Wiz's Computer and Website Security Blog

December 13, 2012

I first noticed the category assignment problem in November, 2012. I published an article on my MovableType blog and was annoyed when I didn't see the category I checked appear below the category box. I thought I was imagining things and saved the article. The same thing happened with several more articles. Yesterday I published another article and had the same problem of not being able to assign the entry to a category and it got my goat.

Late tonight I got really curious as to why I couldn't assign categories to my entries anymore and set out to discover whether anybody else had the same problem. At 2AM tonight, I found the cause and a solution.

I use Firefox as my default web browser and always upgrade when a new version comes down the stable release channel. Right now I am typing this in Firefox 17.0.1. The version I was using a month ago was 16.x, and I was using Firefox 15.x when I published my last article that I could assign a category to. Something has changed in Firefox, not MovableType!

After a brief Google search for "MovableType can't select categories for entries" I came across a MovableType Community forum topic about this very problem. All affected users were using Firefox 16 and newer, just like me. Fortunately for all of us, MovableType support figured out what had gone wrong in Firefox and has provided us with a patch. Actually, they provided 4 patches, for versions 4.28, 5.07, 5.14 and 5.2. People using any sub-version of MT 4.x should download the patch for MT 4.28. It is backwards compatible across most of v4.

The patch links are found on the community support page titled: Patch file for Firefox 16 users. Choose the file that most closely matches your installation of MovableType.

Continue reading "Fix for MovableType loses ability to assign categories to entries" »

Posted by Wiz at 1:53 AM | Permalink

back to top ^

It was just 3 days ago, on March 1, 2011, that Mozilla released Firefox 3.6.14, plugging several security and stability issues. Now, on March 4, 2011, they have pushed out another version: 3.6.15, with but one fix: Fixed an issue where some Java applets would fail to load in Firefox 3.6.14.

Not everybody has Java installed on their computers, but, if you do you expect it to work. Some sites use Java to scan for threats or out-of-date software on user's PCs. The Secunia Online Software Inspector is a security scanner that many people routinely use that runs on Java technology. If the Java Virtual Machine fails to load, the scanner does not work. Other uses for Java include online virus scans (real ones, not rogue scanners), interactive animations, presentations and various "applets" that run on a computer desktop.

Normally, when I write about Java it is about an updated version that has been released to fix critical vulnerabilities. This is probably the first time I mention Java where it is not at fault for something that has gone wrong. ;-)

You will want to update your Firefox browser now, whether you have the Java plug-in installed or not. If you have your preferences set to automatically update Firefox, it will happen on its own. Otherwise, you can go to the Help menu item and go down to Check for updates and click on that link. A box will scan for updates and tell you which version is available. Download it and click to restart Firefox. All open tabs will be preserved and will load when Firefox opens, after a minute or so. If you had more than one Firefox windows open, all of the will reappear.

If you experience delays updating through the browser's updater, go directly to the main Firefox download page and download the complete latest version. Install it over the existing version and all of your settings, bookmarks, sign-ons and cookies will be carried over.

Posted by Wiz at 8:10 PM | Permalink

back to top ^

On March 1, 2011, both Google and Mozilla released updates to their web browsers.

Firefox Update

Mozilla Foundation released Firefox 3.6.14, which is a security and stability release. There were 10 security fixes, 8 of which are rated critical. All together, there were 41 bugs reported and fixed, affecting all supported operating systems. I strongly advise all Firefox users to upgrade to the latest version.

Here is a list of the security fixes included in Firefox 3.6.14:

Fixed in Firefox 3.6.14
MFSA 2011-10 - CSRF risk with plugins and 307 redirects
MFSA 2011-09 - Crash caused by corrupted JPEG image
MFSA 2011-08 - ParanoidFragmentSink allows javascript: URLs in chrome documents
MFSA 2011-07 - Memory corruption during text run construction (Windows)
MFSA 2011-06 - Use-after-free error using Web Workers
MFSA 2011-05 - Buffer overflow in JavaScript atom map
MFSA 2011-04 - Buffer overflow in JavaScript upvarMap
MFSA 2011-03 - Use-after-free error in JSON.stringify
MFSA 2011-02 - Recursive eval call causes confirm dialogs to evaluate to true
MFSA 2011-01 - Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)

How to upgrade Firefox

You can upgrade to the latest version of Firefox by means of the automatic updater built into Firefox 3+, or by going to Help > "Check for updates," or by downloading the full install file from http://www.mozilla.com/firefox/ (8.2 MB). You must restart the browser to complete the upgrade. All open tabs will be saved and will re-open with the browser, after a minute or so. Ubuntu and Debian Linux users must use their Software Updater, with an Administrator password, to get new versions of Firefox.

Google Chrome Update

Also on March 1, 2011, Google released an updated Chrome browser earlier today. Google has released Chrome 9.0.597.107 for all platforms to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition. Open Google Chrome and click on the Settings icon > About Google Chrome, which launches the updater. The browser will close and re-open to complete the upgrade.

Posted by Wiz at 11:36 PM | Permalink

back to top ^

Just three days after Mozilla released Firefox 3.6.7, they have pushed out a stability/security update, Firefox version 3.6.8. I just published an extensive article about Firefox 3.6.7, two days ago!

This back-to-back sudden release was rushed out to fix a stability/security problem in the handling of crashed plug-ins (Flash), in Firefox browser windows and tabs. The problem was apparently caused by one of the 126 bug fixes included in Firefox 3.6.7. Right now, there are more unresolved bugs showing up in Bugzilla, for v 3.6.7 and one for the just released 3.6.8.

If you have allowed the option for automatic Firefox updates, you will see a pop-up notice about the new version. Download it, then, when prompted, restart Firefox. If you prefer to get the update manually, go to Firefox's Help menu item > Check for Updates. Download and apply the update to 3.6.8. You can also download the latest version from the Firefox product page.

UPDATE! July 26, 2010

Geek Alert!
Mozilla developer Daniel Holbert reported that the fix to the plug-in parameter array crash that was fixed in Firefox 3.6.7 caused a crash showing signs of memory corruption. While the Firefox What's New page described the update as a stability patch, there was more to the story. In certain circumstances, properties in the plug-in instance's parameter array could be freed prematurely leaving a dangling pointer that the plug-in could execute, potentially calling into attacker-controlled memory.

Posted by Wiz at 6:33 PM | Permalink

back to top ^

On July 20, 2010, Mozilla released Firefox 3.6.7, which contains 14 security fixes, 8 of which are rated as critical. Two more are rated high risk, with the remainder rated as important. This is the first major security overhaul since version 3.6.4 was released, in June. The other interim releases were to fix stability problems, especially as related to the handling of crashed plug-ins.

In addition to the security updates, 123 out of 126 reported bugs were fixed with version 3.6.7. Many affect the stability of the browser, others deal with particular behind the scenes issues.

If you are already using a prior version of Firefox as your browser of choice (which you are I hope!), go to the Help menu item and move down to Check for updates and click it. You will be offered the latest version of your series of Firefox. If you're already using version 3.6.x, you will receive the update to 3.6.7. If you have allowed the browser to automatically check for, and download updates, you'll get a little pop-up box notifying you that you must restart Firefox to complete the upgrade to version X.

