Saturday, December 13, 2008

Browser Bullets: #3

Browser related items from the past week.

Commentary provided at no charge…


Yep.  Firefox 3.1 beta 2 was released this week to the public and curious.  I duly updated my systems. It’s stable and fast on my systems.

  • First look: Firefox 3.1 beta 2, now with private browsing – Ars Technica – Good master-review of the newest features and additions in this version.
  • Firefox 3.1 nightly finally gets linking in source viewer – Ars Technica – Very minor but cool feature.  When you view source in a webpage, the source-code URLs are now hyperlinked so you can do direct jumps as needed and no longer need to copy/paste them into the address bar.
  • Privacy, tabs and web content overhaul in Firefox 3.1 Beta 2 - Mozilla Links – Wonderful detailed review of the finer updates and changes making their debut in 3.1 b2 including enhanced program updating information, new session-restore dialog window and feedback provides bad-site recovery isolation, multiple-bookmark management, tagging refinement, among many others.
  • Mozilla Project Weekly Status: December 8th - Firefox Extension Guru’s Blog – What’s next!
  • Tip: Dragging Current Page to Bookmarks Folder - Firefox Extension Guru’s Blog – Firefox 3.1b2 now brings “tab-tearing” to Firefox.  That could be a good thing but many Firefox users are likely to find a realm of issues getting used to this new “feature”.  Previously I drag-n-dropped tabs into bookmark folders for my bookmark capture.  Now with tab-tearing, this creates all manner of havoc. New Firefox windows for tabbed pages littered my system.  The Guru’s tip? Instead of using the tabs to bookmark, drag-n-drop the favicon for the page on the address-bar. Simple and it works.  Now if I can just unlearn my previous bookmarking habit.

First Ever Firefox Malware Attack? NOT!

  • Firefox extension used as password stealer? – SANS ISC. First wind blew in regarding a rogue Firefox Add-on.
  • Firefox Malware? – meandering wildly blog – Johnath provides information on the attack vector (users have to be tricked into downloading and installing the bad .xpi file) and identification (look in your extensions Add-on list).  From that post:

    Does This Mean that Firefox is Insecure?

    No, and here’s why:

    • This particular malware targets our program, but once you have malicious software running on your system, it can just as easily attack other programs, or harm your computer in other ways.
    • This isn’t contracted by just browsing around the web with Firefox 3. In fact, the Malware Protection features in Firefox 3 are designed specifically to prevent sites from being able to attack your computer.

    The people getting infected here are either downloading enticing files that have the malware hiding inside (which is why Firefox 3 hands off all downloads to your computer’s virus scanner once downloaded) or, as some sites are reporting, people who have already been infected in the past having their computers forced to download this file as well.

    Typical Firefox 3 users who avoid downloading software they don’t trust are unlikely to ever see this, and even the sites reporting it describe its incidence as “rare”.

  • Trojan.PWS.ChromeInject.B – BitDefender write-up on the technicals.

Of course they make a really lame statement trying to appear cutting-edge in their response.

It is the first malware that targets Firefox. The filtering is done by a JavaScript file running in Firefox's chrome environment.

Many other tech sites took up the salaciousness of this statement and, in typical security consciousness on the web, ran with that as the hook.

Umm. Not even close.

Lest we forget so soon, installation of malware into Firefox has been a rare, but not unheard-of, occurrence for regular Firefox users and watchers.

  • Firefox add-on contains malware - heise open source UK – Remember this one from May 2008? It contained malware in a Vietnamese language pack add-on for Firefox on the servers of the Mozilla project and had been floating around since at least February 2008.
  • FormSpy - Spyware program hooks into Mozilla Firefox - Harry Waldron - Corporate and Home Security.  This bad-boy dates all the way back to July 2006 and in fact is remarkably similar to the current version in that its purpose is “…monitoring the user's browsing habits, stealing information including monitoring and logging information from Web forms”

As Johnath pointed out, users who don’t download unsolicited software/add-ons via email enticements and who use common sense are in no way going to be fooled. Those users who do this regularly probably already suffer from bigger problems, the least of which should be blamed on Firefox or any “vulnerabilities” of this particular sort.

