Category: Security

Firefox 2.0.0.13, Sooner Than You Thought

By | February 10, 2008 | 3 Comments

Just a few days ago (with the Firefox 2.0.0.12 release) the “Directory Traversal Vulnerability” was supposed to be fixed. However, as the researcher who discovered the new vulnerability notes, it was not fully fixed. Here is a quote from his blog:

Because directory traversal through plugins is all nice and such, we don’t need it. We can trick Firefox itself into traversing directories back.


Firefox 2.0.0.12 to Fix Chrome Protocol Directory Traversal Vulnerability

By | January 30, 2008 | 1 Comment

The upcoming Firefox 2.0.0.12 release will fix this flaw. It affects extensions (more than 600 of them) that are installed as a set of uncompressed files instead of the widely used .jar files.

Issue
A vulnerability in the chrome protocol scheme allows directory traversal when a “flat” add-on is present resulting in potential information disclosure.

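To make the chrome: traversal concrete, here is an added illustration. It is not Mozilla's chrome registry code and is not taken from the advisory: it maps a chrome://<package>/content/<path> URL onto the directory of a flat (unpacked) add-on, first without any check that the result stays inside that directory, then with the confinement check. The package name, the directory and the sample URLs are hypothetical.

```javascript
// Added illustration, not Mozilla's code: resolving chrome:// URLs against a
// "flat" add-on directory, naively and with confinement. The package name,
// directory and sample URLs below are hypothetical.

// Hypothetical registry: chrome package name -> directory of its unpacked files.
const FLAT_PACKAGES = {
  myaddon: "/profile/extensions/myaddon@example.test/chrome/content",
};

// Collapse "." and ".." segments of an absolute POSIX-style path.
function normalizePath(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop(); // ".." at the root is dropped, as on a real FS
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// chrome://<package>/content/<path> -> { pkg, rest }. The remainder is
// percent-decoded because "%2e%2e" has to be treated exactly like "..".
function parseChromeUrl(url) {
  const m = /^chrome:\/\/([^/]+)\/content\/(.*)$/.exec(url);
  if (!m) return null;
  try {
    return { pkg: m[1], rest: decodeURIComponent(m[2]) };
  } catch (e) {
    return null; // malformed percent-encoding
  }
}

// Naive resolver: glue the requested path onto the package directory. Every
// ".." segment walks one level out of the add-on, so a page can reach files
// elsewhere in the profile.
function resolveNaive(url) {
  const p = parseChromeUrl(url);
  if (!p || !(p.pkg in FLAT_PACKAGES)) return null;
  return normalizePath(FLAT_PACKAGES[p.pkg] + "/" + p.rest);
}

// Confined resolver: canonicalise first, then refuse anything that does not
// stay at or below the package directory.
function resolveConfined(url) {
  const p = parseChromeUrl(url);
  if (!p || !(p.pkg in FLAT_PACKAGES)) return null;
  const base = FLAT_PACKAGES[p.pkg];
  const full = normalizePath(base + "/" + p.rest);
  if (full !== base && !full.startsWith(base + "/")) return null; // traversal attempt
  return full;
}

// Constructed requests: one legitimate, two traversal attempts (plain and encoded).
const REQUESTS = [
  "chrome://myaddon/content/main.xul",
  "chrome://myaddon/content/../../../prefs.js",
  "chrome://myaddon/content/%2e%2e/%2e%2e/%2e%2e/prefs.js",
];
for (const r of REQUESTS) {
  console.log(r, "\n  naive:    ", resolveNaive(r), "\n  confined: ", resolveConfined(r));
}
```

The check has to run on the decoded, canonical path, before anything touches the filesystem; checking the raw URL for the literal string ".." is not enough, as the percent-encoded request shows.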

ZoneAlarm ForceField Beta Released

By | September 26, 2007 | 0 Comments

ZoneAlarm ForceField beta has just been released for Windows XP and Windows Vista. It is supposed to work with Internet Explorer 6-7 and Firefox 1.x-2.x. So what is it all about? It can protect you from various “bad things”. As they say: “Protect yourself by creating a virtual “You” on any PC…”

ForceField lets you connect and communicate the way you already do online, only with a combination of protective measures that makes you impervious. It uses a virtualization engine that shields your computer and personal data from Internet and computer-based threats. It also includes numerous protection layers to combat phishing, spyware and dangerous file downloads.

Isn’t that a good idea?


It’s only a beta, and many issues still need to be fixed. However, feel free to try it if you are interested.

Main features:

  • Virtualized surfing – Creates a “bubble of security” around your browsing session that works two ways: it protects your PC from Web site threats such as drive-by downloads; and protects your browsing session from threats on your PC
  • Seamless use – surf as you always do without any special knowledge required and no interruptions
  • Keylogger jamming – protects your browsing, banking and shopping by disabling keyloggers/screengrabbers that may reside on your PC
  • Anti-spyware scanning during your browsing session to protect you as you bank and shop
  • Phishing and fraudulent Web site warning and protection
  • Dangerous download scanning and protection
  • Private browsing to completely erase your surfing tracks from your PC (not yet in the beta)
  • Svelte proportions – ForceField can be deployed to any PC within about 30 seconds in its Instant ForceField form (not available in current beta), making it convenient for on-the-go use on shared public computers.


Download ForceField 1.0.158 Beta.


No More Than 10 Days To Release Critical Patch

By | August 8, 2007 | 2 Comments

“Ten Fuc*ing Days”. That’s what Mozilla said.

That’s right: they have said that they can release any critical patch within 10 days or faster. Firefox 2.0.0.6 was released in less than 10 days after the security flaws were discovered, so this is not just a trick (or is it?); it has already been demonstrated once, and we will see how fast the next one comes.

In my opinion, before making such statements they should also fix the other security vulnerabilities, even the ones that are not the most critical.


Secunia Security Stats: Unpatched 43% (6 of 14 Secunia advisories)

An Interview With DCT, MPack Developer

By | July 23, 2007 | 0 Comments

Nothing interesting has been going on for the last few days, but today I read something more interesting: an interview with “DCT”, an MPack developer.

More about MPack:

The project is not so profitable compared to other activities on the Internet. It’s just a business. While it makes income, we will work on it, and while we are interested in it, it will live.
“DCT”, one of three developers of the MPack infection kit
A year later, the MPack kit has become an increasingly popular tool, allowing data thieves and bot masters to take control of victims’ systems and steal personal information. The MPack infection kit has been blamed for hundreds of thousands of compromised computers.

And a bit more:

Anything else you’d like to add?
I would advise you to use the Opera browser with scripts and plug-ins disabled in order not to be caught by the MPack someday.

Firefox 3 Alpha 7 Pre. Anti Fraud Feature

By | July 12, 2007 | 3 Comments

It’s no secret that every web developer wants the fastest and most secure web browser, one that not only has all its security issues fixed but also helps a novice user understand the risks and avoid them.

Firefox 3 Alpha 7 (Pre) has gained one more feature that should help users avoid fake domain names.

It highlights the domain name (well… actually it makes the rest of the URL light grey) so that users can look at it and make sure it is the correct domain. Not really useful, is it?

That’s not all. According to Arstechnica,

FF3 Alpha 7 also incorporates a domain translator that changes an address that’s encoded in non-standard ASCII (such as a percentile-encoded address) into standard text. Again, this is a change aimed at making domain addresses easier to read by stripping out the non-standard characters a phisher might use to confuse a potential target.

There’s also an add-on for Firefox 2. It is not perfect, but if you don’t want to use Firefox 3 Alpha 7 to test this feature, feel free to use the Locationbar2 add-on.
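What the location bar is trying to convey can be shown in code. The following is an added example, not Mozilla's implementation and not from this post: it takes a typed address, runs it through the WHATWG URL parser (built into Node.js and modern browsers) and separates the decoy parts from the host a user should actually read, flagging the tricks the dimmed display is meant to defeat. The "domain" is approximated as the last two host labels, which is an assumption; a real browser consults the Public Suffix List. The sample addresses are constructed.

```javascript
// Added example, not Mozilla's code: split a location-bar string into the
// pieces a "dim everything but the domain" display needs, and flag the tricks
// that display is meant to defeat. ASSUMPTION: the registrable domain is the
// last two labels of the host; a real browser uses the Public Suffix List.

function highlightDomain(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return null; // not an absolute URL, nothing to highlight
  }
  // The parser has already lowercased the host, percent-decoded it and turned
  // Unicode labels into punycode (xn--...), so the host is shown in canonical
  // form rather than however the phisher spelled it.
  const host = url.hostname;
  const labels = host.split(".");
  const domain = labels.length >= 2 ? labels.slice(-2).join(".") : host;
  const userinfo = (url.username || url.password)
    ? url.username + (url.password ? ":" + url.password : "") + "@"
    : "";
  const port = url.port ? ":" + url.port : "";

  const warnings = [];
  if (userinfo) warnings.push("userinfo present: text before '@' is not the host");
  if (labels.some((l) => l.startsWith("xn--"))) warnings.push("punycode (IDN) host");
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) warnings.push("raw IP address host");

  // Percent-escapes in the path are decoded for display only; the decoded
  // form is never handed back to the network layer.
  let displayPath = url.pathname + url.search + url.hash;
  try { displayPath = decodeURIComponent(displayPath); } catch (e) { /* keep raw */ }

  return {
    scheme: url.protocol + "//",
    userinfo,                                              // decoy such as "www.paypal.com@"
    subdomain: host.slice(0, host.length - domain.length), // decoy such as "www.paypal.com."
    domain,                                                // the part to read
    rest: port + displayPath,
    warnings,
  };
}

// Constructed phishing-style addresses (.example is a reserved TLD).
const SAMPLES = [
  "http://www.paypal.com.evil.example/login",
  "http://www.paypal.com@evil.example/login",
  "http://%65vil.example/%70aypal/signin",
  "http://192.0.2.1/login",
];
for (const s of SAMPLES) console.log(s, "->", highlightDomain(s));
```

The parser does most of the work: userinfo, percent-encoded host labels and IDN spoofing all come out separated from the hostname, which is exactly why a display that dims everything but the domain is cheap to build and why the remaining weak point is the Public Suffix approximation noted above.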

Web Browsers Security. Opera, Internet Explorer, Safari, Firefox

By | July 12, 2007 | 29 Comments

After yesterday’s post about the new Firefox security bug, I decided to check which of the world’s most popular web browsers is the most secure. Thanks to Secunia for the stats.

Opera 9.x – Affected By 6 Secunia advisories
Unpatched 0% (0 of 6 Secunia advisories)

Internet Explorer 7.x – Affected By 13 Secunia advisories
Unpatched 54% (7 of 13 Secunia advisories)
Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Microsoft Internet Explorer 7.x, with all vendor patches applied, is rated Moderately critical.

Safari 2.x – Affected By 6 Secunia advisories
Unpatched 67% (4 of 6 Secunia advisories)
Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Safari 2.x, with all vendor patches applied, is rated Less critical.

Firefox 2.0.x – Affected By 12 Secunia advisories
Unpatched 67% (8 of 12 Secunia advisories)
Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Mozilla Firefox 2.0.x, with all vendor patches applied, is rated Highly critical.

I am really confused right now, but does that make Firefox 2.0.x the most insecure web browser? And according to the Secunia stats, Internet Explorer 7 comes right after Opera, which puts it in 2nd place? Bear in mind that these numbers count published advisories rather than measuring exploitability, so they reflect each vendor’s patch backlog and the amount of scrutiny each browser receives at least as much as its real attack surface.

1. Opera 9.x – Most Secure Web Browser?
2. Internet Explorer 7.x
3. Safari 2.x
4. Firefox 2.0.x – Most Insecure Web Browser?

Firefox “firefoxurl” URI Handler Registration Vulnerability

By | July 10, 2007 | 2 Comments

Secunia reported today a new vulnerability in Firefox 2.0.0.4 (previous builds might be affected as well).

A vulnerability has been discovered in Firefox, which can be exploited by malicious people to compromise a user’s system.

Solution:
Do not browse untrusted sites.
Disable the “Firefox URL” URI handler.

Thor Larholm noted:

There is an input validation flaw in Internet Explorer that allows you to specify arbitrary arguments to the process responsible for handling URL protocols. This is the same type of input validation vulnerability that I discovered in the Safari 3 beta.
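The class of bug Larholm describes, a launcher substituting an attacker-supplied URI into the command-line template registered for a URL protocol, can be shown without any Firefox specifics. The following is an added example, not code from Firefox, Internet Explorer or this post; the template handler.exe -url "%1", the switch name and the URIs are hypothetical. It splits the resulting command line with the basic rules the Windows runtime (CommandLineToArgvW) applies, so you can see how a quote inside the URI turns one argument into several, and contrasts the naive launcher with one that validates the URI before building the command line.

```javascript
// Added illustration, not Firefox's or IE's code: why substituting a URI into
// a command-line template is dangerous. A protocol handler on Windows is
// registered as a template such as   handler.exe -url "%1"   (hypothetical
// here) and the launching application replaces %1 with the URI. If the URI
// contains quotes, the command line no longer carries one argument but
// several, and a web page controls switches of the handler process.

// Split a Windows command line into argv with the basic CommandLineToArgvW rules:
// - text inside double quotes belongs to one argument,
// - 2n backslashes followed by a quote give n backslashes and toggle quoting,
// - 2n+1 backslashes followed by a quote give n backslashes and a literal quote,
// - backslashes not followed by a quote are literal.
function splitWindowsCommandLine(cmd) {
  const argv = [];
  let arg = "";
  let inArg = false;
  let inQuotes = false;
  let i = 0;
  while (i < cmd.length) {
    const c = cmd[i];
    if (c === "\\") {
      let n = 0;
      while (cmd[i] === "\\") { n++; i++; }
      if (cmd[i] === '"') {
        arg += "\\".repeat(Math.floor(n / 2));
        if (n % 2 === 1) { arg += '"'; i++; } // escaped quote, consume it
        // even count: the quote is left for the next iteration to toggle quoting
      } else {
        arg += "\\".repeat(n);
      }
      inArg = true;
      continue;
    }
    if (c === '"') { inQuotes = !inQuotes; inArg = true; i++; continue; }
    if ((c === " " || c === "\t") && !inQuotes) {
      if (inArg) { argv.push(arg); arg = ""; inArg = false; }
      i++;
      continue;
    }
    arg += c;
    inArg = true;
    i++;
  }
  if (inArg) argv.push(arg);
  return argv;
}

// Naive launcher: drop the URI into the template verbatim.
// (A function replacement avoids "$&"-style patterns in the URI being expanded.)
function buildCommandLineUnsafe(template, uri) {
  return template.replace("%1", () => uri);
}

// Hardened launcher: accept only a URI of the registered scheme made of the
// characters RFC 3986 permits. Raw quotes, spaces and backslashes are not among
// them, so the substituted text can never close the quoted argument.
function buildCommandLineSafe(template, uri, scheme) {
  if (!/^[A-Za-z][A-Za-z0-9+.-]*$/.test(scheme)) throw new Error("bad scheme name");
  const ok = new RegExp("^" + scheme + ":[A-Za-z0-9\\-._~:/?#\\[\\]@!$&'()*+,;=%]*$").test(uri);
  if (!ok) throw new Error("refusing URI with characters outside RFC 3986");
  return template.replace("%1", () => uri);
}

// Constructed inputs: a benign URI and one that smuggles an extra switch.
const TEMPLATE = 'handler.exe -url "%1"';
const BENIGN = "firefoxurl://example.test/page";
const HOSTILE = 'firefoxurl://example.test/" -injected-switch "x';
console.log(splitWindowsCommandLine(buildCommandLineUnsafe(TEMPLATE, BENIGN)));
console.log(splitWindowsCommandLine(buildCommandLineUnsafe(TEMPLATE, HOSTILE)));
```

Validation on the launching side is only half of it: the handler process must also treat what follows its URL switch as exactly one URI and refuse to parse further switches from it, because another launcher on the same machine may not be as careful.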