Mozilla to Leave Bugs in Firefox 3?

Apparently, Mozilla will be fixing only 20% of the bugs currently on file for Firefox 3’s final release. There are now about 700 bugs marked “blockers” in the tracker, but only 140 of those will be fixed before the final FF3 release. (Blockers are bugs that justify delaying a release, in Mozilla’s terminology.) It’s surprising to me that Mozilla would be willing to leave that many bugs in; the planned bugfix schedule leaves 550-plus bugs still in the browser. Supposedly, they are prioritizing bugs based on their effect on everyday user experience, but I suspect the real reason they’re…

Microsoft Finally Patches URI Handler

So, Microsoft has finally finished testing the URI handler patch, and it was pushed out via Windows Update yesterday. I guess that means the ShellExecute() function is now properly sanitizing links it gets from external programs. That makes it a banner day for security, since many vulnerabilities in software applications have now been fixed at a central location. Microsoft also fixed a flaw in the Windows DNS server, eliminating one attack vector for man-in-the-middle exploits.

Leopard Has Other Problems, Too

Besides disabling the firewall by default and not updating included software, Apple’s Leopard upgrade even has holes in its security measures — an ironic concept by any other name. For example, the “Library Randomization” feature (similar to Windows Vista’s Address Space Layout Randomization) is supposed to keep code from predictably loading in the same memory spaces, making buffer overflow attacks much more difficult, but some parts of the operating system that should have been randomized are still in predictable locations, most notably the Dynamic Link Library. One of the security researchers putting Leopard through its paces notes that he’s…

Apple’s Spotted Firewall: Tsk Tsk

Apple has been selling the new Leopard OS X upgrade on its improved security, but it’s not as secure as you might think. By default, the firewall is set to off, the opposite of Windows Vista. (Why don’t people talk about XP anymore?) Even with the firewall enabled, incoming connections targeted at certain system services can still succeed; researchers were able to access the NetBIOS Name Service over a LAN with full blocking enabled. Not the ideal setup. UDP can’t even be turned off from within the OS controls. Apple also doesn’t include the latest versions of bundled open-source…

PDF Spam Malware

A new malware-distribution scam is sending out fake order-confirmation messages with “self-extracting” attachments (EXE files) that supposedly contain PDF order summaries, but really drop a Haxdoor/Goldun payload (the name depends on which antivirus program you ask) that can severely compromise your computer’s security: it steals passwords, gives a hacker control of your PC, and displays ads. Some variants can also disable anti-virus and anti-spyware apps and firewalls. The scary part of this scam is that it is constructed in such a way that many users will probably fall for it. It appears to prey on the modern public’s knowledge…

What Do I Do About a Vulnerability I Find?

If you discover a security vulnerability in the computer system at your workplace or school, do you report it? Whistleblowers of late seem to have a record of getting punished (expelled, fired) when they report a security problem. A student at Western Oregon University, for example, narrowly escaped expulsion when he discovered a file containing names, SSNs, and GPAs for 50-100 students at the school. He sent a copy to the school newspaper, which ran a four-page special report on his discovery. The student was disciplined by the university, and an adviser to the newspaper was, according to another student,…

Microsoft and Privacy

Microsoft reportedly released the results of a three-month phishing study conducted through an add-on to its Windows Live toolbar, the Phishing Detective. The software compared passwords used on various websites and reported URLs to Microsoft if the passwords for two sites matched. Admittedly, it is an interesting approach, and legitimate matches are easily weeded out, but it raises questions about how much Microsoft knows about you. Microsoft could theoretically profile all its toolbar users and keep track of which sites they have accounts at by which sites generate hits in the password-comparing program. Other companies like Google also collect the URLs…

Email Job Offers: Are They Real?

Ever since I got an email account at the University of Minnesota, I have received occasional offers from people claiming to be foreign princes or artists needing U.S. representatives or business contacts or the like. They request all kinds of information, such as name, address, nationality (strange, since they already seem to know I live in the USA), country (again, they already seem to know), marital status, occupation, and phone number. Since I have never, ever given out the address, I tend to wonder about these offers coming from anonymous Hotmail accounts registered under the United States’ .com domain. I…

WiFi Surfers Beware

Having just encountered this issue myself, I find it a good idea to reiterate this tip. When going to a business with free WiFi, such as Panera Bread, Dunn Brothers Coffee, Caribou, etc., make sure you know the name of the network to connect to, and that you only click on access point networks. I just logged on here at Panera Bread and was faced with two public networks: one named PANERA and one named Free Public WiFi. The former, which was an access point, is the real network, and the other, scammy-looking (to me) one was an ad-hoc network…

Gmail Security

I have found a petition on the Internet that advocates making Google change Gmail to use HTTPS by default. Gmail has a secure interface, but Google makes the unsecured interface the default. This exposes your private correspondence to anyone who wants to read it as it is transmitted from Google’s servers to your browser. Please sign this petition; it will make all users of Gmail safer from online threats including phishing and identity theft. The link is here: http://www.petitiononline.com/gmailssl/petition.html