Just a few days after I updated my Firefox installation, here comes a new announcement on the release of Firefox 3.5 Beta 4. If you’ve been closely following Mozilla’s development of Firefox, you’d know that it won’t be long until the official Firefox 3.5 browser is available. Still, if you can’t wait for the full release, you might want to download the Beta 4 version right now.
This is welcome news given the appeal of Mozilla products and the latest developments in the Web applications field. As the gateway to the internet, the browser is more or less a generic operating platform for it.
Also, with the latest projects in seamless integration of offline applications with online utilities and incorporation of more dynamic media on the web, a lot of developments are happening at Mozilla.
Offline-online application integration is emerging as the next arena of brand wars, with Adobe and Microsoft pushing their AIR (Adobe Interactive Runtime) and Silverlight platforms respectively. Mozilla has a similar effort known as Prism. Google also has a set of APIs for offline-online syncing called Google Gears.
The new joiners from the Humanized team are expected to bring a lot of innovation to Mozilla products.
Mozilla rolls out patches in Firefox 18.104.22.168
The update patches several vulnerabilities, including the directory traversal flaw. In total it contains 10 patches, three of them for critical vulnerabilities.
Firefox 22.214.171.124 patches critical flaws that could result in Web browsing history and forward navigation stealing; privilege escalation that could allow cross-site scripting exploits; and crashes with evidence of memory corruption.
“A few of these Firefox bugs are viewed as critical, namely due to privacy concerns. One in particular deals with Firefox’s convenient session restore feature and how that functionality can be used by an unauthorized user to access certain sensitive information,” said Mike Haro, a senior security analyst at Sophos.
Just encryption alone can’t prevent data loss
Encryption makes data unintelligible to prying eyes, but that alone may not be enough to consider the data loss problem solved. A large part of the problem lies in how the keys used to encrypt the data are protected: they deserve the same confidentiality as the data itself.
Modern encryption can be regarded as unbreakable but if its use becomes common the attention of criminals will shift to the other weak links – people, and the keys used to encrypt and decrypt the data, said Richard Moulds, executive vice president of strategy at NCipher.
‘Most of the information that is lost today is not actually as a result of attacks at all, it’s as a result of information just simply being mislaid or lost. Clearly information needs to be encrypted as it goes over the internet because the internet’s a wild and scary place,’ he told a NetEvents forum in Barcelona.
Perhaps a combination of several factors, including biometric techniques, must be considered to bolster security.
Bots are breaking CAPTCHA
In what could be seen as a milestone for automated image recognition, security firm Websense reports that bots have succeeded in cracking CAPTCHA programs and creating accounts automatically. While it is still debatable whether the bot does the whole recognition step itself or channels the content elsewhere for recognition, the fact is that CAPTCHAs are not completely capable of blocking bots.
Bots sprawling across the web have become major revenue earners as well. The Storm worm's botnet, for instance, has been estimated at millions of zombie PCs. The scale of (profitable) attacks they can launch is cause for much worry.
Live Mail, and rivals like Yahoo Mail, are favourite targets for spammers because the services are free, their domains cannot be blocked by blacklisting anti-spam tools and the millions of accounts they control make it easy for the spamming addresses to hide in the crowd, Hubbard said.
The bot’s success rate shows that CAPTCHA is in danger. Unfortunately, there’s no single technology waiting in the wings that could step in to replace it, especially in high-volume settings like Live Mail or Yahoo Mail.
Mozilla bug spreading
Mozilla has escalated the threat ranking of the directory traversal vulnerability in add-ons that was reported last week. The bug would allow session information to be stolen.
The bug affects more than 600 add-ons for the Firefox browser. The remedies are to use the NoScript extension to prevent any exploit from running, or to use extensions that are packaged in .jar files.
A fix for the bug was set to be released on Feb 5th.
IM based attacks up 78% YoY
Instant messenger based attacks have seen a phenomenal rise this past year. The attack methodology has also seen several newcomers: multi-staged and multi-vector attacks that use e-mail in conjunction with IM. Attackers are also targeting P2P networks on a large scale.
An excerpt from the article on TechWorld:
IM attacks are a relatively recent phenomenon, but have grown drastically in number in recent months. In July Akonix said the number of threats over the past 12 months was up 78 percent on the previous year.
New IM worms identified in January include MSNChristmas, MSNVB, Perin and Raiodin, Akonix said.
Keeping instant messaging clients fully updated and keeping a keen eye on the messages and links received could go a long way in preventing infection from such attacks.
Man-in-the-middle attacks possible on Gmail and other Google hosted services
Rob Graham, a security researcher, brought to light a vulnerability in the SSL implementation on Google hosted services that could allow a hacker to make the services not encrypt the session IDs that are used to authenticate users online. The implementation allows for man-in-the-middle attacks.
The attack is a threat at WiFi hot spots or when connecting over other unsecured access points.
Mozilla Labs is making available a new plug-in to Firefox that lets users create themes for their browsers without requiring any coding. The extension is intended to make the theme creation, application and sharing process as easy as drag and drop.
The themes extension makes it easy for users to apply new themes instead of having to download and apply each theme as a separate plug-in. The extension will also support sharing of themes. No online tool nowadays seems to be complete without an option that lets users interact and share their creations in a seamless manner. With an open and extensible architecture, Mozilla has much to gain from supporting social models within the browser framework.
You can download the plug-in for the themes from here.