Wiz's Computer and Website Security Blog

There have been significant program updates issued for Microsoft Windows, the Firefox browser, Adobe Acrobat and Reader and Apple's QuickTime browser plug-in. All updates were released this week to fix critical vulnerabilities that were reported and were being exploited by hackers and cyber-criminals. These criminal elements hijack legitimate websites and install hidden codes to redirect innocent visitors to hostile websites loaded with exploit attack codes.

Most of the successful attacks exploit vulnerabilities in browsers (usually Internet Exploder), or their installed add-ons and plug-ins. like Apple QuickTime, Adobe Flash and Reader (and other PDF readers) and Sun's Java plug-in. If any of these items are a vulnerable version you may have your computer hijacked by cyber-criminals who will make it a zombie member of their Botnet. This will turn your PC into a spam machine, or it could be used to attack websites or Governments, with whom the hackers have a difference of opinion.

In order to stay safe from the barrage of hack attacks targeting browsers and their plug-ins it is imperative that you keep Windows and its components and all third party add-ons up to date. One way is to always select the option to automatically check for, download and install updates to those programs. If there is no automatic update mechanism for a program you use you should check to see if it has been updated. This could be at the manufacturer's website, or by using the free Secunia Online Software Inspector (requires current version of Java).

The details of this week's updates are below, in my extended comments.

Continue reading "Windows, Firefox, Adobe Reader and Apple QuickTime updated" »

Posted by Wiz at 1:07 PM | Permalink

Although I use Firefox as my primary (default) browser and web design test tool, I have kept the latest version of Opera browsers installed as well, just to make sure it renders my layouts correctly. Today, March 3, 2009, I received a security alert that Opera Software, of Norway, had released a security update to the Opera Browser. This was in response to a vulnerability reported on CERT, on March 3, 2009. The new version is number 9.64. Like I usually do, I downloaded the new version, ran the setup file as an Administrator (using Run As), from my XP Professional Power User account and upgraded from the previous version (9.63). When Opera opened everything looked fine and I closed it and went on about my business, working with html files I was editing.

Begin Rant:

I was about an hour later, still logged into my Power User account, that I went to the still open directory where these .html files live and double clicked on one, expecting it to open in Firefox, which is my default browser. Instead, to my surprise, it opened in Opera! I had not made any changes in the setup of Opera. I told the program to perform an Upgrade installation, just like the previous versions had been. None of them ever stole my default browser association and few even asked about being made the default browser. This is something new and as it turned out, slightly difficult and aggravating to resolve.

When I found that Firefox was not opening .html files any more I checked its options to see if it was still the "default browser;" which it claimed it was. Had it not been, I would have been able to make it so, using the Check Now button (Tools > Options > Advanced > System Defaults). But, Firefox thought it still was the default browser, so I tried disassociating .html files within Opera, but nothing changed. About that time I decided switch to my Administrator level account to uninstall Opera and see if it gave back the previous association to Firefox, but no luck. I went into Set Access and Defaults and reset Firefox as the Default browser, which worked in the Admin account, so I logged off it and back into the Power User account. Note, that you cannot change the Program Access and Defaults from a Power User account, only an Administrator level account, in XP.

Back in my Power User account I found that it now associated .html files with Windows Notepad! Every html file I double clicked on opened in Notepad, not Firefox! I decided to do an end run around the Windows File Association defense and right clicked on an html file, in the aforementioned folder, and chose Properties. The Properties sheet showed the html files opened with Notepad and offered a button to Change that. I used the button and chose Firefox to open .html files, clicked Apply and OK. When I tried opening an html file it still wanted to use Notepad, so I restarted the computer. This act alone cures a lot of mess-ups and it fixed this one.

The point of this article isn't just to show my readers how to recover from a browser file type association theft, but also to let Opera Software know that one of their users is pretty #@$%*~ off right now about having to go through all this work to keep a long ago established file type association that their update broke, without any word of warning. Also, it may be a long time before I reinstall an Opera Browser, which I was only using to test website layouts for compatibility anyway.

End Rant

Posted by Wiz at 5:21 PM | Permalink

If you are still browsing the Internet (and reading this) with Firefox 2.x, you need to know that support for it has ceased. Mozilla.org is no longer releasing any security updates to this line, which ended at version 2.0.0.20, in December 2008. With that final security update an existing security feature was disabled. Mozilla has turned off the anti-phishing filter built into Firefox browsers, from 2.0 up. This was done at the request of Google, who maintain the databases used by the phishing filter. However, the anti phishing filter is alive and well in the new series 3 Firefox browsers. For your continued security I recommend that you upgrade to Firefox 3.x as soon as possible.

