Better Safe Than Sorry

Firefox 3.5.6 Available

The latest Firefox has a slew of security and stability fixes and you should upgrade ASAP.

Okey-dokey?

Firefox Update

Y'all better check yer Firefox to see that you are running version 3.5.5 - if you aren't then run a manual upgrade (Help - Check for Upgrades). You might also set Firefox to automagically download and install upgrades:

Damn Yer Quiz, Facebook!

I thought Facebook was a means where by one could (virtually) keep in touch with loved ones, friends and colleagues? A place to share pictures and thoughts? Now it appears cluttered with quizzes, games and virus-filled applications. Yeech. Greasemonkey to the rescue!

What? Never used Greasemonkey? Hmmm . . . You do use Firefox, right? Check this previous post.

Firefox Plugs Microsoft Security Hole

If you use Firefox (and you should, imho) you have probably already seen a pop-up alert informing you that it is blocking Microsoft`s .NET Framework Assistant and Windows Presentation Foundation add-ons that were stealthily installed by Microsoft earlier this year.

This hole was supposed to have been fixed earlier by having users edit the Windows registry - but this idea stunk because editing the registry is potentially dangerous. Microsoft later released a simple point and click removal tool - except this left behind the Windows Presentation Foundation plug-in which is what was just killed by Mozilla.

So, the confusion up to now has been addressed by both Mozilla and Microsoft to remove both nasty bits. Whew!

Critical Firefox 3.5 Security Flaw

The newest Firefox, version 3.5, includes Tracemonkey, a new feature designed to speed up Javascript scripts. A flaw within Tracemonkey could allow attackers to remotely install evil software when users visit compromised Web sites.

A simple fix is available until the next patch fixes the vulnerability:

1. Open up a new Firefox window and type ‘’about:config‘’ (without the quotes) in your browser's address bar
2. In the ‘’filter‘’ box, type ‘’jit‘’ and a setting called ‘’javascript.options.jit.content‘’ will appear.
3. If the setting is set to ‘‘true’’ it means the option is enabled.
4. If it is, double-click on the setting. This should change the option to ‘’false‘’ disabling it.

Twitter Awareness

The recent cross-scripting attack on the newest buzzword universe called Twitter is merely another bump on the rocky road through Interpipe 2.0

These XSS attacks are the bane of Web 2.0 and will cause disasters for individuals who refuse to become aware of their online surroundings. Compound this with users who remain clueless about what is running on their PC's and you have a large impediment in the push through to Web 3.0 applications.

Now add smartphones and netbooks to the mix ;(

For a fine write up on the Twitter XSS attack see: http://twittercism.com/protect-yourself-on-twitter/

Be sure to check out the fine tip from Twittercism about XSS busting using Firefox browser with the Add-on NoScript with screencaps from Better Safe Than Sorry here.

The Ultimate Greasemonkey Script

Oh baby! Where have you been all my life!

Greasemonkey has always been a killer add-on for Firefox. Little scripts that work within Firefox to address many of the issues folks have with various websites. Simple things like adding easy to print pages to sites that have so many graphic ads that printing was a paper and ink nightmare.

The problem was that one had to go to the giant repository of Greasemonkey scripts at Userscripts.org search for the one that might address your specific problem and install it.

Well, a new script called Greasefire does all this for you. Once installed the Greasemonkey icon appears, in a slightly different form then you are used to, in the Firefox taskbar.

From then on if you browse to a site that any Greademonkey scripts that are related to it the icon turns a lovely shade of red.

If you then right-click on the icon it will further inform you of how many scripts are available. In this case our example shows the enormous number of scripts available at the uber-geek site slashdot.org.

Clicking on the top line (the one indicating how many scripts are available) opens up a window giving descriptions of the scripts. Clicking the giant grey button on the right towards the bottom initiates the usual Greasemonkey install routine.

So, if you have not yet installed Greasemonkey and Greasefire get thee hence to Userscript.org and help yourself to some great Add-ons.

Severe IE Vulnerability

An unpatched vulnerability in Internet Explorer 7 (which also affects older versions of the browser as well) is on the loose. Microsoft has stated that IE 5.01 with SP 4, IE 6 with or without SP 1 and IE 8 (Beta 2) on all versions of the Window OS are affected. To complete the horror IE 7 on Windows XP SP 2 and 3 and Windows Vista with or without SP 1 are also vulnerable. Web sites are now actively exploiting the vulnerability. One has to merely view a Web site in order to have a Trojan horse program automatically downloaded to their machine. Once downloaded the evil doers can manipulate the rogue program to download other software which could perform actions such as sending spam emails or steal data. Since Microsoft's next patch is not due until January 13, 2009 one would be wise to use an alternative browser such as Firefox or Opera. Just sayin' . . .

Firefox Greasemonkey Targeted

A new type of malware that collects passwords for banking sites is in the wild. In this instance it only targets Firefox browser through the popular Greasemonkey script. The malware uses JavaScript to identify some 100 financial web sites (including PayPal). It then harvests logins and passwords which are forwarded to a server in Russia.

