Wiz's Computer and Website Security Blog

March 25, 2008

Tonight, while I was browsing with Firefox, it was suddenly upgraded from version 2.0.0.12 to 2.0.0.13. This is because I set the option for Firefox to automatically check for and apply updates. Being the curious type I looked up the release notes, to find out why this new sub-version was pushed out, so quietly tonight. Here is the skinny.

What's New in Firefox 2.0.0.13

Release Date: March 25, 2008
Security Update: The following security issues were fixed.

1. MFSA 2008-19: XUL popup spoofing variant (cross-tab popups) - High
2. MFSA 2008-18: Java socket connection to any local port via LiveConnect - High
3. MFSA 2008-17: Privacy issue with SSL Client Authentication - Low
4. MFSA 2008-16: HTTP Referrer spoofing with malformed URLs - Moderate
5. MFSA 2008-15: Crashes with evidence of memory corruption (rv:1.8.1.13) - Critical
6. MFSA 2008-14: JavaScript privilege escalation and arbitrary code execution - Critical

This is half the vulnerabilities that were patched in the previous upgrade, from 2.0.0.11 to 2.0.0.12, which was released on February 7, 2008. If you use Firefox Browsers you should check for updates as soon as you go online with a computer it is installed on. It may beat you to the draw though! Otherwise, open Firefox and click on the Menu Item: "Help" > "Check for Updates." If you need the update it will be displayed prominently, with a button to Download and Install now. It'll only take a minute or so, on Broadband, after which a box will pop-up telling you that Firefox was upgraded and must be restarted. Click Ok to restart, even if you have multiple tabs open. They will reopen when Firefox restarts. You may have to login to password protected sites. After the update and restart, if you use and Add-Ons, or Extensions, run a check for updates to those items. It may take a few days for the authors to catch up and issue new releases to remain compatible with the latest updates. Most of the time everything I have added on still works after numerous upgrades.

If this is all news to you and you have not tried the FIrefox browser, here is a link to the official Firefox download page, for all languages. If you, like me, are in the US (or Canada), and use the US English version, on a Windows based computer, here is your Firefox download link, for the 5.7 Mb file. Save it to your hard drive and run setup. During the setup process Firefox will offer to import your Internet Explorer Favorites and Cookies. Allow it to import these items and finish the installation. Once Firefox opens you will have Bookmarks instead of Favorites, but, all of your previously saved Favorites will be available by clicking on Bookmarks > "From Internet Explorer." Mouse over this folder and all your Favorites will flyout in a list. Clicking on any bookmark will open it in the browser. Since you told it to import your cookies your preferences will carry over as well, although you may have to re-type your logins to some websites, manually. If this is necessary, tell Firefox to remember your login for that website and it will be safely stored for you.

Firefox is a tabbed browser and can open links you click on in a new tab, instead of a new Window. You have the option of giving the new tab focus, or staying put where you were when you clicked on the link. Furthermore, Firefox does not run any ActiveX controls, thus making it infinitely more safe to browse with then Internet "Exploder." Give Firefox a try today.

Posted by Wiz at 11:36 PM | Permalink

On February 7, 2008, Mozilla.org released the newest update to the renowned Firefox browser; version 2.0.0.12. This is primarily a security release, fixing ten major issues, nine of which deal with security vulnerabilities. If you are allowing Firefox to automatically check for updates you should be getting yours sometime on Feb 8, 2008, in a little pop-up notice. Otherwise, if you are in a hurry to upgrade now, open Firefox 2.x, click on the menu item Help >> Check for Updates. A pop-up box will appear, then check for updates, then will display the notice that a new version, 2.0.0.12 is available. You can just download the minimum required files and upgrade it on the spot. After the files are downloaded to a temporary directory the installer will ask for permission to restart Firefox, which should only take about 30 seconds, or so. You can confirm that you have the new version by clicking on the Menu item Help >> About Mozilla Firefox.

Firefox is also available for manual downloading and installation, from the main Firefox product page. Just download it and install it over the previous version. It will import/re-use all of your Bookmarks and History, and your Add-ons, if they are still compatible with the new release and it's security fixes. Rest assured, that most add-ons get updated shortly after the authors learn that they have stopped working in a new security release, or major build upgrade.

