IT Security Blog

Web Browser Security

By

There can be no assurance of complete security based on the choice of browser used.  Each of the more popular browsers has its specific vulnerabilities that can be potentially attacked by malware and viruses.  Even software features that are supposed to provide functionality to the chosen web browser may initiate vulnerabilities in a system. 

Computer users can use several browsers by assigning one per nature of transaction.  It is important however to understand which browser supports a particular feature and their corresponding risks.  Each one has to be properly configured so as to minimize possible vulnerabilities.  Browsers are typically pre-installed in computers.  Owners of newly-acquired computers just need to learn how to securely configure them through documentation provided by vendors.  Additional information can be requested from them should the need arises. 

The Microsoft Internet Explorer (IE) browser is an application that comes with the Microsoft Windows Operating System.  Its removal is not recommended primarily due to practicability and its continued leadership in relation to the number of users.  Enabling greater security for the web browser can be done through the security tab. 

The Mozilla Firefox browser has many features similar to Internet Explorer.  There is a specific menu that can help IE users to better understand the difference between the two.  Settings for Mozilla Firefox can be edited while the corresponding options for other required changes are provided. 

The Google Chrome web browser was first used as a beta version for Microsoft Windows.  It has overtaken Mozilla Firefox as second place with the most recent study of worldwide usage share.  To date, it has managed to prevent exploitation of whatever security vulnerabilities exists.  A recent Accuvant Study ranks Google Chrome first, IE second and Mozilla Firefox third for best browser security.

Is Your Latest Firefox Safe?

By

It hasn’t been a month since the latest Firefox Update was released, but it has already caused a considerable stir. As with a lot of software releases (and usually with Internet browsers), Firefox 3.6 comes with a flaw. This isn’t really all that surprising, is it?

Anyhow, this flaw was discovered by Evgeny Legerov, the founder of Intevydis. This is a company that specializes in providing IT security solutions for various situations. The flaw discovered by Legerov was taken so seriously by the German government that it issued advisories to the effect that users should stop using this version of Firefox until Mozilla gets it fixed. To Mozilla’s credit, they were right on top of things – they went ahead of schedule and fixed the problem. More from eWEEK:

According to Mozilla, the Web Open Font Format (WOFF) decoder contains an integer overflow in a font decompression routine. As a result, too small a memory buffer could be allocated to store a downloaded font, and an attacker could exploit the situation to crash a victim’s browser and execute arbitrary code on the system.

The fix is contained within Firefox 3.6.2, which was initially scheduled to be released March 30. After the German advisory however, Mozilla announced it was moving up the release date. While security researchers are divided on the idea of switching browsers every time a vulnerability appears, it was not the first time a government had made the recommendation.

So is the latest version safe? Only if you download 3.6.2!

zp8497586rq

Safe Eyes Mobile

By

iphoneHave an iPhone? Or maybe you have another smartphone. Personally, I am setting my eyes on the Google Nexus One. It’s just as pretty and from most accounts, it is even more functional than the Apple iPhone.

In any case, most everyone has a smartphone now and that means that their children are getting exposed to mobile computing as well. If you think that it’s such a headache to ensure that children are protected when they go online on laptops and home computers, then think again. It’s even more of a hassle to make sure they are safe on mobile platforms!

One thing you can do about the iPhone is to use the built-in parental control. More than that, however, you can check out Safe Eyes Mobile, a web browser made specially for the iPhone. It gives you additional control on top of the parental controls that the iPhone has.

Forrest Collier, CEO of InternetSafety.com endorses this mobile web browser:

“Apple has gone a long way toward child-proofing the iPhone with the new parental controls in the iPhone 3.0 software, but those controls apply only to content that Apple itself distributes through iTunes and the App Store. They don’t address the #1 source of objectionable material: the Internet. If you combine Apple’s parental controls with a browser that blocks pornography and other offensive websites, however, you can completely protect your child from harmful content both online and off.”

