  • Posts Tagged: firefox


    23
    Jun 10

    Security Updates for Firefox, Opera Browsers

    Mozilla has shipped a new version of Firefox that corrects a number of vulnerabilities in the browser. Separately, a new version of Opera is available that fixes at least five security flaws in the software.

    Firefox version 3.6.4 addresses seven security holes ranging from lesser bugs to critical flaws. Mozilla says this latest version of Firefox also does a better job of handling plugin crashes, so that if a plugin causes problems when the user browses a site, Firefox will simply let the plugin crash instead of tying up the entire browser process. Firefox should auto-update (usually on your next restart of the browser), but you can force an update check by clicking “Help,” and then “Check for Updates” (when I did this, I noticed that in its place was the “Apply Downloaded Update Now” option, indicating that Firefox had already fetched this upgrade).

    Mozilla also shipped 3.5.10, an update that fixes at least nine security vulnerabilities in its 3.5.x line of Firefox. The software maker will only continue to support this version of Firefox for another couple of months, so if you’re on the 3.5.x line, you might consider upgrading soon (don’t know which version you’re using? Click “Help” and “About Mozilla Firefox”).

    Opera’s update brings the browser to version 10.54, which corrects a few critical vulnerabilities. Opera now includes an auto-update feature, so Opera users may already have been notified about this update (I wasn’t). In any case, Opera is urging users to upgrade to the latest version, available here.


    26
    May 10

    Mozilla Plugin Check Now Does Windows (Sort of)

    Mozilla’s Plugin Check Web site, which inspects Firefox browsers for outdated and insecure plugins, now checks other browsers — including Apple’s Safari, Google’s Chrome, Opera, and (to a far lesser extent) even Internet Explorer.

    The Plugin Check site looks for a range of outdated plugins, and now works on Safari 4, Google Chrome 4 and up, Mozilla Firefox 3.0 and up, and Opera 10.5. This is a nice idea, and it works to some degree, but the page couldn’t locate version information for about seven of ten plugins I currently have in Firefox.

    Similarly it detected version information for three out of nine of my plugins on my Macbook Pro’s Safari installation, although it helpfully informed me of an outdated Flash player on my Mac (doh!). It also detected version numbers for just two of 11 plugins apparently installed in my Google Chrome browser.

    Mozilla’s Plugin Check also partially supports IE7 and IE8, although when I visited it with IE, I received an interesting result. I went there with a virgin install of IE8 that didn’t have any third-party plugins installed. But rather than tell me I was secure because it could detect no plugins at all, Mozilla’s site actually prompted me to install Adobe’s Flash Player (screen shot below), one of the most-attacked browser plugins of all.

    It would be great to see this technology start to detect more plugins. In the meantime, if you’re running Windows and want help keeping up to date with the latest patches, I’d recommend Secunia’s Personal Software Inspector, a program that periodically reminds you about insecure programs and plugins, and even includes links to download the latest patches.


    24
    May 10

    Revisiting the Eleonore Exploit Kit

    Not long after I launched this blog, I wrote about the damage wrought by the Eleonore Exploit Kit, an increasingly prevalent commercial hacking tool that makes it easy for criminals to booby-trap Web sites with malicious software. That post generated tremendous public interest because it offered a peek at the statistics page that normally only the criminals operating these kits get to see. I’m revisiting this topic again because I managed to have a look at another live Eleonore exploit pack panel, and the data seem to reinforce a previous observation: Today’s attackers care less about the browser you use and more about whether your third-party browser add-ons and plugins are out-of-date and exploitable.

    Hacked and malicious sites retrofitted with kits like Eleonore have become more common of late: In a report issued this week, Web security firm Zscaler found that roughly 5 percent of the browser exploits they identified during the first quarter of this year were tied to hacked or malicious sites that criminals had outfitted with some version of Eleonore.

    Like most exploit kits, Eleonore is designed to invisibly probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to silently install malicious software. The hacker’s end of the kit is a Web-based interface that features detailed stats on the percentage of visitors to the booby-trapped site(s) that are successfully attacked, and which software vulnerabilities were most successful in leading to the installation of the hacker’s malware.

    This particular Eleonore kit — which is currently stitched into several live adult Web sites — comes with at least a half-dozen browser exploits, including three that target Internet Explorer flaws, two that attack Java bugs, and one that targets a range of Adobe PDF Reader vulnerabilities. According to this kit’s stats page, the malicious adult sites manage to infect roughly one in every ten visitors.

    As we can see from the landing page pictured above, Windows XP users represent by far the largest group of users hitting these poisoned porn sites.