If you prefer to use a version of Firefox in a language other than English, there is a link in the lower right area of the Download page, where you can select your desired language. There are currently 44 different language versions of Firefox available. They are all available for Windows, Mac OSX and Linux operating systems.

What's New in Firefox 2.0.0.12?

Fixed in Firefox 2.0.0.12
MFSA 2008-11 - Web forgery overwrite with div overlay
MFSA 2008-10 - URL token stealing via stylesheet redirect
MFSA 2008-09 - Mishandling of locally-saved plain text files
MFSA 2008-08 - File action dialog tampering
MFSA 2008-06 - Web browsing history and forward navigation stealing
MFSA 2008-05 - Directory traversal via chrome: URI
MFSA 2008-04 - Stored password corruption
MFSA 2008-03 - Privilege escalation, XSS, Remote Code Execution
MFSA 2008-02 - Multiple file input focus stealing vulnerabilities
MFSA 2008-01 - Crashes with evidence of memory corruption (rv:1.8.1.12)

If you are not already using Firefox and wonder why you should switch, I'd say that security is reason number 1, as Firefox simply does not run or interpret any of the ActiveX Controls that are used in Internet Explorer. Most, but not all, hostile take-overs of Internet Explorer occur via ActiveX exploits. When a new security vulnerability is found in the Wild, for Firefox, the developers usually come out with a patched version in a matter of days. Internet Explorer users usually have to wait a month for patches, which come with your monthly Patch Tuesday Windows Updates. Which reminds me to remind you; Windows Updates are coming next Tuesday, February 12. There will be 12 security updates, including one for Internet Explorer.

Note; If you use a software firewall that monitors files for changes, like ZoneAlarm does, you will need to approved the changed Firefox browser permission to continue to access the Internet. The same will apply to Internet Explorer, next Tuesday. This happens because the file sizes and signatures are changed when the browsers are patched to a new version number. Just tell your Firewall that the change is allowed and have it remember your decision.

Posted by Wiz at 1:25 AM | Permalink

AOL announces the end of development and support for Netscape web browsers.

In1999, AOL acquired the floundering Netscape Communications Corporation, which included their flagship Netscape browser. AOL has announced, on the Netscape Blog, on December 28, 2007, that all development and technical support for it's Netscape line of browsers will end on February 1, 2008. This support includes security patches and stability updates. After February 1, there will be no more active product support for Navigator 9, or any previous Netscape Navigator browser. This includes Netscape v1-v4.x, Netscape v6, Netscape v7 Suite, Netscape Browser v8, and Netscape Navigator/Messenger 9.

The folks running the Netscape division of AOL recommend that people who have been using their branded version of Netscape switch to Firefox and I second that opinion. Netscape, in its current incarnation, is based on the the same rendering engine as Mozilla Foundation's Firefox browser. Mozilla is the parent of Firefox. You can download Firefox here. It is updated frequently and is actively being developed and supported.

Their recommendation for the nostalgic out there is to download Mozilla Firefox, and add on the Netscape theme and Netscape extensions which are available here:

https://addons.mozilla.org/en-US/firefox/user/56836

Despite the demise of the Netscape browser, the Netscape.com portal will remain online and active.

For those who have never used Firefox before and have been using Internet Explorer, one phase of installation will offer to import you IE Favorites and Cookies, which I recommend. With Firefox your IE "Favorites" will now be named "Bookmarks." Firefox uses tabs to open new web pages, instead of new windows, unless you prefer it the old way (it's an option). Firefox's preferences are called "Options" and are found at the bottom of the "Tools" menu item. Firefox has a default setting to automatically check for browser updates, but you can manually do so via "Help" > "Check for Updates."

Continue reading "Say goodbye to the Netscape Browser" »

Posted by Wiz at 5:58 PM | Permalink

Mozilla Foundation has just released a security update to their flagship browser; Firefox. The new version is 2.0.0.8, which was released on October 18, 2007. This is primarily a security update, which fixes the following documented security issues:

Fixed in Firefox 2.0.0.8
MFSA 2007-36: URIs with invalid %-encoding mishandled by Windows
MFSA 2007-35: XPCNativeWrapper pollution using Script object
MFSA 2007-34: Possible file stealing through sftp protocol
MFSA 2007-33: XUL pages can hide the window titlebar
MFSA 2007-32: File input focus stealing vulnerability
MFSA 2007-31: Browser digest authentication request splitting
MFSA 2007-30: onUnload Tailgating
MFSA 2007-29: Crashes with evidence of memory corruption (rv:1.8.1.8)

You can download the current version here: http://www.mozilla.com/en-US/firefox/.

