Posts Tagged: Mozilla


14
Jun 11

Adobe Ships Security Patches, Auto-Update Feature

Adobe today issued more than a dozen security updates for its Acrobat and PDF Reader programs, including a feature update that will install future Reader security updates automatically. In addition, Adobe has shipped yet another version of its Flash Player software to fix a critical security flaw.

No doubt some will quibble with Adobe’s move toward auto-updating Reader: There is always a contingent in the user community who fear automatic updates will at some point force a faulty patch. But for better or worse, Adobe’s Reader software is the PDF reader software of choice for a majority of Windows computers in use today. Faced with incessant malware attacks against outdated versions of these programs, it seems irresponsible for Adobe to do anything other than offer auto-update capability to to Reader users more aggressively.

Adobe debuted this feature in April 2010, but at that the time Adobe decided to continue to honor whatever update option users had selected (the default has always been “download all updates automatically and notify me when they are ready to be installed”). With this latest update, Adobe will again prompt users to approve an auto-update choice, except this time the option pre-selected will be “Install Updates Automatically.”

Continue reading →


9
Feb 11

Adobe, Microsoft, WordPress Issue Security Fixes

Talk about Patch Tuesday on steroids! Adobe, Microsoft and WordPress all issued security updates for their products yesterday. In addition, security vendor Tipping Point released advisories detailing 21 unpatched vulnerabilities in products made by CA, EMC, HP, Novell and SCO.

Microsoft’s bundle includes a dozen updates addressing at least 22 security flaws in its Windows operating system and other software. Five of the vulnerabilities earned a “critical” rating, Redmond’s most serious. Six of the Windows flaws fixed in today’s release have been public for some time, although security experts at Symantec say they’re only aware of one of the flaws being actively exploited in the wild — a bug in the way Internet Explorer handles cascading style sheets. Updates are available through Windows Update or Automatic Update.

Microsoft also issued an update that changes the default behavior in Windows when users insert a removable storage device, such as a USB or thumb drive. This update effectively disables “autorun,” a feature of Windows that has been a major vector for malware over the years. Microsoft released this same update in February 2009, but it offered it as an optional patch. The only thing different about the update this time is that it is being offered automatically to users who patch through Windows Update or Automatic Update.

Update, Feb. 18, 11:56 a.m. ET: As F-Secure notes in a useful blog post, Microsoft has once again failed to disable auto-run, because this update is not offered by default, as Microsoft previously indicated.

Original story:

Adobe released an update for its Acrobat and free PDF Reader software that that fixes at least 29 security problems with these products. Adobe is urging users of Adobe Reader X (10.0) and earlier versions for Windows and Macintosh to update to Adobe Reader X (10.0.1), available now. Adobe says that an update to fix these flaws in UNIX installations of its products is expected to be available by the week of February 28, 2011.

Continue reading →


18
Nov 10

Why Counting Flaws is Flawed

Once or twice each year, some security company trots out a “study” that counts the number of vulnerabilities that were found and fixed in widely used software products over a given period and then pronounces the worst offenders in a Top 10 list that is supposed to tell us something useful about the relative security of these programs. And nearly without fail, the security press parrots this information as if it were newsworthy.

The reality is that these types of vulnerability count reports — like the one issued this week by application whitelisting firm Bit9 — seek to measure a complex, multi-faceted problem from a single dimension. It’s a bit like trying gauge the relative quality of different Swiss cheese brands by comparing the number of holes in each: The result offers almost no insight into the quality and integrity of the overall product, and in all likelihood leads to erroneous and — even humorous — conclusions.

The Bit9 report is more notable for what it fails to measure than for what it does, which is precious little: The applications included in its 2010 “Dirty Dozen” Top Vulnerable Applications list had to:

  • Be legitimate, non-malicious applications;
  • Have at least one critical vulnerability that was reported between Jan. 1, 2010 and Oct. 21, 2010; and
  • Be assigned a severity rating of high (between 7 and 10 on a 10-point scale in which 10 is the most severe).