At the end of the day, these are excellent tools but I believe that your parenting skills will still emerge as the most important factor.

Google Chrome Even More Secure

By

google-chrome-logoFrom Internet Explorer to Mozilla Firefox to Google Chrome – that’s the path that many computer users have followed in the past years. Personally, I have stuck to Mozilla but I do use Chrome every now and then when I want things to go much faster. But did you know that Google’s streamlined browser has its share of security issues as well?

This is not really that surprising. After all, most any product you see in the market will be exploited by those who want to do so. In any case, Google has come out with updates to their browser, making it more secure for us users.

The most recent update for Google Chrome fixes some issues on how the browser handles Javascript and XML. For the Javascript engine, the fix makes sure that an infected web site will not allow malicious Javascript to run arbitrary code. You and I know very well that the phrase “run arbitrary code” simply translates to “install malware.” With this problem supposedly fixed, Chrome is definitely safer.

Another fix deals with the possibility of a web page using XML to, again, run arbitrary code. This happens when the malicious XML crashes a Chrome tab.

Last, the Chrome update will not allow you to connect to “HTTPS (SSL) sites whose certificates are signed using MD2 or MD4 hashing algorithms.” The reason for this is that these algorithms are prone to hacking and that it is relatively easy to pose as a fake HTTPS site.

For more detailed info, read it from Google’s own blog.

Photo courtesy of Ivan Zlatev

Mozilla E-Store Hacked

By

mozilla_firefox_readerszoneThis piece of news is not so good for Mozilla. It had to shut down the operations of its online store late on Tuesday because of an alarming finding. The fact is that the firm that Mozilla had hired to deal with their backend operations has suffered a security breach. Mozilla immediately issued a statement about the issue:

Today, Mozilla discovered that GatewayCDI, the third-party vendor entrusted to run the backend of the Mozilla Store, suffered a security breach. Once notified, we took the immediate preventative step of shutting down the Mozilla Store to ensure that no additional users could be compromised.

And just to be sure, the company immediately shut down the international version of their online store. While this was not really necessary since the international edition is being maintained by a separate company, Mozilla still shut it down as a precaution. As of this writing, there is no news yet as to the whether the security breach has been fixed. Indeed, Mozilla did not even really divulge details as to the nature and extent of the breach. I guess it is enough that they owned up to the issue and that they took immediate steps to stop the problem before it became serious.

And in case you were not aware of what Mozilla offers in its online store, this is where you can get T-shirts, coffee mugs, backpacks, mouse pads, and all sorts of other things that you can buy with the popular Mozilla logo prominently printed on them.

Moral of the story? Even one of the best IT companies in existence today is prone to hacking. Us “mortals” should learn from this.

Get Your Firefox 3.5.1

By

firefox-logoThis is the first minor point release in the 3.5 series of Firefox. The main reason for this patch is a security flaw in the TraceMonkey JavaScript engine of the browser. We have “zbyte” to thank for the discovery of this flaw. This Firefox user reported that his browser kept on crashing each time he tried to type text in an input box on the site apport.ru. Zbyte sent this bug report in on July 9, and less than a month later, Firefox developers were able to find the reason for the bug AND send out a fix as well.

Anyhow, the TraceMonkey JavaScript engine is a huge development on Mozilla’s part. With the bug concerning the engine, however, Firefox users are left vulnerable to exploits. In fact, a malicious web site can take advantage of this bug and execute arbitrary code. The developers reacted quickly, though, with Firefox 3.5.1 as the result.

By the way, soon after the bug was fixed, news circulated that there is another bug. This is utterly believable – bugs abound anyway. In fact, researchers Berry-Byrne and Andrew Hayes discovered this bug in the “escape” function. The good news is that they strongly believe that this bug is not exploitable. That means that while those who encounter this bug just might be bugged about it (no pun intended), we are not in danger – security wise.

In any case, you might want to get the latest patch for Firefox, if you have not already.