The release notes about installation and known issues are found here

Posted by Wiz at 2:49 PM | Permalink

Mozilla, the owners of the Firefox browser, have released a security update on September 18, 2007, labeled version 2.0.0.7 . This update fixes just one critical vulnerability that was able to be exploited with a QuickTime Media File running a command against the Firefox "chrome." Successful exploitation could lead to complete browser, and/or system takeover, depending on the privileges of the logged in user. Yesterday's updates end the ability of third party software to run command lines in Firefox, entirely.

Firefox can be updated from within the program interface by clicking on Help > Check for Updates. If you see that a new version is available allow it to download and install it. Your browser will close for a minute, then re-open as a new version. If you use a software firewall, like ZoneAlarm, it will pop-up a challenge because the MD5 checksum of Firefox has changed. Allow the change and allow it to access the Internet.

All of the extensions that worked in version 2.0.0.6 continued to work after upgrading to 2.0.0.7. If you don't already have Firefox you can download the current version here

Despite Firefox releasing a patched version, the actual vulnerable program is and remains the Apple Quicktime plug-in. Expect a patched version to be available soon. I will blog about it when it becomes available.

Posted by Wiz at 10:04 PM | Permalink

News Flash!
Mozilla has just released a security update to it's flagship Firefox browser; Firefox 2.0.0.6

The news here is that this sudden release patches a critical vulnerability known as "Firefox URI-Handling Bugs," which could leave a Firefox equipped computer open to hijacking.

Mozilla Security Chief Window Snyder announced on July 23 that Mozilla had found a new scenario over the preceding weekend in which Firefox could be used as an attack entry point in various ways, via URI exploits. Specifically, while browsing with Firefox, Snyder said, a malicious URL could be used to pass along bad data to another application.

The problems arise from an input-validation error that can allow remote attackers to execute arbitrary commands on a victim system, through processes such as "cmd.exe," by employing various URI handlers.

In a Deepsight alert to its customers July 31, Symantec, of Cupertino, Calif., outlined this possible attack scenario: First, an attacker constructs malicious links to pass arguments or parameters for an external application that will run when the URI is loaded. The attacker then plants the malicious link on a Web site or sends it through HTML e-mail or by other means.

If successful, the attacker then executes an arbitrary application. First, an attacker would launch the command line, then could pass arbitrary arguments to the command shell that would then launch other applications.

An additional bug has been patched in version 2.0.0.6. Mozilla researcher moz_bug_r_a4 reported that a flaw was introduced by the fix for MFSA 2007-20 that could enable privilege escalation attacks against addons that create "about:blank" windows and populate them in certain ways (including implicit "about:blank" document creation through data: or javascript: URLs in a new window).

One add-on known to be affected is the Web Developer Toolbar, which is used by webmasters to analyze web pages, which was safe in its default configuration but potentially vulnerable to malicious web content if informational windows were opened as separate windows instead of tabs.

Synopsis:
Fixed in Firefox 2.0.0.6
MFSA 2007-27: Unescaped URIs passed to external programs
MFSA 2007-26: Privilege escalation through chrome-loaded about:blank windows

Firefox Version 2.0.0.6, is available here for Windows, Mac and Linux. Users on Firefox 2.0.0.x will be getting an automated update notification within 24 to 48 hours, or the update can be manually downloaded by selecting "check for updates" in Firefox's Help menu. Do so immediately for your own protection!

Posted by Wiz at 7:04 PM | Permalink

Mozilla.org has released a security and compatibility upgrade of the popular Firefox browser; version 2.0.0.4, on May 30, 2007.

While this edition features fixes for several critical security vulnerabilities it also contains compatibility fixes to make it work better under Windows Vista. Details are below.