If you have an older version of Firefox 2.x and the anti phishing filter is still enabled on it, I have bad news for you. On Monday, January 19, 2009, Google turned off the phishing website blacklist for Firefox 2.x browsers. Even though your browser may show the anti phishing filter as active its database is no longer being updated. This gives a false sense of security where none exists. Phishing websites typically have a useful life of between 3 days to two weeks, before they are reported and taken down by hosting providers or ISPs. If your anti phishing filter is not receiving regular updates you will be completely out-dated in a week or two. The websites in your blacklist will probably be inactive (as phishing sites), but newly discovered sites won't be added to your database.

You have some tough choice to make if you want to have Firefox browser protection against phishing attacks via compromised websites. If you choose to not upgrade to Firefox 3.x you should disable the setting "Tell me if the site I'm visiting is a suspected forgery" in the Security preferences section of Firefox 2.0's Options dialog box.

Here are your anti-phishing security options.

• Upgrade to Firefox 3.x which Google is supporting with new anti phishing updates (Recommended)


• Install the Netcraft Toolbar for Firefox


• Install the McAfee SiteAdvisor Toolbar for Firefox


• Install the Trend Micro Web Protection Add on (beta)


• Trend Micro Internet Security (PC-cillin)

Posted by Wiz at 2:55 PM | Permalink

On July 16, 2008, Mozilla released Firefox 3.01, patching three critical vulnerabilities, and 2.0.0.16, patching two critical security vulnerabilities, as reported by Secunia and other locations. Here is an outline of what has been patched in FF 3.01:

• Fixed these security issues:
  
  
  
  1. MFSA 2008-36 Crash with malformed GIF file on Mac OS X
  
  
  2. MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
  
  
  3. MFSA 2008-34 Remote code execution by overflowing CSS reference counter
  
  
  
  


• Fixed several stability issues.


• Fixed an issue where the phishing and malware database did not update on first launch.


• Under certain circumstances, Firefox 3.0 did not properly save the SSL certificate exceptions list.
  
• Updated the internal Public Suffix list (List of known domain suffixes).


• In certain cases, installing Firefox 2 in the same directory in which Firefox 3 has been installed resulted in Firefox 2 being unstable. This issue was fixed as part of Firefox 2.0.0.16.


• Fixed an issue where, when printing a selected region of content from the middle of a page, some of the output was missing (bug 433373).


• Fixed a Linux issues where, for users on a PPP connection (dialup or DSL) Firefox always started in "Offline" mode (bug 424626).

As always, after you update your browser you may have to allow it to connect to the Internet, if you have ZoneAlarm FIrewall, or a similar firewall that monitors for program md5 signature changes.

Continue reading "Mozilla Releases Firefox Browser 3.01 Security Update" »

Posted by Wiz at 8:02 PM | Permalink

Mozilla Foundation has announced that sometime in December 2008 all updates and support for Firefox 2.x browsers will come to an end. After that only version 3.x will receive updates. The following notice is posted on the downloads page for Firefox 2.x browsers.

Firefox 2.0.0.x will be maintained with security and stability updates until mid-December, 2008. All users are strongly encouraged to upgrade to Firefox 3.

This gives the authors of the various add-ons, extensions, plug-ins and themes 6 months notice to update their applications to be compatible with Firefox series 3 browsers.

Those of you who are staying with Firefox 2.0.0.x because you use add-ons that have not been updated for version 3.x will have to consider these options over the next few months.

1. Search for replacement add-ons that are compatible with Firefox 3.x and similar enough to our old ones to be suitable.
2. Try to force the new browser to use our old add-ons, using browser configuration hacks. This can have disastrous effects on browser stability if an add-on is truly incapable of working with the new security model or rendering engine. A few of these hacks are listed in my extended content, below.
3. Upgrade to Firefox 3, let it disable incompatible add-ons, then set it to check for updates to add-ons every time it searches for browser updates. This can be set in the browser Options, under Advanced > Update. This will slow the opening of the browser until the search has completed. Also, if an update is available you will have to interact with the notification box to install it, or skip it.
4. You can also check manually for updates to your add-ons (enabled or disabled) by going to the menu item Tools > Add-ons, then clicking "Find Updates." You will have the option of installing any updates, then restarting Firefox. The updates will not "take" until you restart (all instances of) the browser. If you had multiple tabs open when you click Restart they will all re-open when the browser restarts.

Unfortunately, some of the add-ons have been abandoned by their authors and are no longer being updated. While you may be able to hack their configuration codes to force them to install, be prepared for possible instability issues in Firefox, caused by incompatible add-ons forced into service.

Continue reading "Support for Firefox 2.x browsers ends in Mid-December 2008" »

Posted by Wiz at 3:59 PM | Permalink

On July 1, 2008, Mozilla Foundation pushed out automatic and manual updates to its version 2 series Firefox browsers, bring the latest version number up to 2.0.0.15. The new version contain a dozen fixes ranging from low to critical. Five fixes are critical, four are high, two are moderate and one is low importance. Below is a list of the vulnerabilities fixed in Firefox 2.0.0.15.

