Tag Archives: Mozilla

Mozilla upgrades web browser security in Firefox 3.6

Filed under Security News
Mozilla developers unveiled the Firefox 3.6 beta web browser for download on Friday, giving developers a chance to test their add-ons and extensions for the product before the general release version.

Mozilla recently updated the popular browser to the current version, Firefox 3.5.4, to fix several bugs in 3.5.3. The plan for Firefox 3.6 is to make the web browser more resistant to security flaws in add-ons and plugins, the flaws that malware exploits.

Firefox users who upgrade to version 3.6 will be automatically warned when plugins are out of date and directed to an "Update Plugins" page. Plugins are programs that add functionality to the browser, such as helping users watch videos, share content and save websites.

Hackers attacking vulnerabilities in plugins can execute malicious code on victim PCs, allowing them to take over a machine. To ensure better web security, individuals should use the most up-to-date versions.

Mozilla said Firefox 3.6 beta 1 is built on the Gecko 1.9.2 web rendering engine, containing many improvements for web developers and improved performance for faster start-up times.

Mozilla and Microsoft tangle on Firefox plug-in security

Filed under Security News
Microsoft and Mozilla got their signals crossed last week over a Windows plug-in called .NET Framework Assistant, which Microsoft had installed into the Firefox browser to enable the activation of add-on programs. Mozilla is blocking one vulnerable Microsoft add-on, and blocked and then unblocked another.

On Friday, Mozilla blocked the .NET Framework Assistant add-on for Firefox 3.5, citing difficulties some users had entirely removing the add-on, "and because of the severity of the risk it represents if not disabled," according to Mike Shaver, Mozilla's vice president of engineering, on the Mozilla security blog.

Shaver said Mozilla contacted Microsoft "to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism," according to the blog post. But on Sunday, Mozilla moved to unblock the .NET Framework Assistant add-on after Shaver said the add-on itself did not pose a security vulnerability.

"We received confirmation from Microsoft this evening that the Framework Assistant add-on is not a mechanism for exploiting the vulnerabilities detailed in the earlier post, so we've removed it from the blocklist," Shaver said in his blog.

But a separate vulnerability exists for a Microsoft add-on that Mozilla said needs blocking for Firefox users. The vulnerability exists in the Windows Presentation Foundation (WPF), which is included in the .NET Framework Service Pack 1. Shaver said via Twitter that the "WPF plugin is the vector for the XBAP vuln via Firefox."

Mozilla previews Firefox browser with XSS blocking filter

Filed under Security News
Mozilla's popular Firefox web browser will soon feature a technology called Content Security Policy (CSP), which the company said would block cross-site scripting (XSS) attacks that inject malicious code into websites.

The new feature is available for preview for security researchers and developers, Mozilla's security manager Brandon Sterne said in a post Monday on the Mozilla blog.

In an earlier blog post, Sterne explained that CSP can filter out malicious code used in XSS attacks by requiring that all JavaScript for a page be loaded from an external file and served from an explicitly approved host.

This means that only script served from an approved host will be executed; everything else, including script injected inline into the page, will be blocked.

"The bottom line is that it will be extremely difficult to mount a successful XSS attack against a site with CSP enabled," Sterne explained. "All common vectors for script injection will no longer work and the bar for a successful attack is placed much, much higher."

For CSP to be effective at blocking hacker attacks, Mozilla must convince website developers to adopt the new technology in building their sites.

Mozilla: No hacker exploit for Firefox 3.5.1 vulnerability

Filed under Security News
A flaw in the just-released Firefox 3.5.1 web browser has been confirmed by Mozilla, but the company said on its security blog that it has seen no evidence of a working exploit for the vulnerability, which causes the browser to crash.

IBM reported last week that Firefox 3.5.x is vulnerable to a stack-based buffer overflow, by which an attacker could execute arbitrary code on the system or cause the application to crash. IBM rated the security threat from the vulnerability as high, because a remote hacker could gain access.

Mozilla said that, while the vulnerability exists and can result in crashes of some versions of Firefox, "the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug." The company said it has seen no example of exploitability.

