Is Your Latest Firefox Safe?

Written by Saran on March 23, 2010

It hasn’t been a month since the latest Firefox Update was released, but it has already caused a considerable stir. As with a lot of software releases (and usually with Internet browsers), Firefox 3.6 comes with a flaw. This isn’t really all that surprising, is it?

Anyhow, this flaw was discovered by Evgeny Legerov, the founder of Intevydis. This is a company that specializes in providing IT security solutions for various situations. The flaw discovered by Legerov was taken so seriously by the German government that it issued advisories to the effect that users should stop using this version of Firefox until Mozilla gets it fixed. To Mozilla’s credit, they were right on top of things – they went ahead of schedule and fixed the problem. More from eWEEK:

According to Mozilla, the Web Open Font Format (WOFF) decoder contains an integer overflow in a font decompression routine. As a result, too small a memory buffer could be allocated to store a downloaded font, and an attacker could exploit the situation to crash a victim’s browser and execute arbitrary code on the system.

The fix is contained within Firefox 3.6.2, which was initially scheduled to be released March 30. After the German advisory however, Mozilla announced it was moving up the release date. While security researchers are divided on the idea of switching browsers every time a vulnerability appears, it was not the first time a government had made the recommendation.

So is the latest version safe? Only if you download 3.6.2!
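The bug class described in the eWEEK excerpt above, shown as an added illustration (this is not Mozilla's code or the real WOFF decoder): a buffer size computed by summing lengths taken from the file wraps around in 32-bit arithmetic, and a checked version refuses the file instead. The struct layout, function names and the 64 MiB cap are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical table entry; NOT the real WOFF directory layout. */
struct table_entry {
    uint32_t orig_len;              /* decompressed length claimed by the file */
};

#define MAX_FONT_BYTES (64u * 1024u * 1024u)   /* assumed policy cap: 64 MiB */

/* Unsafe: the 32-bit sum wraps silently, so the "total" can be far
 * smaller than the data the decoder will later write into the buffer. */
uint32_t total_size_unchecked(const struct table_entry *t, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += t[i].orig_len;
    return total;
}

/* Hardened: check before adding; reject anything above the cap.
 * Returns 0 and stores the sum in *out, or -1 on a bad file. */
int total_size_checked(const struct table_entry *t, size_t n, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].orig_len > MAX_FONT_BYTES - total)
            return -1;
        total += t[i].orig_len;
    }
    *out = total;
    return 0;
}

int main(void)
{
    /* Constructed sample: two claimed lengths whose true sum is 2^32 + 256. */
    struct table_entry hostile[] = { { 0xFFFFFF00u }, { 0x00000200u } };
    uint32_t safe = 0;

    printf("unchecked total: %u bytes\n",
           (unsigned)total_size_unchecked(hostile, 2));
    printf("checked result:  %d\n", total_size_checked(hostile, 2, &safe));
    return 0;
}
```

The unchecked sum comes out as 256 bytes, which is the "too small a memory buffer" of the advisory; the checked version rejects the same input before anything is allocated.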


Categories: Firefox, Web browsers


Safe Eyes Mobile

Written by Saran on January 29, 2010

Have an iPhone? Or maybe you have another smartphone. Personally, I am setting my eyes on the Google Nexus One. It’s just as pretty and from most accounts, it is even more functional than the Apple iPhone.

In any case, most everyone has a smartphone now and that means that their children are getting exposed to mobile computing as well. If you think that it’s such a headache to ensure that children are protected when they go online on laptops and home computers, then think again. It’s even more of a hassle to make sure they are safe on mobile platforms!

One thing you can do about the iPhone is to use the built-in parental control. More than that, however, you can check out Safe Eyes Mobile, a web browser made specially for the iPhone. It gives you additional control on top of the parental controls that the iPhone has.

Forrest Collier, CEO of InternetSafety.com endorses this mobile web browser:

“Apple has gone a long way toward child-proofing the iPhone with the new parental controls in the iPhone 3.0 software, but those controls apply only to content that Apple itself distributes through iTunes and the App Store. They don’t address the #1 source of objectionable material: the Internet. If you combine Apple’s parental controls with a browser that blocks pornography and other offensive websites, however, you can completely protect your child from harmful content both online and off.”

At the end of the day, these are excellent tools but I believe that your parenting skills will still emerge as the most important factor.


Categories: Real-World Issues, Web browsers


Google Chrome Even More Secure

Written by Saran on August 27, 2009

From Internet Explorer to Mozilla Firefox to Google Chrome – that’s the path that many computer users have followed in the past years. Personally, I have stuck to Mozilla but I do use Chrome every now and then when I want things to go much faster. But did you know that Google’s streamlined browser has its share of security issues as well?

This is not really that surprising. After all, most any product you see in the market will be exploited by those who want to do so. In any case, Google has come out with updates to their browser, making it more secure for us users.

The most recent update for Google Chrome fixes some issues on how the browser handles JavaScript and XML. For the JavaScript engine, the fix makes sure that an infected web site will not allow malicious JavaScript to run arbitrary code. You and I know very well that the phrase “run arbitrary code” simply translates to “install malware.” With this problem supposedly fixed, Chrome is definitely safer.

Another fix deals with the possibility of a web page using XML to, again, run arbitrary code. This happens when the malicious XML crashes a Chrome tab.

Last, the Chrome update will not allow you to connect to “HTTPS (SSL) sites whose certificates are signed using MD2 or MD4 hashing algorithms.” The reason for this is that these algorithms are prone to hacking and that it is relatively easy to pose as a fake HTTPS site.

For more detailed info, read it from Google’s own blog.

Photo courtesy of Ivan Zlatev

Categories: General, Google Chrome, Malware, News


Mozilla E-Store Hacked

Written by Saran on August 6, 2009

This piece of news is not so good for Mozilla. It had to shut down the operations of its online store late on Tuesday because of an alarming finding. The fact is that the firm that Mozilla had hired to deal with their backend operations has suffered a security breach. Mozilla immediately issued a statement about the issue:

Today, Mozilla discovered that GatewayCDI, the third-party vendor entrusted to run the backend of the Mozilla Store, suffered a security breach. Once notified, we took the immediate preventative step of shutting down the Mozilla Store to ensure that no additional users could be compromised.

And just to be sure, the company immediately shut down the international version of their online store. While this was not really necessary since the international edition is being maintained by a separate company, Mozilla still shut it down as a precaution. As of this writing, there is no news yet as to whether the security breach has been fixed. Indeed, Mozilla did not even really divulge details as to the nature and extent of the breach. I guess it is enough that they owned up to the issue and that they took immediate steps to stop the problem before it became serious.

And in case you were not aware of what Mozilla offers in its online store, this is where you can get T-shirts, coffee mugs, backpacks, mouse pads, and all sorts of other things that you can buy with the popular Mozilla logo prominently printed on them.

Moral of the story? Even one of the best IT companies in existence today is prone to hacking. Us “mortals” should learn from this.

Categories: Firefox, General, News


Get Your Firefox 3.5.1

Written by Saran on July 20, 2009

This is the first minor point release in the 3.5 series of Firefox. The main reason for this patch is a security flaw in the TraceMonkey JavaScript engine of the browser. We have “zbyte” to thank for the discovery of this flaw. This Firefox user reported that his browser kept on crashing each time he tried to type text in an input box on the site apport.ru. Zbyte sent this bug report in on July 9, and less than a month later, Firefox developers were able to find the reason for the bug AND send out a fix as well.

Anyhow, the TraceMonkey JavaScript engine is a huge development on Mozilla’s part. With the bug concerning the engine, however, Firefox users are left vulnerable to exploits. In fact, a malicious web site can take advantage of this bug and execute arbitrary code. The developers reacted quickly, though, with Firefox 3.5.1 as the result.

By the way, soon after the bug was fixed, news circulated that there is another bug. This is utterly believable – bugs abound anyway. In fact, researchers Berry-Byrne and Andrew Hayes discovered this bug in the “escape” function. The good news is that they strongly believe that this bug is not exploitable. That means that while those who encounter this bug just might be bugged about it (no pun intended), we are not in danger – security-wise.

In any case, you might want to get the latest patch for Firefox, if you have not already.

Categories: Firefox


46 Security Flaws Fixed By iPhone 3.0

Written by Saran on June 23, 2009

Yup, 46! That is one heck of a lot of security flaws, don’t you think? Considering that the iPhone is being used by a lot of people to go online, it seems quite irresponsible of Apple to release a product that has so many flaws. Still, that has not stopped people from buying the iPhone. Indeed, the major reason people do not get one is the price and not the existence of security flaws. In any case, the recent iPhone 3.0 update has fixed those flaws.

Of the 46, six of the security flaws involve CoreGraphics. Without the update, if a user views a maliciously coded image, the application he is using may terminate suddenly. Alternatively, it can lead to arbitrary code execution. What that can lead to, who knows? Another flaw involves opening and viewing PDF files. Apple provides the same result: either application termination or arbitrary code execution.

There is also a flaw with regard to the mail client. Without the update, remote images in HTML messages are automatically fetched and loaded. There is no option to turn off this feature. With the update, this potential security flaw has been fixed.

Meanwhile, Safari can now be totally wiped clean – history of visited web pages and searches together – by accessing the option in the Settings menu. Previously, only the history of web sites was removed, and the searches remained. Now, iPhone users can rest easy knowing that they’ve left no traces behind.

Of course, there are other features to the updates, many of them not solely related to security.

Categories: E-mail, News, Operating Systems, Privacy & Anonymity, Web browsers


Safari Hacked In Seconds

Written by Saran on March 24, 2009

And I thought Apple was unhackable. That goes to show that there seems to be no such thing these days. After all, most everything has a “hole,” and it is only a matter of finding that hole and exploiting it, right?

Security expert Charlie Miller will surely agree with you, and unlike me, he can back up his statements too! Charlie Miller is known for hacking a MacBook Air last year. He did this feat in less than two minutes, and won $10,000 for it. He did not stop there, though. About two weeks ago, Miller joined another contest; this time to hack Safari.

He said that he discovered a hole in the security last year. This hole, when exploited, can give a remote user control of the machine. Miller was able to demonstrate how this is possible in about 10 seconds! This is how he did it: he got the computer user to click on a link (a “malicious URL”) and voila, in one click, he had control.

Naturally, the contest rules stipulate that Miller cannot disclose exactly how he got it done. He said, however, that he told the people at Apple the details of what he was planning to do. At the end of the day, everyone walks away happy. Miller gets his cash prize and the MacBook he used to boot. Apple, on the other hand, gets to discover a bug AND fix it as well.

As for us mere mortals, it just goes to show that we should be careful in clicking. ;)

Photo from http://www.flickr.com/photos/colinzhu/542471747/sizes/s/

Categories: General, Web browsers


Cellphone Deals Here…and there…. What’s the catch?

Written by Saran on February 27, 2009

Seems everybody is out for cheap deals on just about everything, and who wouldn’t be in this recession, where cash is hard to come by and jobs are being shed by the thousands? Now, there are truly some honest cell phone deals out there, but you have to be sure you’re getting the right stuff. Having the latest phone gadget might be one thing, but keeping that new phone secure from hacks is another. Sure, you can get it cheap from the internet, but how sure are you that you’re getting the real stuff?

Criminals are becoming craftier than ever, and they have even managed to copy branded products complete with all the security stickers and holographic security seals. These phones can also be pre-loaded with malware, for the amount of computing power they pack is enough to emulate an ultraportable, in function that is. Just how dangerous are these hacking attempts? For mobile devices using Windows, very dangerous, for there is a group bent on exacting damage on the software giant.

Ensuring you have the latest updates to your operating system is vital to maintaining your ability to fend off attacks. Having intrusion prevention systems installed is also a good thing, for like your PC, these devices also need protection. Given the power of these gadgets and their ability to connect to the internet, they are not immune to attack. Let’s set this as an example: an unprotected PC connected to the internet for the first time will last an average of 15 minutes before it is hacked and compromised. Now you do the math for your mobile!

Categories: Cryptography, E-mail, General, IM, IT Security Basics, Malware, News, Privacy & Anonymity, Real-World Issues, Spyware, Tips, Web browsers, Wireless Security


Improved Security With IE 8

Written by Saran on January 31, 2009

Ever since Mozilla came into the picture, I have not been using Internet Explorer. I am sure that I am not alone in this – I have heard so many IE to Mozilla stories in the past years. With the release of Internet Explorer 8, however, some people might start to reconsider. Indeed, Microsoft is touting IE 8 to be its most secure web browser ever. (That’s not saying much, is it?)

Anyway, why should anyone want to use IE8? PC World has a write up on it and this is what they have to say about the security features:

Microsoft touts IE 8 as its most secure browser to date, and Microsoft has indeed added a good number of security features to the mix, ranging from phishing detection to private browsing, plus a new feature to prevent clickjacking, an emerging data theft threat.

IE 8 RC1 includes two security features under the ‘InPrivate’ label: InPrivate Browsing and InPrivate Filtering. Both existed in earlier prerelease versions of IE 8, but IE 8 RC1 lets you use the two features separately, whereas before each relied on the other.

That’s sounding good to me but is that all there is? Apparently not. Another feature that looks interesting is the Private Browsing feature, which is already being enjoyed by Safari users. IE8 also has InPrivate Filtering, which will prevent web sites from gathering data about other web sites that you go to. There seems to be more to it, though. Maybe we should give it a try and see what Microsoft has to offer this time?

Categories: News, Web browsers