Fixed in Firefox 2.0.0.15

MFSA 2008-33: Crash and remote code execution in block reflow
MFSA 2008-32: Remote site run as local file via Windows URL shortcut
MFSA 2008-31: Peer-trusted certs can use alt names to spoof
MFSA 2008-30: File location URL in directory listings not escaped properly
MFSA 2008-29: Faulty .properties file results in uninitialized memory being used
MFSA 2008-28: Arbitrary socket connections with Java LiveConnect on Mac OS X
MFSA 2008-27: Arbitrary file upload via originalTarget and DOM Range
MFSA 2008-25: Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
MFSA 2008-24: Chrome script loading from fastload file
MFSA 2008-23: Signed JAR tampering
MFSA 2008-22: XSS through JavaScript same-origin violation
MFSA 2008-21: Crashes with evidence of memory corruption (rv:1.8.1.15)

The release and installation notes, plus download links, are found here. If you already use Firefox version 2.x and have set the option to automatically check for and download updates, your update should await you now, or next time you open Firefox while connected to the Internet. If you prefer to do a manual update you can do it from your Firefox browser. Go to the menu item "Help" > "Check for Updates."

If you are still using Firefox 2.x you should obtain the update as soon as possible, to stay protected against the 12 attack vectors fixed in version 2.0.0.15. Better yet, you can upgrade all the way to the newest series, Firefox 3.x browser, here. Note, that if you use add-on extensions, many are still waiting to be updated by their authors, to be compatible with series 3 Firefox browsers, first released on June 17, 2008.

Posted by Wiz at 1:09 AM | Permalink

Apple updates Safari browser for Windows with four security patches
June 19, 2008

Today, June 19, 2008, Apple Inc. released four security patches to fix critical vulnerabilities in its Safari browser. One of those fixes was for what has become known as the "Safari carpet-bombing exploit," which Apple had previously discounted as a feature, not a security vulnerability. This is a condition allowed by the unpatched Safari browser that allowed unacknowledged downloading of multiple executable files to a user's desktop. These files could in turn interact with Windows in a special way that would actually launch the setup routines for malware applications - downloaded to your desktop, without your knowledge or explicit permission.

The danger lies in the fact that a user typically has a browser opened to a large size on their desktop, along with other application windows, obscuring the desktop from view. If that browser is an unpatched version of Apple's Safari browser and the user is either enticed, or invisibly redirected to a hostile download site, the malware setup files will be silently downloaded to that user's desktop, where they may be executed by Windows, before the user is even aware they were downloaded. This could lead to instant system takeover, where the malware would run with the same privileges as the logged in user.

The Safari update is only for Windows users, not Mac OSX versions. Version 3.1.2 of Safari for Windows can be downloaded and installed from Apple Downloads.

Carpet bombing attack
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2540, a vulnerability in how Windows desktop handles executable files. Apple explains: "Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code. Web browsers are a means by which files may be saved to the desktop. To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user's Downloads folder on Windows Vista, and to the user's Documents folder on Windows XP."

Internet Explorer 7
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2306 which is an Internet Explorer 7 vulnerability. Apple explains: "If a Web site is in an Internet Explorer 7 zone with the 'Launching applications and unsafe files' setting set to 'Enable,' or if a Web site is in the Internet Explorer 6 'Local intranet' or 'Trusted sites' zone, Safari will automatically launch executable files that are downloaded from the site. This update addresses the issue by not automatically launching downloaded executable files, and by prompting the user before downloading a file if the 'always prompt' setting is enabled."

BMP or GIF image memory error
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-1573, an out-of-bounds memory read vulnerability. The error may occur in the handling of BMP and GIF images, which may lead to the disclosure of memory contents.

WebKit Javascript array
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2307, which is a memory corruption vulnerability. An error exists in WebKit's handling of JavaScript arrays, so visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

If you currently have Safari browser installed on your computer you should update it immediately, whether you use it regularly or not.

Continue reading "Apple finally updates its Safari browser to fix carpet-bombing vulnerability" »

Posted by Wiz at 11:54 PM | Permalink

March 25, 2008

Tonight, while I was browsing with Firefox, it was suddenly upgraded from version 2.0.0.12 to 2.0.0.13. This is because I set the option for Firefox to automatically check for and apply updates. Being the curious type I looked up the release notes, to find out why this new sub-version was pushed out, so quietly tonight. Here is the skinny.

What's New in Firefox 2.0.0.13

Release Date: March 25, 2008
Security Update: The following security issues were fixed.

