Aug 23

Known as APPLE-SA-2008-03-18 Security Update 2008-002, it contains more than 40 specific fixes for versions of Mac OS X. The most significant updates include Apache, ClamAV, Emacs, OpenSSH, PHP, and X11. There is no trend or theme here. The most serious vulnerabilities could lead to someone gaining remote access to a user’s computer, while others may simply cause an application or service to crash. Other components mentioned in this update include AppKit, Core Foundation, Core Services, curl, CUPS, Help Viewer, ImageRaw, mDNSResponder, Podcast Producer, Preview, Printing and System Configuration.

Emacs
This patch affects users of Mac OS X v10.4.11 and Mac OS X v10.5.2. The update addresses a safe mode checks vulnerability in CVE-2007-5795. Apple says “a logic error in Emacs’ hack-local-variable function allows any local variable to be set, even if ‘enable-local-variables’ is set to :safe. By enticing a user to load a file containing a maliciously crafted local variables declaration, a local user may cause an unauthorized modification of Emacs Lisp variables leading to arbitrary code execution. This issue has been fixed through improved :safe mode checks.”

Apple on Tuesday released its second security update of the year–and it’s a big one.

Image Raw
This patch affects users of Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses the vulnerability in CVE-2008-0987. Apple says “a stack based buffer overflow exists in the handling of Adobe Digital Negative (DNG) image files. By enticing a user to open a maliciously crafted image file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved validation of DNG image files. This issue does not affect systems prior to Mac OS X v10.5.” Apple credits Clint Ruoho of Laconic Security for reporting this vulnerability.

UDF
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The update addresses the vulnerability in CVE-2008-0999. Apple says “A null pointer dereference issue exists in the handling of Universal Disc Format (UDF) file systems. By enticing a user to open a maliciously crafted disk image, an attacker may cause an unexpected system shutdown. This update addresses the issue through improved validation of UDF file systems. This issue does not affect systems prior to Mac OS X v10.5.” Apple credits Paul Wagland of Redwood Software and Wayne Linder of Iomega for reporting this vulnerability.

Help Viewer
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, and Mac OS X Server v10.5.2. The update addresses the vulnerability in CVE-2008-0060. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
Apple says “A malicious help:topic_list URL may insert arbitrary HTML or JavaScript into the generated topic list page, which may redirect to a Help Viewer help:runscript link that runs Applescript.” Apple credits Brian Mastenbrook for reporting this vulnerability.

OpenSSH
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, and Mac OS X Server v10.5.2. The update addresses a vulnerability in CVE-2007-4752. Apple says “OpenSSH forwards a trusted X11 cookie when it cannot create an untrusted one. This may allow a remote attacker to gain elevated privileges. This update addresses the issue by updating OpenSSH to version 4.7.”

Foundation–1
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses an NSSelectorFromString API vulnerability in CVE-2008-0054. Apple says “an input validation issue exists in the NSSelectorFromString API. Passing it a malformed selector name may result in the return of an unexpected selector, which could lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation on the selector name. This issue does not affect systems running Mac OS X v10.5 or later.”

notifyd

This patch only affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11 and addresses a vulnerability in CVE-2008-0990. Apple says “notifyd accepts Mach port death notifications without verifying that they come from the kernel. If a local user sends fake Mach port death notifications to notifyd, applications that use the notify(3) API to register for notifications may never receive the notifications. This update addresses the issue by only accepting Mach port death notifications from the kernel. This issue does not affect systems running Mac OS X v10.5 or later.”

AppKit–Multiple integer overflow
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses a multiple integer overflow vulnerability in CVE-2008-0057. Apple says “By causing a maliciously formatted serialized property list to be parsed, an attacker could trigger a heap-based buffer overflow which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of serialized input. This issue does not affect systems running Mac OS X v10.5 or later.”

ClamAV–2
This patch affects users of Mac OS X Server v10.4.11. The update addresses vulnerabilities in CVE-2006-6481, CVE-2007-1745, CVE-2007-1997, CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-0897, CVE-2007-0898, CVE-2008-0318, CVE-2008-0728. Apple says “multiple vulnerabilities exist in ClamAV 0.88.5 provided with Mac OS X Server v10.4.11, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to ClamAV 0.92.1.”

Podcast Producer

This patch affects users of Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses the vulnerability in CVE-2008-0993. Apple says “the Podcast Capture application provides passwords to a subtask through the arguments, potentially exposing the passwords to other local users. This update corrects the issue by providing passwords to the subtask through a pipe. This issue does not affect systems prior to Mac OS X v10.5.” Apple credits Maximilian Reiss of Chair for Applied Software Engineering, TUM for reporting this issue.
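The difference between the two hand-off methods in the Podcast Producer entry, as an added example (not Apple's code): a parent passes a secret to a subtask over a pipe on stdin, so the subtask's argument list, which other local users can read with ps, never contains it. The subtask here is a hypothetical shell one-liner, and the secret is a constructed value assumed to be ASCII and shorter than 256 bytes.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical subtask: reads one line from stdin and exits with its length,
 * so the parent can confirm delivery. Its argv holds no secret. */
static const char *const SUBTASK_ARGV[] = {
    "sh", "-c", "IFS= read -r pw; exit ${#pw}", NULL
};

/* Returns 1 if any argv element contains `secret` (i.e. it would be visible
 * in the process list), else 0. */
int argv_exposes(const char *const argv[], const char *secret)
{
    for (size_t i = 0; argv[i] != NULL; i++)
        if (strstr(argv[i], secret) != NULL)
            return 1;
    return 0;
}

/* write(2) may be short or interrupted; loop until everything is sent. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Runs the subtask, feeding `secret` through a pipe connected to its stdin.
 * Returns the subtask's exit status (the length it read), or -1 on error. */
int run_subtask_with_secret(const char *secret)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;

    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }

    if (pid == 0) {                       /* child: becomes the subtask */
        close(fds[1]);
        if (fds[0] != STDIN_FILENO) {
            if (dup2(fds[0], STDIN_FILENO) < 0) _exit(127);
            close(fds[0]);
        }
        execv("/bin/sh", (char *const *)SUBTASK_ARGV);
        _exit(127);                       /* exec failed */
    }

    close(fds[0]);
    /* If the child dies early, get EPIPE from write() instead of a signal. */
    void (*old_handler)(int) = signal(SIGPIPE, SIG_IGN);
    int sent = write_all(fds[1], secret, strlen(secret)) == 0 &&
               write_all(fds[1], "\n", 1) == 0;
    close(fds[1]);                        /* EOF for the subtask */
    signal(SIGPIPE, old_handler);

    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return -1;
    if (!sent || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    const char *secret = "constructed-secret";   /* constructed sample value */
    /* The pattern the advisory describes as fixed: secret on the command line. */
    const char *const argv_style[] = { "subtask", "--password", secret, NULL };

    printf("argv hand-off exposes secret: %d\n", argv_exposes(argv_style, secret));
    printf("pipe hand-off exposes secret: %d\n", argv_exposes(SUBTASK_ARGV, secret));
    printf("bytes received by subtask:    %d\n", run_subtask_with_secret(secret));
    return 0;
}
```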

AppKit–NSDocument API
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses an NSDocument API vulnerability in CVE-2008-0048. Apple says “A stack buffer overflow exists in the NSDocument API’s handling of file names. On most file systems, this issue is not exploitable. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later.”

X11
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2 and addresses the vulnerability in CVE-2006-3334, CVE-2006-5793, CVE-2007-2445, CVE-2007-5266, CVE-2007-5267, CVE-2007-5268, and CVE-2007-5269. Apple says “The PNG reference library (libpng) is updated to version 1.2.24 to address several vulnerabilities, the most serious of which may lead to a remote denial of service or arbitrary code execution.”

CFNetwork
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2 and addresses the frame navigation policy vulnerability in CVE-2008-0050. Apple says “a malicious HTTPS proxy server may return arbitrary data to CFNetwork in a 502 Bad Gateway error. A malicious proxy server could use this to spoof secure websites. This update addresses the issue by returning an error on any proxy error, instead of returning the proxy-supplied data. This issue is already addressed in systems running Mac OS X v10.5.2.”

AppKit–NSApplication
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses an NSApplication vulnerability in CVE-2008-0049. Apple says “By sending maliciously crafted messages to privileged applications in the same bootstrap namespace, a local user may cause arbitrary code execution with the privileges of the target application. This update addresses the issue by removing the mach port in question and using another method to synchronize. This issue does not affect systems running Mac OS X v10.5 or later.”

X11
This patch affects users of Mac OS X v10.5.2, Mac OS X Server v10.5.2 and addresses the vulnerability in CVE-2008-1000. Apple says “A path traversal issue exists in the Mac OS X v10.5 Server Wiki Server. Attackers with access to edit wiki content may upload files that leverage this issue to place content wherever the wiki server can write, which may lead to arbitrary code execution with the privileges of the wiki server. This update addresses the issue through improved file name handling. This issue does not affect systems prior to Mac OS X v10.5.” Apple credits Rodrigo Carvalho, from the Core Security Consulting Services (CSC) team of CORE Security Technologies, for reporting this vulnerability.

pax archive utility
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The update addresses a vulnerability in CVE-2008-0992. Apple says “the pax command line tool does not check a length in its input before using it as an array index, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by checking the index. This issue does not affect systems prior to Mac OS X v10.5.”

Foundation–5
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses a race condition vulnerability in CVE-2008-0059. Apple says “A race condition exists in NSXML. By enticing a user to process an XML file in an application which uses NSXML, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improvements to the error handling logic of NSXML. This issue does not affect systems running Mac OS X v10.5 or later.”

Apache–2
This patch only affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.2 and addresses various Apache 2.2.6 vulnerabilities in CVE-2007-5000, CVE-2007-6203, CVE-2007-6388, CVE-2007-6421, CVE-2008-0005. Apple says “Apache is updated to version 2.2.8 to address several vulnerabilities, the most serious of which may lead to cross-site scripting.”

Foundation–2
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses the NSFileManager vulnerability in CVE-2008-0055. Apple says “when performing a recursive file copying operation, NSFileManager creates directories as world-writable, and only later restricts the permissions. This creates a race condition during which a local user can manipulate the directory and interfere in subsequent operations. This may lead to a privilege escalation to that of the application using the API. This update addresses the issue by creating directories with restrictive permissions. This issue does not affect systems running Mac OS X v10.5 or later.”
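The race window described in the NSFileManager entry, as an added example in plain POSIX C (not Apple's code and not the NSFileManager API): one function creates a directory world-writable and tightens it afterwards, the other creates it restrictive from the start, and each reports the permissions that were visible before the final chmod. The function names, the /tmp path and the 0755 final mode are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits of the directory at `path`, or -1 if it is missing or
 * is not a directory (lstat, so a planted symlink is not followed). */
static int dir_mode(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return (int)(st.st_mode & 0777);
}

/* The pattern the advisory describes: create world-writable, restrict later.
 * Returns the mode that was visible during the window, or -1 on error. */
int create_then_restrict(const char *path, mode_t final_mode)
{
    mode_t old = umask(0);               /* force 0777 so the window is visible */
    int rc = mkdir(path, 0777);
    umask(old);
    if (rc != 0) return -1;

    int window = dir_mode(path);         /* what another local user could use */
    /* ... a recursive copy would populate the directory here ... */
    if (chmod(path, final_mode) != 0) return -1;
    return window;
}

/* The corrected pattern: owner-only at creation, relaxed only when done.
 * Returns the mode that was visible during the window, or -1 on error. */
int create_restrictive(const char *path, mode_t final_mode)
{
    if (mkdir(path, 0700) != 0) return -1;

    int window = dir_mode(path);
    /* ... a recursive copy would populate the directory here ... */
    if (chmod(path, final_mode) != 0) return -1;
    return window;
}

/* Runs one of the two patterns inside a private scratch directory (mode 0700
 * from mkdtemp, so the demonstration itself exposes nothing) and returns the
 * permissions observed before the final chmod. */
int window_mode_demo(int use_fix)
{
    char base[] = "/tmp/copy-demo-XXXXXX";
    char dest[sizeof base + 8];

    if (mkdtemp(base) == NULL) return -1;
    snprintf(dest, sizeof dest, "%s/dest", base);

    int window = use_fix ? create_restrictive(dest, 0755)
                         : create_then_restrict(dest, 0755);
    rmdir(dest);
    rmdir(base);
    return window;
}

int main(void)
{
    printf("create-then-restrict window mode: %04o\n", (unsigned)window_mode_demo(0));
    printf("restrictive-from-start window mode: %04o\n", (unsigned)window_mode_demo(1));
    return 0;
}
```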

AppKit–network printer
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses a vulnerability in CVE-2008-0997. Apple says “by enticing a user to query a network printer, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of PPD files. This issue does not affect systems running Mac OS X v10.5 or later.”

curl

This patch only affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11 and addresses a vulnerability in CVE-2005-4077. Apple says “A one byte buffer overflow exists in curl 7.13.1. By enticing a user to run curl with a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by updating curl to version 7.16.3. Crash Reporter was updated to match the curl changes. This issue does not affect systems running Mac OS X v10.5 or later.”

Printing
This patch affects users of Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses a vulnerability in CVE-2008-0995. Apple says “Printing to a PDF file and setting an ‘open’ password uses 40-bit RC4. This encryption algorithm may be broken with significant but readily available computing power. A person with access to the file may apply a brute-force technique to view it. This update enhances the encryption to 128-bit RC4. This issue does not affect systems prior to Mac OS X v10.5.”

Foundation–3
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2 and addresses the NSFileManager API vulnerability in CVE-2008-0056. Apple says “a long pathname with an unexpected structure can expose a stack buffer overflow vulnerability in NSFileManager. Presenting a specially crafted path to a program using NSFileManager could lead to the execution of arbitrary code. This update addresses the issue by ensuring a properly sized destination buffer. This issue does not affect systems running Mac OS X v10.5 or later.”

CUPS
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses a vulnerability in CVE-2008-0596. Apple says “by sending a large number of requests to add and remove shared printers, an attacker may be able to cause a denial of service. This issue can not result in arbitrary code execution. This update addresses the issue through improved memory management. This issue does not affect systems prior to Mac OS X v10.5.”

CUPS
This patch only affects users of Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses a vulnerability in CVE-2008-0047. According to Apple “a heap buffer overflow exists in the CUPS interface’s processing of search expressions. If printer sharing is enabled, a remote attacker may be able to cause an unexpected application termination or arbitrary code execution with system privileges. If printer sharing is not enabled, a local user may be able to gain system privileges. This update addresses the issue by performing additional bounds checking. This issue does not affect systems prior to Mac OS X v10.5.” Apple credits regenrecht, working with the VeriSign iDefense VCP, for reporting this vulnerability.

Also on Tuesday, Apple released version 3.1 of its Safari browser for both Mac and Windows users. The release includes new features as well as security fixes, most of which address cross-site scripting flaws.

libc
This patch only affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses a vulnerability in CVE-2008-0988. A remote attacker may be able to cause a certificate to appear trusted. According to Apple “An off by one issue exists in Libsystem’s strnstr(3) implementation. Applications that use the strnstr API can read one byte beyond the limit specified by the user, which may lead to an unexpected application termination. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later.” Apple credits Mike Ash of Rogue Amoeba Software for reporting this vulnerability.
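What the length limit in strnstr(3) has to guarantee, as an added example (an independent sketch, not Libsystem's implementation; the name bounded_strnstr is an assumption): the search never reads the byte at index len, even when that byte would complete a match, and it stops at an embedded NUL. The sample buffers are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Finds the first occurrence of NUL-terminated `needle` within the first
 * `len` bytes of `hay`. Bytes at index >= len are never read, and nothing
 * after a NUL in `hay` is searched. Returns NULL when there is no match. */
char *bounded_strnstr(const char *hay, const char *needle, size_t len)
{
    size_t nlen = strlen(needle);
    if (nlen == 0)
        return (char *)hay;              /* empty needle matches at the start */

    for (size_t i = 0; i < len && hay[i] != '\0'; i++) {
        /* Not enough bytes left inside the limit for a full match: stop
         * before the comparison, so hay[len] is never touched. */
        if (len - i < nlen)
            break;

        size_t j = 0;
        while (j < nlen && hay[i + j] == needle[j])
            j++;                         /* i + j < i + nlen <= len throughout */
        if (j == nlen)
            return (char *)(hay + i);
    }
    return NULL;
}

int main(void)
{
    /* Constructed input: four bytes, deliberately not NUL-terminated. */
    const char buf[4] = { 'a', 'b', 'c', 'd' };

    /* "cd" starts at index 2 but needs index 3, which is outside len = 3. */
    printf("limit 3, needle cd: %s\n", bounded_strnstr(buf, "cd", 3) ? "found" : "not found");
    printf("limit 4, needle cd: %s\n", bounded_strnstr(buf, "cd", 4) ? "found" : "not found");
    return 0;
}
```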

PHP
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.2. The update addresses vulnerabilities in CVE-2007-3378 and CVE-2007-3799. Apple says “PHP is updated to version 4.4.8 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.”

CoreServices
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses the vulnerability in CVE-2008-0052. Apple says: “Files with names ending in “.ief” can be automatically opened in AppleWorks if Safari’s “Open ‘Safe’ files” preference is enabled. This is not the intended behavior and could lead to security policy violations. This update addresses the issue by removing “.ief” from the list of safe file types. This issue only affects systems prior to Mac OS X v10.5 with AppleWorks installed.”

Preview

This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2 and addresses the vulnerability in CVE-2008-0994. Apple says “when Preview saves a PDF file with encryption, it uses 40-bit RC4. This encryption algorithm may be broken with significant but readily available computing power. A person with access to the file may apply a brute-force technique to view it. This update enhances the encryption to 128-bit RC4.”

To get the update, go to the Software Update pane in System Preferences, or Apple’s Software Downloads Web site. The update “is recommended for all users and improves the security of Mac OS X,” according to the Apple Downloads page.

Foundation–4
This patch affects users of Mac OS X v10.4.11 and Mac OS X v10.5.2. The update addresses a vulnerability in CVE-2008-0058. Apple says “a thread race condition exists in NSURLConnection’s cache management, which can cause a deallocated object to receive messages. Triggering this issue may lead to a denial of service, or arbitrary code execution with the privileges of Safari or another program using NSURLConnection.” Apple credits Daniel Jalkut of Red Sweater Software for reporting this vulnerability.

Kerberos

This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2. The update addresses the vulnerabilities in CVE-2007-5901, CVE-2007-5971, CVE-2008-0062, and CVE-2008-0063. Apple says “Multiple memory corruption issues exist in MIT Kerberos 5, which may lead to an unexpected application termination or arbitrary code execution with system privileges. CVE-2008-0063 do not affect systems running Mac OS X v10.5 or later. CVE-2007-5901 does not affect systems prior to Mac OS X v10.4.”

X11

This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11 and addresses the vulnerabilities in CVE-2007-4568 and CVE-2007-4990. Apple says “multiple vulnerabilities exist in X11 X Font Server (XFS) 1.0.4, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to version 1.0.5.”

System Configuration
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses the vulnerability in CVE-2008-0998. Apple says “The privileged tool NetCfgTool uses distributed objects to communicate with untrusted client programs on the local machine. By sending a maliciously crafted message, a local user can bypass the authorization step and may cause arbitrary code execution with the privileges of the privileged program.”

X11
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, and Mac OS X Server v10.5.2 and addresses the vulnerability in CVE-2007-5958, CVE-2008-0006, CVE-2007-6427, CVE-2007-6428, and CVE-2007-6429. Apple says “Numerous vulnerabilities in the X11 server allow execution of arbitrary code with the privileges of the user running the X11 server if the attacker can authenticate to the X11 server. This is a security vulnerability only if the X11 server is configured to not require authentication, which Apple does not recommend.”

Application Firewall (German)
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2. The update addresses a vulnerability in CVE-2008-0046. Apple says “the “Set access for specific services and applications” radio button of the Application Firewall preference pane was translated into German as “Zugriff auf bestimmte Dienste und Programme festlegen”, which is “Set access to specific services and applications”. This might lead a user to believe that the listed services were the only ones that would be permitted to accept incoming connections. This update addresses the issue by changing the German text to semantically match the English text. This issue does not affect systems prior to Mac OS X v10.5.”

Apache–1
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.2. The update addresses Apache 1.3.33 and 1.3.39 vulnerabilities in CVE-2005-3352, CVE-2006-3747, CVE-2007-3847, CVE-2007-5000, CVE-2007-6388. Apple says “Apache is updated to version 1.3.41 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the Apache web site at http://httpd.apache.org. For Mac OS X v10.5, Apache version 1.3.x is only shipped on Server configurations. mod_ssl is also updated from version 2.8.24 to 2.8.31 to match the upgraded Apache; no security fixes are included in the update.”

AFP Client–afp:// URL
This patch only affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses an afp:// URL vulnerability in CVE-2007-4680. A remote attacker may be able to cause a certificate to appear trusted. According to Apple, “multiple stack buffer overflow issues exist in AFP Client’s handling of afp:// URLs. By enticing a user to connect to a malicious AFP Server, an attacker may cause an unexpected application termination or arbitrary code execution.”

file
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses a vulnerability in CVE-2008-1004. Affected users may find that requesting to unblock a website leads to information disclosure. Apple says “an integer overflow vulnerability exists in the file command line tool, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later.” Apple credits Colin Percival of the FreeBSD for reporting this issue.

CUPS
This patch affects users of Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses vulnerabilities in CVE-2008-0053 and CVE-2008-0882. Apple says “multiple input validation issues exist in CUPS, the most serious of which may lead to arbitrary code execution with system privileges. This update addresses the issues by updating to CUPS 1.3.6. These issues do not affect systems prior to Mac OS X v10.5.”

mDNSResponder
This patch affects users of Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses a vulnerability in CVE-2008-0989. Apple says “a format string issue exists in mDNSResponderHelper. By setting the local hostname to a maliciously crafted string, a local user could cause a denial of service or arbitrary code execution with the privileges of mDNSResponderHelper. This update addresses the issue by using a static format string. This issue does not affect systems prior to Mac OS X v10.5.”

ClamAV–1
This patch affects users of Mac OS X Server v10.5.2. The update addresses vulnerabilities in CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-5759, CVE-2007-6335, CVE-2007-6336, CVE-2007-6337, CVE-2008-0318, CVE-2008-0728. Apple says “multiple vulnerabilities exist in ClamAV 0.90.3 provided with Mac OS X Server v10.5 systems, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to ClamAV 0.92.1.”

AFP Server–Cross-realm authentication
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses a cross-realm authentication vulnerability in CVE-2008-0045. Apple says: “An implementation issue exists in AFP Server’s check of Kerberos principal realm names. This may allow unauthorized connections to the server, when cross-realm authentication with AFP Server is used. This update addresses the issue through improved checks of Kerberos principal realm names. This issue does not affect systems running Mac OS X v10.5 or later.” Apple also says that this issue has been addressed within Mac OS X v10.5 or later. Apple credits Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm, Sweden for reporting this issue.

PHP
This patch affects users of Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses vulnerabilities in CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768, CVE-2007-4887. Apple says “PHP is updated to version 5.2.5 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.”

Printing
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The update addresses a vulnerability in CVE-2008-0996. Apple says “An information disclosure issue exists in the handling of authenticated print queues. When starting a job on an authenticated print queue, the credentials used for authentication may be saved to disk. This update addresses the issue by removing user credentials from printing presets before saving them to disk. This issue does not affect systems prior to Mac OS X v10.5.”

Emacs

This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses a format string vulnerability in CVE-2007-6109. Apple says “A stack buffer overflow exists in Emacs’ format function. By exploiting vulnerable Emacs Lisp which allows an attacker to provide a format string containing a large precision value, an attacker may cause an unexpected application termination or possibly arbitrary code execution.”

Aug 23

If you’re not in San Francisco, we’re hosting a live “Ask the Editors” event Thursday morning at 11 a.m. PST in the CNET Forums. Bookmark this page and come back tomorrow morning, when I’ll take as many questions as possible regarding Macworld 2008 and the MacBook Air, iTunes Movie Rentals, Time Capsule, and Randy Newman.

Please allow me to indulge in a little self-promotion on behalf of my employer, which issues me paychecks that keep me in beer and high-definition sports channels.

Thanks for reading.

If you’re on the show floor this week at Macworld, head over to booth No. 4810 in the West Hall of the Moscone Center and say hi to CNET’s cadre of Apple writers and editors. I’ll be there this afternoon from 4 p.m. until 4:03 p.m. closing time, so stop by if you’ve always wanted to say hello, or if you’ve been waiting for months to give me a piece of your mind.

Aug 23

TripSync: Once you install the TripSync travel manager add-on, you’ll be blown away by its functionality. You can book and hold reservations to places across the world, receive travel alerts, and place your itineraries on Outlook and Google Calendar. TripSync is designed specifically for the business professional, so it’s a bit more useful than using a site like Expedia.

(Credit: Don Reisinger/CNET)

1 Stop travel and retail shopping engine: If you want to find the best deals across the U.S., Europe, or Canada, the 1 Stop travel and retail shopping engine add-on is a good place to start. While you’re browsing, it allows you to search for flights on more than 40 airlines. It also lets you search for deals on more than 20 sites, including Amazon, eBay, and Wal-Mart. Once you start searching in the add-on, it finds the desired page and automatically opens it in a separate tab.

Power Twitter (download): If you want Twitter to be more powerful, use Power Twitter. Whether you want to automatically add hashtags to a tweet, expand URLs, add in-line YouTube, Flickr, and TwitPic content, or see a person’s status history with a simple mouseover, Power Twitter will do it. Twitter is fun and addicting by itself, but it’s much better with Power Twitter installed.

Buy it online lets you find the best deals.

The student


Facebook Toolbar (download): A simple, yet highly useful add-on, the Facebook Toolbar allows you to view friends’ statuses, search for people on the popular social network, and interact with friend profiles. It even alerts you when you receive a poke, message, or notification. But perhaps the add-on’s most useful feature is the option to share a page you’re currently browsing with friends on Facebook. You can either send it to them or add it to your own profile in a few clicks.


WOT (download): WOT, short for Web of Trust, is designed to ensure security and privacy are maintained while you’re browsing. Once installed, the add-on warns you about risky Web sites. It also alerts you to sites that deliver malware or send spam. The add-on shows you safety ratings on over 21 million sites.

Stock Pilot makes it simple to find quotes.

If you’re a Firefox user, chances are you’ve been using add-ons to extend its functionality. But if you haven’t, or if you’re looking for new add-ons, I’ve found 20 for you to try. But since installing all 20 will probably slow your browser to a crawl, I’ve broken them into four categories. I have grouped the add-ons into “packs” for business professionals, shoppers, social-network fanatics, and students.

Surf Canyon (download): Surf Canyon is a simple add-on that finds relevant information contained in search results on Google, Yahoo, Live Search, Lexis Web, and Craigslist. While it’s running in your browser, you can search as you normally would, but Surf Canyon analyzes your query and finds good results as deep as page 100.

FacePAD: Just because students are expected to be studying all the time doesn’t mean they are. In fact, many of them are on Facebook to check out their friends’ pictures. If you’re one of those people, install FacePAD. It lets you download anyone’s Facebook album or all your friends’ albums in just one click.

GoogleTube puts the videos next to your results.

Dictionary: What good would a Firefox add-on list be for students if it didn’t include a dictionary? With the help of the Dictionary add-on, students won’t need to go elsewhere to find the definitions for words. Simply input the word you’re looking to define and the add-on will deliver the result.

PriceAdvance (download): When you run PriceAdvance and surf to a retail site to research a product, the add-on will tell you its price on a handful of other prominent sites across the Web. For instance, if you’re on Amazon looking to buy an Xbox 360, the site will automatically search for other retailers selling the console and display their pricing, so you can be sure that you’re getting the best price.

Jigsaw Contact and Company Search: Most business professionals need to have easy access to a company’s contact information. If you’re one of those people, consider using the Jigsaw Contact and Company Search. Jigsaw, a global online business directory, features millions of contacts and company profiles that can be searched by title, geography, and business.

GoogleTube: When you use Google Search, it sometimes displays links directing you to a YouTube video that’s relevant to your query. But instead of going to the YouTube page, installing GoogleTube gives you the option to watch the video in the Google results page. After installation, the add-on adds a YouTube button next to every YouTube result in Google. When you click it, it plays the respective video next to the results.

KeepCash Coupon Notifier (download): As someone who frequents coupon sites and goes to a retailer’s page with the discount ready to be used, I found KeepCash Coupon Notifier to be an extremely useful add-on. Whenever you go to a retail site, it automatically searches its database to find any coupons currently available for the site you’re on. If there are, it will list them for you to be used while you’re shopping.

Delicious Bookmarks (download): If you’re a bookmarking fanatic like I am, you won’t want to use Firefox without the Delicious Bookmarks add-on. Simply install it and whenever you surf to a page, you can click the Delicious button on your address bar to save it to your Delicious profile with a tag of your choosing. It’s simple and a must-have for any Firefox user.

TwitterBar: For those times when you want to update your Twitter profile, but you don’t feel like going to your profile page to do it, use TwitterBar. The add-on allows you to update Twitter from Firefox’s address bar by typing your message out and clicking a small Twitter icon placed alongside the address bar. If you’re worried about the number of characters you have left, you can hover your mouse over the tweet to find out.

Xmarks (download): If you’re running a business and want everyone in the office to have the same resources available to them, Xmarks is the way to do it. Simply download it into your browser, create an account, and install it on all the browsers in the office. Once configured, every Xmarks instance connected to that account will be automatically updated whenever a user adds a bookmark. In other words, if one employee adds Webware to their bookmarks, every other person in the office who’s running Xmarks will have it installed, as well.

The shopper

The social networker

Zotero does all the caption work for you.

The business professional

Buy it online (download): If you’ve ever been on a Web site and found a product you’d like to buy, but were forced to go to Amazon.com to search for it, you’ll be happy to know that there’s an add-on designed specifically for you. Dubbed “Buy it online,” the add-on adds another option when you right-click on a product title on any Web page. If you click the “Buy it online!” button, you’ll be shown a listing of all the stores on the Web that are currently selling the product. All the retailers listed are well-known and trustworthy.

Zotero (download): Once students perform their research, they’re usually required to cite their sources. And that’s where Zotero comes in. The add-on stores PDFs, files, images, and other content for later use. But its best feature is automatic citation exporting, which creates a proper citation for a source that can be sent to a Word or OpenOffice document.

(Credit: Don Reisinger/CNET)

eBayBuddy (download): If you’re obsessed with eBay, there’s a great add-on you might want to consider. Dubbed eBayBuddy, the tool is available in the right-click menu in Firefox and allows you to have full access to eBay’s site map, search, and more. It’s a great way to quickly and easily find products on eBay without being forced to deal with the site itself.

Google Scholar search bar: Since most students are required to use scholarly publications for research, having a Google Scholar search bar installed in their Firefox installation will certainly come in handy. Instead of going to the Google Scholar page, the add-on lets students search regardless of where they are on the Web. Results pop up in a new tab.

Stock Pilot (download): Sometimes going to Google Finance is too time consuming to get quick public company info. Try using Stock Pilot instead. The add-on allows you to switch between financial sites to research a particular stock. It also boasts RSS alerts to update you when news breaks about a company you’re tracking. Ready access to SEC filings makes it a handy tool for anyone who wants to see a company’s quarterly or annual financial data.

Aug 23

We’re pleased with the dual-band HSDPA announcement, as it means we’ll probably see it stateside. Whether it’ll be picked up by a U.S. carrier remains to be seen, however. The 5-megapixel camera is also very promising, as is the addition of Wi-Fi. Do keep in mind that these specifications haven’t been confirmed yet, but if they are, we’re extremely excited to see the real deal when it does come out.

Last month, we showed you a sneak peek of the LG Prada II, which will supposedly have a slide-out QWERTY keyboard as well as touch-screen controls. Well, the Boy Genius Report has dug up some supposed specs of the Prada II, and it looks to be quite good. Features include quad-band GSM/EDGE as well as dual-band HSDPA (!), a 5-megapixel autofocus camera with flash and VGA recording, Bluetooth 2.0, Wi-Fi, a motion sensor, and an FM radio.

(Credit: Boy Genius Report)

The LG Prada II

Aug 23

The computer maker reported revenues climbed to $4.2 billion in the quarter ending June 30, up from $3.8 billion a year ago. Shipments of PCs climbed 14.6 percent for the quarter.

Sales in the Europe, Middle East, and Africa region, for example, increased by 26 percent, while Asia Pacific shipments grew 11 percent.

Lenovo posted earnings of $1.25 a share for the quarter, up from 78 cents the previous year.

“Despite a softening global economy, we delivered solid gains in worldwide sales,” Yang Yuanqing, Lenovo chairman, said in a statement.

Lenovo Group reported a 10.5 percent increase in its fiscal first quarter revenues, despite a weakening global economy.

The Americas, however, continued to be affected by a weak economic environment, the company stated.

Aug 23

(Credit: CNET Networks)

KnowEm is the latest in services that check for unclaimed user names at multiple social sites. This is helpful if you’re interested in retaining the same user name at sites you haven’t yet signed up for, or if you’re on the verge of launching a new site or service and want to lock down that brand name before someone else does.

Most recently we checked out Namechk, which does the same thing for 84 different sites. KnowEm steps it up by searching in 120 places, as well as offering a premium service which will actually go to each site and sign you up. This doesn’t come cheap though; it’s $64.95, and it only goes to the sites where the user name is still available. It then sends the log-in information back to you so you can do things like change the password and where it’s sending confirmation e-mails.

What’s more, for $10 a month it can keep signing you up for any new services it adds to its search engine. It promises anywhere from 6 to 10 per month, but that can change depending on what new sites are introduced during that time.

KnowEm checks 120 different sites to find you open user names, and for a price can sign you up to all the places where that name is still available.

Is it worth placing your money, and your trust, in a service like this? It depends on how fast the providers are at adding the new sites and registering for you. If you’ve got an eccentric or otherwise uncommon user name, then yes, it will probably still be available. However, for more common names, you’re better off keeping an eagle eye on your RSS reader and signing up for new services as soon as they’re announced.

Aug 23

Mark my words: the geeks of today will be the Borgs of tomorrow.

Answer: it all started with Bluetooth headsets.

Where will it all end? I don’t know, maybe combining cosmetic surgery with techno-implants to create human advertisements. How much would it take to turn you into a walking iPhone?

I see more and more people walking around with Bluetooth headsets lodged behind their ears every day. Most states are passing hands-free laws for drivers. Even my technophobe wife wants one.

And that’s just the beginning. I can envision an entire line of implantable products, from Bluetooth and Wi-Fi transceivers to language translators and heads-up displays. How about DC power plugs? What, you didn’t know that people can generate their own electricity? Isn’t that what the bad guys did with the entire human race in The Matrix?

I guess a smart card slot or something similar might do the trick.

Question: How did the Borg–the not-so-lovable cyborgs in Star Trek–get to be that way?

Not being a biotech guy, I’m not really equipped to judge the biological challenges of such a thing. But on the tech side, the only significant problem I can think of is designing it to be upgradeable so you don’t need surgery every time the standard is updated or, God forbid, there’s a new standard.

If the device is well-designed, the procedure is relatively safe, and the whole package isn’t too pricey, voila, you’ve got a market.

I could be wrong, but I think it’s only a matter of time before some enterprising startup comes up with an implantable device.

As for the demand side of the equation, here’s what I’m thinking. Lots of people seem to be willing to go under the knife for elective cosmetic surgery. Who would have thought there’d be so many vain people? I’ve got to believe there are at least as many folks who are pragmatic, efficient and geeky to the point of undergoing a little snip snip or nip tuck or whatever they call it.

Aug 23

I also have to wonder how much mostly free services like e-mail and instant messaging win customer loyalty. I use Yahoo for both, and I’ll be annoyed if another company messes with it. But am I panicked about it the way I would be if someone messed with my iTunes? Heck no. I’ll deal.

Confused by all the companies trying to buy or partner with Yahoo? You're not alone. Just follow the numbers in this diagram, and it will start to make a little more sense. Sort of.

Those of us covering the Microsoft-Yahoo saga have been amazed at the apparent lack of hand-wringing among Yahoo customers. It’s baffling. Even the comments on stories we’ve written about the Microsoft takeover attempt have been mostly along the lines of, “Let’s get this deal done already.”

It’s easy to understand why advertisers aren’t squawking about Microsoft acquiring Yahoo: they’re a lot more concerned about Yahoo hooking up with Google–or Google just getting more powerful, which could drive up ad rates.

I have to think that Yahoo has just a few more customers than Business 2.0 had readers. So what gives? I suspect a few things: As Yahoo has attempted to become more of a media company, it’s become less of a fascination for the tech set.

Ultimately, Google, which looks every bit as tough as the Redmond gang these days, is the biggest factor. Microsoft can’t seem to find a way to compete with Google in new markets (or with Apple in old ones). Buying Yahoo? That’s an acknowledgment that Microsoft needs help, not an aggressive act by a corporate predator trying to snuff out the competition.

A company with a reputation for cutthroat behavior and squashing the little guy tries to buy a pioneer of the Internet, once one of the most beloved companies in Silicon Valley.

And the customers of that pioneer yawn.

In fairness, the generic Yahoo group on Facebook has 1,597 fans. (If you have a “save Yahoo” group I haven’t discovered, please send it to me, and I’ll add it to our list.)

To figure out what’s going on, I applied the scientific method: I went to Facebook. So far, I’ve only come up with two “save Yahoo” groups: one with 20 members and the other with 41. There’s also a “Save Yahoo too (sic) Hell with Google” group with seven members.

But the Internet public? Where’s the Yahoo love?

Sure, there have been a few horrified readers. But the majority have either been nonplussed or even pro-Microsoft.

(Credit: Susan Dove/CNET News.com)

By comparison, the “I read Business 2.0, and I want to keep reading!” group had 2,082 members before Time Warner shut down the magazine.

Google has also become the Internet darling of the general public. Ask your parents to name an Internet company, and they’d probably say “Google,” not “Yahoo.” I’d like to think that my parents would say “CNET Networks,” but they’d probably say “Google” too.

Aug 23

A chart from Toyota's 2008 Sustainability report on the barriers to different types of auto fuels.

(Credit: Toyota)

Toyota Releases Sustainability Report 2008, Looks to Liquid Peak - Green Car Congress
More on Toyota’s plans to use alternative fuels, as part of its corporate sustainability efforts.
Alt-chemistry battery maker PowerGenix lands a deal for electric scooters and bikes - VentureBeat
Nickel metal hydride battery designed for plug-in hybrids is finding a home in electric scooters.
Out of Africa: New Concentrating-Solar Tech Inspired by Congo Stint - Greentech Media
Interesting profile of Canadian company that claims to reduce cost of concentrating solar power using acrylic as material.
Republicans break with Bush on ethanol - Reuters
A proposal to shift away from government mandates on ethanol production which, along with a phase-out of MTBE additive, has been driving the market.
Experts wary of Pickens’ clean-energy plan - SF Chronicle
Some skeptical reactions to the Pickens Plan, specifically on the speed of wind turbine deployment and the shift to natural gas-powered cars.
Scoop: Tesla’s future - Autocar
Details on planned five-person plug-in hybrid sedan from Tesla, which reportedly will be the platform for future cars.
Carbon offset developer raises $280 million: source - Reuters
Snapshot of the carbon offset marketplace with a Dubai-based fund committing to a 10-year fund despite some policy uncertainty.

AltaRock & Weyerhaeuser Sign Engineered Geothermal Exploration Deal - RenewableEnergyWorld.com
AltaRock, funded by Google and Kleiner Perkins, is an enhanced geothermal systems company drilling deep into stone to get renewable energy.
Toyota Plugs Lithium Ion Batteries, Reluctantly - Greentech Media
A presentation from Toyota exec handicaps the different transportation technologies, including plug-in hybrids, liquid fuels, and hydrogen. Not mentioned is Toyota’s rumored plans to use zinc air batteries for plug-ins.

Aug 23

Looking back, headphones seem to have anticipated the era of performance-enhancing body extensions that we may be entering soon, but at the same time they now appear like a nostalgic relic of a time when the supply of attention among young consumers was still excessive. Having their social function shifted from providing excessive to expressive intimacy, headphones have become a status symbol for consumers who want to consume in between or parallel to other activities, and who want to do that on their own terms — in public, alone; in a perfect manifestation of what psychoanalyst Jacques Lacan coined “extimacy.” The album has dissolved into 99-cent units on iTunes, and the headphone experience has been succeeded by portable soundtracks for permanent distraction.

Rob Walker will read from his new book “Buying In” at the frog Design Mind speaker series in New York on June 11.

Rob Walker, the author of the just-released “Buying In,” is a marketing connoisseur, an expert in reading the cultural underpinnings of commerce. In his Consumed column for the New York Times Magazine, he examines how technology shapes consumer culture and vice versa. In tomorrow’s piece he elaborates on the history of headphones, and how their role evolved in modern society, from the first Bose set to the Sony Walkman to the iPod earbuds.

With the miniaturization of devices, the public exposure of personal space increased. I remember that when I was 14, I came home from school, had lunch, and didn’t wait a second to lie down on my bed, put my clunky Sennheiser headphones on, and listen to an album I had just bought. Thomas Dolby’s “Aliens Ate My Buick” or Prince’s “Sign of the Times.” I closed my eyes and forgot the world around me. It was a moment of total immersion and uncompromising intimacy, both with the artist and myself. I wasn’t ready to share the music with anyone else until I had fully experienced and vetted every single note through the immediacy of the headphone connection.

(Credit: Sennheiser)
