Mozilla Fixes Major Security Issues
July 26, 2012 by admin
Filed under Around The Net
Mozilla has fixed a number of security vulnerabilities in the latest versions of its internet applications, including Firefox 14, Thunderbird 14 and SeaMonkey 2.11.
Following the release of its Firefox 14 browser for desktop operating systems on Tuesday, Mozilla said it has removed security holes in the Gecko rendering engine that all the applications run, some of which it rated as “critical”.
The bugs fixed included a code execution problem related to javascript URLs, a JSDependentString::undepend string conversion bug that can be exploited to cause a crash and a same-compartment Security Wrappers bypass issue.
Critical use-after-free problems, an out-of-bounds read bug, and a bad cast in the Gecko engine that could lead to memory corruption have also been addressed, Mozilla said.
These bugs were deemed “critical” because hackers could exploit them remotely to execute arbitrary code on an unsuspecting victim’s system.
Is Internet Explorer Making A Comeback?
May 8, 2012 by admin
Microsoft’s Internet Explorer (IE) in April again managed to grab more user share, the third time in the year’s first four months, to stay well above the 50% mark and remain the world’s top browser, a Web analytics company said on Tuesday.
Google Chrome’s share also climbed in April, said Net Applications, ending that browser’s three-month decline.
IE boosted its share by about three-tenths of a percentage point last month to average 54.1% in April. That returns IE to a mark comparable to its September 2011 share.
Since Jan. 1, IE has increased its usage share by 2.2 percentage points for a 4% gain since the end of 2011. The turnaround has been IE’s largest and longest since the browser began shedding share years ago to Firefox, then later, Chrome.
Microsoft has pinned its hopes almost entirely on IE9, the 2011 edition that runs only on Windows Vista and Windows 7.
On Tuesday, Microsoft again stayed on message, highlighting the gains made by IE9 on Windows 7 — the pairing the firm has said is the only metric it cares about — but ignoring the overall IE increases this year.
Yahoo Goes-DO NOT TRACK
April 6, 2012 by admin
Yahoo websites worldwide will comply with users’ “do not track” settings starting later this year, Yahoo announced Wednesday.
Most major browsers are now able to send a message to sites visited, indicating whether users want their surfing behavior to be tracked by cookies for the purposes of displaying personalized ads. In February the last major hold-out, Google, announced that its Chrome browser will include do-not-track support by the end of the year.
That message, an HTTP (hypertext transfer protocol) header accompanying a request to display a Web page, avoids the awkward paradox that to store a visitor’s preference not to be tracked by cookies, sites had to store a cookie containing that preference, and provides a consistent way to store and indicate such preferences across all Web sites that respect the do-not-track header.
Support for the do-not-track header has been in the works since last year, Yahoo said. All Yahoo sites will respect the header, including those of Right Media and Interclick, two Yahoo subsidiaries specializing in behavioral or data-driven advertising, the company said.
The company’s announcement comes the same day that the U.S. House of Representatives’ Subcommittee on Commerce, Manufacturing, and Trade is set to hold a hearing on balancing privacy and innovation, and in the same week that the U.S. Federal Trade Commission called for creation of a do-not-track tool for Internet users.
In a statement announcing its plans for allowing visitors to opt out of tracking, Yahoo maintained that allowing advertisers to regulate themselves was the best and quickest way to introduce protections to the market place without sacrificing innovation or value creation.
Did Google Bypass Privacy Rules?
February 28, 2012 by admin
In the wake of reports that Google had circumvented privacy settings in Apple’s Safari browser, Microsoft announced today it had discovered that the Web giant had done the same with Internet Explorer.
“When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too?” IE executive Dean Hachamovitch wrote in a blog post this morning. “We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies.”
The blog post, which details Microsoft’s findings and offers privacy protection tips, said Microsoft has contacted Google about its concerns and asked it to “commit to honoring P3P privacy settings for users of all browsers.”
Google countered that Microsoft backs a system that is dated and impractical.
“It is well known–including by Microsoft–that it is impractical to comply with Microsoft’s request while providing modern Web functionality,” Rachel Whetstone, senior vice president of communications and policy for Google, said in a statement to CNET this evening. “We have been open about our approach, as have many other Web sites.”
P3P, or Platform for Privacy Preferences, is an official recommendation of the World Wide Web Consortium that sites use to summarize their privacy policies.
Apple Blasted For Not Blocking Stolen Certificates
A security researcher blasted Apple for what he called “foot dragging” over the DigiNotar certificate fiasco, and urged the company to act fast to update Mac OS X to protect users.
“We’re looking at some very serious issues [about trust on the Web] and it doesn’t help matters when Apple is dragging its feet,” said Paul Henry, a security and forensics analyst with Arizona-based Lumension.
Unlike Microsoft, which updated Windows Tuesday to block all SSL (secure socket layer) certificates issued by DigiNotar, Apple has not updated Mac OS X to do the same.
DigiNotar, one of hundreds of firms authorized to issue digital certificates that authenticate a website’s identity, admitted on Aug. 30 that its servers were compromised weeks earlier. A report made public Monday said that hackers had acquired 531 certificates, including many used by the Dutch government, and that DigiNotar was unaware of the intrusion for weeks.
Because almost all the people who were routed to a site secured with one of the stolen certificates were from Iran, many experts suspect that the DigiNotar hack was sponsored or encouraged by the Iranian government, which could use them to spy on its citizens.
Microsoft isn’t the only software maker to block all DigiNotar certificates: Google, Mozilla and Opera have also issued new versions of their browsers — Chrome, Firefox and Opera — to completely, or in Opera’s case, partially prevent users from reaching websites secured with a DigiNotar certificate.