1. MFSA 2008-19: XUL popup spoofing variant (cross-tab popups) - High
2. MFSA 2008-18: Java socket connection to any local port via LiveConnect - High
3. MFSA 2008-17: Privacy issue with SSL Client Authentication - Low
4. MFSA 2008-16: HTTP Referrer spoofing with malformed URLs - Moderate
5. MFSA 2008-15: Crashes with evidence of memory corruption (rv:1.8.1.13) - Critical
6. MFSA 2008-14: JavaScript privilege escalation and arbitrary code execution - Critical

This is half the vulnerabilities that were patched in the previous upgrade, from 2.0.0.11 to 2.0.0.12, which was released on February 7, 2008. If you use Firefox Browsers you should check for updates as soon as you go online with a computer it is installed on. It may beat you to the draw though! Otherwise, open Firefox and click on the Menu Item: "Help" > "Check for Updates." If you need the update it will be displayed prominently, with a button to Download and Install now. It'll only take a minute or so, on Broadband, after which a box will pop-up telling you that Firefox was upgraded and must be restarted. Click Ok to restart, even if you have multiple tabs open. They will reopen when Firefox restarts. You may have to login to password protected sites. After the update and restart, if you use and Add-Ons, or Extensions, run a check for updates to those items. It may take a few days for the authors to catch up and issue new releases to remain compatible with the latest updates. Most of the time everything I have added on still works after numerous upgrades.

If this is all news to you and you have not tried the FIrefox browser, here is a link to the official Firefox download page, for all languages. If you, like me, are in the US (or Canada), and use the US English version, on a Windows based computer, here is your Firefox download link, for the 5.7 Mb file. Save it to your hard drive and run setup. During the setup process Firefox will offer to import your Internet Explorer Favorites and Cookies. Allow it to import these items and finish the installation. Once Firefox opens you will have Bookmarks instead of Favorites, but, all of your previously saved Favorites will be available by clicking on Bookmarks > "From Internet Explorer." Mouse over this folder and all your Favorites will flyout in a list. Clicking on any bookmark will open it in the browser. Since you told it to import your cookies your preferences will carry over as well, although you may have to re-type your logins to some websites, manually. If this is necessary, tell Firefox to remember your login for that website and it will be safely stored for you.

Firefox is a tabbed browser and can open links you click on in a new tab, instead of a new Window. You have the option of giving the new tab focus, or staying put where you were when you clicked on the link. Furthermore, Firefox does not run any ActiveX controls, thus making it infinitely more safe to browse with then Internet "Exploder." Give Firefox a try today.

Posted by Wiz at 11:36 PM | Permalink

On February 7, 2008, Mozilla.org released the newest update to the renowned Firefox browser; version 2.0.0.12. This is primarily a security release, fixing ten major issues, nine of which deal with security vulnerabilities. If you are allowing Firefox to automatically check for updates you should be getting yours sometime on Feb 8, 2008, in a little pop-up notice. Otherwise, if you are in a hurry to upgrade now, open Firefox 2.x, click on the menu item Help >> Check for Updates. A pop-up box will appear, then check for updates, then will display the notice that a new version, 2.0.0.12 is available. You can just download the minimum required files and upgrade it on the spot. After the files are downloaded to a temporary directory the installer will ask for permission to restart Firefox, which should only take about 30 seconds, or so. You can confirm that you have the new version by clicking on the Menu item Help >> About Mozilla Firefox.

Firefox is also available for manual downloading and installation, from the main Firefox product page. Just download it and install it over the previous version. It will import/re-use all of your Bookmarks and History, and your Add-ons, if they are still compatible with the new release and it's security fixes. Rest assured, that most add-ons get updated shortly after the authors learn that they have stopped working in a new security release, or major build upgrade.

If you prefer to use a version of Firefox in a language other than English, there is a link in the lower right area of the Download page, where you can select your desired language. There are currently 44 different language versions of Firefox available. They are all available for Windows, Mac OSX and Linux operating systems.

What's New in Firefox 2.0.0.12?

Fixed in Firefox 2.0.0.12
MFSA 2008-11 - Web forgery overwrite with div overlay
MFSA 2008-10 - URL token stealing via stylesheet redirect
MFSA 2008-09 - Mishandling of locally-saved plain text files
MFSA 2008-08 - File action dialog tampering
MFSA 2008-06 - Web browsing history and forward navigation stealing
MFSA 2008-05 - Directory traversal via chrome: URI
MFSA 2008-04 - Stored password corruption
MFSA 2008-03 - Privilege escalation, XSS, Remote Code Execution
MFSA 2008-02 - Multiple file input focus stealing vulnerabilities
MFSA 2008-01 - Crashes with evidence of memory corruption (rv:1.8.1.12)

If you are not already using Firefox and wonder why you should switch, I'd say that security is reason number 1, as Firefox simply does not run or interpret any of the ActiveX Controls that are used in Internet Explorer. Most, but not all, hostile take-overs of Internet Explorer occur via ActiveX exploits. When a new security vulnerability is found in the Wild, for Firefox, the developers usually come out with a patched version in a matter of days. Internet Explorer users usually have to wait a month for patches, which come with your monthly Patch Tuesday Windows Updates. Which reminds me to remind you; Windows Updates are coming next Tuesday, February 12. There will be 12 security updates, including one for Internet Explorer.