Restart the browser as directed, to complete the upgrade! Any open tabs will reopen when Firefox reloads.

If you are using a different series than 3.6.x, you'll need to upgrade to the final version of that series, restart the browser, then when you check for updates again you will be offered the latest series and newest version.

Or, just go to the main Firefox product page and download the latest version. If you are not English speaking and need Firefox in your own language, go to the all languages download page instead. Each language has links to download Firefox for Windows, Mac OS-X and Linux operating systems. Note though, if you use Debian or Ubuntu Linux, you must update using your "Update Manager" - found in the Administration menu. Using Update Manager requires an Administrator level password.

Internet Explorer users wanting to try or migrate to Firefox can rest assured that Firefox will offer to import your saved Cookies and Favorites, which will now become "Bookmarks."

Firefox now enjoys a sizable percentage of the World wide browser market and as such is a target for malware authors. To add another layer of protection against JavaScript and iframe attacks, I advise you to install the famous NoScript! Add-on. By default, NoScript! disables JavaScript and cross domain redirection exploits, along with clickjacking, tab-napping and a multitude of other browser exploits in the wild. You will need to manually approve websites you trust, to allow scripting. This may include multiple approvals for imported content from advertisers, form suppliers, news feeds, etc. Once approved, a website remains on the whitelist unless you revoke your approval (temp or perm).

Please upgrade your browser to the latest version, to remain safe against the latest threats targeting it.

Posted by Wiz at 11:43 AM | Permalink

back to top ^

Starting with Firefox 3.6.4, Mozilla added a new feature called Crash Protection. This feature watches over three (initially Flash, Silverlight and Quicktime) plug-ins and isolates their tabs, if or when a supported plug-in crashes. Since the browser itself survives the crash, It is possible to reload that tab and hopefully, load the affected plug-in correctly.

However, soon after Firefox 3.6.4 was released, numerous complaints began arriving at Bugzilla, claiming that the new crash protection was making it impossible for those affected to play "Farmville." Apparently, the timeout for detecting a crash was too short, and Farmville was taking too long to load its Flash presentations. The page would halt loading with this message: "The Adobe Flash plugin has crashed."

To rectify the problem Mozilla rushed out Firefox 3.6.6, with a higher timeout of 45 seconds. That should fix the timeout problem for hi-speed broadband customers, but those on low speed broadband (e.g. mobile broadband modems, smartphones, netbooks), less than stellar satellite Internet and dial-up Internet services will still be affected by these timeouts. So, here is a manual workaround that allows you to specify a new timeout value, or even disable the crash protection completely.

How to disable or increase plug-in hang protection in Firefox 3.6.4+

You can disable hang protection to prevent Firefox from killing a hanging plug-in process, regardless of how long it's taking. Crashes in the plug-in will still be caught and will not terminate the browser process.

1. In the Location bar, type about:config and press EnterReturn.
   * The about:config "This might void your warranty!" warning page may appear. Click I'll be careful, I promise!, to continue to the about:config page.
2. The about:config page should appear. In the Filter box, type, or copy and paste: dom.ipc.plugins.timeoutSecs
3. Double click the setting and change the number to -1 to disable hang protection.
4. To maintain crash protection, change the value to a higher timeout, in seconds.
   ** Example: "45" means Firefox waits 45 seconds before declaring that a plug-in has crashed and halts the loading of the page.

You can apply this technique anytime an important web page is hanging because a plug-in is taking too long to load and Firefox declares that it crashed. You can undo your changes by lowering the timeout for normal crash protection.

Posted by Wiz at 4:35 PM | Permalink

back to top ^

December 16, 2009

Today, Mozilla released an update for the Firefox browser: version 3.5.6. This is basically a security release as it plugs 7 recently reported vulnerabilities in Firefox (and in Seamonkey). Three os the vulnerabilities were rated as Critical. There were also several stability issues resolved with this release.

Fixed in Firefox 3.5.6

MFSA 2009-71 GeckoActiveXObject exception messages can be used to enumerate installed COM objects
MFSA 2009-70 Privilege escalation via chrome window.opener
MFSA 2009-69 Location bar spoofing vulnerabilities
MFSA 2009-68 NTLM reflection vulnerability
MFSA 2009-67 Integer overflow, crash in libtheora video library
MFSA 2009-66 Memory safety fixes in liboggplay media library
MFSA 2009-65 Crashes with evidence of memory corruption (rv:1.9.1.6/ 1.9.0.16)

You can update Firefox right from your browser, using the Help menu > "Check for Updates" link. I found that while I was able to download the update I was unable to apply it, as I operate as an XP Pro Power User. To update via the browser I closed Firefox, then right-clicked on the desktop icon for it, then chose Run As, inputted my administrator credentials and opened Firefox as the Administrator. I was then able to perform the in-browser update. In past releases I was able to update Firefox as a Power User, so something has been changed in this release.

Alternately, you can download the latest version of Firefox from Mozilla's Firefox landing page, save it and run it with whatever permissions it demands. Since Firefox is installed into your Program Files directory, and creates accounts for all users, Windows demands administrator credentials or permissions to allow the installation.

If you are not yet a Firefox user you should try it. Use the link in the previous paragraph to download and install it. Leave the default option set to automatically check for updates. You will be given an option to import your cookies and Favorites into Firefox, both during installation and anytime afterward. Note, Favorites are called Bookmarks in Firefox and all other Mozilla based browsers. Only Internet Explorer and AOL's browsers refer to saved websites as Favorites.

Posted by Wiz at 4:16 PM | Permalink

back to top ^

On November 5, 2009, Firefox was updated to version 3.5.5. I learned this today, when I opened my Firefox browser and it began installing an update. When the browser launched it had moved up from version 3.5.4 to 3.5.5. I looked at the release notes and saw that this sudden update is purely a stability release. Apparently, there were some problems caused by the last two updates, which were mostly security patches. Release Notes. Most Firefox users will receive an automatic update to the new version, the next time you start Firefox. If you don't get an automatic update, use the Help menu item link to "Check for Updates." If you have a previous series 3.0 version you will need to first update to the most current version of that series before being offered to upgrade to series 3.5.x.

For those of you who are curious about Firefox, but have not used it yet, here are some basic facts. Firefox is a freeware project maintained by a foundation named the Mozilla Foundation. Funded by a grant from AOL and other concerns, Mozilla develops open source browsers and email programs (a.k.a. "clients"). The "Firefox" web browser is the flagship product from Mozilla. It is one of the most secure and absolutely the most frequently updated web browser in common circulation. It is constantly being tested and improved in security and stability, as issues or bugs are discovered. Firefox currently enjoys a 24% market share of web browsers, World wide and counting.

One of the strongest features of Firefox is its total lack of support for the Microsoft technology called ActiveX. ActiveX is one of the primary means of exploitation of Internet Explorer browsers. Only Internet Explorer recognizes that scripting technology, which is used by various scanners that operate inside a browser. Many users of Internet Explorer are easily tricked into installing and running hostile ActiveX Controls. This cannot happen if you browse the Internet using Firefox.

