Internet Explorer 6 RIP

Friends don’t let friends use IE6

Many years late, Microsoft is celebrating the news that Internet Explorer 6 (IE6) use in the US has officially dropped below one per cent of internet visits. In March, Microsoft assembled a team to push for the destruction of IE6, and have succeeded in reducing the market footprint of the browser. Currently 7.7 per cent of worldwide internet site visits use IE6, according to Microsoft, but the figure is now 0.9 per cent in the US.

So Redmond threw a party to celebrate.

Useful Android Apps

As Android devices become the status quo and are on the rise, it’s time to consider how best to put your smartphones and tablet PCs to work. Here is a selection of Android apps that I find to be helpful. My favorites are Google Reader & Tasks, as they work in conjunction with Google’s Chrome browser.

With hundreds of thousands of apps, Android Market has the right ones for you. When you download apps, they’re delivered directly to your device—instantly. You can also find your next first-rate read, a hot new album, or a flick from a catalog that includes everything from movie blockbusters and best selling e-books to more than 8 million songs.

Head over to https://market.android.com/ and check them out.

Free Java Exploit

An exploit for a recently disclosed Java vulnerability that was previously only available for purchase in the criminal underground has now been rolled into the open source Metasploit exploit framework. Metasploit researchers say the Java attack tool has been tested to successfully deliver payloads on a variety of platforms, including the latest Windows and Mac systems.

The Java exploit is being sold on cybercrime forums and incorporated into automated crimeware kits like BlackHole. Since then, security researchers @_sinn3r and Juan Vasquez have developed a module for Metasploit that makes the attack tool available to penetration testers and malicious hackers alike. According to a post on the Metasploit blog, the Java vulnerability “is particularly pernicious, as it is cross-platform, unpatched on some systems, and is an easy-to-exploit client-side that does little to make the user aware they’re being exploited.”

Metasploit also posted the results of testing the exploit against a variety of browsers and platforms, and found that it worked almost seamlessly to compromise systems across the board, from the latest 64-bit Windows 7 machines to Mac OS X systems.

BING!…you’re infected

Search engines from Microsoft and Yahoo! have once again been caught displaying ads that direct users to malicious content, some of which infects them with malware that’s hard to detect and get rid of, researchers said. I see that they put as much thought into who is allowed to advertise as they do in making a stable operating system.

Queries such as “FireFox Download,” “Download Skype,” and “Download Adobe Player” typed into the sites returned links promising to deliver the software requested but instead attempted to hijack people’s computers, GFI Labs researcher Christopher Boyd said in a blog post published Friday. Clicking on the links takes users to pages that look like the software maker’s official site, except for the URL.

Users who downloaded and installed the software are in for a nasty surprise.

“As an example, the fake Firefox file installs a rootkit, runs IE silently in the background attempting clickfraud and also performs Google redirects,” Boyd wrote. Microsoft and Yahoo were in the process of removing the malicious ads, he said.

It’s not the first time widely used search engines have been caught displaying ads intended to harm their millions of users. Ad services used by Google and Yahoo have repeatedly been duped into serving content that punts malware and other threats.

Criminals often go to elaborate lengths to pose as legitimate marketers in an attempt to get links to their toxic wares in front of as many eyeballs as possible.

“Microsoft’s Security Team has identified the source of this malware attack and is blocking those sites from loading additional malware,” the company said in a statement. “We are continuously monitoring our sites to protect customers; and also working with law enforcement authorities to find and prosecute the people responsible for these types of attacks.”

A Bing Forum thread has Wil from Bing telling a webmaster that it can take between 3 and 6 weeks to have a malware label removed from the search results.

This is in comparison to Google which normally can remove a malware label within 24 hours.

I am not sure if this is a special case or if most Malware reviews take 3-6 weeks at Bing. Wil from Bing said:

Your issue is already being reviewed. Malware re-evaluation requests take 3-6 weeks to finalize our review and create a new reputation ranking of the page/site. A representative will get in touch with you for updates.

When you are presented with Malware via Bing, Bing disables the link but does allow the searcher to ultimately visit the page at their own risk. I’d assume 99.999% of those searchers run.

Bing has a detailed post on Malware on their blog with more information.

Malware and hacked sites are a huge issue in search. Google has been very good at handling it for the most part recently and is excellent at removing the malware or hacked label quickly after the site is fixed. Bing takes 3-6 weeks? Well, that seems excessive. Maybe I am reading it wrong?

This is why I tell people to NOT use Internet Explorer. If you must continue using Windows unfortunately, then please by all means use ESET NOD32 in conjunction with HitManPro.

Web Browser Defense

For most of us, the Web browser is the first application we use when we turn on a computer. It’s how we check email, read the news, chat with friends and do just about everything.

What many users don’t realize, however, is that the Web browser is the most important security defense our computers have — and yet 60 percent of the browsers accessing the Internet today are outdated. An outdated browser ends up impacting everyone’s security, privacy and performance.

I wrote about Microsoft warning us *rolls-eyes* last week, in that we were not using a “secure” browser like Internet Explorer. GASP!..the horror of us ignorant consumers!

To help users understand the importance of the browser you use, the Online Trust Alliance (OTA), a Web-industry trade group based in Bellevue, Wash., that promotes security and trust in online marketing and commerce, recently unveiled the “Why Your Browser Matters” initiative.

“The ‘Why Your Browser Matters’ initiative provides users overall recommendations to upgrade their out-of-date and legacy browsers for a more safe, more private and more compelling online experience,” said Craig Spiezle, executive director of OTA. “The Initiative is all about communicating with computer users to make them realize that an updated Web browser is one of the most important security steps you can take. It’s as important as running anti-virus/anti-malware software.”

Spiezle is quick to point out that while there is no magic bullet when it comes to computer security, the browser is on the front line of defense because it is used so frequently.

“Modern browsers detect malicious websites and phishing URLs, analyze downloads and support a broad suite of privacy features,” Spiezle said. “It’s critical to have these at your disposal when it comes to protecting yourself online, as well as protecting your machine in general.”

How new browsers protect you

Modern browsers try to provide security for users in three different ways, explained Roger Thompson, chief emerging threats researcher for ICSA Labs in Mechanicsburg, Pa.

For example, said Thompson, all modern browsers have “blacklists” of known malware sites and try to prevent users from visiting them. This method works well if the malicious sites are well-known, but online criminals try to move websites around by changing domain names and IP addresses faster than security researchers can update the blacklists — so sometimes this doesn’t work.

Some browsers, such as Google Chrome, also run applets and executable code in a “sandbox,” meaning that the code and applets can’t affect other parts of the browser or the operating system. Again, this doesn’t always work.

And all modern browsers have a somewhat regular patch cycle, in which developers fix vulnerabilities to prevent direct attacks.

A good illustration of how a browser can act as the first line of defense is with regard to shortened URLs, or Web addresses.

URL-shortening services such as bit.ly, tinyurl.com or is.gd are handy to use when including links in instant messages, text messages or Twitter posts. Unfortunately, URL shorteners also mask the actual URLs they lead to, and give no warning that links might be drive-by downloads or exploits waiting for unsuspecting victims.

Fortunately, some enterprising software developers have created a way to find out where you’re going.

“There are plug-ins available for Chrome and Firefox that will automatically expand short URLs to their actual address when viewing pages containing such links,” said Harry Sverdlove, chief technology officer of Bit9, a Web security company in Waltham, Mass. “These are useful when using Facebook or Twitter from a browser, common places where malicious links are hiding in short URLs.”

How to protect yourself

As Thompson pointed out, browser vendors are good about providing updates and patches that improve security by fixing vulnerabilities that bad guys exploit. But after that, it’s up to the user himself to take action by actually downloading the updates, or upgrading the browser to the latest version.

You can check the version number of your browser by going to the Help button on your browser’s menu and checking the “About” section. (On a Mac, click the name of the application next to the apple icon in the upper left of the screen.) Often, the “About” pop-up window will prompt you to check whether there might be updates available.

For those who use Internet Explorer, Spiezle has this important piece of advice: “If it says Internet Explorer 6 … run, do not walk to the nearest free download of Internet Explorer 9.”

(If you’re still running Windows XP, update to Internet Explorer 8, the latest version you can install.) That is the highest version you can run on Windows XP, unless someone figures out a hack for it, which they will. I’d rather you run Google Chrome.

Internet Explorer 6 has been the target of a number of malicious attacks over the past decade; newer versions of Internet Explorer are much more secure.

Does it matter which browser you use? Spiezle and Thompson disagree on that question.

While Thompson said that today’s browser upgrades have leveled the playing field when it comes to security, Spiezle pointed out that there still are differences among them, and each user has to assess which is best for his own uses.

“You need to look at not only the security features, but also privacy features, as well as support for the latest technologies,” Spiezle said.

Here is the link for a good start: https://otalliance.org/browser/. At first I was thinking that this was another Internet Explorer centered website, but at least they mention the alternatives.

Google Chrome at 3

It’s hard to believe it’s been only three years since the Google Chrome browser debuted. According to the latest market share statistics from usage-tracking firm Net Applications, Chrome now has 15.51 percent of the desktop browser market–a meteoric rise for an app that entered a crowded market dominated by neighborhood bully Microsoft Internet Explorer.

Chrome is third among desktop browsers, behind number one IE (over 55 percent of the market), and Mozilla Firefox (nearly 23 percent).

What’s the secret to Chrome’s success? “Speed, simplicity and security,” write Google software engineers Ben Goodger and Darin Fisher in a Thursday post on the Google Data blog. Competing browsers, of course, are making strides in the Three S’s as well. But Chrome’s virtues are proving powerful enough to lure users away from IE and Firefox.

As Goodger and Fisher point out, Chrome has made great strides over the past 12 months, adding faster JavaScript performance, speedier page-loading times, a much-needed print preview feature, and various other upgrades. http://evolutionofweb.appspot.com/

 

Evolution of the Web

Is the Web better with Chrome? Satisfied users of other browsers would certainly disagree, but I think so. I switched to Chrome from IE last year and haven’t looked back.

I only hope that Google’s breakneck update schedule doesn’t pile on too many new features that turn Chrome sluggish. The browser’s peppy performance is its most appealing trait.

I totally dumped Firefox for a few reasons: 1. Foxmarks Sync was ungainly slow. 2. Speedial was broken. 3. Sage RSS was broken and not being developed.

If you’re not using Google Chrome now, please try it for a week and see how you like it.

Microsoft warns Firefox & Chrome users

Laughable at best, Microsoft has unveiled a website aimed at raising awareness of browser security by comparing the ability of Internet Explorer, Mozilla Firefox, and Google Chrome to withstand attacks from malware, phishing, and other types of threats.

The website doesn’t do any security checks at all; it just reads the ‘User Agent’ data from your browser, so Firefox 7.0.1 masquerading as Internet Explorer 9 gets 4 out of 4. Microsoft is leading people into a false sense of security. The site does no “testing”; it just matches your browser to whatever it has in its lookup table.

Care to take a guess what they say about IE 9? This is pure Microsoft marketing at its best. EPIC FAIL, false security is no security at all. Really, you would have to be an idiot to fall for this…Can you say, FALSE ADVERTISING?

Your Browser Matters gives the latest versions of Firefox and Chrome a paltry 2 and 2.5 points respectively out of a possible score of 4. Visit the site using the IE 9, however, and the browser gets a perfect score. IE 7 gets only 1 point, and IE 6 receives no points at all.
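The lookup behaviour described above, sketched as an added example (not the site's code and not from the original post). The scores are the ones quoted in this post; the User-Agent strings, the matching rules and all function names are constructed for illustration.

```javascript
// Added illustration, not the site's code. SCORES are the figures quoted in
// this post; the UA strings and matching rules are constructed samples.
const SCORES = { 'IE 9': 4, 'Chrome': 2.5, 'Firefox': 2, 'IE 7': 1, 'IE 6': 0 };

const UA = {
  ie9: 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',
  ie6: 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
  firefox7: 'Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1',
  chrome14: 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) ' +
            'Chrome/14.0.835.202 Safari/535.1',
};

// Map a User-Agent header to a lookup key. Every UA starts with "Mozilla/"
// and Chrome's also contains "Safari", so only the specific tokens are matched.
function classify(ua) {
  const ie = /\bMSIE (\d+)\./.exec(ua);
  if (ie) return `IE ${ie[1]}`;
  if (/\bChrome\/\d+/.test(ua)) return 'Chrome';
  if (/\bFirefox\/\d+/.test(ua)) return 'Firefox';
  return 'unknown';
}

// The whole "test": one header in, one table entry out. Nothing about the
// client's sandbox, update state or download protection is ever observed.
function scoreFromUserAgent(ua) {
  const browser = classify(ua);
  const score = Object.prototype.hasOwnProperty.call(SCORES, browser)
    ? SCORES[browser]
    : null; // not in the table
  return { browser, score };
}

// Constructed visitors: the browser actually running, and the header it sends.
const visitors = [
  { actual: 'Firefox 7.0.1', sends: UA.firefox7 },
  { actual: 'Firefox 7.0.1', sends: UA.ie9 }, // same browser, header overridden
  { actual: 'Chrome 14', sends: UA.chrome14 },
  { actual: 'IE 6', sends: UA.ie6 },
];

// Rate each visitor and flag where the rating describes a different browser
// from the one that is really running.
function rate(list) {
  return list.map((v) => {
    const { browser, score } = scoreFromUserAgent(v.sends);
    return {
      actual: v.actual,
      ratedAs: browser,
      score,
      mismatch: !v.actual.startsWith(browser),
    };
  });
}

console.table(rate(visitors));
```

The two Firefox 7.0.1 rows differ only in the header they send, yet one is rated 2 and the other 4: the score describes the string, not the browser.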

The page is designed to educate users about the importance of choosing an up-to-date browser that offers industry-standard features. The ability to automatically warn users when they’re about to download a malicious file, to contain web content in a security sandbox that has no access to sensitive parts of the computer’s operating system, and to automatically install updates are just three of the criteria.

The site dings Firefox for a variety of omissions, including its inability to restrict an extension or a plug-in on a per-site basis, its failure to use Windows Protected Mode or a similar mechanism to prevent the browser from modifying parts of the system it doesn’t have access to, and its lack of a built-in feature to filter out malicious XSS, or cross-site scripting, code. Among other things, Chrome lost points for not using Windows features that protect against structured exception-handling overwrite attacks.

Readers still stuck in the rut of critiquing Microsoft security based on products released a decade ago are likely to be unimpressed. The reality is that over the past few years, Redmond has endowed Windows and IE with measures such as ASLR, or address space layout randomization, and DEP, or data execution prevention, that significantly reduce the damage attackers can do when they exploit buffer overflows and other bugs that are inevitable in any large base of code. Apple didn’t pull ahead of Microsoft on this score until earlier this year with the release of its Mac OS X Lion.

It didn’t take long for Mozilla developers to take issue with the critique.

“Microsoft’s site is more notable for the things it fails to include: security technologies like HSTS, privacy tools like Do Not Track, and vendor response time when vulnerabilities are discovered,” Johnathan Nightingale, Mozilla’s director of Firefox engineering, said in a statement. He said: “Mozilla is fiercely proud of our long track record of leadership on security.”

Google Squashes Bugs

Google recently patched 32 vulnerabilities in Chrome, paying more than $14,000 in bug bounties as it also upgraded the stable edition of the browser to version 14.

The company called out a pair of developer-oriented additions to Chrome 14 and noted new support for Mac OS X 10.7, aka Lion, including full-screen mode and vanishing scrollbars.

Google last upgraded Chrome’s stable build in early August. Google produces an update about every six weeks, a practice that rival Mozilla also adopted with the debut of Firefox 5 last June.

Fifteen of the 32 vulnerabilities were rated “high,” the second-most-serious ranking in Google’s four-step scoring system, while 10 were pegged “medium” and the remaining seven were marked “low.”

None of the flaws were ranked “critical,” the category usually reserved for bugs that may allow an attacker to escape Chrome’s anti-exploit sandbox. Google has patched several critical bugs this year, the last time in April.

Six of the vulnerabilities rated high were identified as “use-after-free” bugs, a type of memory management flaw that can be exploited to inject attack code, while seven of the bugs ranked medium were “out-of-bounds” flaws, including a pair linked to foreign language character sets used in Cambodia and Tibet.

Google paid $14,337 in bounties to nine researchers, including $3,500 to “miaubiz” and $2,337 to Sergey Glazunov, another regular bug finder.

The company’s security team also credited others, including researchers who work for Microsoft and Apple, for “working with us in the development cycle and preventing bugs from ever reaching the stable channel.” Some of those researchers were also awarded bounties, but Google did not spell out the amounts of those awards.

As per its practice, Google barred access to the Chrome bug-tracking database for the 32 vulnerabilities to prevent outsiders from obtaining details on the flaws. The company only opens the database after users have had time to update the browser.

Google also added a pair of developer-only features to Chrome 14, including support for the Web Audio API (application programming interface) and for “native client,” an open-source technology that runs software written in C and C++ within Chrome’s security sandbox.

The Mac version of Chrome 14 also supports Lion’s new approach to scrollbars, which appear only when a user is actively scrolling through the browser window. Chrome 14 also now runs in Lion’s full-screen mode, triggered via the icon in the upper right of the browser or by pressing Ctrl-Command-F.

Chrome 14 can be downloaded for Windows, Mac OS X and Linux from Google’s Web site. Users already running the browser will be updated automatically.

Software updates: Adobe

Adobe is a vendor that often plays catch-up with security exploits, issuing emergency patches to fix zero-day vulnerabilities. But Adobe, like Microsoft, also has a regular Patch Tuesday update cycle. This regularly scheduled update is a way to give users and enterprises a predictable and stable timetable for Adobe updates.

For August’s Patch Tuesday, Adobe has issued update advisories to fix a slew of critical security flaws in its products, including Flash, Shockwave Player and Adobe AIR.

The Flash update corrects at least 13 critical vulnerabilities present in versions 10.3.181.36 and earlier for Windows, Mac, Linux and Solaris machines (the bugs exist in Flash versions 10.3.185.25 and earlier for Android devices). Windows, Mac, Linux and Solaris users should upgrade to version 10.3.183.5, and Android users should update to v. 10.3.186.2. According to Adobe, they are not aware of any exploits “in the wild” for the issues addressed in the update. Digging into the vulnerabilities, the vast majority are memory-related: five buffer overflows, four memory corruption and three integer overflow issues. There is also a single cross-site information disclosure issue that is fixed that could have potentially led to arbitrary code execution.

To find out which version of Flash you have, visit this page. Windows users who browse the Web with anything other than Internet Explorer will need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). To avoid using Adobe’s annoying Download Manager, IE users can grab the latest update directly from this link; the direct link for non-IE browsers is here.

Windows users can furthermore use the Flash Player Settings Manager that is part of the Windows Control Panel to check for updates. Here it is furthermore possible to check the Flash Player version that is installed on the system. The path is Control Panel > Flash Player (32-bit) > Advanced. Users with a 64-bit version of Flash Player installed need to change the 32-bit to 64-bit in the path.

The same flaws exist in Adobe AIR for Windows, Mac and Android. Using an application that requires Adobe AIR (Tweetdeck or Pandora, for example) should prompt you to update to the latest version, AIR 2.7.1. If you don’t see a prompt to update the program, the latest version of AIR is available here.

Adobe also shipped an update to its Shockwave Player that fixes at least seven critical vulnerabilities in the media player program. Adobe is urging users of Adobe Shockwave Player 11.6.0.626 and earlier to update to Adobe Shockwave Player 11.6.1.629.

I should note that you may not have or want Shockwave installed. I haven’t had it on my Firefox installation for some time now and don’t seem to have missed it. I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, it demands two separate installation procedures for IE and non-IE browsers.

To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.

 

Comcast – Xfinity malware

Comcast says that it is re-engineering its software for new customers, for installation and to start new service with the ISP. The software is unfriendly to computer users in general as it changes the browser’s homepage to comcast.net, and blocks users from changing it to anything else. I have encountered “mandatory” software from ISPs before and have always skipped it to no ill effect. I have always hated these “internet installation disks.” Every time I have signed up for internet service, I throw the CD right into the trash. The CDs are worthless and anything but “necessary.” If you’re lucky, they simply connect to a web interface and register your router’s MAC address with the system. But nearly every one of these disks also throws in a bunch of crap that is annoying, unnecessary, and very frustrating. In my experience, the following things have been done by various “installation disks” handed out by ISPs:

  • Changing your browser’s homepage
  • Changing the suffix on Internet Explorer (i.e. every IE window title is “Internet Explorer — brought to you by Comcast”)
  • Installing bloatware (such as “diagnostic tools” or various anti-virus and anti-spyware — not a problem unless you like to choose these products yourself and/or already have some installed and/or just don’t want them)

Those are just the things I remember seeing and it’s impossible to know what else they might be doing. They never ask permission for anything and always imply that using the disk is required to get your service working. I have never found an ISP that I couldn’t get my computer working on without their installation disk. In one case, I had to check the default gateway assigned to my router by DHCP and try connecting to it with a web browser in order to register my router. But that was many years ago. I haven’t had anything so complicated since. These days, you just need to plug in and you’re generally good to go (assuming you make use of an ISP provided modem, as I do — your mileage may vary with your own modem, but it shouldn’t require the installation disk). In general, I consider these disks to be malware, as I do any application that makes changes to your computer under false pretense or without your express permission. I’ve helped a lot of Comcast customers — including myself — set up their new service or replace their cable modem. Activating a new modem with Comcast is still necessary to get out of the “walled garden,” from which any DNS query returns the address of the Comcast modem activation page. However, you have at least two available ways to get out of this:

  • Choose the “installer” option, and provide your address and other account information. Comcast will activate the modem without a software installation, although you won’t generate a Comcast Email address (as if you care).
  • Call Comcast. Tell them that you only have a work PC, and you cannot install software on it because you are not local Administrator. They will activate your modem and create an Email address for you.

My reaction would be “It’s a $25 fee to install software on my PC and $15 per month to rent the space. I take cash or credit cards, otherwise I’ll need your social security number to verify your credit.”

I heard from someone who’d just signed up for Comcast’s Xfinity high-speed Internet service and soon discovered some behavior on his Mac that is akin to Windows malware — something had hijacked his Internet settings. The technician who arrived to turn on the service said that a software package from Comcast was necessary to complete the installation. My friend later discovered that his homepage had been changed to comcast.net, and that Comcast software had modified his Firefox profile so that there was no way to change the homepage setting. Here is the result.

Comcast initially blamed the problem on a bug in Firefox. Mozilla denies this, and says it’s Comcast’s doing.

“This is NOT a Firefox bug or issue,” a Mozilla spokesperson wrote in an email. “It is a Comcast method that applies preference changes to Firefox.”

Comcast spokesman Charlie Douglas acknowledged that the Xfinity software hijacks Firefox’s settings. He said the problem is limited to Mac users, and that permanency of the change was unintentional. He added that the company is in the process of correcting the installation software.

“Customers absolutely should be able to change their preferred homepage anytime,” Douglas said. “We’re obviously apologizing for any inconvenience we’ve caused users.”

I just tell them I’m not going to put their software on my computer, and insist they do it manually. You just have to remind them who the boss is, in this little endeavor. Firefox appears to be the only browser severely affected. Interesting. Even more interesting is how quickly they deleted my comment from the Facebook fanpage. This is the homepage Comcast insists I enjoy. Luckily Ryan Parman of ryanparman.com figured out what Comcast was doing and how to reclaim your homepage in Firefox. Here is the fix which worked for me. Please note the following about different browsers and what I’ve witnessed with Comcast’s little sneak attack.

  • Opera – did not show any signs that Xfinity/Comcast installed any malware on my computer nor did their installer change the home page.
  • Safari – easily fixed by setting the home page back to the URL of your choice.
  • Chrome – easily fixed as well by going into your preferences and simply changing the home page URL.

Word to the wise – Do not install any Comcast offered software, most specifically Constant Guard, Nortons or Symantec as you do not need it.