Note; If you use a software firewall that monitors files for changes, like ZoneAlarm does, you will need to approved the changed Firefox browser permission to continue to access the Internet. The same will apply to Internet Explorer, next Tuesday. This happens because the file sizes and signatures are changed when the browsers are patched to a new version number. Just tell your Firewall that the change is allowed and have it remember your decision.

Posted by Wiz at 1:25 AM | Permalink

AOL announces the end of development and support for Netscape web browsers.

In1999, AOL acquired the floundering Netscape Communications Corporation, which included their flagship Netscape browser. AOL has announced, on the Netscape Blog, on December 28, 2007, that all development and technical support for it's Netscape line of browsers will end on February 1, 2008. This support includes security patches and stability updates. After February 1, there will be no more active product support for Navigator 9, or any previous Netscape Navigator browser. This includes Netscape v1-v4.x, Netscape v6, Netscape v7 Suite, Netscape Browser v8, and Netscape Navigator/Messenger 9.

The folks running the Netscape division of AOL recommend that people who have been using their branded version of Netscape switch to Firefox and I second that opinion. Netscape, in its current incarnation, is based on the the same rendering engine as Mozilla Foundation's Firefox browser. Mozilla is the parent of Firefox. You can download Firefox here. It is updated frequently and is actively being developed and supported.

Their recommendation for the nostalgic out there is to download Mozilla Firefox, and add on the Netscape theme and Netscape extensions which are available here:

https://addons.mozilla.org/en-US/firefox/user/56836

Despite the demise of the Netscape browser, the Netscape.com portal will remain online and active.

For those who have never used Firefox before and have been using Internet Explorer, one phase of installation will offer to import you IE Favorites and Cookies, which I recommend. With Firefox your IE "Favorites" will now be named "Bookmarks." Firefox uses tabs to open new web pages, instead of new windows, unless you prefer it the old way (it's an option). Firefox's preferences are called "Options" and are found at the bottom of the "Tools" menu item. Firefox has a default setting to automatically check for browser updates, but you can manually do so via "Help" > "Check for Updates."

Continue reading "Say goodbye to the Netscape Browser" »

Posted by Wiz at 5:58 PM | Permalink

Mozilla Foundation has just released a security update to their flagship browser; Firefox. The new version is 2.0.0.8, which was released on October 18, 2007. This is primarily a security update, which fixes the following documented security issues:

Fixed in Firefox 2.0.0.8
MFSA 2007-36: URIs with invalid %-encoding mishandled by Windows
MFSA 2007-35: XPCNativeWrapper pollution using Script object
MFSA 2007-34: Possible file stealing through sftp protocol
MFSA 2007-33: XUL pages can hide the window titlebar
MFSA 2007-32: File input focus stealing vulnerability
MFSA 2007-31: Browser digest authentication request splitting
MFSA 2007-30: onUnload Tailgating
MFSA 2007-29: Crashes with evidence of memory corruption (rv:1.8.1.8)

You can download the current version here: http://www.mozilla.com/en-US/firefox/.

The release notes about installation and known issues are found here

Posted by Wiz at 2:49 PM | Permalink

Mozilla, the owners of the Firefox browser, have released a security update on September 18, 2007, labeled version 2.0.0.7 . This update fixes just one critical vulnerability that was able to be exploited with a QuickTime Media File running a command against the Firefox "chrome." Successful exploitation could lead to complete browser, and/or system takeover, depending on the privileges of the logged in user. Yesterday's updates end the ability of third party software to run command lines in Firefox, entirely.

Firefox can be updated from within the program interface by clicking on Help > Check for Updates. If you see that a new version is available allow it to download and install it. Your browser will close for a minute, then re-open as a new version. If you use a software firewall, like ZoneAlarm, it will pop-up a challenge because the MD5 checksum of Firefox has changed. Allow the change and allow it to access the Internet.

All of the extensions that worked in version 2.0.0.6 continued to work after upgrading to 2.0.0.7. If you don't already have Firefox you can download the current version here

Despite Firefox releasing a patched version, the actual vulnerable program is and remains the Apple Quicktime plug-in. Expect a patched version to be available soon. I will blog about it when it becomes available.

Posted by Wiz at 10:04 PM | Permalink

News Flash!
Mozilla has just released a security update to it's flagship Firefox browser; Firefox 2.0.0.6

The news here is that this sudden release patches a critical vulnerability known as "Firefox URI-Handling Bugs," which could leave a Firefox equipped computer open to hijacking.

Mozilla Security Chief Window Snyder announced on July 23 that Mozilla had found a new scenario over the preceding weekend in which Firefox could be used as an attack entry point in various ways, via URI exploits. Specifically, while browsing with Firefox, Snyder said, a malicious URL could be used to pass along bad data to another application.