A new security feature found in Firefox, starting with series 3.5.x, is that it will tell you if you have a vulnerable, out of date version of Adobe Flash installed as a plug-in. Flash is found everywhere and cyber criminals use that fact to try to trick people into installing Trojans disguised as updated Flash players, when they are lured to hostile websites. Firefox will let you know if Flash needs to be updated and gives you a direct link to adobe.com, the only official source of the Flash Player. Only accept Flash updates that come from adobe.com!

Firefox uses new tabs to open links to new web pages, rather than opening a new browser window. There is no limit to how many tabs you can have open, altho too many will slow down opening of new links. You can set the behavior of links that are coded to open a new window to open in a new tab, or a new window and decide whether or not that tab or window receives focus as it opens the page. When you close Firefox with multiple tabs open it will offer to Quit and Save your tabs, or just Quit. If, like me, you always have a lot of tabs open and you save them upon closing the browser, the next time you start Firefox it will begin restoring all of those connections. Sometimes it takes a while to load a lot of websites simultaneously! If you are using a really fast broadband Internet service it shouldn't take too awfully long to load a dozen pages at the same time.

Firefox uses third party themes and add-ons to add features and color schemes not built into the browser. The approved color themes and Add-ons, formerly known as Extensions, is huge and is found at "Add-ons For Firefox". Note, that these are developed by individuals and as browser security improves, some older add-ons will no longer work and will be disabled. Unless the authors update those add-ons you will need to search for current model replacements. Firefox has an option setting to automatically check for updates to your Themes and Add-ons.

Internet Explorer ("IE") users wanting to try out, or move to Firefox can rest assured that during installation, or anytime afterward, you can import your saved cookies and Favorites, from IE into Firefox. Your "Favorites" will be placed inside a folder labeled "Imported bookmarks." Favorites in Firefox are called "Bookmarks" and are accessed by opening the menubar item labeled "Bookmarks." You can go on to organize your new or imported Bookmarks as you wish, using the "Organize Bookmarks" link, under the Bookmarks Menubar item.

Firefox is compatible with Windows 2000, upward, including Windows 7 and Mac OS X 10.4 and later and various versions of Linux. System requirements are found here.

Firefox Download links:

Firefox (English) for Windows. Other languages and operating systems. Ubuntu and Debian Linux users must use your Update Manager to get new releases of Firefox. It is part of a package that the installer recognizes. Mac and Windows users who already use Firefox can update to the latest version via the menu item Help > Check for Updates.

No matter what browser you use you still need to keep your guard up against being tricked into installing malware disguised as something else. These "malware" programs are called Trojan Horses. No browser can prevent foolishness on the user's part. That is why you need a good, current, up to date security program, like Trend Micro Internet Security (TMIS) to protect your PC, in case you are about to download or install a malware threat. Also known as PC-cillin, TMIS blocks access to web pages that are known to contain harmful code. This cuts off the most common means of infecting computers.

Posted by Wiz at 1:14 PM | Permalink

back to top ^

There have been significant program updates issued for Microsoft Windows, the Firefox browser, Adobe Acrobat and Reader and Apple's QuickTime browser plug-in. All updates were released this week to fix critical vulnerabilities that were reported and were being exploited by hackers and cyber-criminals. These criminal elements hijack legitimate websites and install hidden codes to redirect innocent visitors to hostile websites loaded with exploit attack codes.

Most of the successful attacks exploit vulnerabilities in browsers (usually Internet Exploder), or their installed add-ons and plug-ins. like Apple QuickTime, Adobe Flash and Reader (and other PDF readers) and Sun's Java plug-in. If any of these items are a vulnerable version you may have your computer hijacked by cyber-criminals who will make it a zombie member of their Botnet. This will turn your PC into a spam machine, or it could be used to attack websites or Governments, with whom the hackers have a difference of opinion.

In order to stay safe from the barrage of hack attacks targeting browsers and their plug-ins it is imperative that you keep Windows and its components and all third party add-ons up to date. One way is to always select the option to automatically check for, download and install updates to those programs. If there is no automatic update mechanism for a program you use you should check to see if it has been updated. This could be at the manufacturer's website, or by using the free Secunia Online Software Inspector (requires current version of Java).

The details of this week's updates are below, in my extended comments.

Continue reading "Windows, Firefox, Adobe Reader and Apple QuickTime updated" »

Posted by Wiz at 1:07 PM | Permalink

back to top ^

Although I use Firefox as my primary (default) browser and web design test tool, I have kept the latest version of Opera browsers installed as well, just to make sure it renders my layouts correctly. Today, March 3, 2009, I received a security alert that Opera Software, of Norway, had released a security update to the Opera Browser. This was in response to a vulnerability reported on CERT, on March 3, 2009. The new version is number 9.64. Like I usually do, I downloaded the new version, ran the setup file as an Administrator (using Run As), from my XP Professional Power User account and upgraded from the previous version (9.63). When Opera opened everything looked fine and I closed it and went on about my business, working with html files I was editing.

Begin Rant:

I was about an hour later, still logged into my Power User account, that I went to the still open directory where these .html files live and double clicked on one, expecting it to open in Firefox, which is my default browser. Instead, to my surprise, it opened in Opera! I had not made any changes in the setup of Opera. I told the program to perform an Upgrade installation, just like the previous versions had been. None of them ever stole my default browser association and few even asked about being made the default browser. This is something new and as it turned out, slightly difficult and aggravating to resolve.

When I found that Firefox was not opening .html files any more I checked its options to see if it was still the "default browser;" which it claimed it was. Had it not been, I would have been able to make it so, using the Check Now button (Tools > Options > Advanced > System Defaults). But, Firefox thought it still was the default browser, so I tried disassociating .html files within Opera, but nothing changed. About that time I decided switch to my Administrator level account to uninstall Opera and see if it gave back the previous association to Firefox, but no luck. I went into Set Access and Defaults and reset Firefox as the Default browser, which worked in the Admin account, so I logged off it and back into the Power User account. Note, that you cannot change the Program Access and Defaults from a Power User account, only an Administrator level account, in XP.

Back in my Power User account I found that it now associated .html files with Windows Notepad! Every html file I double clicked on opened in Notepad, not Firefox! I decided to do an end run around the Windows File Association defense and right clicked on an html file, in the aforementioned folder, and chose Properties. The Properties sheet showed the html files opened with Notepad and offered a button to Change that. I used the button and chose Firefox to open .html files, clicked Apply and OK. When I tried opening an html file it still wanted to use Notepad, so I restarted the computer. This act alone cures a lot of mess-ups and it fixed this one.

The point of this article isn't just to show my readers how to recover from a browser file type association theft, but also to let Opera Software know that one of their users is pretty #@$%*~ off right now about having to go through all this work to keep a long ago established file type association that their update broke, without any word of warning. Also, it may be a long time before I reinstall an Opera Browser, which I was only using to test website layouts for compatibility anyway.

End Rant

Posted by Wiz at 5:21 PM | Permalink

back to top ^

If you are still browsing the Internet (and reading this) with Firefox 2.x, you need to know that support for it has ceased. Mozilla.org is no longer releasing any security updates to this line, which ended at version 2.0.0.20, in December 2008. With that final security update an existing security feature was disabled. Mozilla has turned off the anti-phishing filter built into Firefox browsers, from 2.0 up. This was done at the request of Google, who maintain the databases used by the phishing filter. However, the anti phishing filter is alive and well in the new series 3 Firefox browsers. For your continued security I recommend that you upgrade to Firefox 3.x as soon as possible.

