Some potentially nasty browser security vulnerabilities found this weekend in Mozilla and in Safari. Both involve software update mechanisms. The Firefox one tricks the browser into thinking it’s installing from a trusted update site (the maintainers of updates.mozilla.org and addons.mozilla.org—the only trusted sites by default—have made some changes on their server to prevent the exploit from working). The Safari one takes advantage of the Macintosh tradition of automatically opening archives. This one just happens to unzip itself into the location where Dashboard stores its widgets.

IEBlog has weighed in with a balanced (i.e. non-fanboyish) comment on just who “us” vs. “them” should mean: responsible developers & security researchers vs. the malicious ones. It won’t happen—people are too hunkered down in their own trenches—and even with Mozilla, Opera and Apple collaborating on specs, I don’t expect to see much in the way of collaboration on security except in the actual open-source world. (Even then, I suspect there’s too much rivalry between Gecko and KHTML developers to do much collaboration.)

Maybe it’s the housing costs, but people in San Francisco need a little more incentive to give out their computer password than people in Liverpool do. Last year a survey found that 71% would reveal their password for a chocolate bar. A similar survey this month in San Francisco found that 66% would give it up for a coffee.

At least Verisign made good on the offer—with a $3 Starbucks gift card.

At the end of a post on SSL/TLS and just how much security a “secure” site really gives you, Eric Lawrence of IEBlog posted an interesting thought:

The so-called “browser wars” have fundamentally changed. It’s no longer Microsoft vs. Mozilla vs. Opera et al. Now it’s the “good guys” vs. the “bad guys.” The “bad guys” are the phishers, malware distributors, and other miscellaneous crooks looking for a quick score at the expense of the browsing public.

We’re all in this together.

I’m not sure I agree entirely. It’s more like a second war has started, one in which former enemies are (or at least should be) allies. I do still think competition is necessary, as evidenced by Microsoft’s sudden reversal on updating IE once Firefox became popular—but more cooperation on security may be something MS/Moz/Opera/Apple should consider.

Talk about convoluted. Someone has developed a Java applet that will use one browser to install spyware on another. The applet runs in any browser using the Sun Java Runtime Environment—Firefox, Opera, Mozilla, etc.—and if it can convince you to run the installer, it will install spyware on Internet Explorer. And since you can’t remove Internet Explorer from Windows (you can hide it, but it’s always there…waiting), just using an alternative browser isn’t enough to protect you.

Of course, the obvious solution here is don’t let it install anything. That’s what the Java sandbox is for, after all: applets run in their own little world and can’t touch the rest of your system unless you let them (or they find a hole in the sandbox, which is why you need to keep Java up to date—just like everything else).

Time to emphasize the fact that while Firefox is still safer than IE, it’s not a magic bullet. There is no magic bullet. You can minimize risk, but never eliminate it.

(via SANS Internet Storm Center)

Beware the unexpected attack vector – The Register (not that one)

Your enemy may not come at you from the direction you expect. Set up sentries around the beach, they’ll get you through the ocean. Set up a firewall, they’ll get you through web browsers. It’s mainly about computer/network security, but it has an interesting story explaining why there’s only one major newspaper in Los Angeles. (TL;DR: the LA Times bought up all the independent distributors and sabotaged their rivals’ deliveries.)

Something that could help with the ever-shrinking window between turning on a new (Windows) computer and getting hacked by some automatic probe is to just make downloading security updates part of the setup process. I installed two Linux distributions this weekend, Mandrake 10.1 and SuSE 9.2, and both did this.

What I liked about the SuSE installer was the way the option was worded. The setup utility asks you if you want to “test your Internet connection.” It tests the connection by downloading the latest release notes and checking for updates! (Unfortunately, it somehow chose an old mirror of the SuSE site—not the one I used during the installation—and the process failed.)

Today’s Microsoft security patches include one for a potential remote exploit in… Wordpad? Yes, according to Security Bulletin MS04-041, there are two problems in the Word 6 converter that could be used to take control of your system. In addition to fixing those holes, they’ve disabled the converter.

I could understand if this were something like Emacs, which is practically its own operating system, but Wordpad is a bare minimum RTF editor.

What next? Are they going to find a plain-text hole in Notepad? Discover you can crash your system by dividing by 0.0000000000001 in Calculator? I know, looking at a malicious font in Character Map is going to be the next big virus vector.