The Department of Homeland Security's National Vulnerability Database reports that the flaw allows remote attackers to cause a denial of service (application crash), "or possibly have unspecified other impact," via a long Unicode string.

Mozilla said it has attempted to get IBM and others to correct their reports.

Firefox 3.5.1 was issued last week, ahead of schedule, in order to patch a security flaw in the earlier version of the browser, Firefox 3.5.

Mozilla plugs Firefox web browser security hole

Filed under Security News
Mozilla yesterday released an update to its web browser, Firefox 3.5.1, that patches a critical web security flaw that hackers could exploit in a browse-and-get-owned scenario.

"We strongly recommend that all Firefox 3.5 users upgrade to this latest release," Mozilla said on its blog.

Firefox 3.5 users will receive an automated update notification within 24 to 48 hours, or can choose "Check for Updates" from the Help menu, Mozilla said. Users who are still running older versions of Firefox are urged to download the updated browser from firefox.com.

Some web security experts raised questions about whether Mozilla had pushed out Firefox 3.5 too soon. When Firefox 3.5 was released at the end of June, it already had several known bugs.

"[The] goal of this release should be a quick turnaround that fixes topcrashes and bugs we almost held ship for," Mozilla said in notes when it released Firefox 3.5, according to Computerworld.com.

Andreas Gal, a Mozilla contributor, posted a comment on the vulnerability's Bugzilla entry stating that it appeared the hacker had created the attack after spotting discussions and test cases on Bugzilla.

"Looking at the exploit code and our test cases, I think this is self-inflicted and we should have hidden the bug earlier," Gal said.

Web browser security holes in abundance: IE, Firefox, Chrome

Filed under Security News
Mozilla warned users of its Firefox 3.5 web browser yesterday that a security flaw in the browser's Just-in-time (JIT) JavaScript compiler leaves users vulnerable to browse-and-get-owned attacks by visiting malicious websites, the latest in a series of browser security flaws disclosed by developers.

Mozilla said on its security blog that developers will issue a security update "as soon as the fix is completed and tested." Until then, users are urged to disable the JIT in the JavaScript engine or to run Firefox in Safe Mode.

The announcement came on the same day that Microsoft issued security patches for two critical security vulnerabilities in Internet Explorer, which had been exploited by hackers in the wild. Microsoft also warned Monday of another IE vulnerability that remains unpatched.

Security researcher Robert "RSnake" Hansen, CEO of SecTheory, revealed on his blog last week that Google Chrome has a security bug that could allow a hacker to tinker with the view-source: directive.

Hansen told InformationWeek that the Chrome flaw isn't an "earth-shattering bug," but Chrome is built with WebKit, the open source browser layout engine used by Chrome and Apple's Safari, "and WebKit is not necessarily secure."

Apple issued security patches last week for two WebKit flaws in Safari 4.0.2.

Bradley Anstis of Marshal8e6 observed in a security report this week that web browsers are "categorically one of the most dangerous applications on a user's computer."

Mozilla will issue security fixes for Firefox 3.5

Filed under Security News
Mozilla, which just released the latest version of its Firefox browser on Tuesday, is already planning to release web security fixes for bugs in Firefox 3.5, according to Computerworld.com.

The company said it plans to fix at least three bugs and "topcrashes," the company's term for the bugs behind the most frequently reported crashes.

"[The] goal of this release should be a quick turnaround that fixes topcrashes and bugs we almost held ship for," Mozilla said, according to Computerworld.com.

Mozilla's Firefox 3.5 release notes list several known issues on Windows, Mac OS X and Linux, including that the browser's Java-to-JavaScript communication may not work properly and that some sites using Flash can cause problems with the Cookies dialog.

Users who encounter strange problems relating to bookmarks, downloads, window placement, toolbars, history or other settings are advised to try creating a new profile and attempting to reproduce the problem before filing bugs.

Some of the browser's new features include improved tools for controlling private data, including a private browsing mode. At the same time, the browser also offers location-aware browsing, which lets users share their location with certain sites.

Firefox 3.5 has been downloaded more than 6.5 million times in the first 36 hours of its release.