If you have an older version of Firefox 2.x and the anti phishing filter is still enabled on it, I have bad news for you. On Monday, January 19, 2009, Google turned off the phishing website blacklist for Firefox 2.x browsers. Even though your browser may show the anti phishing filter as active its database is no longer being updated. This gives a false sense of security where none exists. Phishing websites typically have a useful life of between 3 days to two weeks, before they are reported and taken down by hosting providers or ISPs. If your anti phishing filter is not receiving regular updates you will be completely out-dated in a week or two. The websites in your blacklist will probably be inactive (as phishing sites), but newly discovered sites won't be added to your database.

You have some tough choice to make if you want to have Firefox browser protection against phishing attacks via compromised websites. If you choose to not upgrade to Firefox 3.x you should disable the setting "Tell me if the site I'm visiting is a suspected forgery" in the Security preferences section of Firefox 2.0's Options dialog box.

Here are your anti-phishing security options.

• Upgrade to Firefox 3.x which Google is supporting with new anti phishing updates (Recommended)


• Install the Netcraft Toolbar for Firefox


• Install the McAfee SiteAdvisor Toolbar for Firefox


• Install the Trend Micro Web Protection Add on (beta)


• Trend Micro Internet Security (PC-cillin)

All of the above options will detect and prevent access to known phishing websites. The Trend Micro programs also block access to malware distribution or exploit coded websites.

Posted by Wiz at 2:55 PM | Permalink

back to top ^

On July 16, 2008, Mozilla released Firefox 3.01, patching three critical vulnerabilities, and 2.0.0.16, patching two critical security vulnerabilities, as reported by Secunia and other locations. Here is an outline of what has been patched in FF 3.01:

• Fixed these security issues:
  
  
  
  1. MFSA 2008-36 Crash with malformed GIF file on Mac OS X
  
  
  2. MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
  
  
  3. MFSA 2008-34 Remote code execution by overflowing CSS reference counter
  
  
  
  


• Fixed several stability issues.


• Fixed an issue where the phishing and malware database did not update on first launch.


• Under certain circumstances, Firefox 3.0 did not properly save the SSL certificate exceptions list.
  
• Updated the internal Public Suffix list (List of known domain suffixes).


• In certain cases, installing Firefox 2 in the same directory in which Firefox 3 has been installed resulted in Firefox 2 being unstable. This issue was fixed as part of Firefox 2.0.0.16.


• Fixed an issue where, when printing a selected region of content from the middle of a page, some of the output was missing (bug 433373).


• Fixed a Linux issues where, for users on a PPP connection (dialup or DSL) Firefox always started in "Offline" mode (bug 424626).

If you haven't already received your notice to upgrade, from the browser itself, go to the Firefox download page and get it manually. Just install over your previous installation, overwriting your existing installation of Firefox. You won’t lose any of your bookmarks or browsing history, but some of your extensions and other add-ons might not work until updates for them are made available (or you learn how to hack the install.rdf files like I do).

As always, after you update your browser you may have to allow it to connect to the Internet, if you have ZoneAlarm FIrewall, or a similar firewall that monitors for program md5 signature changes.

Continue reading "Mozilla Releases Firefox Browser 3.01 Security Update" »

Posted by Wiz at 8:02 PM | Permalink

back to top ^

Mozilla Foundation has announced that sometime in December 2008 all updates and support for Firefox 2.x browsers will come to an end. After that only version 3.x will receive updates. The following notice is posted on the downloads page for Firefox 2.x browsers.

Firefox 2.0.0.x will be maintained with security and stability updates until mid-December, 2008. All users are strongly encouraged to upgrade to Firefox 3.

This gives the authors of the various add-ons, extensions, plug-ins and themes 6 months notice to update their applications to be compatible with Firefox series 3 browsers.

Those of you who are staying with Firefox 2.0.0.x because you use add-ons that have not been updated for version 3.x will have to consider these options over the next few months.

1. Search for replacement add-ons that are compatible with Firefox 3.x and similar enough to our old ones to be suitable.
2. Try to force the new browser to use our old add-ons, using browser configuration hacks. This can have disastrous effects on browser stability if an add-on is truly incapable of working with the new security model or rendering engine. A few of these hacks are listed in my extended content, below.
3. Upgrade to Firefox 3, let it disable incompatible add-ons, then set it to check for updates to add-ons every time it searches for browser updates. This can be set in the browser Options, under Advanced > Update. This will slow the opening of the browser until the search has completed. Also, if an update is available you will have to interact with the notification box to install it, or skip it.
4. You can also check manually for updates to your add-ons (enabled or disabled) by going to the menu item Tools > Add-ons, then clicking "Find Updates." You will have the option of installing any updates, then restarting Firefox. The updates will not "take" until you restart (all instances of) the browser. If you had multiple tabs open when you click Restart they will all re-open when the browser restarts.

All of the add-ons and extensions for Firefox are written and maintained by volunteer authors and are available from the official Mozilla.org add-ons website. All add-ons list the author's website on record at the time the add-on was first submitted for approval. Sometimes these websites will have a newer version available than the Firefox website. So, if your add-ons are not yet updated to work in Firefox 3.x, visit the author's website to see if one is available there. Just be sure you use the author links found at https://addons.mozilla.org/en-US/firefox/ for your existing or new add-ons.

Unfortunately, some of the add-ons have been abandoned by their authors and are no longer being updated. While you may be able to hack their configuration codes to force them to install, be prepared for possible instability issues in Firefox, caused by incompatible add-ons forced into service.

Continue reading "Support for Firefox 2.x browsers ends in Mid-December 2008" »

Posted by Wiz at 3:59 PM | Permalink

back to top ^

On July 1, 2008, Mozilla Foundation pushed out automatic and manual updates to its version 2 series Firefox browsers, bring the latest version number up to 2.0.0.15. The new version contain a dozen fixes ranging from low to critical. Five fixes are critical, four are high, two are moderate and one is low importance. Below is a list of the vulnerabilities fixed in Firefox 2.0.0.15.

Fixed in Firefox 2.0.0.15

MFSA 2008-33: Crash and remote code execution in block reflow
MFSA 2008-32: Remote site run as local file via Windows URL shortcut
MFSA 2008-31: Peer-trusted certs can use alt names to spoof
MFSA 2008-30: File location URL in directory listings not escaped properly
MFSA 2008-29: Faulty .properties file results in uninitialized memory being used
MFSA 2008-28: Arbitrary socket connections with Java LiveConnect on Mac OS X
MFSA 2008-27: Arbitrary file upload via originalTarget and DOM Range
MFSA 2008-25: Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
MFSA 2008-24: Chrome script loading from fastload file
MFSA 2008-23: Signed JAR tampering
MFSA 2008-22: XSS through JavaScript same-origin violation
MFSA 2008-21: Crashes with evidence of memory corruption (rv:1.8.1.15)

The release and installation notes, plus download links, are found here. If you already use Firefox version 2.x and have set the option to automatically check for and download updates, your update should await you now, or next time you open Firefox while connected to the Internet. If you prefer to do a manual update you can do it from your Firefox browser. Go to the menu item "Help" > "Check for Updates."

