Crescent City Networking » Web Browsers

Stopgap Fix for Critical Firefox 3.5 Security Hole

Ken — Tue, 14 Jul 2009 16:34:42 +0000

Instructions showing hackers how to exploit an unpatched, critical security hole in Mozilla’s new Firefox 3.5 Web browser have been posted online. So, until Mozilla can ship an update to quash this bug, Security Fix is posting instructions to help readers protect themselves from this vulnerability.
The security hole has to do with a flaw in the way Firefox 3.5 handles Javascript, a powerful programming language heavily used on popular Web sites. Specifically, the vulnerability was introduced with the addition of the Tracemonkey, a new feature in 3.5 that is designed to dramatically speed up the rendering of Javascript.
Vulnerability watcher Secunia rates this flaw “highly critical,” noting that it is the type of flaw that criminals could use to remotely install rogue software, merely by convincing users to visit a hacked or booby-trapped Web site.
Fortunately, there is a relatively easy fix for this that can be reversed once Mozilla issues a patch. To disable the vulnerable component, open up a new Firefox window and type “about:config” (without the quotes) in the browser’s address bar. In the “filter” box, type “jit” and you should see a setting called “javascript.options.jit.content”. You should notice that beside that setting it reads “true,” meaning the setting is enabled. If you just double-click on that setting, it should disable it, changing the option to “false.” That’s it.
Note that making this change will slow down Javascript rendering in Firefox 3.5 to 3.0 speeds, but that may be a worthwhile trade-off for readers concerned about the availability of exploit code for this flaw.

Gmail Labs Adds Verified Accounts Key To Prevent Phishing

Ken — Mon, 13 Jul 2009 19:42:22 +0000

Here’s the latest invention from the Gmail labs team: a verified accounts key to help distinguish spam from a legit email. Last year, Gmail started filtering spam from fake eBay and PayPal emails, requiring actual verification from the source that an email was being sent from ebay.com. Anything that can’t be verified is rejected.

Not many people were aware of this feature, says the Gmail team, so they decided to create an actual icon for a verified account so people would recognize an email address that’s legitimate. If you turn on “Authentication icon for verified senders” from the Labs tab under Settings, you’ll start to see a key icon next to verified emails that are “super-trustworthy.”

What does “super-trustworthy” mean? Brad Taylor, Gmail’s Spam Czar, says the term includes several situations: 1. when the the sender, usually a financial institution, is a target of phishers, 2. all of the sender’s email is authenticated with DKIM, and 3. Gmail rejects any fake messages that claim to come from this sender, but actually don’t.

Gmail says that because of the arduous process for senders to make their email super-trustworthy, the feature is currently limited to just eBay and PayPal. Gmail hopes to add more senders in the future, making the key icon a more widely used and recognizable symbol for verified accounts.

Mozilla Pushes the Web Forward With Firefox 3.5

Ken — Sun, 05 Jul 2009 00:39:08 +0000

Mozilla Firefox 3.5 is the culmination of nearly a year-long quest to build a browser for the next version of the web. And while it’s not perfect, it comes very, very close.

The open-source browser is now available for download for Windows, Mac and Linux.

Originally envisioned as a quick follow-up to 2008’s release of Firefox 3.0, Mozilla ended up packing in quite a few extra features into its flagship browser and spent months making sure that Firefox 3.5 was the fastest, most powerful Firefox yet.

Firefox 3.5 brings with it entirely new and much faster rendering engines for both static web pages and the JavaScript code that powers today’s complex web-based applications. There are new privacy features, new capabilities for playing video and audio files and improved search tools. There are also a handful of other new features that should prove useful for both Firefox devotees and newcomers alike.

We’ve been using the latest betas and release candidates for the last few months. No matter what kind of web surfer you are, we recommend you download Firefox 3.5 as soon as you can