Tuesday, January 31, 2012

Mozilla Firefox 10 Released, Includes Security Update


Mozilla released Firefox 10 today, including a major change that will make both developers and Firefox users happy -- default compatibility of almost all add-ons.

Although default compatibility of add-ons will make a lot of people happy, the feature tracking entry for "Add-ons Default to Compatible" in the Mozilla Wiki indicates that this change is "prioritized as a P1 and part of achieving 'silent update'."

Security Update

"Title: Frame scripts calling into untrusted objects bypass security checks
Impact: Critical
Announced: January 31, 2012

Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 10.0, Thunderbird 10.0, SeaMonkey 2.7

Description: Mozilla security researcher moz_bug_r_a4 reported that frame scripts bypass XPConnect security checks when calling untrusted objects. This allows for cross-site scripting (XSS) attacks through web pages and Firefox extensions. The fix enables the Script Security Manager (SSM) to force security checks on all frame scripts."

What's New

The Release Notes list the new and fixed features in version 10.  The numerous bug fixes are in the link available in References.
  • NEW -- The forward button is now hidden until you navigate back
  • NEW -- Most add-ons are now compatible with new versions of Firefox by default
  • NEW -- Anti-Aliasing for WebGL is now implemented (see bug 615976)
  • NEW -- CSS3 3D-Transforms are now supported (see bug 505115)
  • HTML5 -- New element for bi-directional text isolation, along with supporting CSS properties (see bugs 613149 and 662288)
  • HTML5 -- Full Screen APIs allow you to build a web application that runs full screen (see the feature page)
  • DEVELOPER -- We've added IndexedDB APIs to more closely match the specification
  • DEVELOPER -- Inspect tool with content highlighting, includes new CSS Style Inspector
  • FIXED -- Mac OS X only - after installing the latest Java release from Apple, Firefox may crash when closing a tab with a Java applet installed (700835)
  • FIXED -- Some users may experience a crash when moving bookmarks (681795)

Known Issues

  • Two-digit browser version numbers may cause a small number of website incompatibilities (see 690287)
  • If you try to start Firefox using a locked profile, it will crash (see 573369)
  • For some users, scrolling in the main GMail window will be slower than usual (see 579260)
  • Some Synaptics touch pads are unable to scroll vertically (see 622410)
  • Firefox notifications may not work properly with Growl 1.3 or later (see 691662) (unresolved in v10; resolved in v11)
  • Under certain conditions, scrolling and text input may be jerky (see 711900)
  • Silverlight video may not play on some Macintosh hardware (see 715396)

The upgrade to Firefox 10 will be offered through the browser update mechanism.  However, because the upgrade includes a critical security update as well as many bug fixes, it is recommended that the update be applied as soon as possible.  To get the update now, select Help, About Firefox, Check for Updates.

If you do not use the English language version, Fully Localized Versions are available for download.

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Monday, January 30, 2012

When imitation isn’t a form of flattery

Rogues (fake antivirus programs) have been around for many years.  Members of the security community and people who have been on the Internet for a number of years will recall the various "SpyAxe", "SpyTrooper" and associated rogues in 2005, which we relied so heavily on the smitRem tool developed by "noahdfear" to remove.

Over the years, the rogues have evolved, many with rootkit components.  Just like clever phishing e-mails, the rogues are also very convincing, with legitimate-looking windows, as they attempt to convince people to fork over hard-earned money in order to "clean" the infected computer.

Today, we are faced not only with rogues imitating Microsoft security software but also with scammers telephoning unsuspecting people, attempting to obtain remote access to their computer.  These scammers misrepresent themselves as calling on behalf of Microsoft or as Microsoft technicians.

As illustrated in When imitation isn’t a form of flattery, by Jasmine Sesso, MMPC Melbourne, Microsoft is not only adding the rogues to detection but also warning customers that Microsoft will NEVER call anyone to tell them that their computer is infected.  As clarified in the article:
  • "Our consumer products, namely Microsoft Security Essentials, Safety Scanner and Windows Defender are available to all genuine Windows users for free. That's right – we offer these products at no cost! So please, do not enter your credit card details into a program that looks like one of ours, as this is most likely a rogue.
  • We do not pop up on your screen every 30 seconds, minute, 90 seconds, etc. Rogues, however, will pester you and pester you until you either a) click OK and concede to buy their malicious program, or b) remove them once and for all with a reputable antivirus.
  • Microsoft will never cold-call a user. Ever. If you receive one of these phone calls, hang up."

Note:  Never click on the rogue pop-up window.  Even attempting to close the window by clicking the "X" will result in giving permission to continue with the installation.  Instead, use the keyboard command Alt + F4 to close the window.  Follow with an updated scan with your onboard antivirus software.

Please also note this excellent advice included in the article:

"We will continue to fight the good fight, and do what we can to prevent the spread of malicious programs; but in the meantime, stay safe online, and think twice before handing over your credit card details to a third party you cannot verify – like one displaying pop-ups, or on the end of an unsolicited phone call."

Read the full article on the MMPC Blog: When imitation isn’t a form of flattery.




Wednesday, January 25, 2012

Data Privacy Day 2012

Data Privacy Day is an annual international celebration designed to promote awareness about privacy and education about best privacy practices.

The 2012 international celebration of Data Privacy Day is scheduled for January 28.

Why the concern about privacy?

What may begin as a casual Facebook update or an innocuous tweet could easily come back to haunt you down the road.  Unlike writing something on the bathroom wall, which can be easily painted over, what we do online is permanent.  This includes status updates or comments on a friend's wall in Facebook, tweets, e-mail and online chats.

All of these online activities contribute to your online reputation -- a reputation that can impact being accepted to the college or university of your choice or a future employment opportunity.

Disclosing too much information online can also lead to identity theft, resulting in the loss of personal data, such as passwords, user names, banking information, or credit card numbers.

Protect Your Privacy

Take steps now to protect your privacy.

Don't share too much personal information online.  Having your date of birth, address, where you went to school, mother's maiden name, and other personal information available to the public is the first step to identity theft.

The public does not need to know every location you "check in" to via your smart phone, and neither do the burglars!

Take advantage of the enhanced security and privacy features available in the browser you use.  (See my article, Internet Explorer 9, Privacy and Security Enhancements, for tips on protecting your privacy and security.)

Use caution when accepting friend requests in social media venues such as Facebook.  Just because someone sends a friend request, it is not necessary to accept it.  Be certain the person is someone known to you.

Parents need to monitor the online activities of their children.

Resources

Take advantage of the helpful resources below, which include information on privacy settings for Microsoft products and excellent advice from Sophos on Facebook privacy.

Related:  Data Privacy

