Firefox

In the Pwn2Own hacking contest at the CanSecWest security conference in Vancouver, Canada, security researchers and hackers quickly hacked three of the major browsers to take control of the underline operating systems. — A German hacker who goes by the handle “Nils” used a previously unknown vulnerability in Mozilla’s Firefox to gain control of a 64-bit Windows 7 machine. — Peter Vreugdenhil an independent researcher from the Netherlands, used several vulnerabilities in Internet Explorer to take control of a machine running a patched 64-bit Windows 7 implementation. ...

Not so long ago, examples of fake Firefox websites / downloads were in the news with the sites involved serving Hotbar installs. It seems the tactic of offering up Firefox (but giving you something else entirely) is going to be around for a little while. Below is a site promoting a Firefox .xpi called “The Dislike Button”, designed to let you add an “I dislike this” note to Facebook posts: ...

Mozilla Foundation has released version 3.6.2 of its Firefox browser a week early. The group had said the update would be available March 30. The update fixes a widely reported vulnerability (CVE-2010-1028) that prompted Germany’s CERT to advise Web users to switch to another browser until a fix was made. (My blog post “Germany’s CERT warns against Firefox use” ) Intevydis researcher Evgeny Legerov had found that Wide Open Font Format decoder in Firefox had an integer overflow in its font decompression mechanism. The flaw involved a memory buffer that was too small to handle a downloadable font. Legerov had found that exploiting the vulnerability could crash a victim’s browser making it possible to run arbitrary code on the system. ...

BürgerCERT, Germany’s government information security organization, is recommending that Web users NOT use the Firefox browser until Mozilla fixes a vulnerability in it March 30. No malicious use has been found yet, however a researcher posted proof-of concept code for exploiting the previously unknown vulnerability. A malicious operator could use the vulnerability to run arbitrary code. Mozilla is expected to post version Firefox 3.6.2 to fix the problem. In January, the governments of France and Germany urged users to stop using Microsoft’s Internet Explorer browser until the company fixed the vulnerability that was blamed, at least in part, for the attacks from China on Google and more than two dozen other companies. ...

A little more than a week ago Microsoft started delivering a new Browser Choice for Windows to be compliant to the European Union law. There are plenty of web browsers to choose from, and my colleague Sorin Mustaca recommended Firefox. Usually a good choice, but currently users should be cautious about which browser they choose: Opera just released version 10.51 of their web browser. According to the changelog, it fixes a vulnerability which could lead to execution of injected code. Users of opera 10.50 should update as soon as possible. ...

Apple yesterday released a huge Safari update that fixes 16 vulnerabilities – six for Windows versions and ten for Mac OS X and Windows. The update, Safari 4.0.5, makes fixes in Tiger, Leopard, Snow Leopard and Windows versions. This is probably pretty significant. In November, the TheInquirer.net of the UK carried a piece about browser vulnerabilities that rated Firefox and Safari as the ones with the most vulnerabilities: ...

Opera and Safari don’t currently allow browser extensions in the same way as Firefox, Internet Explorer and Google Chrome does, and therefore, providing WOT for these environments is not feasible. However, as a response to requests from our users, we have created a WOT bookmarklet that brings at least some of the functionality to the users of these two popular browsers. If you are using Safari or Opera, you can add the WOT bookmarklet to your browser simply by dragging this link to your bookmarks: WOT Rating. ...

A Windows Update is available to users who are located in member countries of the European Union allowing for choosing a different standard browser for the system. The update is available for download through Windows Update. The Update creates a shortcut on your desktop. This shortcut leads to a Web page in which it is possible to select which Web browser to install. Additionally, the first time the users logs in to the computer after installing the update, Windows Internet Explorer starts automatically and displays the Browser Choice Web page. ...

My friends often ask me about steps they can take to keep their systems at work and home free from malware. Apart from the usual recommendation to use alternative, less targeted and therefore slightly more secure operating system like Linux or OSX (OpenBSD would also be an interesting alternative) I used to mention that a change of the web browser would also be very helpful. Internet Explorer is still the most commonly used browser with a little above 60% market share, but its market share is steadily in decline in the last couple of years. I am fairly sure that one of the main reasons people move to Firefox or Chrome is perceived lack of security. Internet Explorer is the most common target for malware and various exploit packs although the latest versions have proved to be much more resilient to various attacks. With most of the users finally making the switch away from IE6 we hope that the exploits will be even less successful in the future. This of course means that attackers are changing their focus to other products like Adobe Reader of Flash, the most commonly used internet applications after browsers. Exploiting Flash or Adobe Reader allows the attacker to abstract the browser version and often the browser itself. Adobe’s attitude to security also does not help. ...

A massive earthquake struck near the Chilean city of Concepcion in the early hours of the morning of February 27th, 2010. The quake measuring 8.8 on the Richter scale was considerably stronger than the one that recently caused widespread destruction on the island of Haiti. Fortunately, despite the size of this latest quake, so far there has been few reported casualties. The quake occurred near the coast and tsumani warnings were issued for many countries bordering on the Pacific ocean. Unfortunately as with any major news event, miscreants are not slow to pounce when such opportunities arise to further their aims. ...