

The Thunderbird Contacts add-on lets users manage social networking and webmail contacts from their desktops.

(Credit: Screenshot by Seth Rosenblatt/CNET)

Thunderbird Contacts is so new that Mozilla is still switching between that name and "Contacts for Thunderbird" in its blog post announcing the add-on. Whatever it's called, it pulls your cloud-stored contact info from numerous sites into Thunderbird, and then merges the contacts it identifies as identical. Contacts currently works with Gmail, Yahoo Mail, Twitter, Facebook, LinkedIn, and Plaxo, as well as the Mac address book.

Once the add-on is installed, it is configured under Tools > Contacts. The Services tab is where you add login information for each service you want it to pull from; the Contacts tab is where you view and manage addresses; and the Finders tab controls contact discovery. A Permissions tab lets you revoke a service's permission to update contacts without deleting the information you have already downloaded. At the bottom of the Services tab are options to empty your address book, export contacts, and delete the data the Finders tool discovered.

In my tests, the add-on didn't work well with the corporate global address book here, although it did successfully import contacts from Twitter and Gmail into Thunderbird. For Thunderbird fans, this looks like it could grow into a must-have app for adapting the platform-specific "e-mail" into a more generic "communication", but the add-on still feels somewhat rough and has a way to go before that happens.

IE 9 preview offers tantalizing look at IE's future

Posted: 04 Aug 2010 05:06 PM PDT

The fourth and final developer's preview of Internet Explorer 9 was released on Wednesday, with significant updates to standards compliance and rendering speed, according to Microsoft.

Microsoft says that the way its new JavaScript engine, Chakra, integrates with the rest of the browser produces faster page-load times.

(Credit: Microsoft)

Microsoft said in a blog post that the developer's previews had been downloaded more than 2.5 million times, indicating that despite Internet Explorer's plummeting market share over the past few years, developer interest in seeing it improve remains high.

The vast and dramatic improvements made to Internet Explorer 9 are readily apparent, even in this stripped-down preview version. Hardware-accelerated HTML5 support is a major and multifaceted component of IE9, allowing for more complex and demanding audio and video within the browser. There's also extensive SVG animation support, although, as Microsoft points out in its blog, the animated SVG standards have yet to be finalized. You can see the effect of those unfinished standards when you run the IE9 preview's SVG tests in other browsers, which render them imperfectly. Still, Microsoft is forging ahead and appears eager to address standards compliance in IE9, which is a good sign.

Internet Explorer 9's new JavaScript engine is a radical departure from older versions. Microsoft says that IE9's Chakra engine is remarkable for the way it is integrated into the browser, as opposed, the company says, to being "bolted on." Previous developer previews had Chakra in the "bolted on" position. Microsoft says the integration decreases page-load times and offers benchmarks, conducted by the company itself, that place the fourth preview among the top five browsers on the WebKit SunSpider JavaScript test.

The fourth IE9 preview also does better than any previous version of Internet Explorer on the Acid3 test, which checks a browser's support for a number of commonly used Web standards. The latest IE9 preview scores 95 out of 100, up from 83 for the third preview; the shipping Internet Explorer 8 scores only 20.

Microsoft offers multiple tests that can be accessed from within the preview so users can see how they perform on their own computers. The developer preview now supports copy and paste, and here are a few of the more interesting tests, which can also be opened in other browsers: Hamster Dance Revolution and Psychedelic Browsing for testing JavaScript; IE Beatz and Tweet Map for testing hardware acceleration; and IETrade for seeing how the HTML5 canvas tag can be used in IE9. Note that "Hamster Dance Revolution" may induce rage seizures.

Some of these changes, such as the integration of the JavaScript engine, are unique to Internet Explorer. Others, such as the hardware acceleration, bring the browser up to speed with its rivals or surpass them entirely. The developer previews of Internet Explorer have served the same purpose as any good pre-beta technology, building anticipation that the beta will be more or less usable on a daily basis. The actual feature set and user interface that Microsoft builds on top of the engine will determine much of how people react to the browser, and it remains to be seen whether Microsoft takes a page from the playbooks of Google and Mozilla and introduces faster revisions.

Digital natives hold on to Polaroid

Posted: 04 Aug 2010 03:19 PM PDT

Since it was rescued from extinction, Polaroid's look has been transformed into something everyone can have right on their computers or mobile screens. Free applications like Poladroid and Polarize bring Polaroid's feel to the digitally inclined.