If you are still using Firefox 2.x you should obtain the update as soon as possible, to stay protected against the 12 attack vectors fixed in version 2.0.0.15. Better yet, you can upgrade all the way to the newest series, Firefox 3.x browser, here. Note, that if you use add-on extensions, many are still waiting to be updated by their authors, to be compatible with series 3 Firefox browsers, first released on June 17, 2008.

Posted by Wiz at 1:09 AM | Permalink

back to top ^

Apple updates Safari browser for Windows with four security patches
June 19, 2008

Today, June 19, 2008, Apple Inc. released four security patches to fix critical vulnerabilities in its Safari browser. One of those fixes was for what has become known as the "Safari carpet-bombing exploit," which Apple had previously discounted as a feature, not a security vulnerability. This is a condition allowed by the unpatched Safari browser that allowed unacknowledged downloading of multiple executable files to a user's desktop. These files could in turn interact with Windows in a special way that would actually launch the setup routines for malware applications - downloaded to your desktop, without your knowledge or explicit permission.

The danger lies in the fact that a user typically has a browser opened to a large size on their desktop, along with other application windows, obscuring the desktop from view. If that browser is an unpatched version of Apple's Safari browser and the user is either enticed, or invisibly redirected to a hostile download site, the malware setup files will be silently downloaded to that user's desktop, where they may be executed by Windows, before the user is even aware they were downloaded. This could lead to instant system takeover, where the malware would run with the same privileges as the logged in user.

The Safari update is only for Windows users, not Mac OSX versions. Version 3.1.2 of Safari for Windows can be downloaded and installed from Apple Downloads.

Carpet bombing attack
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2540, a vulnerability in how Windows desktop handles executable files. Apple explains: "Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code. Web browsers are a means by which files may be saved to the desktop. To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user's Downloads folder on Windows Vista, and to the user's Documents folder on Windows XP."

Internet Explorer 7
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2306 which is an Internet Explorer 7 vulnerability. Apple explains: "If a Web site is in an Internet Explorer 7 zone with the 'Launching applications and unsafe files' setting set to 'Enable,' or if a Web site is in the Internet Explorer 6 'Local intranet' or 'Trusted sites' zone, Safari will automatically launch executable files that are downloaded from the site. This update addresses the issue by not automatically launching downloaded executable files, and by prompting the user before downloading a file if the 'always prompt' setting is enabled."

BMP or GIF image memory error
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-1573, an out-of-bounds memory read vulnerability. The error may occur in the handling of BMP and GIF images, which may lead to the disclosure of memory contents.

WebKit Javascript array
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2307, which is a memory corruption vulnerability. An error exists in WebKit's handling of JavaScript arrays, so visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

If you currently have Safari browser installed on your computer you should update it immediately, whether you use it regularly or not.

Continue reading "Apple finally updates its Safari browser to fix carpet-bombing vulnerability" »

Posted by Wiz at 11:54 PM | Permalink

back to top ^

March 25, 2008

Tonight, while I was browsing with Firefox, it was suddenly upgraded from version 2.0.0.12 to 2.0.0.13. This is because I set the option for Firefox to automatically check for and apply updates. Being the curious type I looked up the release notes, to find out why this new sub-version was pushed out, so quietly tonight. Here is the skinny.

What's New in Firefox 2.0.0.13

Release Date: March 25, 2008
Security Update: The following security issues were fixed.

1. MFSA 2008-19: XUL popup spoofing variant (cross-tab popups) - High
2. MFSA 2008-18: Java socket connection to any local port via LiveConnect - High
3. MFSA 2008-17: Privacy issue with SSL Client Authentication - Low
4. MFSA 2008-16: HTTP Referrer spoofing with malformed URLs - Moderate
5. MFSA 2008-15: Crashes with evidence of memory corruption (rv:1.8.1.13) - Critical
6. MFSA 2008-14: JavaScript privilege escalation and arbitrary code execution - Critical

This is half the vulnerabilities that were patched in the previous upgrade, from 2.0.0.11 to 2.0.0.12, which was released on February 7, 2008. If you use Firefox Browsers you should check for updates as soon as you go online with a computer it is installed on. It may beat you to the draw though! Otherwise, open Firefox and click on the Menu Item: "Help" > "Check for Updates." If you need the update it will be displayed prominently, with a button to Download and Install now. It'll only take a minute or so, on Broadband, after which a box will pop-up telling you that Firefox was upgraded and must be restarted. Click Ok to restart, even if you have multiple tabs open. They will reopen when Firefox restarts. You may have to login to password protected sites. After the update and restart, if you use and Add-Ons, or Extensions, run a check for updates to those items. It may take a few days for the authors to catch up and issue new releases to remain compatible with the latest updates. Most of the time everything I have added on still works after numerous upgrades.

If this is all news to you and you have not tried the FIrefox browser, here is a link to the official Firefox download page, for all languages. If you, like me, are in the US (or Canada), and use the US English version, on a Windows based computer, here is your Firefox download link, for the 5.7 Mb file. Save it to your hard drive and run setup. During the setup process Firefox will offer to import your Internet Explorer Favorites and Cookies. Allow it to import these items and finish the installation. Once Firefox opens you will have Bookmarks instead of Favorites, but, all of your previously saved Favorites will be available by clicking on Bookmarks > "From Internet Explorer." Mouse over this folder and all your Favorites will flyout in a list. Clicking on any bookmark will open it in the browser. Since you told it to import your cookies your preferences will carry over as well, although you may have to re-type your logins to some websites, manually. If this is necessary, tell Firefox to remember your login for that website and it will be safely stored for you.

Firefox is a tabbed browser and can open links you click on in a new tab, instead of a new Window. You have the option of giving the new tab focus, or staying put where you were when you clicked on the link. Furthermore, Firefox does not run any ActiveX controls, thus making it infinitely more safe to browse with then Internet "Exploder." Give Firefox a try today.

Posted by Wiz at 11:36 PM | Permalink

back to top ^

On February 7, 2008, Mozilla.org released the newest update to the renowned Firefox browser; version 2.0.0.12. This is primarily a security release, fixing ten major issues, nine of which deal with security vulnerabilities. If you are allowing Firefox to automatically check for updates you should be getting yours sometime on Feb 8, 2008, in a little pop-up notice. Otherwise, if you are in a hurry to upgrade now, open Firefox 2.x, click on the menu item Help >> Check for Updates. A pop-up box will appear, then check for updates, then will display the notice that a new version, 2.0.0.12 is available. You can just download the minimum required files and upgrade it on the spot. After the files are downloaded to a temporary directory the installer will ask for permission to restart Firefox, which should only take about 30 seconds, or so. You can confirm that you have the new version by clicking on the Menu item Help >> About Mozilla Firefox.

Firefox is also available for manual downloading and installation, from the main Firefox product page. Just download it and install it over the previous version. It will import/re-use all of your Bookmarks and History, and your Add-ons, if they are still compatible with the new release and it's security fixes. Rest assured, that most add-ons get updated shortly after the authors learn that they have stopped working in a new security release, or major build upgrade.