The problems arise from an input-validation error that can allow remote attackers to execute arbitrary commands on a victim system, through processes such as "cmd.exe," by employing various URI handlers.

In a Deepsight alert to its customers July 31, Symantec, of Cupertino, Calif., outlined this possible attack scenario: First, an attacker constructs malicious links to pass arguments or parameters for an external application that will run when the URI is loaded. The attacker then plants the malicious link on a Web site or sends it through HTML e-mail or by other means.

If successful, the attacker then executes an arbitrary application. First, an attacker would launch the command line, then could pass arbitrary arguments to the command shell that would then launch other applications.

An additional bug has been patched in version 2.0.0.6. Mozilla researcher moz_bug_r_a4 reported that a flaw was introduced by the fix for MFSA 2007-20 that could enable privilege escalation attacks against addons that create "about:blank" windows and populate them in certain ways (including implicit "about:blank" document creation through data: or javascript: URLs in a new window).

One add-on known to be affected is the Web Developer Toolbar, which is used by webmasters to analyze web pages, which was safe in its default configuration but potentially vulnerable to malicious web content if informational windows were opened as separate windows instead of tabs.

Synopsis:
Fixed in Firefox 2.0.0.6
MFSA 2007-27: Unescaped URIs passed to external programs
MFSA 2007-26: Privilege escalation through chrome-loaded about:blank windows

Firefox Version 2.0.0.6, is available here for Windows, Mac and Linux. Users on Firefox 2.0.0.x will be getting an automated update notification within 24 to 48 hours, or the update can be manually downloaded by selecting "check for updates" in Firefox's Help menu. Do so immediately for your own protection!

Posted by Wiz at 7:04 PM | Permalink

Mozilla.org has released a security and compatibility upgrade of the popular Firefox browser; version 2.0.0.4, on May 30, 2007.

While this edition features fixes for several critical security vulnerabilities it also contains compatibility fixes to make it work better under Windows Vista. Details are below.

Security Vulnerabilities Fixed in Firefox 2.0.0.4
MFSA 2007-17 XUL Popup Spoofing
MFSA 2007-16 XSS using addEventListener
MFSA 2007-14 Path Abuse in Cookies
MFSA 2007-13 Persistent Autocomplete Denial of Service
MFSA 2007-12 Crashes with evidence of memory corruption (rv:1.8.0.12/1.8.1.4)

* Clicking links in some applications (e.g. some instant messaging programs) might not open them in Firefox, even if you have set it as your default browser. To workaround this problem, go to Start -> Default Programs -> Set default programs for this computer, expand custom, select the radio button next to the app you want to set as the system wide default app (e.g. Firefox, etc.), and apply.
* A Windows Media Player (WMP) plugin is not provided with Windows Vista. As a workaround, in order to view Windows Media content, you can follow these instructions. Note that after installing you may have to get a security update and apply it before you can see the content in the browser.
* Vista Parental Controls are not completely honored. In particular, file downloads do not honor Vista's parental control settings. This will be addressed in an upcoming Firefox release.
* When migrating from Internet Explorer 7 to Firefox, cookies and saved form history are not imported.

Downloading Firefox 2
Mozilla provides Firefox 2 for Windows, Linux, and Mac OS X in a variety of languages. You can get the latest version of Firefox 2 here.

Installing Firefox 2
Please note that installing Firefox 2 will overwrite your existing installation of Firefox. You won't lose any of your bookmarks or browsing history, but some of your extensions and other add-ons might not work until updates for them are made available.

Some firewall software may silently block Firefox from running. Other software firewalls, like ZoneAlarm, will pop-up a Program (changed) Alert that you must interact with (twice) to allow the updated Firefox browser to connect to the Internet. This often happens immediately after Firefox has been installed or updated from a previous version. There are configuration instructions available for most popular firewall programs to help you ensure that Firefox is allowed to connect to the Internet. In the case of ZoneAlarm you know you just updated Firefox so Allow it to connect the the Internet AND check the box to remember your decision. Firefox contains a component that automatically checks for updates while you are online and you may have to allow that (changed) component to connect after updating the browser.

The release notes and caveats about this version of Firefox are found here.

Removing Firefox 2
You can remove Firefox 2 through the Control Panel in the Start Menu on Windows, by removing the Firefox application on OS X, or by removing the firefox folder on Linux.

Removing Firefox 2 won't remove your bookmarks, web browsing history, extensions or other add-ons. This data is stored in your Firefox Profile folder.

Continue reading "Firefox 2.0.0.4 Released on 5/30/2007 - Security and Compatibility Upgrade" »

Posted by Wiz at 2:43 PM | Permalink

Firefox users take note: Mozilla will only supply security and stability upgrades for Firefox 1.5x until mid-May of this year (2007). They encourage all Firefox 1.5 users to visit http://getfirefox.com to download the latest version of Firefox today. Mozilla is focusing on delivering a faster and more secure online experience. They want all of their users to benefit from the new features in Firefox 2.0, and in the not to distant future, Firefox 3.0.