Once you open Poladroid, a picture of a Polaroid camera shows up on your desktop. To start converting your pictures into retro gems, drag and drop any JPEG file onto the Poladroid icon. The loading time for the application is a bit slow, but at least the sound effects are realistic. The final image does not show up right after you drag the photo into Poladroid. Just like real Polaroid film, the image starts out dark and then slowly transitions into a fully visible photo. The application also lets users adjust image effects such as vignette strength and blurriness.


Polarize for iPhone is a lot of fun as well. The application gives users the option to select from their iPhone's photo roll, or simply take a picture straight from the app. Either way, the end product is a retro-looking image that is not vintage overkill; the program edits the image to the appropriate color. With Polarize, you can also tag the bottom of your Polaroid with a digital sharpie.

With Polaroid's rising popularity among the generation of digital natives, more and more applications have been introduced into the scene. Polarock and ShakeIt are among the paid Polaroid applications for iPhone. As time goes on, more retro gadgets may be making their way into the virtual world.

Apple readies fix for iPhone browser security hole

Posted: 04 Aug 2010 02:22 PM PDT

Apple says that it has a fix for the browser security flaw discovered earlier this week on its iOS-powered devices.

After the iPhone Dev Team released its latest jailbreak for the iPhone over the weekend, the way the jailbreak worked, through the iPhone's mobile Safari browser, made it apparent that the phone has a security vulnerability in the way it loads PDF files from the Web.

On Wednesday an Apple spokeswoman said in a statement, "We're aware of this reported issue, we have already developed a fix and it will be available to customers in an upcoming software update."

Apple declined to say when the update would be pushed out.

There are two distinct vulnerabilities in the iPhone uncovered by the jailbreak software's release, principal analyst Charlie Miller of Independent Security Evaluators told CNET Tuesday. One flaw is in the way the browser parses PDF files, which lets attacker-supplied code run inside the browser's protective sandbox; the other allows that code to break out of the sandbox and gain root privileges, that is, full control of the device.

The security flaw is so serious that the German government issued an official warning to citizens about it on Wednesday and said it was investigating.

Apple declined to comment on Germany's Federal Office for Information Security's statement.

Originally posted at Circuit Breaker

Giving Google App Inventor a spin

Posted: 04 Aug 2010 08:14 AM PDT

It's a fact that Google is stuffed to the brim with really, really smart people. You might think you're a bit of a brainbox, but compared to those dudes at Google, we're all idiots. So to help us feel better about ourselves, the search and mobile OS giant has created Google App Inventor, a simple way for us to make our own Android apps.

And by simple, we mean probably not as hard as learning a programming language from scratch, but still not the sort of thing most people would find easy. It does make it possible, however, for everyone to have a go at writing their own app, and have a reasonable chance of success. And to prove even the dimmest of wits can produce something usable, we had a go.

When you open the App Inventor, you're presented with a very Googlish user interface, similar to the Google Apps components such as Docs. In the middle there's a window that represents the screen of your phone--although it's not quite as simple, or limited, as that makes it sound.

Read more of "Google App Inventor: Hands-on with the idiot-proof Android creation tool" at Crave UK.

Originally posted at Crave

Forcing vendors to fix bugs under deadline

Posted: 04 Aug 2010 04:00 AM PDT

TippingPoint sponsors the Pwn2Own contest at CanSecWest every year, providing cash prizes to researchers for successful exploits. Dino Dai Zovi (left) won the contest two years ago. He helped out during the contest this year and is shown here consulting with TippingPoint security researcher Aaron Portnoy during a mobile-phone hack attempt.

(Credit: Elinor Mills/CNET)

In October 2006, security researcher H.D. Moore discovered a serious problem with the way applications running on Windows display rich text content.

He reported the vulnerability to Microsoft and nearly four years later it's still not fixed, despite the fact that it could be exploited to run malicious code on a PC and take control of it.

Unfortunately, this is not an isolated incident. According to the Zero Day Initiative, which serves as a broker between security researchers who find flaws and software companies who need to fix them, there are 122 outstanding vulnerabilities that have been reported to vendors and which have not been patched yet. The oldest on the list was reported to IBM in May 2007 and more than 30 of the outstanding vulnerabilities are older than a year.

But a new policy announced Wednesday by TippingPoint, which runs the Zero Day Initiative, is expected to change this situation and push software vendors to move more quickly in fixing the flaws.

Vendors will now have six months to fix vulnerabilities, after which time the Zero Day Initiative will release limited details on the vulnerability, along with mitigation information so organizations and consumers who are at risk from the hole can protect themselves.

"There is a large quantity of bugs that have gone unpatched for a long time," said Aaron Portnoy, manager of security research at TippingPoint, which is owned by Hewlett-Packard.

Retroactive deadline
The deadline will apply retroactively so all currently outstanding vulnerabilities--regardless of when they were submitted--will have to be patched by February, a TippingPoint spokeswoman said.