If you prefer to use a version of Firefox in a language other than English, there is a link in the lower right area of the Download page, where you can select your desired language. There are currently 44 different language versions of Firefox available. They are all available for Windows, Mac OSX and Linux operating systems.

What's New in Firefox 2.0.0.12?

Fixed in Firefox 2.0.0.12
MFSA 2008-11 - Web forgery overwrite with div overlay
MFSA 2008-10 - URL token stealing via stylesheet redirect
MFSA 2008-09 - Mishandling of locally-saved plain text files
MFSA 2008-08 - File action dialog tampering
MFSA 2008-06 - Web browsing history and forward navigation stealing
MFSA 2008-05 - Directory traversal via chrome: URI
MFSA 2008-04 - Stored password corruption
MFSA 2008-03 - Privilege escalation, XSS, Remote Code Execution
MFSA 2008-02 - Multiple file input focus stealing vulnerabilities
MFSA 2008-01 - Crashes with evidence of memory corruption (rv:1.8.1.12)

If you are not already using Firefox and wonder why you should switch, I'd say that security is reason number 1, as Firefox simply does not run or interpret any of the ActiveX Controls that are used in Internet Explorer. Most, but not all, hostile take-overs of Internet Explorer occur via ActiveX exploits. When a new security vulnerability is found in the Wild, for Firefox, the developers usually come out with a patched version in a matter of days. Internet Explorer users usually have to wait a month for patches, which come with your monthly Patch Tuesday Windows Updates. Which reminds me to remind you; Windows Updates are coming next Tuesday, February 12. There will be 12 security updates, including one for Internet Explorer.

Note; If you use a software firewall that monitors files for changes, like ZoneAlarm does, you will need to approve the changed Firefox browser permission to continue to access the Internet. The same will apply to Internet Explorer, next Tuesday. This happens because the file sizes and signatures are changed when the browsers are patched to a new version number. Just tell your Firewall that the change is allowed and have it remember your decision.

Posted by Wiz at 1:25 AM | Permalink

back to top ^

AOL announces the end of development and support for Netscape web browsers.

In1999, AOL acquired the floundering Netscape Communications Corporation, which included their flagship Netscape browser. AOL has announced, on the Netscape Blog, on December 28, 2007, that all development and technical support for it's Netscape line of browsers will end on February 1, 2008. This support includes security patches and stability updates. After February 1, there will be no more active product support for Navigator 9, or any previous Netscape Navigator browser. This includes Netscape v1-v4.x, Netscape v6, Netscape v7 Suite, Netscape Browser v8, and Netscape Navigator/Messenger 9.

The folks running the Netscape division of AOL recommend that people who have been using their branded version of Netscape switch to Firefox and I second that opinion. Netscape, in its current incarnation, is based on the the same rendering engine as Mozilla Foundation's Firefox browser. Mozilla is the parent of Firefox. You can download Firefox here. It is updated frequently and is actively being developed and supported.

Their recommendation for the nostalgic out there is to download Mozilla Firefox, and add on the Netscape theme and Netscape extensions which are available here:

https://addons.mozilla.org/en-US/firefox/user/56836

Despite the demise of the Netscape browser, the Netscape.com portal will remain online and active.

For those who have never used Firefox before and have been using Internet Explorer, one phase of installation will offer to import you IE Favorites and Cookies, which I recommend. With Firefox your IE "Favorites" will now be named "Bookmarks." Firefox uses tabs to open new web pages, instead of new windows, unless you prefer it the old way (it's an option). Firefox's preferences are called "Options" and are found at the bottom of the "Tools" menu item. Firefox has a default setting to automatically check for browser updates, but you can manually do so via "Help" > "Check for Updates."

Continue reading "Say goodbye to the Netscape Browser" »

Posted by Wiz at 5:58 PM | Permalink

back to top ^

Mozilla Foundation has just released a security update to their flagship browser; Firefox. The new version is 2.0.0.8, which was released on October 18, 2007. This is primarily a security update, which fixes the following documented security issues:

Fixed in Firefox 2.0.0.8
MFSA 2007-36: URIs with invalid %-encoding mishandled by Windows
MFSA 2007-35: XPCNativeWrapper pollution using Script object
MFSA 2007-34: Possible file stealing through sftp protocol
MFSA 2007-33: XUL pages can hide the window titlebar
MFSA 2007-32: File input focus stealing vulnerability
MFSA 2007-31: Browser digest authentication request splitting
MFSA 2007-30: onUnload Tailgating
MFSA 2007-29: Crashes with evidence of memory corruption (rv:1.8.1.8)

You can download the current version here: http://www.mozilla.com/en-US/firefox/.

The release notes about installation and known issues are found here

Posted by Wiz at 2:49 PM | Permalink

back to top ^

Mozilla, the owners of the Firefox browser, have released a security update on September 18, 2007, labeled version 2.0.0.7 . This update fixes just one critical vulnerability that was able to be exploited with a QuickTime Media File running a command against the Firefox "chrome." Successful exploitation could lead to complete browser, and/or system takeover, depending on the privileges of the logged in user. Yesterday's updates end the ability of third party software to run command lines in Firefox, entirely.

Firefox can be updated from within the program interface by clicking on Help > Check for Updates. If you see that a new version is available allow it to download and install it. Your browser will close for a minute, then re-open as a new version. If you use a software firewall, like ZoneAlarm, it will pop-up a challenge because the MD5 checksum of Firefox has changed. Allow the change and allow it to access the Internet.

All of the extensions that worked in version 2.0.0.6 continued to work after upgrading to 2.0.0.7. If you don't already have Firefox you can download the current version here

Despite Firefox releasing a patched version, the actual vulnerable program is and remains the Apple Quicktime plug-in. Expect a patched version to be available soon. I will blog about it when it becomes available.

Posted by Wiz at 10:04 PM | Permalink

back to top ^

News Flash!
Mozilla has just released a security update to it's flagship Firefox browser; Firefox 2.0.0.6

The news here is that this sudden release patches a critical vulnerability known as "Firefox URI-Handling Bugs," which could leave a Firefox equipped computer open to hijacking.

Mozilla Security Chief Window Snyder announced on July 23 that Mozilla had found a new scenario over the preceding weekend in which Firefox could be used as an attack entry point in various ways, via URI exploits. Specifically, while browsing with Firefox, Snyder said, a malicious URL could be used to pass along bad data to another application.

The problems arise from an input-validation error that can allow remote attackers to execute arbitrary commands on a victim system, through processes such as "cmd.exe," by employing various URI handlers.

In a Deepsight alert to its customers July 31, Symantec, of Cupertino, Calif., outlined this possible attack scenario: First, an attacker constructs malicious links to pass arguments or parameters for an external application that will run when the URI is loaded. The attacker then plants the malicious link on a Web site or sends it through HTML e-mail or by other means.

If successful, the attacker then executes an arbitrary application. First, an attacker would launch the command line, then could pass arbitrary arguments to the command shell that would then launch other applications.

An additional bug has been patched in version 2.0.0.6. Mozilla researcher moz_bug_r_a4 reported that a flaw was introduced by the fix for MFSA 2007-20 that could enable privilege escalation attacks against addons that create "about:blank" windows and populate them in certain ways (including implicit "about:blank" document creation through data: or javascript: URLs in a new window).