The report did not seek to answer any of the questions that help inform how concerned we should be about these vulnerabilities, such as:

  • Was the vulnerability discovered in-house — or was the vendor first alerted to the flaw by external researchers (or attackers)?
  • How long after being initially notified or discovering the flaw did it take each vendor to fix the problem?
  • Which products had the broadest window of vulnerability, from notification to patch?
  • How many of the vulnerabilities were exploitable using code that was publicly available at the time the vendor patched the problem?
  • How many of the vulnerabilities were being actively exploited at the time the vendor issued a patch?
  • Which vendors make use of auto-update capabilities? For those vendors that include auto-update capabilities, how long does it take “n” percentage of customers to be updated to the latest, patched version?

Continue reading →


23
Jun 10

Security Updates for Firefox, Opera Browsers

Mozilla has shipped a new version of Firefox that corrects a number of vulnerabilities in the browser. Separately, a new version of Opera is available that fixes at least five security flaws in the software.

Firefox version 3.6.4 addresses seven security holes ranging from lesser bugs to critical flaws. Mozilla says this latest version of Firefox also does a better job of handling plugin crashes, so that if a plugin causes problems when the user browses a site, Firefox will simply let the plugin crash instead of tying up the entire browser process. Firefox should auto-update (usually on your next restart of the browser), but you can force an update check by clicking “Help,” and then “Check for Updates” (when I did this, I noticed that in its place was the “Apply Downloaded Update Now,” option, indicating that Firefox had already fetched this upgrade.

Mozilla also shipped, 3.5.10, an update that fixes at least nine security vulnerabilities in its 3.5.x line of Firefox. The software maker will only continue to support this version of Firefox for another couple of months, so if you’re on the 3.5.x line, you might consider upgrading soon (don’t know which version you’re using, click “Help” and “About Mozilla Firefox”).

Opera’s update brings the browser to version 10.54, which corrects a few critical vulnerabilities. Opera now includes an auto-update feature, so Opera users may already have been notified about this update (I wasn’t). In any case, Opera is urging users to upgrade to the latest version, available here.


26
May 10

Mozilla Plugin Check Now Does Windows (Sort of)

Mozilla‘s Plugin Check Web site, which inspects Firefox browsers for outdated and insecure plugins, now checks other browsers — including Apple‘s Safari, Google‘s Chrome, Opera, and (to a far lesser extent) even Internet Explorer.

The Plugin Check site looks for a range of outdated plugins, and now works on Safari 4, Google Chrome  4 and up, Mozilla Firefox 3.0 and up, and Opera 10.5. This is a nice idea, and it works to some degree, but the page couldn’t locate version information for about seven of ten plugins I currently have in Firefox.

Similarly it detected version information for three out of nine of my plugins on my Macbook Pro’s Safari installation, although it helpfully informed me of an outdated Flash player on my Mac (doh!). It also detected version numbers for just two of 11 plugins apparently installed in my Google Chrome browser.

Mozilla’s Plugin Check also partially supports IE7 and IE8, although when I visited it with IE, I received an interesting result. I went there with a virgin install of IE8 that didn’t have any third party plugins installed. But rather than tell me I was secure  because it could detect no plugins at all, Mozilla’s site actually prompted me to install Adobe’s Flash Player (screen shot below), one of the most-attacked browser plugins of all.

It would be great to see this technology start to detect more plugins. In the meantime, if you’re running Windows and want help keeping up to date with the latest patches, I’d recommend Secunia‘s Personal Software Inspector, a program that periodically reminds you about insecure programs and plugins, and even includes links to download the latest patches.


20
Apr 10

Mozilla Disables Insecure Java Plugin in Firefox

Mozilla is disabling older versions of the Java Deployment Toolkit plugin for Firefox users, in a bid to block attacks against a newly-discovered Java security hole that attackers have been exploiting of late to install malicious code.

On April 15, Oracle Corp. pushed out an update to its Java software to fix a dangerous security flaw in the program. The patch came just a day after it became clear that criminals were using the flaw to break into vulnerable systems.

Continue reading →