I personally made the switch to version 2.0.x about two months ago and have no regrets. All of the Extensions I was using are now updated to work with version 2.0 and newer. The tabs that used to get squeezed in width as more were opened will now generate horizontal arrow buttons to scroll them to the right or left, when you have more tabs open than the width will accomodate. There are a lot of neat skins being developed for these new Firefox browsers and some awesome new "Add-ons" as the Extensions are now called. Firefox 2 supports JavaScript 1.7 and inline spell checking in text areas and text fields, which is a tremendous help for us Bloggers and Forumites.

Other new features:
* Microsummaries provide a way to create bookmarks that display information pulled from the site they refer to, updated automatically. Great for stock tickers, auction monitoring, and so forth.
* Search engine manager lets you rearrange and remove search engines shown in the search bar.
* Tabbed browsing enhancements include adding close buttons to each tab, adjustments to how Firefox decides which tab to bring you to when you close the current tab, and simplified preferences for tabs.
* Phishing Protection to warn users when the web site you're looking at appears to be a forgery.

Firefox is available for Windows 98 through XP and now Vista, and non-Microsoft operating systems as well, including Mac and Linux. Current versions offer the option to also install the Google Toolbar, which is used by searchers and Webmasters alike.

Posted by Wiz at 11:58 PM | Permalink

Mozilla.org has released a security and compatibility upgrade of the flagship Firefox browser; version 2.0.0.3, on March 20, 2007.

The one security enhancement is in response to the MFSA 2007-11: FTP PASV port-scanning flaw. The compatibility improvement is regarding various web compatibility "regressions."

Downloading Firefox 2
Mozilla provides Firefox 2 for Windows, Linux, and Mac OS X in a variety of languages. You can get the latest version of Firefox 2 here.

Installing Firefox 2
Please note that installing Firefox 2 will overwrite your existing installation of Firefox. You won't lose any of your bookmarks or browsing history, but some of your extensions and other add-ons might not work until updates for them are made available.

Removing Firefox 2
You can remove Firefox 2 through the Control Panel in the Start Menu on Windows, by removing the Firefox application on OS X, or by removing the firefox folder on Linux.

Removing Firefox 2 won't remove your bookmarks, web browsing history, extensions or other add-ons. This data is stored in your Firefox Profile folder.

Continue reading "Firefox 2.0.0.3 Security Release Issued on March 20, 2007" »

Posted by Wiz at 11:50 PM | Permalink

Mozilla.org has released Firefox 2.0.0.2, on February 23, 2007.

If you are not already using Firefox to browse the Internet, what are you waiting for?

What's New in Firefox 2.0.0.2

* Release Date: February 23, 2007
* Security Update: The following list of security issues have been fixed.
* Windows Vista Support: Many enhancements and fixes for Windows Vista are included along with the following caveats.
* New Languages: Beta releases for several new languages are now available for testing.
* Permissions Bug Fixed: In the German (de) locale on Windows and Linux, resolved a problem with certain files tagged as read-only.

Mozilla provides Firefox 2 for Windows, Linux, and Mac OS X in a variety of languages. You can get the latest version of Firefox 2 here.

Mozilla Firefox 2.0.0.2 Release Notes

Fixed in Firefox 2.0.0.2
MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks
MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow
MFSA 2007-05 XSS and local file access by opening blocked popups
MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
MFSA 2007-03 Information disclosure through cache collisions
MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks
MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)

Get Firefox here

Continue reading "Firefox Browser v 2.0.0.2 released on February 23, 2007" »

Posted by Wiz at 1:31 AM | Permalink

Mozilla.org has released Firefox 1.5.0.9 as a security and stability update to the 1.5x line of browsers. It is recommended that people who are not ready to update the firefox 2 should at least get this update. You extensions should continue to work, along with all of your bookmarks and personal settings (this may not be the case when upgrading to version 2.x). You can download Firefox 1.5.0.9 here.

Here is what Mozilla has to say about this incremental upgrade to 1.5.0.9:

What's New in Firefox 1.5.0.9

Note: Firefox 1.5.0.x will be maintained with security and stability updates until April 24, 2007. All users are strongly encouraged to upgrade to Firefox 2.