    Once again, Eleonore shows just how heavily Java flaws are now being used to infect computers (the above graphic shows the number of successful malware installations or “loads” per exploit). The last time I reviewed a working Eleonore admin panel, we saw that Java flaws were the second most reliable exploits. This time around, Java was the biggest source of infections. In the Eleonore kit I wrote about earlier this year, some 34 percent of the systems that were successfully exploited were attacked via a Java flaw. In this installation, four out of every ten victims who were hacked were compromised because they were running an outdated version of Java.



    22
    Apr 10

    Rogue Antivirus Gangs Seize on McAfee Snafu

    Purveyors of rogue anti-virus, a.k.a. “scareware,” often seize upon hot trending topics in their daily efforts to beef up the search engine rankings of their booby-trapped landing pages. So it’s perhaps no surprise that these scammers are capitalizing on search terms surrounding McAfee, which just yesterday shipped a faulty anti-virus update that caused serious problems for a large number of customers.



    20
    Apr 10

    Mozilla Disables Insecure Java Plugin in Firefox

    Mozilla is disabling older versions of the Java Deployment Toolkit plugin for Firefox users, in a bid to block attacks against a newly-discovered Java security hole that attackers have been exploiting of late to install malicious code.

    On April 15, Oracle Corp. pushed out an update to its Java software to fix a dangerous security flaw in the program. The patch came just a day after it became clear that criminals were using the flaw to break into vulnerable systems.



    12
    Apr 10

    TrendMicro Toolbar + Long URL = Fail

    Many anti-virus products — particularly the “Internet security suite” variety — now ship with various Web browser toolbars, plug-ins and add-ons designed to help protect the customer’s personal information and to detect malicious Web sites. Unfortunately, if designed poorly, these browser extras can actually lower the security posture of the user’s system by introducing safety and stability issues.

    The last time I caught up with security researcher Alex Holden, he was showing me a nifty way to crash IE6 and prevent the user from easily reopening the badly outdated and insecure browser version ever again. Just the other day, Holden asked me to verify a crash he’d found that affects users who have Trend Micro Internet Security installed, which installs a security toolbar in both Internet Explorer and Mozilla-based browsers on Microsoft Windows.

    The video here was made on a virgin install of Windows XP SP3, with the latest Firefox build and a brand new copy of Trend Micro Internet Security. Paste a really long URL into the address bar with the Trend toolbar enabled, and Firefox crashes every time. Do the same with the toolbar disabled, and the browser lets the Web site at whatever domain name you put in front of the garbage characters handle the bogus request as it should. This isn’t limited to Firefox: The same long URL crashes IE8 with the Trend toolbar enabled, although for some strange reason it fails to crash IE6. I didn’t attempt to test it against IE7.



    17
    Feb 10

    Security Updates for Adobe Reader, Acrobat

    Adobe is urging users of its PDF Reader and Acrobat software to install an update that fixes a couple of critical security holes in the products. The patches come amid news that booby-trapped PDF files were responsible for roughly 80 percent of the exploits detected in the 4th quarter of 2009.

    The latest update brings Adobe Reader to version 9.3.1, and fixes a pair of vulnerabilities that Adobe has labeled “critical,” which means the flaws could be used to install malicious software on vulnerable systems. Updates are available for Windows, Mac and Linux versions.



    15
    Jan 10

    Exploit in the Wild for New Internet Explorer Flaw

    Less than 24 hours after Microsoft acknowledged the existence of an unpatched, critical flaw in all versions of its Internet Explorer Web browser, computer code that can be used to exploit the flaw has been posted online.

    This was bound to happen, as dozens of researchers were poring over malicious code samples that exploited the flaw, which has generated more interest and buzz than perhaps any other vulnerability in recent memory. The reason? Anti-virus makers and security experts say this was the same flaw and exploit that was used in a series of sophisticated, targeted attacks against Google, Adobe and a slew of other major corporations, in what is being called a massive campaign by Chinese hacking groups to hoover up source code and other proprietary information from these companies.

    Microsoft said it will continue monitoring this situation and take appropriate action to protect its customers, including releasing an out-of-band patch to address the threat. Typically, Microsoft issues patches on the second Tuesday of the month (a.k.a. “Patch Tuesday”), but due to the seriousness of this threat and the sheer number of companies that have apparently already been hacked because of it, Microsoft is likely to push out an update before the end of the month. In fact, I would not be surprised to see a fix for this within the next 7 to 10 days.

    In the meantime, Redmond is urging IE users to upgrade to the latest version, IE8, which the company touts as its most secure version of the browser. Still, even IE is still vulnerable, and this is a browse-to-a-nasty-site-and-get-owned kind of vulnerability. As such, Internet users will be far more secure surfing the Web with an alternative browser (at least until Microsoft fixes this problem), such as Google Chrome, Mozilla Firefox, Opera, or Apple’s Safari for Windows.