Posts tagged ‘Firefox’

Mozilla Firefox and Thunderbird Security Updates

Mozilla released updates for Firefox and Thunderbird.

This is the end of the line for Firefox 3.5. It also appears that the 4.x train was not very long: it looks like 4.0.1 must update to 5 to get the security updates.

Thunderbird is now running 3.1.11.

Enjoy your updating.

Symantec Password Survey

Symantec published the results of a survey regarding the password habits of people who read their Security Response Weblog. Nearly 450 readers responded. As readers of a security blog, their responses are probably far from the norm.
Link: http://www.symantec.com/connect/blogs/password-survey-results
Not surprisingly, the respondents have a lot of passwords: 66 percent report having more than 10. It's hard to keep track of that many passwords, and this leads people to do dumb things.
23 percent of respondents let the browser keep track of their passwords. While Firefox can use a master password to secure these stored passwords, I suspect most people don't use that feature. Browser password caches are merely obfuscated and are not a secure place for your passwords.
7% have a note near their computer. This is OK if your office is secured from outside visitors, but even the home office of a hermit occasionally has workmen visiting.
11% use a Word document on the computer. Word or Excel documents can be lost if the computer isn't backed up, and this is not a secure way to store passwords either. If you're putting all your financial passwords in one place, wouldn't it be a good idea to secure them? Perhaps they are in Word and password protected, but that wasn't specified in the survey.
59% rely on memory. Passwords for work should never be in memory only: if you are hit by the proverbial truck, how much productivity will be lost regaining access? For personal accounts, relying on memory indicates probable password reuse at worst or use of a password scheme at best.
33% use a password manager. That's great, but I found out in 2009 that you need to make sure your backups work if you're relying on this method.
Check out the link for the rest of the results of this Symantec survey.

Firefox Updates

Firefox 3.5.8 and Firefox 3.0.18 have been released to resolve several security vulnerabilities.

January Patches

After a fairly light December patching load, January took no prisoners.
Microsoft’s patch Tuesday had just one patch, MS10-001. But they made up for that with an out of band update later in the month MS10-002. They also put out a bulletin warning about old flash installs.
Adobe and Oracle piggybacked on Patch Tuesday to release updates as well. Vendors pretend it's more convenient for people to get all their patches at once, but it's more about burying their own vulnerability announcements in the crowd. Adobe Reader is installed on most machines, so deploying Reader and Acrobat updates is kind of a big deal.
To keep admins on their toes, Adobe also released security updates for Shockwave and Illustrator.
Real Player kept its name in the news with a security update of its own. While it lacks its once ubiquitous presence, it is another thing to watch for.
Firefox released 3.6. Fortunately, this was about new features, not security fixes.
Apple, not wanting to feel left out, released a mega security update rolling up multiple patches.
Wireshark 1.2.6 came out with a couple of security updates.
If you're responsible for patching in the enterprise, it looks like you picked the wrong month to stop sniffing glue.
For home use, I use the Secunia Personal Software Inspector in advanced mode. They are now a bit better about prompting you to exclude directories like i386 to avoid nagging you about things that aren’t a problem.

Mozilla Firefox 3.5.6

Another Christmas gift from a software vendor.
Mozilla has released updates for Firefox. The current versions are now 3.5.6 and 3.0.16.
Their security advisories are here.
There are three updates rated as critical.

Apple Innovations

I usually skip over the Mac versus PC ads, but due to the hazards of watching football live I caught one today.
It was about the hardware innovations of the Mac. Kind of silly, since last time I checked my hardware was from Dell, not from Microsoft.
How about the Mac's software innovations? Apple went all out with XProtect in Snow Leopard.
Here is Sophos' writeup:

When files are downloaded through the following applications:

  • Entourage
  • Safari
  • Mail
  • Firefox
  • Thunderbird
  • iChat
  • and other programs that use LSQuarantine

XProtect is invoked.

Unfortunately, if variants of these threats find their way on to your system via an application that doesn't set the com.apple.quarantine extended attribute, for example via:

  • Skype
  • Adium
  • BitTorrent
  • and Finder (via USB keys, network share, etc …)

Then you're sort of out of luck.

- source: Sophos
But hey, you're not missing that much anyway. This "feature" only scans for the hashes of 2 Mac trojans, according to ZDNet's Zero Day blog.
Now that is innovation.

Firefox to Suggest Flash Updates

Firefox recently announced that a soon to be released version will check for Flash updates in addition to updating Firefox. That should be helpful for end users.
As with any news people of course have their own axe to grind and put their own spin on things. Wolfgang Kandek writes about this development in a Qualys blog adding “Now we just need to convince Hillary Clinton to let the Department of State use Firefox.”
I don't see how this change would cause an enterprise to switch browsers. In an enterprise, this Firefox Flash update reminder should be pretty much worthless. If an enterprise has deployed Firefox then it has probably deployed Flash for Firefox, and if it's deployed Flash for Firefox, then the company should be deploying updates for it. Enterprises have patch cycles and testing. They often disable built-in update mechanisms and deploy updates through SMS/Patchlink/BigFix/etc. Is it possible for enterprises to disable this functionality, perhaps through FirefoxADM?
Far from being the crowning achievement in Firefox security, I think this Flash update checker could potentially be a problem. I notice the screenshot taken by Wolfgang does not show an SSL site in use when the user is prompted to upgrade. It seems to me that this Flash update mechanism is prime for phishing: spyware for Firefox has already masqueraded recently as a Flash update. I think this update mechanism's delivery method, as shown in Wolfgang's screenshot, primes phishing victims.

Firefox Updates

For the third time in the past 30 days, there is a Firefox update including security fixes. Firefox 3.0.10 is out.
“And you want to be my latex salesman”

I don't mean to get all Jeff Jones here, but it seems to me there is a bit of tarnish on that "security king" crown that people give to Mozilla.
Software is going to have bugs. I'm glad Mozilla patches them, but more than once a month is getting a bit annoying. It's highlighting a problem that Mozilla doesn't seem to care about: enterprise patch deployment.
Mozilla loves to brag that their users apply patches. That's the problem: you've got to use it to get prompted to update it, and even then the end user may turn off checking for updates.
Currently, to get Firefox/Thunderbird updates to occur, I can either pray, send out emails, or use NAC to block their access to the network until Firefox is patched.
I can't believe I'm saying this, but QuickTime and Java may have the better idea. Java has an always-running updater process. I believe QuickTime (via Apple Software Updater) uses Scheduled Tasks.
I'd love to just be able to use a logon script or NAC to run C:\program files\Mozilla Firefox\updater.exe, which would then prompt the user if a Firefox update was necessary. I've searched the Internet to see if this is possible. So far, no dice.
Share your thoughts on keeping Firefox updated in the enterprise in the comments.
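Since updater.exe can't be driven from a logon script, the next best thing is a logon script that reports which machines are behind. The following PowerShell is an added example, not code from the original post or from Mozilla; it assumes Firefox is installed under Program Files and that its application.ini carries a `[App]` section with a `Version=` line, and the minimum version is a constructed parameter.

```powershell
# Added example (not from the original post): a logon-script style check that reads the
# installed Firefox version and flags machines below a required minimum, so an admin,
# patch system or NAC policy can act on it. Install paths and the application.ini
# layout are assumptions, not something the post documents.

param([version]$MinimumVersion = '3.0.10')   # required version; adjust per release

function Get-FirefoxVersion {
    # Firefox records its version in application.ini in the install directory ([App] Version=).
    $candidates = @(
        "$env:ProgramFiles\Mozilla Firefox\application.ini",
        "${env:ProgramFiles(x86)}\Mozilla Firefox\application.ini"
    )
    foreach ($ini in $candidates) {
        if (Test-Path $ini) {
            $line = Get-Content $ini | Where-Object { $_ -match '^Version=' } | Select-Object -First 1
            if ($line -and $line -match '^Version=(\d+(\.\d+)*)') {
                # Beta suffixes such as 3.6b5 are trimmed so [version] can parse the number.
                return [version]$Matches[1]
            }
        }
    }
    return $null   # Firefox not installed on this machine
}

function Test-FirefoxCompliance([version]$Required) {
    $installed = Get-FirefoxVersion
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Installed = $installed
        Required  = $Required
        # No Firefox means nothing to patch, so that counts as compliant.
        Compliant = ($null -eq $installed) -or ($installed -ge $Required)
    }
}

$result = Test-FirefoxCompliance -Required $MinimumVersion
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning "Firefox $($result.Installed) on $($result.Computer) is below required $($result.Required)"
}
```

Run it from a logon script or a NAC posture check and collect the warning (or the object) centrally; it tells you who is behind, which is the information the built-in updater never gives an administrator.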

The dreaded FIPS complaint setting

(Ok, a typo in the subject, but it was funny so left it in)

The Technet blogs require registration to comment, and don’t allow me to use my Microsoft Live account to log in, much less openID. I didn’t feel like registering for yet another “community” so I left without commenting.

The ISA server product team blog at Technet wrote about a case where the customer Cannot Browse a HTTPs Site Published by ISA Server 2006 without using TLS 1.0 on Internet Explorer
I chuckled reading that headline because I’ve been there before.

When I upgraded to ISA 2004, I installed from scratch and applied a recommended hardening policy. I tested it with my computer using Internet Explorer and Firefox, and went home happy. I couldn’t understand why I received email from my manager reporting that people couldn’t get in.

I figured out relatively quickly that my system had TLS 1.0 enabled and the systems that couldn't access using IE did not. That led me to the FIPS compliant setting in group policy. I actually blogged about this in 2006.
The problem also occurs if you configure that setting on the clients. In January 2008, I also wrote about this setting and the FDCC, and what a mistake I thought it was to require clients to turn it on.
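To catch this before the manager's email arrives, a client-side check of the two settings involved (IE's enabled SSL/TLS versions and the FIPS policy) helps. The following PowerShell is an added example, not from the original post or from Microsoft; the registry locations and the SecureProtocols bitmask values are my assumptions from Microsoft's documentation, so verify them for your Windows version.

```powershell
# Added example (not from the original post): report whether this Windows client can
# negotiate TLS 1.0, which a server with the FIPS compliant setting insists on, and
# whether the client itself has the FIPS policy turned on. Registry paths and bit
# values are assumptions taken from Microsoft documentation, not from the post.

function Get-IESecureProtocols {
    # IE stores the enabled SSL/TLS versions as a bitmask in SecureProtocols.
    $path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $item = Get-ItemProperty -Path $path -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the browser default applies
    $mask = [int]$item.SecureProtocols
    [pscustomobject]@{
        Mask  = ('0x{0:X}' -f $mask)
        SSL2  = [bool]($mask -band 0x08)
        SSL3  = [bool]($mask -band 0x20)
        TLS10 = [bool]($mask -band 0x80)
        TLS11 = [bool]($mask -band 0x200)
        TLS12 = [bool]($mask -band 0x800)
    }
}

function Get-FipsPolicy {
    # XP/2003 keep the DWORD directly under Lsa; Vista and later use Lsa\FipsAlgorithmPolicy\Enabled.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $new = Get-ItemProperty -Path "$lsa\FipsAlgorithmPolicy" -Name Enabled -ErrorAction SilentlyContinue
    if ($null -ne $new) { return [bool]$new.Enabled }
    $old = Get-ItemProperty -Path $lsa -Name FipsAlgorithmPolicy -ErrorAction SilentlyContinue
    if ($null -ne $old) { return [bool]$old.FipsAlgorithmPolicy }
    return $false
}

$proto = Get-IESecureProtocols
$fips  = Get-FipsPolicy
"FIPS compliant algorithms policy enabled: $fips"
if ($null -eq $proto) {
    'SecureProtocols not set; IE is using its built-in default protocol list.'
} else {
    $proto | Format-List
    if (-not $proto.TLS10) {
        Write-Warning 'TLS 1.0 is disabled in IE: this client cannot reach a server that only accepts TLS 1.0, such as ISA with the FIPS setting.'
    }
    if ($fips -and $proto.SSL3 -and -not $proto.TLS10) {
        Write-Warning 'FIPS policy is on but only SSL 3.0 is enabled; SSL 3.0 is not FIPS-approved, so HTTPS will fail.'
    }
}
```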

EV Certs and IE7

I ran into an interesting problem on Tuesday.
I installed Extended Validation SSL certificates on three of our IIS servers, and the ISA front end. Yes, yes, I know. “EV SSL is a scam.” They weren’t that expensive at Digicert and I thought it would be cool to turn the address bar green.
After implementing, I found Firefox computers and non-corporate computers with IE 7 could see the address bar turn green successfully when I browsed to my newly secured site. Surprisingly, IE7 from corporate owned computers could not.
What I realized is that IE7 on XP uses the phishing filter to verify that the site is EV validated. The phishing filter is not on by default for the Internet Explorer Intranet zone. We have *.ourdomain.org in the Intranet zone, therefore no green bar for IE7 XP users.
Vista with IE7 works fine because it supports OCSP.
This is where it got kind of annoying. I expected group policy to be able to enable the phishing filter for the intranet zone. Unfortunately, Microsoft hasn’t provided that for XP. This blog seems to be accurate – http://www.frickelsoft.net/blog/?p=80
So my choices are to create an ADM and import it, or to open my XP group policy in Vista. This will upgrade the policy, I'll be able to see the option to enable the phishing filter in the intranet zone, and it will apply to IE7 on XP computers. I've been a bit leery of "upgrading" my policies in this way ever since I opened Group Policy from an XP computer and then couldn't open the policies at the Windows 2000 Domain Controller (until a patch was deployed from Microsoft).