Mozilla developers unveiled the Firefox 3.6 beta web browser for download on Friday, giving developers a chance to test their add-ons and extensions for the product before the general release version.
Mozilla recently updated the popular browser to the current version, Firefox 3.5.4, to fix several bugs in 3.5.3. One goal for Firefox 3.6 is to make the browser less exposed to security flaws in add-ons and plugins, which attackers exploit to deliver malware.
Firefox users who upgrade to version 3.6 will be warned automatically when plugins are out of date and directed to an "Update Plugins" page. Plugins are programs that run inside the browser to add functionality, such as playing video, sharing content or saving websites.
Attackers who exploit vulnerabilities in plugins can execute malicious code on a victim's PC and take control of the machine, so users should keep plugins on the most up-to-date versions.
Mozilla said Firefox 3.6 beta 1 is built on the Gecko 1.9.2 web rendering engine, containing many improvements for web developers and improved performance for faster start-up times.
Tag Archives: Firefox
Mozilla and Microsoft tangle on Firefox plug-in security
Microsoft and Mozilla got their signals crossed last week over .NET Framework Assistant, a Firefox add-on that Microsoft's .NET Framework installs into the browser so that it can launch .NET applications. Mozilla is blocking one vulnerable Microsoft plug-in and blocked, then unblocked, the other.
On Friday, Mozilla blocked the .NET Framework Assistant add-on for Firefox 3.5, citing difficulties some users had entirely removing the add-on, "and because of the severity of the risk it represents if not disabled," according to Mike Shaver, Mozilla's vice president of engineering, on the Mozilla security blog.
Shaver said Mozilla contacted Microsoft "to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism," according to the blog post. But on Sunday, Mozilla was trying to unblock the add-on for .NET Framework Assistant, as Shaver said the add-on did not pose a security vulnerability.
"We received confirmation from Microsoft this evening that the Framework Assistant add-on is not a mechanism for exploiting the vulnerabilities detailed in the earlier post, so we've removed it from the blocklist," Shaver said in his blog.
But a separate vulnerability exists in a Microsoft plug-in that Mozilla said does need blocking for Firefox users. The vulnerability is in the Windows Presentation Foundation (WPF) plug-in, which .NET Framework 3.5 Service Pack 1 installs into Firefox. Shaver said via Twitter that the "WPF plugin is the vector for the XBAP vuln via Firefox."
Internet Explorer security flaw affects Firefox browser
Microsoft's monthly security update on Tuesday contained fixes for three vulnerabilities affecting all versions of Internet Explorer, including one that can also be reached through the .NET Framework to attack users of the Firefox browser.
The update for CVE-2009-2529 fixes a vulnerability in the Windows Presentation Foundation (WPF) component that could be exploited in a browse-and-get-owned scenario, simply by visiting a malicious website.
"While the vulnerability is in an IE component, there is an attack vector for Firefox users as well," Microsoft said on its IE Blog. "The reason is that .NET Framework 3.5 SP1 installs a 'Windows Presentation Foundation' plug-in in Firefox."
That means Firefox users with .NET Framework 3.5 SP1 installed who visit a malicious website could have their Windows PCs hijacked through this vulnerability.
Microsoft said one workaround is to disable XBAP (XAML Browser Applications) in the Internet zone of Internet Explorer's security settings.
Firefox users can disable the Windows Presentation Foundation plug-in under Tools, Add-ons, Plugins.
The security update is rated critical for all IE versions including IE 5.0, IE 6, IE 6 SP1, IE 7 and IE 8, including the version shipped with Windows 7.
Mozilla previews Firefox browser with XSS blocking filter
Filed under Security News
Tagged as blocking, Content Security Policy, CSP, filter, Firefox, Mozilla, XSS
Mozilla's popular Firefox web browser will soon feature a technology called Content Security Policy which the company said would block cross-site scripting (XSS) hacker attacks from websites injected with malicious code.
The new feature is available for preview for security researchers and developers, Mozilla's security manager Brandon Sterne said in a post Monday on the Mozilla blog.
In an earlier blog post, Sterne explained that CSP defeats the code used in XSS attacks by requiring that all JavaScript for a page be loaded from external files served by explicitly approved hosts; inline script is not executed at all.
This means that only script from an approved host is treated as valid, and script injected into the page from anywhere else is blocked.
"The bottom line is that it will be extremely difficult to mount a successful XSS attack against a site with CSP enabled," Sterne explained. "All common vectors for script injection will no longer work and the bar for a successful attack is placed much, much higher."
For CSP to be effective at blocking hacker attacks, Mozilla must convince website developers to adopt the new technology in building their sites.
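The evaluator below is an added example, not Mozilla's code and not part of the original article. It shows the decision a CSP-enforcing browser makes for each script on a page, using the standardized `Content-Security-Policy` grammar (Mozilla's 2009 preview used an experimental header name and syntax). The policy string, page origin and script URLs are made up for the demonstration; the point is that an injected inline script and a script from an attacker's host are both refused, while scripts from the approved hosts load normally.

```javascript
// Added example: minimal evaluator for the script-src part of a
// Content-Security-Policy. Illustrative code, not Mozilla's implementation.

// Parse "directive src src; directive src" into a Map of directive -> [sources].
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression match a script URL loaded by a page at pageOrigin?
function sourceMatches(source, scriptUrl, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return scriptUrl.origin === pageOrigin;
  if (source === "*") return true;
  // Scheme-only source such as "https:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return scriptUrl.protocol.toLowerCase() === source.toLowerCase();
  }
  // Host source, optionally with scheme, wildcard subdomain and port.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scriptUrl.protocol.toLowerCase() !== scheme.toLowerCase() + ":") return false;
  const urlHost = scriptUrl.hostname.toLowerCase();
  const srcHost = host.toLowerCase();
  const hostOk = wildcard ? urlHost.endsWith("." + srcHost) : urlHost === srcHost;
  if (!hostOk) return false;
  if (port && port !== "*") {
    const urlPort = scriptUrl.port || (scriptUrl.protocol === "https:" ? "443" : "80");
    if (urlPort !== port) return false;
  }
  return true;
}

// Decide whether a script may run. `script` is either {inline: true}
// or {src: "https://..."}. script-src falls back to default-src, as in the spec.
function scriptAllowed(policy, pageOrigin, script) {
  const directives = parsePolicy(policy);
  const sources = directives.get("script-src") || directives.get("default-src");
  if (!sources) return true; // policy is silent about scripts
  if (script.inline) {
    // Inline <script> blocks, event handlers and javascript: URLs need
    // 'unsafe-inline'; the original CSP design never allowed them at all.
    return sources.includes("'unsafe-inline'");
  }
  const url = new URL(script.src);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed policy and page origin for the demonstration.
const POLICY = "default-src 'self'; script-src 'self' https://static.example.com";
const PAGE_ORIGIN = "https://www.example.com";

function demo() {
  return {
    injectedInline: scriptAllowed(POLICY, PAGE_ORIGIN, { inline: true }),
    attackerHost: scriptAllowed(POLICY, PAGE_ORIGIN, { src: "https://evil.example.net/x.js" }),
    approvedCdn: scriptAllowed(POLICY, PAGE_ORIGIN, { src: "https://static.example.com/app.js" }),
    sameOrigin: scriptAllowed(POLICY, PAGE_ORIGIN, { src: "https://www.example.com/js/main.js" }),
  };
}

console.log(demo());
```

The practical consequence for site developers is the one the article hints at: a site can only turn this on once every legitimate inline `<script>` and `onclick=` handler has been moved into external files on approved hosts, because the same rule that blocks the attacker's injected script blocks the site's own inline code.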
Firefox 3.5.3, 3.0.14 will detect outdated Flash
Mozilla said on its security blog that the new releases of its popular Firefox web browser will be able to detect if a user has an outdated version of Adobe Flash and will direct users to download the latest version.
Upon updating to Firefox 3.5.3 and Firefox 3.0.14, the browser will direct users with outdated Flash Player to the Adobe download site with a message that reads: "You should update Adobe Flash right now. Firefox is up to date, but your current version of Flash can cause security and stability issues. Please install the free update as soon as possible."
Flash is the software that lets users see video and animation in their web browser. Because it is one of the most widely installed browser plugins, Flash Player is a frequent target of attacks, and as much as 80 percent of web users currently have an out-of-date version.
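The check described here, and the broader plugin-freshness warning planned for Firefox 3.6 above, comes down to reading each plugin's version and comparing it numerically against a known-safe minimum. The code below is an added example, not Mozilla's implementation and not from the original article. The plugin entries stand in for `navigator.plugins` (Firefox 3.x exposed a name and a description such as "Shockwave Flash 10.0 r32" but no version field), and the minimum-safe versions are constructed for the demonstration, not Adobe's or Mozilla's actual thresholds.

```javascript
// Added example: "is this plugin out of date?" check. Not Mozilla's code.

// Turn "10.0 r32", "10,0,32,18" or "1.6.0_15" into an array of numbers.
function parseVersion(text) {
  const m = /(\d+(?:[.,_]\d+)*)(?:\s*r(\d+))?/i.exec(text);
  if (!m) return null;
  const parts = m[1].split(/[.,_]/).map(Number);
  if (m[2] !== undefined) parts.push(Number(m[2])); // Flash's "r32" release field
  return parts;
}

// Field-by-field numeric comparison. Missing fields count as 0, so
// 10.0 equals 10.0.0, and a string compare (where "9" > "10") cannot mislead.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Constructed stand-in for navigator.plugins entries.
const INSTALLED = [
  { name: "Shockwave Flash", description: "Shockwave Flash 10.0 r32" },
  { name: "Java(TM) Platform SE 6 U15", description: "Next Generation Java Plug-in 1.6.0_15" },
  { name: "Mystery Plugin", description: "no version here" },
];

// Constructed minimum-safe versions, keyed by plugin name prefix.
const MINIMUM_SAFE = {
  "Shockwave Flash": "10.0.45",
  "Java(TM) Platform": "1.6.0.15",
};

// Returns one status record per plugin: "outdated", "up-to-date" or
// "unknown" (no rule for it, or no parseable version).
function checkPlugins(installed = INSTALLED, minimums = MINIMUM_SAFE) {
  return installed.map((p) => {
    const key = Object.keys(minimums).find((k) => p.name.startsWith(k));
    const have = parseVersion(p.description);
    if (!key || !have) return { name: p.name, status: "unknown" };
    const cmp = compareVersions(have, parseVersion(minimums[key]));
    return {
      name: p.name,
      installed: have.join("."),
      minimum: minimums[key],
      status: cmp < 0 ? "outdated" : "up-to-date",
    };
  });
}

console.log(checkPlugins());
```

An "unknown" result is deliberately not treated as safe: a plugin whose version cannot be read is exactly the one the user should be asked to look at.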
"Our intent is to get the user's attention and direct them to the Adobe web site where they can download the most up to date version," wrote Mozilla's Johnathan Nightingale on the Mozilla security blog. "Mozilla will work with other plugin vendors to provide similar checks for their products in the future."
Keeping software and web browsers up to date remains one of the best ways to stay protected from web security threats like malware, spam and identity theft.
Hackers prefer Firefox, Opera web browsers
Hackers prefer to use the Firefox and Opera web browsers, according to web security researcher Paul Royal of Purewire, who spent three months monitoring the activity of hackers who use exploit toolkits.
Royal said hackers likely prefer Opera, used by 26 percent of those he observed, because its overall market share is only about 2 percent, so few other attackers bother to write exploits for it. Mozilla's Firefox browser was used by 46 percent of the hackers, Royal said, according to a report in the UK Register.
Hackers are likely aware of the exploits that plague the most popular browser, Microsoft's Internet Explorer (IE). "It makes them wary of using mainstream browsers," Royal said, according to the Register.
IE has recently been attacked through flaws in its Video ActiveX control, the component that lets IE users watch video in the browser. Microsoft has issued multiple security updates to fix flaws in that component, including an "out-of-band" patch earlier this month.
The latest version, IE8, surpassed other browsers in a security test sponsored by Microsoft and run by an independent research lab.
Internet Explorer 8 aces web browser security test
Microsoft's Internet Explorer 8 (IE8) web browser outperformed Safari 4, Firefox 3, Chrome 2 and Opera 10 Beta in a Microsoft-sponsored security test by NSS labs.
The test measured the ability of the different web browsers to catch socially engineered malware attacks - where cybercriminals use web links to malicious sites featuring downloads of Trojan malware files disguised as applications such as video codecs.
In live testing over a two-week period in July, IE8 blocked 81 percent of malware threats, 54 percentage points ahead of Firefox 3, the next best performer, NSS Labs said in its report.
Firefox 3 blocked 27 percent of live threats, the best among products using the Google SafeBrowsing API. Apple's Safari 4 recognized just 21 percent of malware sites, Google Chrome 7 percent and Opera only 1 percent.
Web browsers rely on cloud-based reputation services to decide whether a URL hosts malicious content, but not all browsers use the same techniques for determining which URLs are malicious.
"The use of reputation systems to assist browsers in the fight against socially engineered malware is a strong use of cloud technologies," NSS Labs said. "But not all vendor implementations and daily operations yield the same results."
Security breach closes Mozilla store, Firefox bugs fixed
Filed under Security News
Tagged as breach, Firefox, GatewayCDI, login credentials, Mozilla, security, store
A security breach yesterday caused Mozilla to shut down the Mozilla Store, the online store of the maker of the second-most popular web browser. GatewayCDI, the vendor that operates the store's back end, suffered the breach, Mozilla said.
Customers of the store may have had their login credentials compromised, and Mozilla said it encouraged GatewayCDI to quickly inform the people whose data was affected.
"Once notified, we took the immediate preventative step of shutting down the Mozilla Store to ensure that no additional users could be compromised," Mozilla said on its company blog Tuesday.
The International Mozilla Store has also temporarily been shut down as a precautionary measure, while the Mozilla Community Store was not impacted by the breach.
Meanwhile, Mozilla was busy over the weekend providing a security update to the Firefox web browser. Firefox 3.5.2 and Firefox 3.0.13 were made available for Windows, Mac, and Linux on Sunday.
Mozilla said Firefox has been downloaded more than 1 billion times.
Mozilla: No hacker exploit for Firefox 3.5.1 vulnerability
Filed under Security News
Tagged as 3.5.1, blog, buffer overflow, exploit, Firefox, Mozilla, security, vulnerability
A flaw in the just-released Firefox 3.5.1 web browser has been confirmed by Mozilla, but the company said on its security blog that it has seen no proof of an attack exploit for the vulnerability, which causes the browser to crash.
IBM reported last week that Firefox 3.5.x is vulnerable to a stack-based buffer overflow that could let an attacker execute arbitrary code on the system or crash the application. IBM rated the threat as high because a remote attacker could gain access.
Mozilla said that, while the vulnerability exists and can result in crashes of some versions of Firefox, "the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug." The company said it has seen no example of exploitability.
The National Vulnerability Database, run by NIST, reports that the flaw allows remote attackers to cause a denial of service (application crash), "or possibly have unspecified other impact," via a long Unicode string.
Mozilla said it has attempted to get IBM and others to correct their reports.
Firefox 3.5.1 was issued last week, ahead of schedule, in order to patch a security flaw in the earlier version of the browser, Firefox 3.5.
Mozilla plugs Firefox web browser security hole
Filed under Security News
Tagged as 3.5.1, Firefox, hole, Mozilla, patch, security, update, vulnerability
Mozilla yesterday released an update to its web browser, Firefox 3.5.1, that patches a critical web security flaw that hackers could exploit in a browse-and-get-owned scenario.
"We strongly recommend that all Firefox 3.5 users upgrade to this latest release," Mozilla said on its blog.
Firefox 3.5 users will receive an automated update notification within 24 to 48 hours, or can choose "Check for Updates" from the Help menu, Mozilla said. Users still on older versions of Firefox are urged to download the updated browser from firefox.com.
Some web security experts raised questions about whether Mozilla had pushed out Firefox 3.5 too soon. When Firefox 3.5 was released at the end of June, it already had several known bugs.
"[The] goal of this release should be a quick turnaround that fixes topcrashes and bugs we almost held ship for," Mozilla said in notes when it released Firefox 3.5, according to Computerworld.com.
Andreas Gal, a Mozilla contributor, posted a comment on the vulnerability's Bugzilla entry stating that it appeared the hacker had created the attack after spotting discussions and test cases on Bugzilla.
"Looking at the exploit code and our test cases, I think this is self-inflicted and we should have hidden the bug earlier," Gal said.