One add-on known to be affected is the Web Developer Toolbar, which is used by webmasters to analyze web pages, which was safe in its default configuration but potentially vulnerable to malicious web content if informational windows were opened as separate windows instead of tabs.

Synopsis:
Fixed in Firefox 2.0.0.6
MFSA 2007-27: Unescaped URIs passed to external programs
MFSA 2007-26: Privilege escalation through chrome-loaded about:blank windows

Firefox Version 2.0.0.6, is available here for Windows, Mac and Linux. Users on Firefox 2.0.0.x will be getting an automated update notification within 24 to 48 hours, or the update can be manually downloaded by selecting "check for updates" in Firefox's Help menu. Do so immediately for your own protection!

Posted by Wiz at 7:04 PM | Permalink

back to top ^

Mozilla.org has released a security and compatibility upgrade of the popular Firefox browser; version 2.0.0.4, on May 30, 2007.

While this edition features fixes for several critical security vulnerabilities it also contains compatibility fixes to make it work better under Windows Vista. Details are below.

Security Vulnerabilities Fixed in Firefox 2.0.0.4
MFSA 2007-17 XUL Popup Spoofing
MFSA 2007-16 XSS using addEventListener
MFSA 2007-14 Path Abuse in Cookies
MFSA 2007-13 Persistent Autocomplete Denial of Service
MFSA 2007-12 Crashes with evidence of memory corruption (rv:1.8.0.12/1.8.1.4)

* Clicking links in some applications (e.g. some instant messaging programs) might not open them in Firefox, even if you have set it as your default browser. To workaround this problem, go to Start -> Default Programs -> Set default programs for this computer, expand custom, select the radio button next to the app you want to set as the system wide default app (e.g. Firefox, etc.), and apply.
* A Windows Media Player (WMP) plugin is not provided with Windows Vista. As a workaround, in order to view Windows Media content, you can follow these instructions. Note that after installing you may have to get a security update and apply it before you can see the content in the browser.
* Vista Parental Controls are not completely honored. In particular, file downloads do not honor Vista's parental control settings. This will be addressed in an upcoming Firefox release.
* When migrating from Internet Explorer 7 to Firefox, cookies and saved form history are not imported.

Downloading Firefox 2
Mozilla provides Firefox 2 for Windows, Linux, and Mac OS X in a variety of languages. You can get the latest version of Firefox 2 here.

Installing Firefox 2
Please note that installing Firefox 2 will overwrite your existing installation of Firefox. You won't lose any of your bookmarks or browsing history, but some of your extensions and other add-ons might not work until updates for them are made available.

Some firewall software may silently block Firefox from running. Other software firewalls, like ZoneAlarm, will pop-up a Program (changed) Alert that you must interact with (twice) to allow the updated Firefox browser to connect to the Internet. This often happens immediately after Firefox has been installed or updated from a previous version. There are configuration instructions available for most popular firewall programs to help you ensure that Firefox is allowed to connect to the Internet. In the case of ZoneAlarm you know you just updated Firefox so Allow it to connect the the Internet AND check the box to remember your decision. Firefox contains a component that automatically checks for updates while you are online and you may have to allow that (changed) component to connect after updating the browser.

The release notes and caveats about this version of Firefox are found here.

Removing Firefox 2
You can remove Firefox 2 through the Control Panel in the Start Menu on Windows, by removing the Firefox application on OS X, or by removing the firefox folder on Linux.

Removing Firefox 2 won't remove your bookmarks, web browsing history, extensions or other add-ons. This data is stored in your Firefox Profile folder.

Continue reading "Firefox 2.0.0.4 Released on 5/30/2007 - Security and Compatibility Upgrade" »

Posted by Wiz at 2:43 PM | Permalink

back to top ^

Firefox users take note: Mozilla will only supply security and stability upgrades for Firefox 1.5x until mid-May of this year (2007). They encourage all Firefox 1.5 users to visit http://getfirefox.com to download the latest version of Firefox today. Mozilla is focusing on delivering a faster and more secure online experience. They want all of their users to benefit from the new features in Firefox 2.0, and in the not to distant future, Firefox 3.0.

I personally made the switch to version 2.0.x about two months ago and have no regrets. All of the Extensions I was using are now updated to work with version 2.0 and newer. The tabs that used to get squeezed in width as more were opened will now generate horizontal arrow buttons to scroll them to the right or left, when you have more tabs open than the width will accomodate. There are a lot of neat skins being developed for these new Firefox browsers and some awesome new "Add-ons" as the Extensions are now called. Firefox 2 supports JavaScript 1.7 and inline spell checking in text areas and text fields, which is a tremendous help for us Bloggers and Forumites.

Other new features:
* Microsummaries provide a way to create bookmarks that display information pulled from the site they refer to, updated automatically. Great for stock tickers, auction monitoring, and so forth.
* Search engine manager lets you rearrange and remove search engines shown in the search bar.
* Tabbed browsing enhancements include adding close buttons to each tab, adjustments to how Firefox decides which tab to bring you to when you close the current tab, and simplified preferences for tabs.
* Phishing Protection to warn users when the web site you're looking at appears to be a forgery.

Behind the scenes version 2 and newer have increased security enhancements not found in version 1.x, and they are now basically Windows Vista compatible, with a few minor Vista bugs scheduled to be fixed in soon to be released updates. At the time of this Post the current version of Firefox browser is 2.0.0.3, with 2.0.0.4 around the corner. Updates are released to fix compatibility, security and stability issues and can be applied manually by selecting "Check for Updates..." from the Help menu, on the toolbar, or by allowing (periodic) automatic update checks.

Firefox is available for Windows 98 through XP and now Vista, and non-Microsoft operating systems as well, including Mac and Linux. Current versions offer the option to also install the Google Toolbar, which is used by searchers and Webmasters alike.

Posted by Wiz at 11:58 PM | Permalink

back to top ^

Mozilla.org has released a security and compatibility upgrade of the flagship Firefox browser; version 2.0.0.3, on March 20, 2007.

The one security enhancement is in response to the MFSA 2007-11: FTP PASV port-scanning flaw. The compatibility improvement is regarding various web compatibility "regressions."

Downloading Firefox 2
Mozilla provides Firefox 2 for Windows, Linux, and Mac OS X in a variety of languages. You can get the latest version of Firefox 2 here.

Installing Firefox 2
Please note that installing Firefox 2 will overwrite your existing installation of Firefox. You won't lose any of your bookmarks or browsing history, but some of your extensions and other add-ons might not work until updates for them are made available.

Removing Firefox 2
You can remove Firefox 2 through the Control Panel in the Start Menu on Windows, by removing the Firefox application on OS X, or by removing the firefox folder on Linux.

Removing Firefox 2 won't remove your bookmarks, web browsing history, extensions or other add-ons. This data is stored in your Firefox Profile folder.

Continue reading "Firefox 2.0.0.3 Security Release Issued on March 20, 2007" »

Posted by Wiz at 11:50 PM | Permalink

back to top ^

Mozilla.org has released Firefox 2.0.0.2, on February 23, 2007.

If you are not already using Firefox to browse the Internet, what are you waiting for?

