Archive for the ‘Uncategorized’ Category

File Under: Uncategorized

Adobe Fixes Flash Privacy Panel so Hackers Can’t Check You Out

Adobe has made changes to a page on an Adobe website that controls Flash users’ security settings, or more specifically, to the Flash .SWF file embedded in the page that opens the Flash website privacy settings panel. The changes are intended to prevent a clickjacking attack that uses the file to activate and access users’ webcams and microphones to spy on them.

The change comes a few days after a Stanford student revealed the vulnerability on his website. Feross Aboukhadijeh posted the exploit, along with a demo and a video demonstration, on October 18. He said in a blog post that he had notified Adobe weeks earlier of the problem, reporting the vulnerability to Adobe through the Stanford Security lab.

The exploit demonstrated by Aboukhadijeh uses an elaborate clickjack “game” that overlays the SWF panel over buttons in a transparent iframe. Here’s a screenshot of the panel before Adobe’s changes:

Through a series of clicks, the exploit was able to clear the privacy settings for Flash’s web camera controls and then authorize a new site to activate and access the camera video. The changes did not prompt any pop-ups or other user notifications.

The changes made by Adobe are to the behavior of the widgets in the privacy settings panel. Here’s a screenshot of the new panel, after the exploit was attempted:

While my test of the exploit still added feross.com to my list of sites in the privacy panel, it was only successfully added with an “always ask” setting for establishing a video link.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.


Adobe’s New ‘Unblur’ Filter Makes CSI-Style Effects Real

You know that scene in CSI and its ilk where the detective says, “Can you enhance the image?” and some faceless tech hits a few keys and suddenly the license plate is clear and readable? Nerds have been mocking those scenes for decades, but it might be time to stop.

Last week at its Max Conference Adobe showed off a new Photoshop tool the company calls unblur. Unblur does exactly what the cliche detective is asking for — it makes blurry photos sharp. While there may be some forensic use for unblur, the filter seems aimed more at those with less than steady hands. That once-in-a-lifetime image ruined by shaky hands? No problem, just unblur it.

The video below gives some more details about how unblur repairs blurry images. Unfortunately, the video itself is too blurry to really see how well it works. However, given that unblur was demoed to a crowd of photo and imaging specialists who proceeded to gasp and applaud, I’m guessing the results were pretty impressive.

So far Adobe has given no word on when or where the unblur filter might land, but the next version of Photoshop seems like a safe bet. Until then, please, feel free to mock CSI.


Jobs

It’s impossible to imagine the web as it is today without Steve Jobs in the story. Even something as seemingly simple as proportional width fonts might not exist were it not for Jobs and Apple, to say nothing of the WebKit project and dozens of other contributions.

Through it all Jobs and Apple always managed to keep the focus on people. Computers, useful as they are, are nothing without people. The web is the same. The web is about people. It’s a tool to help people imagine more, do more, be more.

So thank you Mr. Jobs for being crazy enough to think you could change the world and the people living in it. It’s clear that you did.

If you haven’t already, check out Steve Levy’s piece on Jobs over at Epicenter. Below is a video of Jobs’s 2005 Stanford commencement address.


CSS 3 Box Shadow Showcases Browser Differences

The CSS 3 box-shadow property allows for drop shadows and other gradient-based effects without the need for images or other hacks. Box shadow works in Firefox 3+, Chrome, Safari, Opera and Internet Explorer 9. Older versions of IE will ignore the rule, but in most cases losing the shadows won’t be catastrophic for your design.

Box Shadows are handy and can do a lot more than just create a shadow effect. Check out this experiment for some examples of the myriad effects you can achieve with just a few box shadow rules (note that some only work in WebKit browsers). However, the box-shadow rule also showcases the ever-present differences between web browsers — even when the browsers all handle the CSS just fine.

While box-shadow works in all the browsers listed above, that doesn’t mean that it looks the same in every browser. For an interesting look at the variety of ways web browsers display box-shadow, head over to this handy guide to box shadow.

As you can see from the screenshot above, there’s considerable variation between the four browsers, everything from the almost nonexistent shadow in some IE 9 examples to the much heavier shadows in Firefox 4. That’s not to say that any one of them is right and the others wrong, just that there are differences. You’ll also find quite a bit of variation in font display and CSS gradients.

The point is, no matter how hard you try, you’re never going to have pixel-perfect rendering across web browsers. Nor do you need pixel-perfect rendering across browsers. The real lesson of box shadows is that there will be variety, so stop worrying and get on with creating.


Stop Typekit Fonts From Slowing Down Your Site

That's a fancy-lookin' T you got there.


Typekit is one of the easiest ways to get fancy fonts working on your website. Just sign up for an account, pick a font and paste a few lines of code into your pages. Typekit takes care of the rest, ensuring that your fonts load and there’s no unsightly flash of unstyled content (FOUT) or other problems.

There is, however, one possible problem with the default way of embedding Typekit fonts. If the Typekit code fails to load, it can slow down the rest of your site. Typekit avoids FOUT by pausing your page load for a fraction of a second, but if the Typekit script never finishes loading, that fraction of a second can turn into many seconds. While Typekit has excellent uptime, let’s face it, outages happen, and we understand if you don’t want to hang your own site’s fate on another.

For those worried about depending on Typekit there is a workaround: load Typekit scripts asynchronously. The Typekit blog recently posted an in-depth look at various ways to embed Typekit fonts in your pages, including an asynchronous method which won’t slow down your page should Typekit become temporarily unavailable.

The disadvantage of the asynchronous design pattern that Typekit outlines is that it means a bit of extra code in your pages. Most likely a few more bytes in your HTML isn’t going to cause a significant speed hit, but it is something to keep in mind.


Simplify Firefox: Experimental Add-on Hides the URL Bar

LessChrome HD offers a minimalist take on browser chrome

Mozilla Labs has released a new experimental Firefox add-on, dubbed LessChrome HD, which hides the URL bar to give webpages a bit more room. The idea is to only show the Firefox user interface when needed; the rest of the time the screen real estate is given over to the actual webpage.

The LessChrome HD experiment is available through the Mozilla Add-ons site and you can even try it out without restarting Firefox. LessChrome HD works in Firefox 4 and above.

LessChrome HD doesn’t dispense with the URL bar; it’s just hidden. Moving your mouse anywhere into the window chrome will reveal it, as will the old cmd-L keyboard shortcut or cmd-T to create a new tab. Mozilla refers to this as an “on-demand interface.” In other words, it’s there when you need to navigate and disappears when you’re just reading something on the page.

LessChrome HD is somewhat similar to the new hidden nav bar option in Chrome 13 and seems to hint at a new UI design direction for browsers: hiding the URL bar. The extra screen real estate is useful if you’re using a small screen laptop, but even if you’ve got a massive monitor the minimalist user interface helps focus your attention on the web page, rather than the web browser.

Not everyone likes this trend. Software developer Dave Winer likens the missing URL bar trend to building a house without a backdoor, writing that the URL bar is “the way you can be sure you can get somewhere even if all the powers-that-be don’t want you to go there.” I’d argue that LessChrome HD and Chrome 13’s URL bar experiments are more like hiding the backdoor than eliminating it. That said, I’d hate to see this become a default in any web browser. It seems to work well as it is: an add-on for those that want it, while those that don’t can safely ignore it.


Pow: Simplify Ruby on Rails for OS X

Attention Ruby on Rails fans: 37 Signals, the folks who created Ruby on Rails, have put together a new, configuration-free version of Rack for OS X, the Ruby web server interface. Pow, as the new tool is known, allows you to install and run Ruby apps on your local machine without fiddling with Apache config files or setting up virtual hosts. It just works.

Pow is a Node.js app written in CoffeeScript. It includes an HTTP and a DNS server and runs Rack apps through the Nack library. For some more background on Pow, check out this screencast, which covers the internal workings of Pow, along with some of the motivation behind it.

Some commenters on Hacker News have expressed concern that Pow’s installation process consists of running a shell script from a remote server: simple and fast to be sure, but potentially vulnerable. If that bothers you, then Pow is not for you.

Otherwise, head on over to the Pow site, fire up your terminal and you’ll have your Ruby on Rails app up and running in no time. The source code is available through GitHub.


Mozilla Moves Tabs to the Top for Firefox 4

Firefox fans, your tabs are headed for the top of the browser. Opera started it, Safari flirted with it, Chrome brought it to the masses and now Mozilla is falling in line as well — Firefox 4 will feature the tabs above the URL bar by default.

Alex Faaborg, Mozilla’s Principal Designer on Firefox, has posted a short video explaining why tabs on top will be the default look for Firefox in Firefox 4, set to arrive at the end of 2010.

Before you panic, bear in mind that the location of tabs will still be a preference. No one is forcing you to use the new tabs on top look, but that will be the look for new installations of Firefox.

Frankly, after watching Faaborg’s video, which outlines the four main reasons that led to Mozilla’s decision to switch, we’re hard pressed to offer a counter argument. As Faaborg says in the video, the change is less about a trend and more about the evolution of the web as a platform.

Here are Mozilla’s reasons for moving tabs above the URL bar:

  • Conceptual model — The URL bar contains state information about the tab, therefore it makes more sense to place the URL bar within the tab. Visually, having the tab above the bar makes the URL bar part of the tab.
  • App tabs — App tabs are smaller, semi-permanent tabs designed to hold web applications you want to keep open all the time — Gmail, Facebook, Pandora, etc. App tabs are coming in Firefox 4. Because app tabs don’t really need a URL, having tabs on top makes it easier to display the app tab without a URL bar.
  • The new tab-based Firefox UI — Firefox 4 will move Firefox’s dialog boxes into the browser window itself. For example, the add-ons manager is now just a page displayed in a tab. As with app tabs, there’s no need to display the URL bar.
  • Notification — Firefox 4 will have a new panel-based notification system. Small overlay windows drop down from the URL bar giving you an easy way to log in to sites or authorize geolocation requests. Tabs below the URL bar will be hidden by these overlays, making it impossible to see or interact with other tabs at the same time.

While Faaborg doesn’t mention it and the mockups he uses don’t take advantage of it, tabs on top also use less screen real estate — at least if they’re designed like those in Google Chrome. Because Chrome’s tabs are nearly flush with the top of the application window, there’s a bit of extra room on the screen. It’s not a huge amount of space, but it really can make a difference on small netbook screens.

Still not convinced? Well, you’ll always have the option to revert to the old, tabs-below-the-URL-bar look, but check out the video below to see if Faaborg doesn’t convince you that tabs on top are the way to go.

Keep in mind that everything Faaborg shows in the video is still in the mockup stage and will no doubt change a bit before it works its way into Firefox 4.


Chrome 5 Arrives, Mac, Linux Versions Now Available

Google has updated its Chrome web browser to version 5.0, and, perhaps more importantly, given the ready-for-prime-time blessing to the Mac and Linux versions of Chrome. Previously, versions of Chrome for Mac and Linux were limited to beta and developer builds.

To update to Chrome 5, head over to the Google download page and grab a copy for Windows, Mac or Linux.

Chrome 5 brings a number of new features to the table, including some major speed gains, more HTML5 features, like drag-and-drop support and the geolocation API, a much improved bookmark syncing and management tool and a new set of privacy controls.

For more details on everything that’s new in Chrome 5, see our review of the beta release earlier this year.

If you’ve been using the Chrome beta or developer builds, there isn’t anything new to see in the official version, but the bugs should be gone and Chrome 5 is now the same across all platforms.

In a post on the official Google blog the Chrome team reports that “the Mac and Linux versions [have] caught up with the Windows version.”

One feature you won’t find in this release is the integrated Flash plugin that Google is working on. By adding Flash to Chrome, Google plans to make it easier to keep users up-to-date with Flash patches, but so far that feature hasn’t made it to the official versions.

On the Mac side Chrome now sports a more polished UI and has a few tricks you won’t find in Apple’s Safari (Mac’s default WebKit-based browser) such as a full-screen mode, integrated bookmark syncing, and of course support for extensions.

We should also note that Mac beta users will be automatically updated to the stable version, so if you want to stick with the beta channel you’ll need to download it again after you’ve updated to stable.

Chrome’s Linux release now sports a GTK+ theme and is available as a .deb or .rpm for most Debian-based systems. The Ubuntu-centric website OMGUbuntu reports that Chrome, and its open source sibling Chromium, already account for over 36 percent of the site’s Linux visitors.

Globally Chrome’s market share hovers between 5 and 6 percent of the browser market, depending on which set of polling numbers you want to believe.

Now that Chrome is stable and has feature parity across operating systems look for that number to continue growing thanks to Chrome’s blazing speed and more mature feature-set.


Devious ‘Tabnapping’ Attack Hijacks Browser Tabs

Traditional phishing attacks are reasonably easy to avoid: just don’t click links in suspicious e-mails (or, for the really paranoid, any e-mail). But Firefox Creative Lead Aza Raskin has found a far more devious way to launch an attack: hijacking your unattended browser tabs.

The attack works by first detecting that the tab the page is in does not have focus. Then the attacking script can change the tab favicon and title before loading a new site, say a fake version of Gmail, in the background.

Even scarier, the attack can parse through your history to find sites you actually visit and impersonate them.

For example, using Raskin’s method an attacker can hijack your page, detect that you frequently log in to Citibank’s website and impersonate that site, complete with a message about automatically ending your session and asking you to log in again.

Because most of us trust our tabs to remain on the page we left them on, this is a particularly difficult attack to detect. As Raskin writes, “as the user scans their many open tabs, the favicon and title act as a strong visual cue — memory is malleable and moldable and the user will most likely simply think they left [the] tab open.”

The only clue that you’re being tricked is that the URL will be wrong.

Raskin has set up a demonstration on his blog post. Visit the page, switch to another tab and then notice that Raskin’s site will reload to look like the Gmail interface (Raskin uses an image for the demo, obviously easy to detect, but a real attack would offer a login page just like Gmail).

In my testing the attack worked in Firefox 3.6, 3.7a, Opera 10 and Safari 4. It did not work in Google Chrome on OS X when the tab was in the background, though it did work when I switched from Chrome to another application. Also, some browsers don’t change the favicon, though it’s possible that they could with a little tinkering to Raskin’s script.

So how do you stop this attack? Well, Raskin points out that Firefox’s coming Account Manager, which delegates tasks like logging in to the browser, is one possible fix, since it always looks at the URL, even if you don’t. Similar tools like 1Password would also work, provided you use them every time you log in to a website.

The other fix is on the developer side: just make sure your site doesn’t load any remote scripts. Even if you trust the site your script is loading from, it’s possible that site could be compromised.
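
One way to run that developer-side check, as an added example that is not from the original article: the Python script below lists every script a page pulls from an origin other than its own, honoring `<base href>` and protocol-relative URLs. The shop.example and cdn.example.net names and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def origin(url):
    """Return (scheme, host, port), filling in the default port for http/https."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


class ScriptAudit(HTMLParser):
    """Collect the absolute URL of every <script src> in document order."""

    def __init__(self, page_url):
        super().__init__()
        self.base_url = page_url   # replaced by the first <base href>, if any
        self.base_seen = False
        self.sources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href") and not self.base_seen:
            self.base_url = urljoin(self.base_url, attrs["href"].strip())
            self.base_seen = True
        elif tag == "script" and attrs.get("src"):
            # urljoin resolves relative paths and //host/path forms alike
            self.sources.append(urljoin(self.base_url, attrs["src"].strip()))


def remote_scripts(page_url, html):
    """Return script URLs whose origin differs from the page's own origin."""
    audit = ScriptAudit(page_url)
    audit.feed(html)
    audit.close()
    page_origin = origin(page_url)
    return [src for src in audit.sources if origin(src) != page_origin]


# Constructed sample page: two same-origin scripts, two remote ones.
SAMPLE_PAGE_URL = "https://shop.example/account/login"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://shop.example:443/static/vendor.js"></script>
<script src="//cdn.example.net/lib/widgets.js"></script>
<script src="http://shop.example/legacy.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for url in remote_scripts(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("remote script:", url)
```

The plain-HTTP copy of the site's own script is reported too, because a different scheme is a different origin and can be altered in transit.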

In the meantime, up your paranoia level and start paying attention to the URL bar.