Security Vulnerabilities Fixed in Firefox 2.0.0.4
MFSA 2007-17 XUL Popup Spoofing
MFSA 2007-16 XSS using addEventListener
MFSA 2007-14 Path Abuse in Cookies
MFSA 2007-13 Persistent Autocomplete Denial of Service
MFSA 2007-12 Crashes with evidence of memory corruption (rv:1.8.0.12/1.8.1.4)

* Clicking links in some applications (e.g. some instant messaging programs) might not open them in Firefox, even if you have set it as your default browser. To workaround this problem, go to Start -> Default Programs -> Set default programs for this computer, expand custom, select the radio button next to the app you want to set as the system wide default app (e.g. Firefox, etc.), and apply.
* A Windows Media Player (WMP) plugin is not provided with Windows Vista. As a workaround, in order to view Windows Media content, you can follow these instructions. Note that after installing you may have to get a security update and apply it before you can see the content in the browser.
* Vista Parental Controls are not completely honored. In particular, file downloads do not honor Vista's parental control settings. This will be addressed in an upcoming Firefox release.
* When migrating from Internet Explorer 7 to Firefox, cookies and saved form history are not imported.

Downloading Firefox 2
Mozilla provides Firefox 2 for Windows, Linux, and Mac OS X in a variety of languages. You can get the latest version of Firefox 2 here.

Installing Firefox 2
Please note that installing Firefox 2 will overwrite your existing installation of Firefox. You won't lose any of your bookmarks or browsing history, but some of your extensions and other add-ons might not work until updates for them are made available.

Some firewall software may silently block Firefox from running. Other software firewalls, like ZoneAlarm, will pop-up a Program (changed) Alert that you must interact with (twice) to allow the updated Firefox browser to connect to the Internet. This often happens immediately after Firefox has been installed or updated from a previous version. There are configuration instructions available for most popular firewall programs to help you ensure that Firefox is allowed to connect to the Internet. In the case of ZoneAlarm you know you just updated Firefox so Allow it to connect the the Internet AND check the box to remember your decision. Firefox contains a component that automatically checks for updates while you are online and you may have to allow that (changed) component to connect after updating the browser.

The release notes and caveats about this version of Firefox are found here.

Removing Firefox 2
You can remove Firefox 2 through the Control Panel in the Start Menu on Windows, by removing the Firefox application on OS X, or by removing the firefox folder on Linux.

Removing Firefox 2 won't remove your bookmarks, web browsing history, extensions or other add-ons. This data is stored in your Firefox Profile folder.

Continue reading "Firefox 2.0.0.4 Released on 5/30/2007 - Security and Compatibility Upgrade" »

Posted by Wiz at 2:43 PM | Permalink

Firefox users take note: Mozilla will only supply security and stability upgrades for Firefox 1.5x until mid-May of this year (2007). They encourage all Firefox 1.5 users to visit http://getfirefox.com to download the latest version of Firefox today. Mozilla is focusing on delivering a faster and more secure online experience. They want all of their users to benefit from the new features in Firefox 2.0, and in the not to distant future, Firefox 3.0.

I personally made the switch to version 2.0.x about two months ago and have no regrets. All of the Extensions I was using are now updated to work with version 2.0 and newer. The tabs that used to get squeezed in width as more were opened will now generate horizontal arrow buttons to scroll them to the right or left, when you have more tabs open than the width will accomodate. There are a lot of neat skins being developed for these new Firefox browsers and some awesome new "Add-ons" as the Extensions are now called. Firefox 2 supports JavaScript 1.7 and inline spell checking in text areas and text fields, which is a tremendous help for us Bloggers and Forumites.

Other new features:
* Microsummaries provide a way to create bookmarks that display information pulled from the site they refer to, updated automatically. Great for stock tickers, auction monitoring, and so forth.
* Search engine manager lets you rearrange and remove search engines shown in the search bar.
* Tabbed browsing enhancements include adding close buttons to each tab, adjustments to how Firefox decides which tab to bring you to when you close the current tab, and simplified preferences for tabs.
* Phishing Protection to warn users when the web site you're looking at appears to be a forgery.

Firefox is available for Windows 98 through XP and now Vista, and non-Microsoft operating systems as well, including Mac and Linux. Current versions offer the option to also install the Google Toolbar, which is used by searchers and Webmasters alike.