What's New in Firefox 2.0.0.2

* Release Date: February 23, 2007
* Security Update: The following list of security issues have been fixed.
* Windows Vista Support: Many enhancements and fixes for Windows Vista are included along with the following caveats.
* New Languages: Beta releases for several new languages are now available for testing.
* Permissions Bug Fixed: In the German (de) locale on Windows and Linux, resolved a problem with certain files tagged as read-only.

Mozilla provides Firefox 2 for Windows, Linux, and Mac OS X in a variety of languages. You can get the latest version of Firefox 2 here.

Mozilla Firefox 2.0.0.2 Release Notes

Fixed in Firefox 2.0.0.2
MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks
MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow
MFSA 2007-05 XSS and local file access by opening blocked popups
MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
MFSA 2007-03 Information disclosure through cache collisions
MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks
MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)

Get Firefox here

Continue reading "Firefox Browser v 2.0.0.2 released on February 23, 2007" »

Posted by Wiz at 1:31 AM | Permalink

back to top ^

Mozilla.org has released Firefox 1.5.0.9 as a security and stability update to the 1.5x line of browsers. It is recommended that people who are not ready to update the firefox 2 should at least get this update. You extensions should continue to work, along with all of your bookmarks and personal settings (this may not be the case when upgrading to version 2.x). You can download Firefox 1.5.0.9 here.

Here is what Mozilla has to say about this incremental upgrade to 1.5.0.9:

What's New in Firefox 1.5.0.9

Firefox 1.5.0.9 is a security and stability update that is part of our ongoing program to provide a safe Internet experience for our customers. We recommend that all Firefox 1.5.0.x users upgrade to this latest version.

* Improvements to product stability
* Several security fixes

Release Date: December 19, 2006

Note: Firefox 1.5.0.x will be maintained with security and stability updates until April 24, 2007. All users are strongly encouraged to upgrade to Firefox 2.

Fixed in Firefox 1.5.0.9

MFSA 2006-75 RSS Feed-preview referrer leak
MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
MFSA 2006-72 XSS by setting img.src to javascript: URI
MFSA 2006-71 LiveConnect crash finalizing JS objects
MFSA 2006-70 Privilege escallation using watch point
MFSA 2006-69 CSS cursor image buffer overflow (Windows only)
MFSA 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)

Source and details: http://www.mozilla.com/en-US/firefox/releases/1.5.0.9.html

Posted by Wiz at 2:27 AM | Permalink

back to top ^

I just installed and checked out Firefox 2.0 and had to uninstall it almost immediately. It is missing the Email Client launch icon and disabled most of my important Extensions, which I depend on for my work. These included such Extensions as SpoofStick, Adsense Preview, Lorem Ipsum Generator, McAfee Site Advisor, Google Statusbar PageRank indicator, and my HTML Validator, DNSStuff Toolbar, and ForecastFox Accuweather forecasts. In all it disabled 6 Extensions and updated only one. I will wait a while to upgrade to version 2.0 for a while, to let the Extension authors make their plugins compatible with this version.

Going back to version 1.5.0.7 was as simple as running the setup file for that version. It overwrote the new files with the previous versions, and when Firefox opened it was exactly as I had it before performing the upgrade.

If you are using a lot of Extensions and depend on them you may want to hold off on updating to version 2.x until the Extension authors catch up to it, and Mozilla adds back the Email launching icon (if you used it). Keep the setup file for 1.5.0.7 on hand until the dust settles.

If I didn't use so many Extensions and depend on them I would have taken a longer look at version 2.0, but I didn't want to corrupt my saved personal settings with all the disabled and missing items.

Wiz

Posted by Wiz at 10:52 PM | Permalink

back to top ^

Not to be outdone by Microsoft's recent release of Internet Explorer 7, Mozilla will release the second major version of its rival Firefox browser on Tuesday, October 24. The current beta release is RC3 and it is anticipated that not much needs to be changed to make it the official release version 2.0.

According to Mozilla Vice President of Products Christopher Beard, Firefox 2.0, which should be available on Tuesday if all goes according to schedule, includes key new usability features missing in the new IE 7.

Mozilla has also enhanced the popular tabbed browsing feature in 2.0 that Firefox introduced when it emerged two years ago as the first significant rival to IE in years, Beard adds. Tabs allow users to navigate more easily between multiple Web pages when browsing the Internet, and Microsoft added tabs to IE 7 after Firefox's success with the feature.

In Firefox 2.0, Mozilla has added a "close" button on its tabs, as well as new visual features to make the tabs appear more obvious to the user, Beard says.

New usability features in Firefox 2.0 that differentiate it from IE 7 include one that will restore the browser to pages where the user was working if a sudden OS restart is required. "If your browser needs a restart or the OS asks you to reboot, losing all of those Web pages and content is pretty disruptive," Beard notes.

Firefox 2.0 is offering two options for enabling this feature. One way is that, by default, the browser will give the user an option to restore his or her browser sessions if there is an unexpected shutdown; the other is an advanced option to set the browser so that it always restores the last five pages visited before a sudden reboot.

Antiphishing Filters in Both Browsers

Like IE 7, Firefox 2.0 also has an antiphishing filter that will help protect users from divulging personal information to fraudulent Web sites. But Mozilla has taken a different approach to its antiphishing filter than Microsoft has, Beard says.

Instead of checking individual Web pages users visit against lists of known phishing sites, thus sending information from the site to third parties that keep lists of such sites, Firefox updates its blacklist of known fraudulent Web sites automatically every half-hour to an hour. Beard said this better protects users' privacy because no information from the sites they've visited is sent to any third parties.

Mozilla also has added spell-checking features to the browser similar to those found in word-processing applications. Whenever a user is typing text in the browser--as when typing the name of a Web site, a blog entry, or an e-mail--Firefox's spell checker will underline in red words that appear misspelled. Right-clicking on the word will give a user options for a corrected spelling.

In addition, Firefox 2.0 has a new feature in its integrated search box that will suggest a list of search terms after a user types a few letters of a word, depending on the search engine being used. Firefox 2.0 uses Google, Yahoo, and Ask.com search engines as options for the search box, and each uses a different algorithm to suggest search terms, Beard explains. To ensure that this feature is not disruptive to the user experience, the suggested search terms will appear in a separate pane below the search box, he adds.

Posted by Wiz at 10:16 PM | Permalink

back to top ^

Mozilla released Beta 2 of its upcoming Firefox 2 browser for developer review Aug. 31, emphasizing that it is being made available for testing purposes only. The release contains a number of new features, as well as some enhancements to look and feel. "Firefox 2 Beta 2 is intended for Web application developers and our testing community," the team said on the Mozilla development website. "Current users of Firefox 1.x should not use Firefox 2 Beta 2 and expect all of their extensions and plugins to work properly."

Source: http://www.desktoplinux.com/news/NS3852026030.html

This beta release will soon be posted to the following page.

Firefox published beta downloads page: http://www.mozilla.org/projects/bonecho/all-beta.html

The final Firefox 2.0 is expected to be completed in early 2007, the team said. More beta versions are expected to be released this fall and winter.

Continue reading "Mozilla Releases New Beta of Firefox 2.0" »

Posted by Wiz at 3:05 PM | Permalink

back to top ^