Posts tagged ‘Firefox’
Facebook Connect Plugin
I installed the Facebook Connect Plugin for MovableType. It’s supposed to allow you to log in using Facebook credentials and share the comment back to your Facebook wall. The login seems to be working sort of OK in Firefox (once I allowed all the Facebook JavaScript to run). But in IE, it’s not working at all. I’m not sure if that is because I am using AJAX comments or if it’s caused by something else.
That is the state it’s going to remain in for a while.
Firefox/Seamonkey/Thunderbird Vulnerabilities
Patches are out for Firefox, SeaMonkey and Thunderbird to resolve vulnerabilities that would allow credential theft, information disclosure, and arbitrary code execution.
These issues are present in:
Firefox 3.0.3 and prior
Firefox 2.0.0.17 and prior
Thunderbird 2.0.0.17 and prior
SeaMonkey 1.1.12 and prior
Firefox 3.0.2
Firefox 3.0.2 is out, fixing the following five security advisories:
MFSA 2008-44 resource: traversal vulnerabilities
MFSA 2008-43 BOM characters stripped from JavaScript before execution
MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
MFSA 2008-40 Forced mouse drag
Firefox 2.0.0.16 and 3.0.1 released
Firefox 2.0.0.16 and 3.0.1 are out to fix the following security vulnerabilities:
MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
MFSA 2008-34 Remote code execution by overflowing CSS reference counter
UPDATE – looks like 3.0.1 isn’t out just yet. Keep your eyes open for it. http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
Firefox 2.0.0.15
Firefox 2.0.0.15 is out today.
This update fixes 12 security vulnerabilities, 3 of which are described as critical.
To update, open Firefox and select Help, then Check for Updates; or install Firefox 3.
Getting Updates
We’re still in a world where you have to be interested and involved in order to keep your computer updated.
Rod Trent of MyitForum complained last week that he didn’t get notified of a needed Adobe Reader update until he actually opened Adobe Reader.
It is a problem. If you don’t use the application, you don’t get notified of an update. In many cases you’re still vulnerable just by having the software installed. Those in security might say “if you’re not using it, uninstall it.” That doesn’t seem practical to non-security people. Some might say, “let the application leave a service running to notify me of updates.” Is that what we really want? I don’t want my applications to leave an updater running all the time. I kill most autolaunches when I’m packaging software.
Firefox prompts for updates when it is used. Mozilla brags that it is the most updated browser, but the people doing the checking were looking at Google search logs, which only collected information from people using the browser. If they used the browser, they were thus prompted to update.
One solution I push is the Secunia Personal Software Inspector. It’s one application that checks all (most of) your software for vulnerable or obsolete versions. While it’s not perfect for the non-computer-literate, it would be a great option for someone like Rod who knows computers well, but might not remember that Adobe Reader is installed and needs to be updated.
I will say that Secunia’s online scanner was completely botching the Adobe Reader detection when I looked at it earlier this week, but the installed software version was working correctly, or at least not broken in the same way.
Iconix Phishing Protection
A couple of days ago I received email from PayPal titled “New PayPal Plug-In – Shop anywhere online.” That struck me as kind of suspicious, so I looked at the mail headers. The headers showed the message did originate with PayPal’s servers, and more importantly it carried a DomainKeys (DKIM) signature. According to Wikipedia, “DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity” through the use of a cryptographic hash. The signature is checked against a public key the sending domain publishes in DNS.
If I had to dive into the headers to determine the message’s validity, how would the normal user do? Are there mail clients that would have automatically verified DomainKeys and SPF for me?
A quick Google search found a product called Iconix. Iconix works with Outlook, Outlook Express and a number of webmail providers (no Thunderbird support) to take the guesswork out of which messages are real.
Once installed, Iconix checks SPF/Sender ID and DomainKeys to determine message authenticity. Next it checks message identification: a list of companies that have paid Iconix and registered with them. If both check out, the message’s display “From” is altered to show a logo of the sending organization’s choosing. This lets recipients tell at a glance that the message is from who it says it is.
Iconix at first appeared to be a great solution. It’s been reviewed in several trade publications, and I didn’t immediately find anyone disparaging them online. Iconix is installed software, so you do wonder a bit about the privacy and security implications. Their FAQ does say that the sender’s email address is sent to Iconix.
The problem is that they only provide this service for the companies that have signed up. I would expect that they could validate DomainKeys or SPF for anyone using those email technologies. While this product does answer my original question, “how can ma and pa Kettle obtain a reasonable level of trust in email”, it only does so for companies that have paid Iconix. That is an extensive list, and it provides better assurance than SPF and DomainKeys alone could: a passing SPF or DomainKeys check only shows that the message really came from the domain it claims, not that the domain is the one you think it is, so a look-alike domain with its own SPF record passes just as cleanly. The registered list is what ties the domain to a known company.
While Iconix is not available for Thunderbird, there are other solutions that plug into Thunderbird for SPF and DomainKeys validation.
- update – 6/11 – fixed above where I referred to Firefox when I meant Thunderbird. Firefox can be used just like IE in conjunction with Iconix at many webmail providers.
New Adobe Flash Vulnerability
There were multiple reports today of an unpatched Adobe Flash vulnerability currently being exploited.
Symantec’s Bugtraq reports that this exploitation is fairly widespread. SQL injection has been used to insert code onto otherwise legitimate websites, which results in malware loading to exploit Flash.
Not a lot to be done. You could crawl into the Firefox/NoScript cave. I’d suggest having that as an option, but in general keep the antivirus updated and make sure your Flash is patched so you aren’t exploited by old attacks. Buckle your safety belts; it could get bumpy.
UPDATE:
Further reports indicate that this is not a zero-day vulnerability; it is exploiting unpatched versions of Flash. Make sure every browser installed is running the current version of Flash. IE and Mozilla-based browsers use different Flash installs, so each has to be updated separately.
Secunia Personal Software Inspector 0.9.0.1
Secunia has released Personal Software Inspector (PSI) 0.9.0.1. As I’ve blogged about before, Secunia PSI is software for the home user that reports software that is vulnerable or no longer updated by the manufacturer.
The change log here lists a few interesting improvements:
- Improved intelligence to make it even easier for non-technical users to patch their applications. Special rules for Adobe Flash and Sun Java have been implemented.
- The Secunia PSI is now able to determine if the detected Adobe Flash versions are an ActiveX Control (IE), a Firefox plug-in, an Opera plug-in, or a general Operating System plug-in.
- The Secunia PSI is now able to determine if the detected Sun Java versions require an uninstall (the Sun Java installer does not automatically uninstall old versions when you upgrade to their latest version).
- When hovering your mouse over an application name the Secunia PSI will now always display the exact path to where the application is installed.
Keeping third-party applications patched is critical for computers used on the Internet.
Flash and Firefox
As I wrote last week, there is a critical vulnerability in Flash that needs to be patched. For the past couple of years, I’ve been updating the Flash IE plugin and ignoring the Flash plugin for other browsers. In our environment IE7 is currently supported. My feeling is that if you know enough to install non-sanctioned browsers, you know enough to maintain them. (When the vulnerability scanner finds out-of-date software that we didn’t supply, we notify the user to patch it.)
This time around, I was thinking of patching Flash for Mozilla/Opera/Netscape as well. The last Flash update I pushed disabled the Flash update checker through an mms.cfg file (the AutoUpdateDisable setting). If an IT department is managing the Flash install, as we are for the Flash plugin for IE, then we don’t want users updating on their own. I’ve also found that the update message causes calls to the helpdesk; it’s easier if users only get update messages from us. The problem with this plan is that I suspect the mms.cfg I dropped on the client is also preventing the user from receiving Flash update messages for the Mozilla/Opera plugin. Because of this concern I decided to take a look at installing the Flash plugin for Mozilla/Opera browsers.
As you have probably gathered from this post, Adobe Flash has one install for IE and another for “plugin-based browsers” (Mozilla/Opera). As all companies should, we use Adobe’s free license for distributing internally. This provides us with access to MSI builds that aren’t funkified with nasty added toolbars.
The best practice for installing Flash is to close all programs that use Flash prior to installation. In addition to web browsers, this includes IM programs like AIM that use Flash in their advertisements. In my experience, with the IE Flash install you can get away without doing this: you can run the install silently, and Flash will automatically update whenever the browser is closed.
When updating Flash for Firefox, I tried this same technique. Unfortunately this does not work. After installing Flash for Mozilla with no errors, I went to http://www.adobe.com/go/tn_15507 to test what version I was running. It said I was running 9.0.47.0 instead of 9.0.115.0. I closed Firefox and reopened it; no change. I rebooted; no change.
Add/Remove Programs indicates “Adobe Flash Player 9 Plugin” is at version 9.0.115.0. Every copy of NPSWF32_FlashUtil.exe on the system is at 9.0.115.0. NPSWF32.dll in %windir%\system32\Macromed\Flash is at 9.0.115.0. It’s only NPSWF32.dll in C:\Program Files\Mozilla Firefox\plugins, the copy Firefox actually loads, that is still at the old version. This is a serious problem, because if you didn’t go to the version test website you would believe you are patched, and most vulnerability scanners, which look at Add/Remove Programs rather than at the DLL the browser loads, will believe you are patched.
Even if you later figure out what has happened, you are in a pickle. Once you have installed the Flash 9 Plugin and gotten into this situation, you can’t run the patch again: it’s already installed. A repair didn’t seem to work for me either. You really should have closed Firefox before performing the Flash update to avoid this issue.
If you find yourself in this situation, you’ll need to follow the uninstall instructions at http://www.adobe.com/go/tn_14157 (make sure you close everything that uses Flash). Then run the Flash test using the appropriate browser to verify that it’s really gone. Then reinstall (making sure you close Firefox this time).
If I’m going to package this for an enterprise, I’m going to need to check for Firefox being open and either prompt the user to close it or kill the process prior to installing this update. Another possibility mentioned by my brother is to deploy the MSI package via AD so it installs at boot, before any browser has loaded the plugin.
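The check the post describes, as an added example that is not part of the original post or of Adobe’s installer: compare the file version of every NPSWF32.dll the post lists against the build you expect, refuse to run the plugin MSI while firefox.exe is open, and re-check afterwards so a stale copy in the Firefox plugins folder is caught instead of trusting Add/Remove Programs. The target version, the MSI path and the Firefox install directory are assumptions; adjust them to your package.

```powershell
# Added example, not from the original post or from Adobe. Verifies the NPAPI
# Flash DLLs on a client, blocks the install while Firefox is running, and
# re-verifies afterwards. Version, MSI path and Firefox directory are assumed.
param(
    [string]$ExpectedVersion  = '9.0.115.0',                                  # assumed target build
    [string]$FirefoxPluginDir = 'C:\Program Files\Mozilla Firefox\plugins',   # assumed install location
    [string]$Msi              = '\\server\share\install_flash_player_plugin.msi'  # hypothetical package path
)

# The two copies named in the post: the one the installer writes under
# Macromed\Flash and the one Firefox actually loads from its plugins folder.
$dlls = @(
    (Join-Path $env:windir 'system32\Macromed\Flash\NPSWF32.dll'),
    (Join-Path $FirefoxPluginDir 'NPSWF32.dll')
)

function Get-StaleFlashDlls {
    param([string[]]$Paths, [version]$Expected)
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { continue }
        # Build a System.Version from the numeric VS_FIXEDFILEINFO fields rather
        # than the FileVersion string, which Flash formats with commas. A numeric
        # compare is also what makes 9.0.115.0 newer than 9.0.47.0; a string
        # compare would call it older.
        $vi = (Get-Item $p).VersionInfo
        $actual = New-Object System.Version -ArgumentList `
            $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        if ($actual -lt $Expected) {
            New-Object PSObject -Property @{ Path = $p; Version = $actual; Expected = $Expected }
        }
    }
}

function Test-FirefoxRunning {
    # A running Firefox keeps NPSWF32.dll in its plugins folder open, which is
    # the condition under which the post saw the old copy survive the install.
    return [bool](Get-Process -Name firefox -ErrorAction SilentlyContinue)
}

$target = [version]$ExpectedVersion
$stale = @(Get-StaleFlashDlls -Paths $dlls -Expected $target)
if ($stale.Count -eq 0) {
    Write-Host "All NPSWF32.dll copies are at $ExpectedVersion; nothing to do."
    return
}
$stale | Format-Table Path, Version, Expected -AutoSize

if (Test-FirefoxRunning) {
    # Package policy decision: prompt the user or kill the browser. This example
    # stops and reports; Stop-Process -Name firefox -Force is the other choice.
    Write-Warning 'firefox.exe is running; close it before installing, or the stale DLL will survive the update.'
    exit 1
}

# Silent install: /qn suppresses the UI, /norestart keeps the user's session.
$proc = Start-Process msiexec.exe -ArgumentList "/i `"$Msi`" /qn /norestart" -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec returned exit code $($proc.ExitCode)" }

# The re-check is the step the post says scanners skip: look at the DLL the
# browser loads, not at what Add/Remove Programs reports.
$still = @(Get-StaleFlashDlls -Paths $dlls -Expected $target)
if ($still.Count -gt 0) {
    Write-Warning 'NPSWF32.dll is still stale after the install; uninstall per tn_14157, close Firefox, and reinstall.'
    $still | Format-Table Path, Version, Expected -AutoSize
    exit 2
}
Write-Host "Flash plugin verified at $ExpectedVersion."
```

Run it from the deployment script before and after the MSI step, or on its own as an audit; a non-zero exit code is what the packaging tool should treat as a failed install. On 64-bit Windows the 32-bit Macromed\Flash folder lives under SysWOW64 rather than system32, so add that path to `$dlls` there.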
It looks like I’m not the only one who has problems with Flash and Firefox. Michael Horowitz in his Cnet blog “Defensive Computing” wrote about it here.
He also comments about all the old versions of Flash. Frequent readers may recall that I’ve been wondering about those myself. I found an Adobe FAQ that indicates it is not necessary to remove the older versions of the IE ActiveX plugin, but this fails to answer the question about the Mozilla-type plugins. I’m fine leaving the old versions.
What a pain.