Users of Safari on Mac OS X, however, remain at risk of possible “man-in-the-middle” attacks based on the fraudulently obtained certificates.
Because Safari relies on the underlying operating system to tell it which certificates have been revoked or banned entirely, Apple must update Mac OS X. The Windows edition of Safari, which has a negligible share of the browser market, taps Windows’ certificate list: That version is safe to use once Microsoft’s Tuesday patch is applied.
Download Defense Added To Chrome Browser
Google has updated Chrome to version 12, adding a new feature that warns users when they’ve downloaded files from dangerous Web sites.
New to Chrome 12 is a tool that flags questionable files pulled from the Web. Chrome now shows an alert when users download some file types from sites that are on the Safe Browsing API (application programming interface) blacklist, which Google maintains.
The message reads: “This file is malicious. Are you sure you want to continue?” If they wish, users can ignore the warning and install the file on their system’s hard drive.
“This warning will be displayed for any download URL that matches the latest list of malicious websites published by the Safe Browsing API,” said Google last April when it debuted the feature in an earlier edition of Chrome.
Safe Browsing already identifies suspicious or unsafe sites, then adds them to a blacklist. Chrome, Mozilla’s Firefox and Apple’s Safari all tap into Safe Browsing to warn users of risky sites before they actually visit them.
Microsoft’s IE Latest Flaw: ‘Cookiejacking’
A technology security researcher has discovered a flaw in Microsoft Corp’s widely used Internet Explorer browser that he said may allow hackers to steal credentials to access Facebook, Twitter and other websites.
He dubbed the technique “cookiejacking.”
“Any website. Any cookie. Limit is just your imagination,” said Rosario Valotta, an independent Internet security researcher based in Italy.
Hackers can exploit the flaw to access a data file stored inside the browser known as a “cookie,” which holds the login name and password to a web account, Valotta wrote.
Once a hacker has that cookie, he or she can use it to access the same site, said Valotta, who calls the technique “cookiejacking.”
The vulnerability affects all versions of Internet Explorer, including IE 9, on every version of the Windows operating system.
To take advantage of this flaw, the hacker must first persuade the victim to drag and drop an object across the PC’s screen before the cookie can be hijacked.
That sounds like a difficult task, but Valotta said he was able to do it fairly easily. He built a puzzle that he put up on Facebook in which users are challenged to “undress” a photo of an attractive woman.
“I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server,” he said. “And I’ve only got 150 friends.”
Microsoft said there is little risk a hacker could succeed in a real-world cookiejacking scam.
“Given the level of required user interaction, this issue is not one we consider high risk,” said Microsoft spokesman Jerry Bryant.
Google SEARCH Goes SSL
Google is finally taking privacy seriously, to a degree, by offering its users a secure form of searching while using Google Search. Moving forward, users will have the opportunity to enable SSL (Secure Socket Layer) for added security. Be advised: the service covers only the Google search itself, and clicks made through Google to other, non-secured sites will still be visible.
‘Do Not Track’ Internet Legislation Advances
California is moving closer to making into law the first Do Not Track legislation in the U.S., aimed at protecting Internet users from invasive advertising.
The proposed Senate bill, SB-761, passed a Senate Judiciary Committee vote late Tuesday, but it still has a long road ahead before having a chance of being signed into law. It now moves on to the Appropriations Committee, and must also pass the Senate and State Assembly before being sent to Governor Jerry Brown’s desk.
Still, it’s the first time such a bill has made it out of committee, and that’s a big deal, according to John Simpson, director of Consumer Watchdog’s Privacy Project. “This is the first time that a ‘do not track’ bill has actually had a hearing and been debated and then voted forward in the legislative process,” he said.
The bill would give California consumers a simple way of opting out of data collection systems that keep track of their online activities. “It puts up a no trespassing sign on our device,” Simpson said.
Opponents of the bill, including Google, the Direct Marketing Association, and the wireless industry group CTIA, say it puts an unnecessary burden on online commerce.
Online marketers love this type of data because it helps them fashion highly effective targeted advertising. But many consumers don’t want to hand marketers every detail of what they do on the Web.
Under the proposed law, users would have a way — possibly through a browser setting — of telling Web sites not to track them. If a company disregarded this and collected data without permission, it could face stiff fines.
FTC Singles Out Google’s Chrome
Federal Trade Commission Chairman Jon Leibowitz this week singled out Google for not adopting “Do Not Track,” the privacy feature that lets consumers opt out of online tracking by Web sites and marketing entities.
In an interview Monday with Politico, Leibowitz called out Google for not supporting Do Not Track in its Chrome browser.
Noting that Do Not Track had gathered momentum, Leibowitz said, “Apple just announced they’re going to put it in their Safari browser. So that gives you Apple, Microsoft and Mozilla. Really the only holdout — the only company that hasn’t evolved as much as we would like on this — is Google.”
Do Not Track has been promoted by the FTC and by privacy advocates, including the Electronic Frontier Foundation (EFF), as the best way to help consumers protect their privacy.
The technology requires sites and advertisers to recognize incoming requests from browsers as an opt-out demand by the user. The information is transmitted as part of the HTTP header.
As Leibowitz said, Microsoft and Mozilla have added Do Not Track header support to their Internet Explorer 9 (IE9) and Firefox 4 browsers. While Apple hasn’t confirmed that the next version of Safari will include Do Not Track, developers have reported finding the feature in early editions bundled with Mac OS X 10.7, aka “Lion,” the upgrade slated to ship this summer.