All posts tagged ‘Security’

File Under: Browsers, Security, Software

Firefox 3.6 Beta 3 Gains Security Features, Loses Windows 7 Integration

Mozilla has released a third beta for Firefox 3.6 with more than 90 bugfixes since beta 2, which was released just last week. If you’d like to take beta 3 for a spin, head over to the Mozilla downloads page.

Although beta 3 doesn’t contain any significant new features, it does have some welcome bug fixes and is considerably more stable than the previous betas. There is one new capability not found in earlier releases: add-ons can now access Firefox’s built-in geo-location features.

Unfortunately for Windows 7 users, much of the Windows 7 integration — like Aero tab previews and jump lists — has been removed. It remains to be seen whether or not those features will make it in the final release or will be postponed for Firefox 3.7.

The good news is that more than half of all add-ons now work with Firefox 3.6, including the recently released Weave update and other popular add-ons like Adblock Plus and Firebug.

One big change under the hood in beta 3 is a new restriction on how third-party software integrates with Firefox: the Firefox components directory is now off limits to anything other than Firefox itself. Code dropped there by third-party installers was loaded at startup with the same privileges as the browser’s own code, yet never appeared in the Add-ons manager, so users had no way to see it or switch it off. Extensions installed the normal way lose nothing; according to the Mozilla Developer Blog, “there are no special abilities that come from [accessing the components directory].”

The move is mainly about stability: components installed this way could hook into low-level browser internals and were a frequent source of crashes that users could not disable.

As the Mozilla Links blog points out, current Firefox 3.6 nightly builds are labeled as “preb4,” which might mean we’ll see a fourth beta before Firefox 3.6 arrives in final form. If Mozilla continues to crank out new betas every week, look for beta 4 around Thanksgiving with the final release arriving during December.

A Brave New Web Will Be Here Soon, But Browsers Must Improve

The great promise of HTML5 is that it will turn the web into a full-fledged computing platform awash with video, animation and real-time interactions, yet free of the hacks and plug-ins common today.

While the language itself is almost fully baked, HTML5 won’t fully arrive for at least another two years, according to one of the men charged with its design.

“I don’t expect to see full implementation of HTML5 across all the major browsers until the end of 2011 at least,” says Philippe Le Hegaret, interaction domain leader for the World Wide Web Consortium (W3C), who oversees the development of HTML5.

He tells Webmonkey the specification outlining the long-promised rewrite of the web’s underlying language will be ready towards the end of 2010, but because of varying levels of support across different browsers, especially in the areas of video and animation, we’re in for a longer wait.

Most web pages are currently written in HTML 4.01, which has been around since the late 1990s. The web was mostly made up of static pages when HTML was born, and it has grown by leaps and bounds since then. Now we favor complex web applications written in JavaScript like Gmail and Facebook, we stream videos in high definition, we consume news in real-time feeds and generally push our browsers as far as they’ll go. These developments have left HTML drastically outdated, and web authors have resorted to using a variety of hacks and plug-ins to make everything work properly.

HTML5 — which is actually a combination of languages, APIs and other technologies to make scripted applications more powerful — promises to solve many of the problems of its predecessor, and do so without the hacks and plug-ins.

We’re already close. All the major browsers are providing some level of support for HTML5.

“There’s strong support already in Firefox and Safari. Even Microsoft IE8 has some partial support,” says Le Hegaret, referring to HTML5’s cross-document messaging (the postMessage API), which lets scripts on pages from different origins pass messages to each other in a controlled way.

Browser makers are approaching support incrementally, adding features little by little with every subsequent release. Some, like Mozilla, can build new features into the next release in a matter of months. For others, like Microsoft, it takes much longer.

Google Chrome is maturing extremely quickly and already supports most of HTML5. This is mostly because Google didn’t start from scratch: the company chose to use the open source WebKit rendering engine, the same one used by Safari. Still, this doesn’t mean both browsers support HTML5 equally.

“Video support between Safari and Chrome, despite the fact that they are both using the same underlying engine, is totally different because video support is not part of the Webkit project at the moment,” says Le Hegaret.

It’s actually this very issue, support for playing video inside the browser, that continues to be one of the main factors blocking the broad adoption of HTML5.

The way the specification is written now, website authors will have the ability to link to a video file as simply as an image file. The video plays in the browser without using a plug-in, and the author can create a player wrapper with controls.

But browser vendors are stuck arguing over which video format to support. Mozilla, Google and Opera favor the royalty-free Ogg Theora video format. Apple has substantial investments in its QuickTime technology, so it’s pushing for H.264, the codec QuickTime already ships. Microsoft wants people to use its Silverlight plug-in, so Internet Explorer isn’t supporting native video playback in the browser at all.

Google has voiced support for Ogg, but it has also recently made a bid to purchase On2, a company that makes a competing video technology. Rumor has it Google might release On2’s video technology under an open source license once the sale is complete.

Until these issues are sorted out, consumers and content providers alike are forced to rely on plug-ins. Le Hegaret says that while these plug-ins have certainly helped the web arrive where it is today, they continue to be a burden on the user.

Setting up any browser to support both H.264 and Ogg Theora requires at least one plug-in, which harms the user experience.

“It’s hard today to ask people to install a plug-in unless the payoff is huge,” he says. “What’s driving the most successful plug-in, which is Flash, is video support. If you can’t see YouTube, your life on the web is pretty miserable. You’re missing a lot.”

Plug-ins aren’t just harder on web users, but they’re hard on web developers, too.

“Building with Flash or Silverlight in a way that lets you share information between the content appearing inside the plug-in and the rest of the page presents some challenges,” says Le Hegaret.

Unlike its predecessor, HTML5 has been designed with web applications in mind. The current HTML5 specification includes a media API that makes it easier to connect animations or video and audio elements — things traditionally presented within a Flash player — with the rest of the content on the page.

“You get a smoother application if you use HTML5. You’re not crossing a software layer. It’s all part of the same application.”

Unfortunately, the YouTubes of the world aren’t going to make a baseline switch from Flash to HTML5 unless they know there’s strong support for it in the browsers.

But they are testing the waters: Wikipedia is experimenting with HTML5 video support by serving Ogg Theora video to browsers that can handle it, and Flash to everyone else. YouTube and the video site Dailymotion have also set up special demo pages using this technique.
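The "serve HTML5 video where it plays, Flash everywhere else" technique described above, as an added example that is not code from the article or from any of the sites it names. The browser's canPlayType() is passed in as a function so the selection logic can run outside a browser; the file names, codec strings and Flash player path are assumptions made for illustration.

```javascript
// Added example (not from the article): pick a <video> source the browser can
// decode, fall back to a Flash player when it cannot decode any of them.

// Candidate encodings of the same clip, in order of preference (constructed).
const SOURCES = [
  { src: 'clip.ogv', type: 'video/ogg; codecs="theora, vorbis"' },
  { src: 'clip.mp4', type: 'video/mp4; codecs="avc1.42E01E, mp4a.40.2"' },
];

// Escape a value for a double-quoted HTML attribute. Whatever is chosen gets
// interpolated into markup, so it must not be able to break out of the attribute.
function attr(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// canPlayType() answers "probably", "maybe" or "" for a MIME type with codecs.
// Take the first "probably"; otherwise the first "maybe"; otherwise null.
// A browser with no <video> element has no canPlayType at all (IE8 at the time
// of the article), so a missing function also yields null.
function pickVideoSource(sources, canPlayType) {
  if (typeof canPlayType !== 'function') return null;
  let maybe = null;
  for (const s of sources) {
    const answer = canPlayType(s.type);
    if (answer === 'probably') return s;
    if (answer === 'maybe' && maybe === null) maybe = s;
  }
  return maybe;
}

// Player markup: a native <video> when a playable source exists, otherwise an
// <object> embedding the Flash player (how the clip name is handed to the SWF
// depends on the player, so it is left out here).
function renderPlayer(sources, canPlayType, flashPlayer) {
  const chosen = pickVideoSource(sources, canPlayType);
  if (chosen === null) {
    return `<object type="application/x-shockwave-flash" data="${attr(flashPlayer)}" width="640" height="360">` +
      `<param name="movie" value="${attr(flashPlayer)}">` +
      `</object>`;
  }
  return `<video controls width="640" height="360">` +
    `<source src="${attr(chosen.src)}" type="${attr(chosen.type)}">` +
    `</video>`;
}

// In a browser the call would be:
//   renderPlayer(SOURCES, (t) => document.createElement('video').canPlayType(t), 'player.swf')
```

The same decision can be made server-side from the User-Agent header, but feature detection in the client is what actually tracks which codecs a given build can decode, which is the problem the Safari/Chrome split quoted above illustrates.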

Le Hegaret says we’ll be in this period of transition, a dual-experience web where content sites serve HTML5 video along with a Flash fall-back, for a while.

“Web developers will continue to have to understand that not everyone is using the latest generation web browser, and that’s OK in the short term.”

As far as being able to make the switch to a pure HTML5 web altogether, Le Hegaret says that’s only possible once browser vendors sort out their differences.

Once that day arrives, the final switch to HTML5 will be in the hands of the content providers. It’s up to them to begin coding for HTML5 standards and ditching support for old browsers.

“There are still a significant amount of people out there using IE6,” says Le Hegaret. “As a developer right now, you can’t really ignore it. Hopefully, in two or three years, you will be able to start ignoring IE6.”

File Under: Mobile, Software & Tools

Popular WPA Wifi Security Scheme Cracked Open

Just when you thought it was safe to go back in the water: a pair of researchers have announced a serious flaw in the WPA wifi encryption scheme, which was designed to keep your wireless traffic hidden from prying eyes.

Security researchers Erik Tews and Martin Beck have discovered a way to help those eyes pry a bit further into your traffic, using a much faster means of breaking the Temporal Key Integrity Protocol (TKIP) that WPA uses to encrypt each packet. Until now the practical attack on WPA was a dictionary attack, which targets a weak pre-shared passphrase rather than TKIP itself and can take days or fail outright if the passphrase is strong. The method used by Tews and Beck works regardless of the passphrase and, on networks that support 802.11e QoS, takes a mere 15 minutes.

The good news is that Tews and Beck have not cracked WPA’s encryption keys. What their attack recovers is the keystream for individual short packets and TKIP’s Michael integrity-check key, which is enough to decrypt small frames such as ARP replies and to inject a handful of forged packets, but not to read the bulk of your traffic or to join the network. Still, since security-minded folks like Webmonkey readers probably long ago ditched WEP (an older wifi encryption scheme cracked years ago) in favor of WPA, thinking it was the secure alternative, this attack has some widespread implications.

On the bright side, the attack reportedly does not work with WPA2 as normally configured, because WPA2 encrypts with AES-CCMP rather than TKIP. The caveat is that the flaw is in TKIP, not in the WPA label: a router set to WPA2 with TKIP (some firmware offers a “mixed” mode of that kind) is just as exposed. If you’re worried, upgrade your router to WPA2 with AES/CCMP only; if you are stuck on TKIP for the sake of older clients, shortening the key rotation (rekey) interval to a couple of minutes makes the 15-minute attack much harder to complete. (In a couple of years we’ll probably be telling you about a flaw in WPA2, but for now anyway.)

The details of Tews and Beck’s findings will be made public at next week’s PacSec conference in Tokyo.

[via Computer World]

File Under: Software & Tools

Microsoft: Naive Web Surfers Are Their Own Worst Enemies

Microsoft is doing its best to keep your PC secure, but you’re screwing up its efforts by naively falling for Tony Soprano’s ever more sophisticated tricks and scams.

That’s the takeaway from Microsoft’s most recent Security Intelligence Report, which tracks threats, viruses, malware and more.

The latest Security Intelligence Report is self-congratulatory about Vista’s improved security over XP, but unfortunately some of the biggest threats come from organized crime groups and use phishing and social-engineering techniques that Microsoft says no patch can fix.

The result is a portrait of web security where the greatest threat, according to Microsoft anyway, is unsophisticated users and non-Microsoft software, like plugins from Apple and other third-party vendors.

The number of vulnerabilities disclosed in Windows now represents only about 6 percent of the total. The bulk of the problem (more than 90 percent of disclosed vulnerabilities) is found in applications, especially web browsers and browser plugins.

Of course this is a Microsoft report and other companies are perhaps rightly skeptical. The New York Times quotes an Apple spokesman, Bill Evans, who rather drolly says that the data is not supported by users’ experience of infections.

Still, even if Microsoft’s conclusion is suspect, there’s no question that increasingly sophisticated phishing attacks are, and will likely continue to be, the biggest and most difficult threat the average user faces.

File Under: Software & Tools

Flash Player 10 Solves Some, but not all ‘Clickjacking’ Attacks

The release of Flash Player 10 patched several security flaws that could be used in “clickjacking” attacks, where an attacker uses an invisible overlay to hijack a web button or link. However, we’ve noticed a number of news outlets proclaiming that the Flash 10 update solves clickjacking, and, sadly, that isn’t true.

Adobe’s John Dowdell posted a note on the subject and calls out PC World in particular, but numerous other write-ups of Flash 10 suggested the same thing.

While Dowdell’s post is perhaps a tad overzealous in defending his employer, his basic point is true: clickjacking is a browser flaw, not a Flash flaw, not a Silverlight flaw and not an Ajax flaw.

Of course the Flash 10 update does help stop one small portion of clickjacking. Dowdell explains:

The changes in Player 10 just prevent the browser’s existing and unpatched clickjacking flaws from affecting the Flash cam/mic dialog… it’s something like Player calling out beyond the browser to the operating system to make sure Flash’s pixels are actually displayed, and the browser isn’t letting something else slide in on top to hide the dialog.

The problem is that the same trick can be mounted without Flash at all: JavaScript and CSS can position an invisible iframe containing any site the victim is logged in to over a decoy element on the attacker’s page, and there is a myriad of other variations.
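How the overlay described above is built, and the two defences a page can apply against it, as an added example that is not code from the article, from Adobe or from NoScript. It runs under Node: the attacker page is produced as an HTML string, the frame-busting decision is a pure function, and the header is set on a hypothetical response object with a setHeader method. The victim URL, host names and pixel positions are constructed for illustration.

```javascript
// Added example (not from the article): clickjacking overlay and its defences.

// --- Attacker side ---------------------------------------------------------
// The target page (say, a "Delete account" button on victim.example) is loaded
// in an iframe that is fully transparent (opacity:0) and stacked above a decoy
// button. The iframe is offset so the real button sits exactly where the decoy
// is drawn; the user's click lands on the hidden, real button and carries the
// user's session cookies with it. buttonX/buttonY are where the real button
// sits inside the victim page (constructed values).
function buildClickjackPage(victimUrl, buttonX, buttonY) {
  const decoyX = 100, decoyY = 100; // where the decoy is drawn on the attacker page
  return `<!doctype html>
<style>
  #decoy  { position:absolute; left:${decoyX}px; top:${decoyY}px; z-index:1; }
  #target { position:absolute; left:${decoyX - buttonX}px; top:${decoyY - buttonY}px;
            width:1000px; height:800px; border:0; opacity:0; z-index:2; }
</style>
<button id="decoy">Claim your prize</button>
<iframe id="target" src="${victimUrl}"></iframe>`;
}

// --- Defender side ---------------------------------------------------------
// 1. Server side: tell the browser not to render the page in a frame at all.
//    X-Frame-Options (DENY or SAMEORIGIN) is the header browsers adopted for
//    this; it is enforced before any of the page's own scripts run.
function applyFrameGuard(res, policy = 'DENY') {
  if (policy !== 'DENY' && policy !== 'SAMEORIGIN') {
    throw new Error('unsupported X-Frame-Options policy: ' + policy);
  }
  res.setHeader('X-Frame-Options', policy);
  return res;
}

// 2. Client side: a frame-busting check for browsers that ignore the header.
//    The page cannot read the parent's location when the parent is another
//    origin (the access throws), and that failure itself means "we are framed
//    by someone else". readTopHost stands in for `top.location.host`.
function shouldBust(isFramed, readTopHost, selfHost) {
  if (!isFramed) return false;
  try {
    return readTopHost() !== selfHost;
  } catch (e) {
    return true; // cross-origin parent: assume hostile
  }
}

// The snippet a page would inline; the same logic as shouldBust() run against
// the real window objects.
const FRAME_BUSTER = `<script>
(function () {
  if (top === self) return;
  var bust = true;
  try { bust = top.location.host !== self.location.host; } catch (e) {}
  if (bust) top.location = self.location;
})();
</script>`;
```

The header is the control to rely on: frame-busting scripts can be neutralised by the framing page (for instance by blocking the navigation), so they are a fallback for browsers that do not honour the header, not a replacement for it. Note that neither defence is something Flash can provide for a page; that is why Dowdell’s point that the fix belongs in the browser is the right one.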

So yes, the Flash Player 10 update will help protect you against one form of clickjacking, but to proclaim that it patches “a critical security bug that could make the internet a dangerous place for web surfers,” as PC World did, is worse than a disservice to readers; it’s just plain untrue.

The fact is clickjacking is a very serious flaw and no one has come up with a complete solution (though the latest version of the Firefox add-on NoScript handles about 99 percent of the known cases). At the moment clickjacking isn’t widely exploited in the wild, but don’t expect that to last. It’s an easy attack to implement and very hard to stop, which is a recipe for disaster.

The unfortunate fact of the matter is that, despite some attempts at reassuring headlines, the internet will likely always be a dangerous place for web surfers. By the time a solution for clickjacking emerges a new threat will come to light. The larger answer to the problem is to make sure users are informed, know about potential risks and minimize their exposure.