Fixed in Firefox 1.5.0.9

MFSA 2006-75 RSS Feed-preview referrer leak
MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
MFSA 2006-72 XSS by setting img.src to javascript: URI
MFSA 2006-71 LiveConnect crash finalizing JS objects
MFSA 2006-70 Privilege escallation using watch point
MFSA 2006-69 CSS cursor image buffer overflow (Windows only)
MFSA 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)

Source and details: http://www.mozilla.com/en-US/firefox/releases/1.5.0.9.html

Posted by Wiz at 2:27 AM | Permalink

I just installed and checked out Firefox 2.0 and had to uninstall it almost immediately. It is missing the Email Client launch icon and disabled most of my important Extensions, which I depend on for my work. These included such Extensions as SpoofStick, Adsense Preview, Lorem Ipsum Generator, McAfee Site Advisor, Google Statusbar PageRank indicator, and my HTML Validator, DNSStuff Toolbar, and ForecastFox Accuweather forecasts. In all it disabled 6 Extensions and updated only one. I will wait a while to upgrade to version 2.0 for a while, to let the Extension authors make their plugins compatible with this version.

Going back to version 1.5.0.7 was as simple as running the setup file for that version. It overwrote the new files with the previous versions, and when Firefox opened it was exactly as I had it before performing the upgrade.

If you are using a lot of Extensions and depend on them you may want to hold off on updating to version 2.x until the Extension authors catch up to it, and Mozilla adds back the Email launching icon (if you used it). Keep the setup file for 1.5.0.7 on hand until the dust settles.

If I didn't use so many Extensions and depend on them I would have taken a longer look at version 2.0, but I didn't want to corrupt my saved personal settings with all the disabled and missing items.

Wiz

Posted by Wiz at 10:52 PM | Permalink

Not to be outdone by Microsoft's recent release of Internet Explorer 7, Mozilla will release the second major version of its rival Firefox browser on Tuesday, October 24. The current beta release is RC3 and it is anticipated that not much needs to be changed to make it the official release version 2.0.

According to Mozilla Vice President of Products Christopher Beard, Firefox 2.0, which should be available on Tuesday if all goes according to schedule, includes key new usability features missing in the new IE 7.

Mozilla has also enhanced the popular tabbed browsing feature in 2.0 that Firefox introduced when it emerged two years ago as the first significant rival to IE in years, Beard adds. Tabs allow users to navigate more easily between multiple Web pages when browsing the Internet, and Microsoft added tabs to IE 7 after Firefox's success with the feature.

In Firefox 2.0, Mozilla has added a "close" button on its tabs, as well as new visual features to make the tabs appear more obvious to the user, Beard says.

New usability features in Firefox 2.0 that differentiate it from IE 7 include one that will restore the browser to pages where the user was working if a sudden OS restart is required. "If your browser needs a restart or the OS asks you to reboot, losing all of those Web pages and content is pretty disruptive," Beard notes.

Firefox 2.0 is offering two options for enabling this feature. One way is that, by default, the browser will give the user an option to restore his or her browser sessions if there is an unexpected shutdown; the other is an advanced option to set the browser so that it always restores the last five pages visited before a sudden reboot.

Antiphishing Filters in Both Browsers

Like IE 7, Firefox 2.0 also has an antiphishing filter that will help protect users from divulging personal information to fraudulent Web sites. But Mozilla has taken a different approach to its antiphishing filter than Microsoft has, Beard says.

Instead of checking individual Web pages users visit against lists of known phishing sites, thus sending information from the site to third parties that keep lists of such sites, Firefox updates its blacklist of known fraudulent Web sites automatically every half-hour to an hour. Beard said this better protects users' privacy because no information from the sites they've visited is sent to any third parties.

Mozilla also has added spell-checking features to the browser similar to those found in word-processing applications. Whenever a user is typing text in the browser--as when typing the name of a Web site, a blog entry, or an e-mail--Firefox's spell checker will underline in red words that appear misspelled. Right-clicking on the word will give a user options for a corrected spelling.

In addition, Firefox 2.0 has a new feature in its integrated search box that will suggest a list of search terms after a user types a few letters of a word, depending on the search engine being used. Firefox 2.0 uses Google, Yahoo, and Ask.com search engines as options for the search box, and each uses a different algorithm to suggest search terms, Beard explains. To ensure that this feature is not disruptive to the user experience, the suggested search terms will appear in a separate pane below the search box, he adds.

Posted by Wiz at 10:16 PM | Permalink

Mozilla released Beta 2 of its upcoming Firefox 2 browser for developer review Aug. 31, emphasizing that it is being made available for testing purposes only. The release contains a number of new features, as well as some enhancements to look and feel. "Firefox 2 Beta 2 is intended for Web application developers and our testing community," the team said on the Mozilla development website. "Current users of Firefox 1.x should not use Firefox 2 Beta 2 and expect all of their extensions and plugins to work properly."

Source: http://www.desktoplinux.com/news/NS3852026030.html

This beta release will soon be posted to the following page.

Firefox published beta downloads page: http://www.mozilla.org/projects/bonecho/all-beta.html

The final Firefox 2.0 is expected to be completed in early 2007, the team said. More beta versions are expected to be released this fall and winter.

Continue reading "Mozilla Releases New Beta of Firefox 2.0" »

Posted by Wiz at 3:05 PM | Permalink