Posted by Wiz at 11:58 PM | Permalink

Mozilla.org has released a security and compatibility upgrade of the flagship Firefox browser; version 2.0.0.3, on March 20, 2007.

The one security enhancement is in response to the MFSA 2007-11: FTP PASV port-scanning flaw. The compatibility improvement is regarding various web compatibility "regressions."

Downloading Firefox 2
Mozilla provides Firefox 2 for Windows, Linux, and Mac OS X in a variety of languages. You can get the latest version of Firefox 2 here.

Installing Firefox 2
Please note that installing Firefox 2 will overwrite your existing installation of Firefox. You won't lose any of your bookmarks or browsing history, but some of your extensions and other add-ons might not work until updates for them are made available.

Removing Firefox 2
You can remove Firefox 2 through the Control Panel in the Start Menu on Windows, by removing the Firefox application on OS X, or by removing the firefox folder on Linux.

Removing Firefox 2 won't remove your bookmarks, web browsing history, extensions or other add-ons. This data is stored in your Firefox Profile folder.

Continue reading "Firefox 2.0.0.3 Security Release Issued on March 20, 2007" »

Posted by Wiz at 11:50 PM | Permalink

Mozilla.org has released Firefox 2.0.0.2, on February 23, 2007.

If you are not already using Firefox to browse the Internet, what are you waiting for?

What's New in Firefox 2.0.0.2

* Release Date: February 23, 2007
* Security Update: The following list of security issues have been fixed.
* Windows Vista Support: Many enhancements and fixes for Windows Vista are included along with the following caveats.
* New Languages: Beta releases for several new languages are now available for testing.
* Permissions Bug Fixed: In the German (de) locale on Windows and Linux, resolved a problem with certain files tagged as read-only.

Mozilla provides Firefox 2 for Windows, Linux, and Mac OS X in a variety of languages. You can get the latest version of Firefox 2 here.

Mozilla Firefox 2.0.0.2 Release Notes

Fixed in Firefox 2.0.0.2
MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks
MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow
MFSA 2007-05 XSS and local file access by opening blocked popups
MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
MFSA 2007-03 Information disclosure through cache collisions
MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks
MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)

Get Firefox here

Continue reading "Firefox Browser v 2.0.0.2 released on February 23, 2007" »

Posted by Wiz at 1:31 AM | Permalink

Mozilla.org has released Firefox 1.5.0.9 as a security and stability update to the 1.5x line of browsers. It is recommended that people who are not ready to update the firefox 2 should at least get this update. You extensions should continue to work, along with all of your bookmarks and personal settings (this may not be the case when upgrading to version 2.x). You can download Firefox 1.5.0.9 here.

Here is what Mozilla has to say about this incremental upgrade to 1.5.0.9:

What's New in Firefox 1.5.0.9

Note: Firefox 1.5.0.x will be maintained with security and stability updates until April 24, 2007. All users are strongly encouraged to upgrade to Firefox 2.

Fixed in Firefox 1.5.0.9

MFSA 2006-75 RSS Feed-preview referrer leak
MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
MFSA 2006-72 XSS by setting img.src to javascript: URI
MFSA 2006-71 LiveConnect crash finalizing JS objects
MFSA 2006-70 Privilege escallation using watch point
MFSA 2006-69 CSS cursor image buffer overflow (Windows only)
MFSA 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)

Source and details: http://www.mozilla.com/en-US/firefox/releases/1.5.0.9.html

Posted by Wiz at 2:27 AM | Permalink

I just installed and checked out Firefox 2.0 and had to uninstall it almost immediately. It is missing the Email Client launch icon and disabled most of my important Extensions, which I depend on for my work. These included such Extensions as SpoofStick, Adsense Preview, Lorem Ipsum Generator, McAfee Site Advisor, Google Statusbar PageRank indicator, and my HTML Validator, DNSStuff Toolbar, and ForecastFox Accuweather forecasts. In all it disabled 6 Extensions and updated only one. I will wait a while to upgrade to version 2.0 for a while, to let the Extension authors make their plugins compatible with this version.

