by certifiedbug on June 17, 2008
in Browser
Firefox 3.0 is not yet listed on Mozilla's download page as of writing, and my browser's internal updater did not find a new version.
http://www.mozilla.com/en-US/firefox/all.html
I downloaded Firefox 3.0 from File Hippo:
http://www.filehippo.com/download_firefox/
Most of my add-ons worked after installation, a couple were updated shortly thereafter.
If you like duplicating tabs and your add-on for that is not yet compatible with the new version, Firefox 3.0 itself lets you Ctrl+drag a tab to copy it into place.
by certifiedbug on June 15, 2008
in Browser
http://www.opera.com/products/desktop/security/
In Opera 9.5, Fraud Protection is enabled by default, automatically detecting and warning you about fraudulent web sites. Fraud Protection is powered by phishing data from Netcraft and PhishTank, and by malware protection from Haute Secure.
Opera now supports EV certificates. Issued under stricter criteria, they provide added assurance that EV-enabled web sites are who they claim to be.
http://www.opera.com/download/
by certifiedbug on May 15, 2008
in Browser
Nitesh Dhanjani released his research on issues in Apple's Safari browser today.
Apparently Apple has decided not to fix two of the issues and gave Dhanjani permission to discuss them with the security community.
1. Safari Carpet Bomb. It is possible for a rogue website to litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed).
The implication of this is obvious: Malware downloaded to the user’s desktop without the user’s consent.
Apple does not feel this is an issue they want to tackle at this time. In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system. Apple agreed it was a good suggestion:
…the ability to have a preference to “Ask me before downloading anything” is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.
[credit to BK have-it-your-way Rios for suggesting the term "Carpet Bomb" to describe this issue].
2. Sandbox not Applied to Local Resources. This issue is more of a feature set request than a vulnerability. For example, Internet Explorer warns users when a local resource such as an HTML file attempts to invoke client side scripting. I feel this is an important security feature because of user expectations: even the most sophisticated users differentiate between the risk of clicking on an executable they have downloaded (risk perceived to be higher) and clicking on an HTML file they have downloaded (risk perceived to be lower).
Apple’s response was positive:
…we have been investigating the potential for a “safe” mode for local HTML. This is an area that requires a fairly deep investigation to address compatibility issues, and to determine the proper operation. Please understand that when we label this as a security hardening measure, we are not discounting the benefits that this could have.
http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html
by certifiedbug on May 9, 2008
in Browser
Mozilla Security Blog
The Vietnamese language pack for Firefox 2 contains inserted code to load remote content. This code is the result of a virus infection, but does not contain the virus itself. This usually results in the user seeing unwanted ads, but may be used for more malicious actions.
Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy. While we cannot determine the exact number of compromised downloads, there have been 16,667 total downloads of the Vietnamese language pack since November 2007, so we anticipate the impact on users to be limited.
Mozilla does virus scans at upload time but the virus scanner did not catch this issue until several months after the upload. We are also adding after-the-fact scans of everything to address this sort of case in the future.
A new language pack will be available shortly. Until then, Vietnamese language pack users should disable this package using the add-ons dialog on the Tools menu.
More information is available in bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=432406
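The Mozilla post says the infected language pack carried inserted code that loads remote content and that after-the-fact scans of uploaded add-ons are being added. The following is an added example, not Mozilla's scanner, of what such a re-scan can look like: it walks an XPI (a plain zip archive) and flags any script, iframe, object, embed, link or img reference whose src/href/data points at an external host outside an allowlist. The sample archive, the `ads.example.invalid` host and the allowlist are constructed for the demo and do not reflect the actual injected code.

```python
"""Added example: after-the-fact scan of an add-on archive (XPI) for
injected references that load remote content. Not Mozilla's own code;
the sample XPI, the host names and the allowlist below are constructed."""
import io
import re
import zipfile
from typing import List, Tuple

# Tags that pull content from a URL. A language pack ships strings, DTDs,
# .properties files and chrome pages; none of these should reference an
# external host, so any hit outside the allowlist is worth a human look.
REMOTE_REF = re.compile(
    r"<(script|iframe|frame|object|embed|link|img)\b[^>]*?"
    r"\b(?:src|href|data)\s*=\s*['\"]?(https?://[^'\"\s>]+)",
    re.IGNORECASE,
)
TEXT_SUFFIXES = (".html", ".htm", ".xhtml", ".xul", ".js",
                 ".dtd", ".properties", ".css", ".rdf")


def scan_xpi(data: bytes,
             allowed_hosts=("mozilla.org", "mozilla.com")) -> List[Tuple[str, str, str]]:
    """Return (member, tag, url) for every remote reference to a host that is
    neither an allowlisted host nor a subdomain of one."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for m in REMOTE_REF.finditer(text):
                tag, url = m.group(1).lower(), m.group(2)
                host = url.split("/", 3)[2].split(":")[0].lower()
                if not any(host == a or host.endswith("." + a) for a in allowed_hosts):
                    findings.append((info.filename, tag, url))
    return findings


def build_sample_xpi(infected: bool) -> bytes:
    """Construct a toy language-pack archive in memory (demo data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome/vi/locale/browser/browser.dtd", '<!ENTITY ok "OK">')
        page = "<html><body><p>Trang chủ</p>"
        if infected:
            # Hypothetical injected loader standing in for the "inserted code
            # to load remote content" described in the post.
            page += ('<iframe src="http://ads.example.invalid/x.php" '
                     'width="0" height="0"></iframe>')
        zf.writestr("chrome/vi/locale/browser/help.html", page + "</body></html>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_xpi(False)),
                        ("infected", build_sample_xpi(True))):
        hits = scan_xpi(blob)
        print(f"{label}: {len(hits)} finding(s)")
        for member, tag, url in hits:
            print(f"  {member}: <{tag}> loads {url}")
```

Run against a real archive with `scan_xpi(open("pack.xpi", "rb").read())`. The check is deliberately a cheap textual pass; it will not catch obfuscated JavaScript that builds the URL at runtime, so treat a clean result as a first filter rather than proof of a clean package, and pair it with the virus scan the post describes.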
IEBlog
Windows XP SP3 contains some new updates, and a number of bug fixes and security improvements. You can learn more about XPSP3 features by reading the white paper located here. We expect XPSP3 will be publicly available shortly and want you to have this information prior to its final release to the web.
The IEBlog post gives separate guidance for Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 Beta 1 users. Before upgrading to XP SP3, see the following.
IEBlog: IE and Windows XP Service Pack 3
Microsoft KB 950717: Steps to take before you install Windows XP Service Pack 3
by certifiedbug on April 3, 2008
in Browser
Opera has released version 9.27 for Windows, which addresses one highly critical and one moderate vulnerability in the web browser.
Secunia Advisory: SA29662
Release Date: 2008-04-03
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Opera Advisory 881: Newsfeed prompt can cause Opera to execute arbitrary code.
Opera Advisory 882: Resized canvas patterns can cause Opera to execute arbitrary code.
Download Opera 9.27
by certifiedbug on March 25, 2008
in Browser
Fixed in Firefox 2.0.0.13 (March 25, 2008):
MFSA 2008-19 XUL popup spoofing variant (cross-tab popups) (High)
MFSA 2008-18 Java socket connection to any local port via LiveConnect (High)
MFSA 2008-17 Privacy issue with SSL Client Authentication (Low)
MFSA 2008-16 HTTP Referrer spoofing with malformed URLs (Moderate)
MFSA 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13) (Critical)
MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution (Critical)
Download from Mozilla
Or, in the browser, use Help > Check For Updates.
by certifiedbug on March 25, 2008
in Browser
Apple: "Engineers designed Safari to be secure from day one."
Secunia Advisory: SA29483
Release Date: 2008-03-24
Safari Address Bar Spoofing and Memory Corruption Vulnerabilities
Critical: Highly critical
Impact: Spoofing, System access
Where: From remote
Solution Status: Unpatched
Description:
Juan Pablo Lopez Yacubian has discovered two vulnerabilities in Safari, which can be exploited by malicious people to conduct spoofing attacks or potentially compromise a user’s system.
1) An error when downloading e.g. a .ZIP file with an overly long filename can be exploited to cause a memory corruption.
Successful exploitation may allow execution of arbitrary code.
2) An error in the handling of windows can be exploited to display arbitrary content while showing the URL of a trusted web site in the address bar.
The vulnerabilities are confirmed in version 3.1 for Windows. Other versions may also be affected.
by certifiedbug on March 23, 2008
in Browser
Apple is taking advantage of its Software Update program, in my case for iTunes, to barge its way onto computers and push Safari 3.1 Web browser for Mac OS and Windows XP/Vista.
It’s bad enough I have to take QuickTime along with iTunes, but really this is too much. The nag comes up with every reboot.
Apple, did I ask? Thanks but no thanks, the updater is now gone.
Edit: If you do the same, be sure to check frequently for Apple security updates.