So, short of disabling or uninstalling Greasemonkey your best defence is the usual: do not download anything, including Firefox add-ons, from any site other than Mozilla's, do not visit dubious sites located in dubious domains (such as .ru) and always have your firewall, anti-virus, router and brains active ;)

Firefox Update Available

Get it while it's hot. This update fixes one bug: ‘’where users were unable to retrieve saved passwords or save new passwords‘’.

Yikes.

Click on ‘’Check for Updates‘’ from the Help menu to update and don't forget to restart Firefox for the update to take effect.

 

Patch your Flash NOW

RealPlayer Exploit

User of Internet Explorer under Windows are vulnerable to drive-by downloads simply by visiting an evil Web page. As usual, it is an unknown and unpatched ActiveX component that is causing the problem. Note that both Microsoft Outlook and Outlook Express clients are also at risk. Best practices? Uninstall RealPlayer, use an alternative browser such as Firefox or Opera and use another email client such as Thunderbird or Penelope. Those who just can't part with RealPlayer should visit http://service.real.com/realplayer/security/en/ and (when available) download and install the patch. Ryan Naraine over at ZDNet.com has a great write up with info and fixes.

Google: 1 in 10 Websites Unsafe

Especially if you use Internet Explorer as opposed to Firefox or Opera. The chance of being nailed by a "drive-by download" is almost non-existent when using any browser other than Internet Explorer. Do yourself a favour and try a safer alternative.

Firefox Password Manager Compromised

It seems a flaw in the way Firefox handles passwords is enabling evil doers to create Phishing holes at sites where .html is allowed such as myspace.com - no fix has been issued but Secunia is advising users to disable the "Remember passwords for sites" option in Firefox preferences.

Firefox 2.0 Released

All the downloads are here: http://www.mozilla.com/en-US/firefox/all.html.

MySpace.com + IE Flaw + Known Exploit = Chaos

It appears Internet Explorer is again being exploited by evil Windows Metafile (.WMF) images. Worse, these images reside on MySpace.com with some 50+ million users. This exploit quickly follows the most recent Microsoft Update forcing drastic action from someone.At out-of-cycle patch from Microsoft or a third-party fix from a two-person shop in Guyana all works for me. Until a fix appears use an alternative browser such as Opera or Firefox.

MS PowerPoint Attachment Trouble

If you receive an email from an unknown Gmail address and it contains an MS PowerPoint presentation then delete it.

Firefox mailto: exploit

This exploit could cause your default email client to launch allowing spam to escape. Or it could simply slow down your PC. The quick 'n dirty fix is here.

Firefox Update Available

The latest version of Firefox that includes several important security updates is available. Click Help . . . Check for Updates.

Firefox 1.5.0.1 Update

At around 6:00 EST the following appeared on my screen:

Woo-hoo! Firefox is doing its first auto-update. I had plum forgot that it was going to happen.
After Firefox restarted the following loaded showing all is well:

Excellent!

The Thirty Day Rule

An old Javascriprt vulnerability in all Firefox versions prior to 1.0.5 has taken on a new life since the code to take advantage of it has been published on the web. Those of you who are still happily using older versions should upgrade. Best Practices: Always upgrade to the latest version of software at about the thirty daymark after its release because . . . a) This gives any bugs in the release time to be found by all those early adopters allowing the developers time to patch the bug. b) Not enough time has passed that evil virus writers have released exploits. c) Authors of plugins and other add-ons (such as Firefox extensions) will have had time to patch their products.

Aardvark

Phishing with Google Desktop & Internet Explorer 6

If you use Google Desktop and Internet Explorer 6 you run the risk of exposing information on your PC to evil web site operators. The details are here: http://www.theregister.co.uk/2005/12/03/google_desktop_vuln/. The solution? The usual - use Firefox or Opera ;-)

Firefox 1.5 Released

The latest and greatest Firefox browser has been released. If you still use Microsoft Internet Explorer do yourself a favour and try the latest Firefox - you'll be more secure and enjoy a host of features you just don't find with IE. The download is here: http://www.mozilla.com/firefox/.

Windows Live Accepts Reality

Firefox 1.0.7 Released

It's new. It's improved. You should download it from http://www.mozilla.org/products/firefox/.

Firefox Vulnerability Reported

Firefox appears to have a problem handling URLs that contain a certain character in the domain name. This can be exploited to cause a buffer overflow. This results in a possible compromised system. The only solution thus far is to "avoid untrustworthy sites". Uh-huh. You may want to switch to your install of Opera until the patch is released. What, you don't use Opera? You've never even tried it? Oh, c'mon, what are ya new? Get it at http://www.opera.com.

Rogers Yahoo Software Centre

I received an email from my ISP, Rogers.com, letting me know about a new bundle of security applications that are free for subscribers. So far so good. I launch the URL and am taken to the sign-in page and finally to the welcome page, where the whole process screeches to a halt because I am using Firefox and not Internet Explorer. Not supported. You must upgrade to IE 6.