"That's awesome," security researcher Dino Dai Zovi said when told about the Zero Day Initiative deadline news.

"A number of high-profile attacks in the past year have used exploits that had been known by the vendors and had been in the queue to be fixed," he said. "Decreasing the amount of time from when the vulnerability is discovered to when it is patched will shrink the window when other people may discover the vulnerability and take advantage of it."

Vendors can request an extension, and it will be granted on a case-by-case basis, Portnoy said. The group will publish the e-mails TippingPoint and a vendor exchange when an extension is requested, so the community can see why the vendor needs more time, he said.

"We understand some vulnerabilities will take longer to patch," he said. "We're hoping for a quicker turnaround time."

The lack of a deadline fostered a vulnerability-disclosure environment that was ripe for abuse. Security experts accuse vendors of dragging their feet on fixes. That leaves computer users at risk for attack by unscrupulous hackers who may have discovered the hole on their own and are able to exploit it without anyone knowing, security researchers say.

Giving burglars the keys?
Vendors complain that releasing information to the public on vulnerabilities before a patch is available is akin to giving a burglar the keys to the house. But if computer users know about the risk then they can protect themselves with workarounds and other fixes, researchers argue.

"I think vendors were stretching things out quite a bit," said Chris Wysopal, chief technology officer at Veracode. "We reported a bug to a vendor, a simple cross-site scripting bug, and now it's been four months and we're still waiting for them to fix it. I think vendors sometimes take liberties if there is no pressure put on them."

The debate came to a head recently when a researcher at Google publicly disclosed a Windows XP-related flaw and released code to exploit it five days after reporting it to Microsoft. Within days of the disclosure, there were attacks discovered that exploited the hole. Microsoft has since fixed the hole.

"I would like to point out that if I had reported (the issue) without a working exploit, I would have been ignored," Tavis Ormandy wrote in his post to the Full Disclosure e-mail list in June, adding that he was acting as an independent agent and not as a Google employee.

Microsoft and a few other researchers criticized Ormandy for being hasty in his disclosure, but his move was praised by numerous other researchers tired of waiting for patches that seem to take forever to come.

Google, which distanced itself from Ormandy's actions and the debate at the time, released a blog post addressing the disclosure issue a few weeks ago that was signed by Ormandy and others on the security team. The post suggested that 60 days is a reasonable time frame for vendors to fix critical holes.

"We would invite other researchers to join us in using the proposed disclosure deadlines to drive faster security response efforts," the Google post said. "Creating pressure towards more reasonably-timed fixes will result in smaller windows of opportunity for blackhats to abuse vulnerabilities. In our opinion, this small tweak to the rules of engagement will result in greater overall safety for users of the Internet."

Microsoft responded with a blog post of its own that did not suggest a timeframe for fixes.

Asked for his thoughts on Google's proposed 60-day deadline, Mike Reavey, director of the Microsoft Security Response Center, said "I don't think there is a one size (fits all) for deadlines for fixing vulnerabilities in products."

Magic number
Dai Zovi and other researchers contacted by CNET said six months is plenty of time for vendors to fix most issues, and it provides more time than the 45-day disclosure deadline used by CERT/CC, the CERT Coordination Center at Carnegie Mellon University.

"It's hard to say what the magic number is," said Charlie Miller, principal analyst at Independent Security Evaluators. "Tavis reported a bug to Microsoft and wanted them to agree to patch within 60 days and they refused so he released it. So, if everyone can agree on a timeline (the industry) will benefit."

A Google spokesman said the company had no comment beyond the earlier blog post, and Ormandy was not available to comment.

Dave Forstrom, director of Microsoft's Trustworthy Computing Group, provided this statement from Microsoft: "Many vulnerability coordinators have established timelines for disclosure and as always, we'll continue to work with them in a way that minimizes customer risk. Microsoft advocates for coordinated vulnerability disclosure, where vendors and finders work together closely toward a resolution. Extensive efforts should be made to make a timely response, and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action -- and even then it should be coordinated as closely as possible."

When asked about the Zero Day Initiative deadline for patches, Moore, the researcher who has been waiting nearly four years for Microsoft to patch a hole he discovered, said: "It's about time."

"For too many years, vendors have been pressuring researchers and research organizations to withhold vulnerability information until the patch is released," said Moore, who is chief security architect at Rapid7 and founder of Metasploit, the open-source exploitation framework used for penetration testing of software, networks, and Web sites.

"Personally, I'd like to see a shorter deadline," he said, "but this is a good compromise."

Originally posted at InSecurity Complex