Finally, attempting to bring calm to this misguided train-wreck is Dancho Danchev, who hasn’t forgotten previous attempts with malicious xpi file add-ons.  He suggests the damage is likely to be minimal at best. From his “Password stealing malware masquerades as Firefox add-on” post over at ZDNet:

Despite the novel approach used, the malware would have made a huge impact if it were released several years ago when E-banking authentication was still in its infancy since plain simple keylogging is one part of the session hijacking tactics used. And while they will indeed obtain the accounting data, this is no longer sufficient for a successful compromise of a bank account. In comparison, the techniques used by sophisticated crimeware like Zeus, Sinowal and Wsnpoem undermine the majority of two-factor authentication mechanisms used by E-banking providers, since once you start doing E-banking from a compromised environment nothing’s really what it seems to be anymore.

Enough said.  Lest I begin to sound like an Apple fanboy.


A number of goodies here.

  • Official Google Blog: Google Chrome (BETA) – Official Google Blog – Recent updates have convinced Google to remove the beta designation on Chrome.  Well deserved.
  • Google Code - Browser Security Handbook landing page – Great write up from Google on issues related to web-browser security.  This is not Chrome specific and provides a wonderful read for technically minded folks on browser security.
  • Google’s Chrome Team Mulls Local File Restrictions – InformationWeek. Thinking here is that Chrome might be better locked down in the way it is allowed to handle and execute local web-page format files on the system.  It is sensitive for Web-hosted page files, but security permissions might be looser locally and could be used for malicious purposes.
  • Chromium Nightly Updater v1.2 – I don’t use Chrome, but Chromium instead and the nightly updates in particular.  Since the internal updater doesn’t function very well with these, I use this to help me keep an eye on the latest versions.  This update adds a number of great and needed features:
      • Now checks the last 5 builds to see if one of them is working instead of just the last one.
      • Better informational messages.
      • Fixed: The URL to the page listing the latest builds was changed by the Chromium devs, thus causing the updater to always report it [the build] as not working.
      • Fixed: In certain situations the build status could be reported incorrectly.
      • A few other minor improvements and bug fixes.

  • Just another chromium updater - Google Chrome Forum – Alternative version that does the same thing but has a different layout and some different features.
    • retrieve logs/builds information partially.
    • get the latest 20-30 revision record with available download links in just 20s.
      (this depends on your net speed, the faster your network is, the more records you get.)
    • upper-casing keywords (update, bump, fix... etc) in revision logs
    • simple download function.
    • copy file link to clipboard on double-click on the links

  • Chromium Updater v1.01 – One last updater that is pretty simple. Run, downloads latest versions and installs the update. As a control-freak I want to do the unpacking and installing myself, but for those who don’t care, perfect.

In other IE Vulnerability news…

Yes, I do know about that current “0-day IE exploit” thing, but this isn’t related to that one.

This involves an XSS weakness found in IE 8 Beta 2.

Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities – cgisecurity blog.  Reported by Rafel Ivgi, I can only hope this one gets fixed in the next IE 8 Beta release. As explained in the first link, quoted from the source second link:

"Aspect9 has discovered several vulnerabilities in Microsoft Windows Internet Explorer 8.0 Beta 2. This new version of Microsoft's famous browser includes new security improvements such as a Cross Site Scripting (XSS) filter. This version also includes a new object that safely allows transferring data across domains, allowing them to interact with each other.

The Anti-XSS filter has been found to have some security holes in the current implementation. Microsoft decided to filter "Type 1 XSS" which is free text sent to the server being reflected to the user and therefore injecting HTML code into the website's page. They chose not to handle certain situations such as injection into a JavaScript tag space, which would be extremely difficult to filter. The software giant also chose not to filter injection into HTTP headers, which will drive hackers to focus on discovering CRLF vulnerabilities."

There you go!

--Claus V.

1 comment:

Anonymous said...

"Now if I can just unlearn my previous bookmarking habit."

And I am sure that is going to be a case of 'easier said than done'!