Not bloody likely am I downgrading. I use Firefox and Opera, thanks.

So, I decide to at least fire up my IE 6 (oh, yes, I have it for just these wonderous occasions) and see what Rogers-Yahoo is offering for security.

None of my business it appears! Oh, you get anti-spyware, anti pop-ups, etc but it does not say whose software. I spend my time educatng people to check that what they download is legit and not spyware or virus filled and here my own ISP is keeping its clients in the dark.

Finally, the (limited) info explains that, "As part of the installation process, we will need to check your computer to determine what Rogers Yahoo! software is currently installed."

My goodness, I don't like the sound of that. Do you suppose they may actually be checking to see if the applications on the CD they insist you install upon joining Rogers is still there?

Good intentions badly carried out.

Firefox Version 1.0.6 Released

Hot on the heals of release 1.0.5 Mozilla has introduced the better, faster, stronger . . . um, actually this release merely patches the previous release which buggered a bunch of extensions. So, if after installing version 1.0.5 all your extensions failed you should upgrade.

Mandatory Greasemonkey Update

Users of Greasemonkey are strongly urged to either install Greasemonkey 0.3.5, or else disable or uninstall Greasemonkey completely. A security flaw allows any website which matches at least one user script (even * scripts) to read any local file on your machine, or to list the contents of local directories.

Scribe Firefox Extension

Adds Word Processor like functionality to web forms, including opening and saving form entries as files.

Excellent. Never again will you lose submitted data into the ether when the form you send craps out. Forgotten form data on topics of interest will be recoverable. Ah, extensions . . .

Are Ya Yellow?

After upgrading your Firefox check the update icon to the right of the Help. If it is green or yellow (see below) then click it to update your extensions and/or themes.

Software Install In Firefox

Firefox can be made to disable the installation of software, allow all software to be installed or selectively allow named web sites to install software.

In our case we assume that since you are reading this your install has failed because Firefox has software install presently disabled. We will now turn it on for this site only.

First, copy the domain address that you wish to add - "addons.update.mozilla.org" (without the quotes)

Just above the Window on the left you should see text similiar to the graphic on the left.

At the extreme right of the text (above) you will see a button entitled "Edit Options..." similiar to the graphic on the right - Click it.

Place a check in the box for "Allow web sites to install software" then click the "Allowed Sites" button on the right.

Here you can see that sites may be added or removed. The safest and easist way to surf is to disable the ablity of sites to install software except for specific sites you know to be safe. To access this window at other times click Options - Web Features.

In the "Address of web site:" window paste the text you earlier copied and click the "Allow" button. Now click the "OK" button.

That's it - now when you come back to this site Firefox will allow it to install software. When you happen upon other safe sites you can selectively add them to the list of allowed sites.

Installing Firefox Extensions

Firefox adds to its functionality by making it possible for anyone to add what are called "extensions" to the browser. These extensions are available at the Mozilla site here - The easiest way to be informed of new extensions is to add the following feed to your RSS aggregator.

I suggest you check out the existing extensions - many are very useful for specific purposes.

On the other hand there exists the Abe Vigoda Status Extension - but who are we to judge?

Time to install Formfox - Open this link in a new tab.

About half way down the page you will see a tan box with the words Install Now - Click it.

The Software Installation dialogue box will initially grey out the Install Now button forcing you to consider the security implications of what you are doing. Since this site is known safe we will continue. Once the Install Now button turns its regular colour we can click it to continue the installation.

The Install Now button has turned its regular colour and it has a big green check mark so click it to continue. The dialogue box (below) will pop up.

To be able to use the extension you must restart Firefox as indicated in the Extensions dialogue box. Before you do check the last two pics below. To access this dialogue box at other times click Tools - Extensions. From here you can Update extensions, uninstall extensions and check for new extensions.

Here we have an example of the Formfox extension at Google.ca - With the mouse hovering over the Google Search button we can see that the form will indeed be sent to http://www.google.ca/search and NOT http://www.russian-mafia.ru !

Every so often - and ALWAYS after upgrading Firefox itself - click the icon to the right of the Help text button - Firefox will check all the sources for your installed extensions and if there are updates or newer versions it will prompt you to install them. In some instances updates to extensions will take time and for a period after installing an updated Firefox some extensions won't work - indeed there have been extensions that have remained broken and were eventually uninstalled :-(

Firefox Extension: Formfox

Mozilla Firefox 1.02 Released

Time to update the 'ole browser. Click on the update button and follow the instructions.
>
>

Merriam-Webster Firefox Tools

Firefox IDN Spoofing Flaw Fix

No More Internet for Them

Internet Explorer Flaw Now 'Extremely Critical"

The 10 Immutable Laws of Security

Portable Firefox on a USB Drive

MyDoom variant exploits IE flaw, again