Going back to version 1.5.0.7 was as simple as running the setup file for that version. It overwrote the new files with the previous versions, and when Firefox opened it was exactly as I had it before performing the upgrade.

If you are using a lot of Extensions and depend on them you may want to hold off on updating to version 2.x until the Extension authors catch up to it, and Mozilla adds back the Email launching icon (if you used it). Keep the setup file for 1.5.0.7 on hand until the dust settles.

If I didn't use so many Extensions and depend on them I would have taken a longer look at version 2.0, but I didn't want to corrupt my saved personal settings with all the disabled and missing items.

Wiz

Posted by Wiz at 10:52 PM | Permalink

Not to be outdone by Microsoft's recent release of Internet Explorer 7, Mozilla will release the second major version of its rival Firefox browser on Tuesday, October 24. The current beta release is RC3 and it is anticipated that not much needs to be changed to make it the official release version 2.0.

According to Mozilla Vice President of Products Christopher Beard, Firefox 2.0, which should be available on Tuesday if all goes according to schedule, includes key new usability features missing in the new IE 7.

Mozilla has also enhanced the popular tabbed browsing feature in 2.0 that Firefox introduced when it emerged two years ago as the first significant rival to IE in years, Beard adds. Tabs allow users to navigate more easily between multiple Web pages when browsing the Internet, and Microsoft added tabs to IE 7 after Firefox's success with the feature.

In Firefox 2.0, Mozilla has added a "close" button on its tabs, as well as new visual features to make the tabs appear more obvious to the user, Beard says.

New usability features in Firefox 2.0 that differentiate it from IE 7 include one that will restore the browser to pages where the user was working if a sudden OS restart is required. "If your browser needs a restart or the OS asks you to reboot, losing all of those Web pages and content is pretty disruptive," Beard notes.

Firefox 2.0 is offering two options for enabling this feature. One way is that, by default, the browser will give the user an option to restore his or her browser sessions if there is an unexpected shutdown; the other is an advanced option to set the browser so that it always restores the last five pages visited before a sudden reboot.

Antiphishing Filters in Both Browsers

Like IE 7, Firefox 2.0 also has an antiphishing filter that will help protect users from divulging personal information to fraudulent Web sites. But Mozilla has taken a different approach to its antiphishing filter than Microsoft has, Beard says.

Instead of checking individual Web pages users visit against lists of known phishing sites, thus sending information from the site to third parties that keep lists of such sites, Firefox updates its blacklist of known fraudulent Web sites automatically every half-hour to an hour. Beard said this better protects users' privacy because no information from the sites they've visited is sent to any third parties.

Mozilla also has added spell-checking features to the browser similar to those found in word-processing applications. Whenever a user is typing text in the browser--as when typing the name of a Web site, a blog entry, or an e-mail--Firefox's spell checker will underline in red words that appear misspelled. Right-clicking on the word will give a user options for a corrected spelling.

In addition, Firefox 2.0 has a new feature in its integrated search box that will suggest a list of search terms after a user types a few letters of a word, depending on the search engine being used. Firefox 2.0 uses Google, Yahoo, and Ask.com search engines as options for the search box, and each uses a different algorithm to suggest search terms, Beard explains. To ensure that this feature is not disruptive to the user experience, the suggested search terms will appear in a separate pane below the search box, he adds.

Posted by Wiz at 10:16 PM | Permalink

Mozilla released Beta 2 of its upcoming Firefox 2 browser for developer review Aug. 31, emphasizing that it is being made available for testing purposes only. The release contains a number of new features, as well as some enhancements to look and feel. "Firefox 2 Beta 2 is intended for Web application developers and our testing community," the team said on the Mozilla development website. "Current users of Firefox 1.x should not use Firefox 2 Beta 2 and expect all of their extensions and plugins to work properly."

Source: http://www.desktoplinux.com/news/NS3852026030.html

This beta release will soon be posted to the following page.

Firefox published beta downloads page: http://www.mozilla.org/projects/bonecho/all-beta.html

The final Firefox 2.0 is expected to be completed in early 2007, the team said. More beta versions are expected to be released this fall and winter.

Continue reading "Mozilla Releases New Beta of Firefox 2.0" »

Posted by Wiz at 3:05 PM | Permalink