Internet Censorship Ahoy!

You may have heard people talking/blogging/twittering about SOPA — the Stop Online Piracy Act. The recent SOPA-related boycott of GoDaddy was all over the news, with many people expressing their outrage over the possibilities of SOPA, but when I ask people about SOPA and its sister bill in the Senate, PIPA (Protect IP Act), many don’t really know what the bills propose, or what we stand to lose.

It is no secret that the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA) and other pro-copyright groups lobby politicians and law enforcers for this and continue pushing very hard. It seems to me that the industry’s distribution model is not working anymore, or perhaps the movies they are making are just crap? I have not been to the theater in six years; I find the cost too exorbitant, in my opinion.

Windows Patch Tuesday – November 2011

It is that time again! Adobe, Apple, Microsoft and Mozilla all released updates on Tuesday to fix critical security flaws in their products. Adobe issued a patch that corrects four vulnerabilities in Shockwave Player, while Redmond pushed updates to address four Windows flaws. Apple slipped out an update that mends at least 17 security holes in its version of Java, and Mozilla issued yet another major Firefox release, Firefox 8. There have been 17 security holes in Java just since the last release. If that doesn’t convince a person to uninstall Java, I’m not sure what will.

The only “critical” patch from Microsoft this month is a dangerous Windows flaw that could be triggered remotely to install malicious software just by sending the target system specially crafted packets of data. Microsoft says this vulnerability may be difficult to reliably exploit, but it should be patched immediately. Information on the other three flaws fixed this week is here. The fixes are available via Windows Updates for most supported versions of the operating system, including XP, Vista and Windows 7.

Adobe’s Shockwave update also fixes critical flaws, but users should check to see if they have this program installed before trying to update it. To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.

The vulnerabilities fixed by this update exist in versions of Shockwave 11.6.1.629 and earlier. The latest version, v. 11.6.3.633, is available here. I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, like Adobe’s Flash Player, Shockwave demands two separate installation procedures for IE and non-IE browsers.

Hat tip to the SANS Internet Storm Center for the heads up on the Java fix from Apple. This update, available via Software Update or Apple Downloads, essentially brings Snow Leopard and Lion up to date with the Oracle patches released last month in Java 6 Update 29 (Apple maintains its own version of Java).

If you use Mozilla Firefox or Thunderbird, you may have noticed that Mozilla is pushing out another major upgrade that includes critical fixes to these programs; both have now been updated to version 8. If you’re still running Firefox version 3.6.x, Mozilla has updated that to 3.6.24. Perhaps I’m becoming a curmudgeon, but I’m growing weary of the incessant update prompts from Firefox. It seems that almost every time I start it up it’s asking to restart the browser or to remove plugins that no longer work with the latest version. I’ve been gradually transitioning more of my work over to Google Chrome, which seems faster and updates the browser and any installed plugins silently (and frequently patches oft-targeted plugins like Flash Player even before Adobe officially releases the update).

I switched to Google Chrome when it first came out. I love it. It’s faster and makes updating easy and effortless. I still have Firefox, but Chrome is my default browser now on all my computers.

 

Software updates: Adobe

Adobe is a vendor that often plays catch-up with security exploits, issuing emergency patches to fix zero-day vulnerabilities. But Adobe, like Microsoft, also has a regular Patch Tuesday update cycle. This regularly scheduled update is a way to give users and enterprises a predictable and stable timetable for Adobe updates.

For August’s Patch Tuesday, Adobe has issued update advisories to fix a slew of critical security flaws in its products, including Flash, Shockwave Player and Adobe AIR.

The Flash update corrects at least 13 critical vulnerabilities present in versions 10.3.181.36 and earlier for Windows, Mac, Linux and Solaris machines (the bugs exist in Flash versions 10.3.185.25 and earlier for Android devices). Windows, Mac, Linux and Solaris users should upgrade to version 10.3.183.5, and Android users should update to v. 10.3.186.2. According to Adobe, they are not aware of any exploits “in the wild” for the issues addressed in the update. Digging into the vulnerabilities, the vast majority are memory-related: five buffer overflows, four memory corruption and three integer overflow issues. There is also a single cross-site information disclosure issue that is fixed that could have potentially led to arbitrary code execution.

To find out which version of Flash you have, visit this page. Windows users who browse the Web with anything other than Internet Explorer will need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). To avoid using Adobe’s annoying Download Manager, IE users can grab the latest update directly from this link; the direct link for non-IE browsers is here.

Windows users can also use the Flash Player Settings Manager that is part of the Windows Control Panel to check for updates. It also shows which Flash Player version is installed on the system. The path is Control Panel > Flash Player (32-bit) > Advanced. Users with a 64-bit version of Flash Player installed need to change the 32-bit to 64-bit in the path.

The same flaws exist in Adobe AIR for Windows, Mac and Android. Using an application that requires Adobe AIR (Tweetdeck or Pandora, for example) should prompt you to update to the latest version, AIR 2.7.1. If you don’t see a prompt to update the program, the latest version of AIR is available here.

Adobe also shipped an update to its Shockwave Player that fixes at least seven critical vulnerabilities in the media player program. Adobe is urging users of Adobe Shockwave Player 11.6.0.626 and earlier to update to Adobe Shockwave Player 11.6.1.629.

I should note that you may not have or want Shockwave installed. I haven’t had it on my Firefox installation for some time now and don’t seem to have missed it. I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, it demands two separate installation procedures for IE and non-IE browsers.

To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.

 

Comcast – Xfinity malware

Comcast says that it is re-engineering the software that new customers use for installation and to start new service with the ISP. The software is unfriendly to computer users in general as it changes the browser’s homepage to comcast.net, and blocks users from changing it to anything else. I have encountered “mandatory” software from ISPs before and have always skipped it to no ill effect. I have always hated these “internet installation disks.” Every time I have signed up for internet service, I throw the CD right into the trash. The CDs are worthless and anything but “necessary.” If you’re lucky, they simply connect to a web interface and register your router’s MAC address with the system. But nearly every one of these disks also throws in a bunch of crap that is annoying, unnecessary, and very frustrating. In my experience, the following things have been done by various “installation disks” handed out by ISPs:

  • Changing your browser’s homepage
  • Changing the suffix on Internet Explorer (i.e. every IE window title is “Internet Explorer — brought to you by Comcast”)
  • Installing bloatware (such as “diagnostic tools” or various anti-virus and anti-spyware — not a problem unless you like to choose these products yourself and/or already have some installed and/or just don’t want them)

Those are just the things I remember seeing and it’s impossible to know what else they might be doing. They never ask permission for anything and always imply that using the disk is required to get your service working. I have never found an ISP that I couldn’t get my computer working on without their installation disk. In one case, I had to check the default gateway assigned to my router by DHCP and try connecting to it with a web browser in order to register my router. But that was many years ago. I haven’t had anything so complicated since. These days, you just need to plug in and you’re generally good to go (assuming you make use of an ISP provided modem, as I do — your mileage may vary with your own modem, but it shouldn’t require the installation disk).

In general, I consider these disks to be malware, as I do any application that makes changes to your computer under false pretense or without your express permission. I’ve helped a lot of Comcast customers — including myself — set up their new service or replace their cable modem. Activating a new modem with Comcast is still necessary to get out of the “walled garden,” from which any DNS query returns the address of the Comcast modem activation page. However, you have at least two available ways to get out of this:

  • Choose the “installer” option, and provide your address and other account information. Comcast will activate the modem without a software installation, although you won’t generate a Comcast Email address (as if you care).
  • Call Comcast. Tell them that you only have a work PC, and you cannot install software on it because you are not local Administrator. They will activate your modem and create an Email address for you.

My reaction would be “It’s a $25 fee to install software on my PC and $15 per month to rent the space. I take cash or credit cards, otherwise I’ll need your social security number to verify your credit.”

I heard from someone who’d just signed up for Comcast’s Xfinity high-speed Internet service and soon discovered some behavior on his Mac that is akin to Windows malware — something had hijacked his Internet settings. The technician who arrived to turn on the service said that a software package from Comcast was necessary to complete the installation. My friend later discovered that his homepage had been changed to comcast.net, and that Comcast software had modified his Firefox profile so that there was no way to change the homepage setting. Here is the result.

Comcast initially blamed the problem on a bug in Firefox. Mozilla denies this, and says it’s Comcast’s doing.

“This is NOT a Firefox bug or issue,” a Mozilla spokesperson wrote in an email. “It is a Comcast method that applies preference changes to Firefox.”

Comcast spokesman Charlie Douglas acknowledged that the Xfinity software hijacks Firefox’s settings. He said the problem is limited to Mac users, and that permanency of the change was unintentional. He added that the company is in the process of correcting the installation software.

“Customers absolutely should be able to change their preferred homepage anytime,” Douglas said. “We’re obviously apologizing for any inconvenience we’ve caused users.”

I just tell them I’m not going to put their software on my computer, and insist they do it manually. You just have to remind them who the boss is, in this little endeavor. Firefox appears to be the only browser severely affected. Interesting. Even more interesting is how quickly they deleted my comment from the Facebook fanpage. This is the homepage Comcast insists I enjoy. Luckily Ryan Parman of ryanparman.com figured out what Comcast was doing and how to reclaim your homepage in Firefox. Here is the fix which worked for me. Please note the following about different browsers and what I’ve witnessed with Comcast’s little sneak attack:

  • Opera – did not show any signs that Xfinity/Comcast installed any malware on my computer, nor did their installer change the home page.
  • Safari – easily fixed by setting the home page back to the URL of your choice.
  • Chrome – easily fixed as well by going into your preferences and simply changing the home page URL.

Word to the wise – Do not install any Comcast offered software, most specifically Constant Guard, Nortons or Symantec as you do not need it.
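An added example, not part of the original post and not Ryan Parman’s fix: the post does not say which file the Comcast installer altered, so this audit script assumes the two standard Firefox mechanisms that stop a homepage change from sticking, a `user.js` in the profile (re-applied at every start) and a `lockPref` in an autoconfig file. The directory layout, file names and URLs in the sample tree are constructed for the demonstration.

```python
"""Audit Firefox preference files for homepage overrides that will not 'stick'."""
import re
import tempfile
from pathlib import Path
from typing import List, NamedTuple, Optional

# One preference call per line: user_pref("name", value); / lockPref(...); etc.
PREF_CALL = re.compile(
    r'^\s*(user_pref|pref|defaultPref|lockPref)\s*\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;?\s*$'
)
HOMEPAGE_PREFS = {"browser.startup.homepage", "browser.startup.page"}
AUTOCONFIG_PREF = "general.config.filename"  # names an autoconfig (.cfg) file


class Finding(NamedTuple):
    file: str
    call: str
    pref: str
    value: str
    verdict: str


def classify(filename: str, call: str, pref: str) -> Optional[str]:
    """Return a verdict for a preference line, or None if it is not of interest."""
    if pref == AUTOCONFIG_PREF:
        return "autoconfig-pointer"      # go and read the .cfg file it names
    if pref not in HOMEPAGE_PREFS:
        return None
    if call == "lockPref":
        return "locked"                  # greyed out in the UI, cannot be changed
    if filename == "user.js":
        return "reapplied-every-start"   # overrides prefs.js each time Firefox starts
    if filename == "prefs.js" and call == "user_pref":
        return "user-set"                # ordinary setting made through the UI
    return "default-override"            # a changed default shipped beside the app


def audit_file(path: Path) -> List[Finding]:
    findings = []
    for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
        match = PREF_CALL.match(line)    # comment lines never match the pattern
        if not match:
            continue
        call, pref, raw = match.groups()
        verdict = classify(path.name, call, pref)
        if verdict:
            findings.append(Finding(path.name, call, pref, raw.strip('"'), verdict))
    return findings


def audit_tree(root) -> List[Finding]:
    """Scan every .js and .cfg file below root (a profile or install directory)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in {".js", ".cfg"}:
            findings.extend(audit_file(path))
    return findings


def build_sample_tree(root) -> None:
    """Write a constructed profile and install directory for the demo."""
    files = {
        "profile/prefs.js": (
            'user_pref("browser.download.dir", "/tmp");\n'
            'user_pref("browser.startup.homepage", "https://example.org/");\n'
        ),
        "profile/user.js": (
            '// constructed: forces the homepage back on every start\n'
            'user_pref("browser.startup.homepage", "http://isp.example/");\n'
        ),
        "app/defaults/pref/local-settings.js": (
            'pref("general.config.filename", "isp.cfg");\n'
        ),
        "app/isp.cfg": (
            '// constructed autoconfig file\n'
            'lockPref("browser.startup.homepage", "http://isp.example/");\n'
        ),
    }
    for rel, text in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for f in audit_tree(tmp):
            print(f"{f.verdict:22} {f.file:18} {f.call}({f.pref!r}, {f.value!r})")
```

Anything reported as `locked` or `reapplied-every-start` explains a homepage that reverts after being changed in the preferences dialog; removing the offending line (with Firefox closed) restores control.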

Java 6 Update 26 available

Oracle today released an update to its ubiquitous Java software that fixes at least 17 security vulnerabilities in the program.

The company is advising users to apply this update as soon as possible; it looks like most — if not all — of the vulnerabilities addressed by this new version may be exploited remotely without authentication.

The latest version is Java 6 Update 26 (v. 1.6.0.26), and is available either through the updater built in to Java (accessible from the Windows control panel) or by visiting java.com. If you’re not sure which version you have or whether you’ve got the program installed at all, click the “Do I have Java” link below the red download button on the Java homepage.

Java’s broad install base has made it a major target for computer crooks. It certainly does not help that so many users fail to keep this very powerful program updated. If you have no use for Java, my advice is to get rid of it.

 

If you can’t bring yourself to do that, consider disabling the Java plug-in(s) in your browser of choice unless and until you need the program.

Java 6 update 26 for Windows, Linux and Solaris is designed to plug these multiple holes and is available for download from Oracle here. The last major update on this scale was three months ago.

Java packages on Windows can alternatively be patched using a built-in update function.

Apple users will have to wait until Apple releases an update to address these vulnerabilities, since there’s no update for Mac OS X from Oracle.

The ubiquity of Java and the difficulty many users understandably have in keeping the software up to date have made it an attractive target for hackers. Users should consider whether they might be better off uninstalling Java from their systems or, at the very least, disabling Java altogether.

Gmail – LinkedIn Assault

Google warned on Wednesday that hackers were launching targeted phishing attacks against hundreds of Gmail account users, including senior U.S. government officials, Chinese political activists, military personnel and journalists. That story, as related in a post on the Official Google Blog, was retold in hundreds of media outlets today as the latest example of Chinese cyber espionage: The lead story in the print edition of The Wall Street Journal today was, “Google: China Hacked Email.”

The fact that hackers are launching extremely sophisticated email attacks that appear to trace back to China makes for great headlines, but it isn’t exactly news. I’m surprised by how few media outlets took the time to explain the mechanics behind these targeted attacks, because they offer valuable insight into why people who really ought to know better keep falling for them. A more complete accounting of the attacks may give regular Internet users a better sense of the caliber of scams that are likely to target them somewhere down the road.

Google said “the goal of this effort seems to have been to monitor the contents of targeted users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.)”

This statement freaked me out a little bit. When was the last time you checked whether your email forwarding settings had been modified? If you’re like me, probably never. This might be the most useful aspect of the Google disclosure, and it contains a few helpful pointers about how to check those settings in Gmail. Google also took this opportunity to remind users about the value of enabling 2-step verification, a security precaution.

To my mind, the most valuable content in the Google Blog entry is a footnote that points to the Contagio Malware Dump blog, an incredibly detailed and insightful (if slightly dangerous) resource for information on targeted attacks. It’s worth noting that Google relied on Contagio to reconstruct how the attacks took place, and the author, blogger Mila Parkour, first wrote about these attacks almost four months ago.

Most of the targeted email attacks chronicled on Parkour’s blog involve poisoned file attachments that exploit zero-day software flaws in programs like Adobe Flash or Microsoft Word. This campaign also encouraged people to click a link to download a file, but the file was instead an HTML page that mimicked Gmail’s login page. The scam page also was custom-coded to fill in the target’s Gmail username. Contagiodump has a proof-of-concept page available at this link that shows the exact attack, except populated with “JDoe” in the username field.

Parkour also published an informative graphic highlighting the differences between the fake Google login page and the legitimate page at https://mail.google.com.

Some readers may think they’re not important enough to warrant targeted phishing attacks such as these, but the truth is that such phishing attacks can be automated quite easily. I’d be willing to bet that it won’t be long before more traditional, financially-motivated cyber crooks start incorporating these techniques in their scam emails.

Along these lines comes a blog post today from security vendor Trusteer, which warned that scam artists are once again using cleverly disguised LinkedIn invites to foist password-stealing malicious software. Trusteer said this latest attack started with a simple connect request via email that was made to look like it came from another user of the social networking service. Users who click the link are redirected to a site in Russia outfitted with a version of the Blackhole Exploit Pack, which tries to silently install a copy of the ZeuS trojan by heaving a kitchen sink full of browser exploits at visitors.

The image below, taken from Trusteer’s blog, shows the booby-trapped LinkedIn request on the top; the image below is what a legitimate LinkedIn request looks like. Would you have been able to tell them apart?

Here are a few simple tips that can help you avoid becoming the next victim of these attack methods:

  • Keep your software up-to-date. Legitimate, high-traffic Web sites get hacked all the time and seeded with exploit kits. Take advantage of programs like Secunia’s Personal Software Inspector or Filehippo’s Update Checker to stay abreast of the latest security updates.
  • Be extremely judicious about clicking links in emails. Try to avoid responding to invites by clicking links in emails. I notice that Twitter has now started sending emails when someone re-tweets your posts: Avoid clicking on those as well. It’s safest to manage these accounts by visiting the sites manually, preferably using a bookmark as opposed to typing these site names into a browser address bar.
  • Pay close attention to what’s in the address bar: Checking this area can prevent many email-based attacks. Staying vigilant here can also block far more stealthy attacks, such as tabnabbing.
  • Consider using an email client, such as Mozilla’s Thunderbird, to handle your messages. It’s a good idea to have emails displayed in plain text instead of allowing HTML code to be displayed in emails by default.

 

Windows security wanes, while Malware waxes on four million websites

For Windows users there is another problem that has been circulating around the web of late. Yeah, what else is new. I find these reports rather comical, as being a Linux user they do not apply to me, period. Out of the three big browsers on the block, Google Chrome, Firefox and Internet Exploiter, Google Chrome should be the safest one to use these days on the web.

If you are however a strict user of Firefox already, then I highly recommend the use of Firefox and the NoScript addon and your problem will be fixed. You’ll never even see the attack page in the first place. It’ll just be blank. Note to first-time users of NoScript: It is a WHITELIST, not a blacklist. Some sites are programmed into it, but 90% of them are not. You will have to approve various sites yourself. Yes, this may seem like a pain, but 5 seconds of pain beats being infected.

You can also disable proxies in the connections tab of your browser under advanced settings. LizaMoon uses a proxy server to redirect your browser. Disabling the proxy eliminates the popups and allows you to download a scanning tool like ESET’s online scanner tool or HitManPro’s scanner.

A new bit of malware has been making headway across the Internet, but is it really that big of a deal? You’ve probably seen the news that “Lizamoon,” an SQL injection attack designed to point your browser to a piece of fake security malware, had infected hundreds of thousands of pages across the Internet. And this includes links found within Apple’s iTunes itself… to a degree.

But here’s the deal: In order for the script to have any noticeable effect on your computer, you have to agree to allow it to work its unhealthy magic on your system, according to WebSense (video below).

LizaMoon example video and explanation

Simply visiting a site with injected code only redirects your browser to another site, and the social engineering takes over from there.

The simple solution: Don’t install unknown files! The more complex solution: Know what antivirus programs already exist on your system, and know what they look like when they scan for and find files. If something says you have malware on your system, and this something looks nothing like applications you already have on your system, be suspicious!

In this case, a successful Lizamoon redirect takes you to a dummy page that looks as if a large antivirus/anti-malware scan is taking place on your computer. Go figure, the scan finishes quite quickly, and a user is alerted that his or her machine might be compromised by various Trojan horse attacks and other cleverly titled malware. If a user is still playing ball, he or she can click on the simulated option to “remove” these malware apps, which then pulls up a simple download window for a “malware-removing” executable.

Still with us? Here’s the deal: If you push some common sense into the mix, you’ll notice that this entire process seems a bit fishy to begin with. Step one: A virus scan for Windows Explorer appears in your browser window. Step two: It finishes in lightning speed. Step three: You have to download a file–apparently via Windows Explorer, but using your browser’s standard download file prompt–to finish the deal.

In short, Lizamoon can’t do a thing to your system unless you let it. So if you see the sort of popup like the ones I am showing here, do not click on anything! Just turn off your computer and reboot. If you’re already running ESET NOD32 and/or OpenDNS then you shouldn’t be able to visit any site that is compromised.

The SQL injection attack on the initial site you were visiting, which itself prompts the redirect to the bogus scanning site, only works on this first web site. Lizamoon doesn’t hang out in your browser, or continually redirect you to fake sites, or install itself on your computer in a manner that doesn’t first require you to perform the action yourself.

So what has Lizamoon taught consumers? Don’t let your browser con you into thinking that some kind of action is magically happening on your system, don’t trust this magical action if it takes less than 30 seconds to do or looks otherwise unknown to you, and run an up-to-date virus-scanner in the background of your system. Ta-da: Lizamoon defeated.

When you get hit by the infected website and are referred, two things happen: you get hit with a popup box, and you lose control of both your browser and ctrl+alt+del functions. As with all browser windows you have the option to hit the red X to close everything down, but not this baby; touch anything on this baby and you spark up what is now a computer hijacker’s website. For those few moments the only solution is a log off or reboot. Blocking the hijacker with your firewall is a waste of time. The infection is designed to refer you to several thousand backup addresses that refer you to thousands of ever-changing country-specific domains like .ms or .uk. The worst part is the address in the browser address bar is not the address of the web page you are looking at; the web page isn’t in .uk or .us but in Russia. The penultimate hop to the hijacker is a secure firewall server in the USA. The only way of shutting these hijackers out of your computer is by blocking the CIDR address of 212.124.96.0/19 with your firewall.

Don’t know which bothers me the most; the problem or people trying to turn a profit from it. If you run Windows simply hit the power button; after shut down, restart in safe mode and run restore. The malware is gone.

Those who want a secure operating system are better off just leaving Microsoft altogether, not to mention cost savings and other commonly-stated advantages as you do NOT have to purchase additional software to make Windows function safely. Windows does not seem to impress people all that much.

Linux is becoming dominant not just in phones but on desktops too. One adoption curve drives the other and people who own an Apple or Google phone sooner or later rethink their desktop operating system (a personal observation).

Win $20,000.00 *IF* you can exploit Google Chrome

Google will pay $20,000 to the first researcher to exploit its Chrome browser. The award is the largest ever for the annual challenge, which will kick off for the fifth time at this year’s Pwn2Own hacking contest at CanSecWest in Vancouver, BC, on March 9.

This contest is a nice cheap way to find problems with your browser. You end up getting lots of very talented people to look at your code for you. They have the additional benefit of not being the original programmers. This helps them have a new perspective on the code.

Note: Two things that bother me are that they do not include any popular Linux distributions, nor do they offer the Opera browser as a contender. An inquiry to the organization provided a response that “Linux and Opera do not hold significant market share.” I am still scratching my head with that statement. Anyways, here are the details.

Target: Web Browsers

This year the web browser targets will be the latest release candidate (at the time of the contest) of the following products:

  • Microsoft Internet Explorer
  • Apple Safari
  • Mozilla Firefox
  • Google Chrome

Each browser will be installed on a 64-bit system running the latest version of either OS X or Windows 7.

At this year’s Pwn2Own, researchers will pit exploits against machines running Windows 7 or Mac OS X as they try to bring down Microsoft’s IE, Mozilla’s Firefox, Apple’s Safari and Chrome. The first researchers to hack IE, Firefox and Safari will receive $15,000 and the machine running the browser. The prizes are $5,000 more than those given for exploiting browsers at the last Pwn2Own contest, and three times more than the 2009 awards. ‘We’ve upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000,’ said Aaron Portnoy, the manager of the sponsor, HP TippingPoint’s security research team, which set the contest’s rules Wednesday in a blog post written by Portnoy.

New this year is Google’s participation. The company is the first browser vendor to put money into the prize kitty. “Kudos to the Google security team for taking the initiative to approach us on this,” Portnoy said.

The rules for Chrome are slightly different than for the other browsers because it’s the only one of the four that uses a “sandbox,” an anti-exploit defense. A sandbox isolates system processes, preventing or at least seriously hindering malware from escaping an application — in this case Chrome — to wreak havoc on the computer.

To exploit a sandboxed program like Chrome, researchers require not one but two vulnerabilities: The first to allow their attack code to escape the sandbox, and a second to exploit a Chrome bug.

Other software developers have followed in Chrome’s footsteps to try to make their applications more secure. Last year, for example, Adobe added a sandbox — derived in part from Google’s work — to its popular Reader program.

To walk off with Google’s $20,000 on Pwn2Own’s first day, a researcher must find and exploit two vulnerabilities in Google’s code. Only on the second and third days of the contest can researchers employ a non-Chrome bug, say one in Windows, to break out of the sandbox. A successful attack on the second and third days will still put $20,000 in the researcher’s pocket, but only $10,000 of that will come from Google; TippingPoint will pony up the other $10,000.

Google’s participation in this year’s Pwn2Own may be a mark of its confidence that Chrome can’t be hacked. Although Chrome has been one of the browser targets at Pwn2Own since 2009, no researcher has exploited the browser and grabbed the cash.

IE, Firefox and Safari have fallen to attackers each of the last two years, sometimes in an embarrassingly short amount of time. In 2009, one researcher — a German computer science major who gave only his first name, Nils – hit the trifecta by exploiting all three browsers and taking home $15,000 total, $5,000 for each hack.

Charlie Miller, the only researcher to have won Pwn2Own prizes three consecutive years, wouldn’t commit last week to trying again, but on Wednesday he noticed the $20,000 for Chrome.

“Pwn2own now offering 20k for attack on Chrome,” said Miller on Twitter. “Must be hard, glad Mac OS X doesn’t sandbox their browser.”

Miller is a Mac hacking authority — he co-authored The Mac Hacker’s Handbook with Dino Dai Zovi, a 2007 Pwn2Own winner — and has exploited Safari each of the last three years. As he pointed out, Safari is not sandboxed.

TippingPoint will also run a mobile hacking track at Pwn2Own next month that will let researchers try to exploit smartphones running Apple’s iOS, Google’s Android, Microsoft’s Windows 7 Phone and RIM’s BlackBerry OS.

Successful smartphone attacks will be awarded $15,000.

Mozilla to release Firefox 4 next month, maybe

Damon Sicore, Senior Director of Platform Engineering at Mozilla, has announced that the company is almost ready to ship Firefox 4. On its mailing list, Mozilla has revealed it has around 160 hard blockers to fix, before proceeding to Release Candidate stage. Both the RC and the final version would arrive in February, according to Sicore.

Mozilla was originally planning on having Firefox 4 out by the end of last year, but it had to delay the release till 2011. Last month, Firefox 4 Beta 8 was released for Windows, Mac OS X, and Linux 32-bit/64-bit, with support for 57 languages. Mozilla’s roadmap says it still wants to release a Beta 9, a Beta 10, and at least one Release Candidate build before the final version.

Mozilla’s Firefox recently overtook Microsoft’s Internet Explorer to become the most popular browser in Europe. Worldwide though, the browser’s market share has largely stagnated.

Here is the full message, posted on mozilla.dev.planning:

We’ve worked tremendously hard on Firefox 4, and it’s time to ship it. I’m seeing the same burst of excitement and activity that we’ve seen in the endgame of every release. Over the past several days, component leads have again reduced their blockers by identifying hard blockers and those we can live without. We’ve around 160 hard blockers remaining, and historically it has taken us six weeks to reach RC once we have 100 blockers left. We must press hard now.

To Finish:

1) We have to reach Release Candidate status as quickly as possible, ideally finishing the hard blockers by the beginning of February and shipping final before the end of February. We’ll need your help to balance these targets against the need to build a high quality product.

2) Bug counts demand another beta. We’ll drive the beta bugs to zero and ship another beta. If we can’t get them to zero in reasonable time, we’ll repeat, deliberately. It depends on how quickly we can drive down the list of hard blockers that need beta feedback. This is our top development priority, since it pushes the rest of our schedule.

3) We need *everyone* to help in testing. Specifically: Do not disable Flash, Silverlight, or other major plugins as we need as many people testing these as possible. Windows users: We need to know if you are affected by hardware acceleration causing crashes or other issues. Don’t just assume that someone else has filed a bug already. Make sure. Ask someone if you don’t know how. This is very important.

MOST IMPORTANT: We must ship the best possible product we can. If a blocker needs more time, tell release drivers and component leads immediately. If you disagree with a blocking call, say so loudly. Do not be timid. This is your product, we need you to own it.

I know you’re all tired and stressed. You all do incredible work every day, and you’ve built an amazing product. Stay focused. Be nice to each other. Firefox 4 is gonna kick ass, and you should be fiercely proud of it.

On a side note, I have been using Google Chromium, which is the open-source web browser, for almost a year now. It’s faster than Firefox 3.6 and less prone to crashing, and it can update itself and install plugins without restarting. I also pulled the analytics report for this website during 2010 and looked at the percentages of people using each browser; it is interesting to see how little Internet Exploiter is used these days.

Xmarks Sync to be Discontinued


Sadly, Xmarks will be shutting down our free browser synchronization service on January 10, 2011. This page contains details on how to transition to recommended alternative services. For more detail on why we’re closing our doors, please see our blog post. Learn more at http://www.xmarks.com/about/shutdown . [Updated: since our announcement several companies have expressed interest in acquiring the Xmarks service. More details in James' blog post (http://blog.xmarks.com). If you would pay $10 per year to continue to use Xmarks, please pledge your support here: http://www.pledgebank.com/XmarksPremium .]

Best regards -Team Xmarks


What you need to know:

  • Browser Sync Alternatives

    While you may have to give up cross-browser sync when Xmarks goes away, there are a lot of good browser-specific sync options available:

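    | Browser           | Sync Alternative                    | Xmarks Data Types Supported         | Price    |
    |-------------------|-------------------------------------|-------------------------------------|----------|
    | Firefox           | Firefox Sync (Mozilla)              | Bookmarks, passwords, history, tabs | Free     |
    | Chrome            | Chrome Sync (Google)                | Bookmarks                           | Free     |
    | Internet Explorer | Windows Live Essentials (Microsoft) | Bookmarks                           | Free     |
    | Safari            | MobileMe (Apple)                    | Bookmarks, passwords                | $99/year |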

    You can also create an HTML backup of your bookmarks at any time by using the Export feature at my.xmarks.com.

  • Service End Date and User Support

    Xmarks Sync for Firefox, Chrome, IE, Safari, and iPhone will continue to operate until January 10, 2011. Email support is no longer available, but our user support forums on GetSatisfaction will continue to be a place for users to help each other.

  • Uninstalling Xmarks Extensions (Sync, Thumbnails, and SearchTabs)

    Instructions for uninstalling Xmarks can be found on this wiki page.

  • Privacy and Your Data

    We understand that you have entrusted us with the task of storing your personal browser data and we take that responsibility very seriously.

  • Other Shutdown Questions

    Please see our Shutdown FAQ if you have questions you don’t see answered above.

  • More Sync Options

    If you have need of syncing more than just bookmarks between computers, here are two great services we recommend you try out. Both offer a free plan with no payment obligation.

    Evernote lets you save entire webpages, including text, links and images. It keeps everything synchronized across your computer, phone and the web. In addition to storing webpages, Evernote also allows you to take notes, store to-dos, snap photos and more.

    SugarSync is easy, secure online file sync and backup. Keep your files, photos, and music stored in the cloud so you can access them anytime. Works with PC and Mac plus mobile devices like iPhone, iPad, Android, and more.
