Web Browser Security
Thirteen security vulnerabilities were fixed this week when Mozilla released Firefox 13.
Mozilla released patches for 12 vulnerabilities in Firefox 11, the newest version of its web browser.
Tuesday's monthly patch batch from Microsoft will be relatively light, with the software giant planning nine fixes -- four rated "critical" -- to address 21 vulnerabilities.
Borrowing a page from other web browser manufacturers, Microsoft soon will automatically upgrade Windows customers to the latest version of IE.
Google on Tuesday released Chrome 16, which includes fixes for 15 security vulnerabilities.
The Patch Tuesday bulletins, of which two are rated "critical" and six deemed "important," are due Oct. 11 at about 2 p.m. EST.
Mozilla released an update for its Firefox browser to address what it called a "rare" bug that caused add-ons to be hidden for some users after upgrading to version 7.
A San Francisco man who was charged with exploiting a flaw on the AT&T website to obtain personal information about Apple iPad subscribers has pleaded guilty, prosecutors said Thursday.
The latest version of Mozilla's Firefox web browser, version 5, was released on Tuesday with fixes for a number of vulnerabilities that could allow an attacker to crash a victim's browser, run arbitrary code on their computer, steal data or perform cross-site scripting attacks. Mozilla also fixed several security vulnerabilities in Firefox 3.6 this week, but ended support for Firefox 4, which was released just three months ago and received its only update, Firefox 4.0.1, in April. Users of Firefox 4 are being advised to upgrade to Firefox 5.
Google on Tuesday updated Chrome to close a zero-day flaw in the web browser's version of Adobe Flash Player, ahead of rival browsers Internet Explorer, Firefox, Safari and Opera - and even ahead of Adobe itself. Chrome 10.0.648.134 contains an updated build of Flash Player, which Google received for integration and testing as part of a collaboration with Adobe, an Adobe spokeswoman told SCMagazineUS.com on Thursday. Meanwhile, Adobe on Monday warned that attackers currently are exploiting the flaw through malicious Microsoft Excel files. The software maker is finalizing a fix and plans to patch Flash for Windows, Mac OS X and Linux next week.
The latest version of Internet Explorer, version 9, was released Tuesday with a much-discussed tool that allows users to opt out of having their web surfing monitored. In December, the Federal Trade Commission suggested browser manufacturers adopt such a capability as a means of safeguarding consumers' online habits. Microsoft's do-not-track feature, by default, alerts websites that the user's data is not to be tracked. While Mozilla announced it too would soon offer such an option in its Firefox browser, Apple and Google have not yet publicly announced plans. - GM
eHarmony has confirmed that a hacker recently gained access to a file containing user information, weeks after another popular dating site was compromised.
The credentials of nearly 30 million online daters are at risk following the exploit of a common website vulnerability. The exact circumstances of the incident remain in question.
Google, maker of the Chrome web browser, on Monday made a feature available that allows users to permanently opt out of online behavioral advertising tracking cookies.
A potentially exploitable zero-day vulnerability in Internet Explorer, detailed by a Google researcher who created a fuzzing tool to find browser flaws, is under investigation by Microsoft.
Mozilla on Thursday issued an updated Firefox web browser to fix 13 vulnerabilities.
Cybercriminals are exploiting a "critical" zero-day flaw in Mozilla's Firefox web browser to distribute malware, security firms are warning.
Mozilla on Tuesday released an updated version of its Firefox web browser to shore up a dozen vulnerabilities.
Google on Thursday acknowledged the two-year anniversary of its Chrome browser with a new stable channel version that addresses more than a dozen security vulnerabilities. The flaws may allow an attacker to execute arbitrary code, bypass security restrictions, obtain sensitive information, or conduct spoofing attacks, according to an advisory posted by the US-CERT on Friday. Google, which provides monetary rewards for the disclosure of security bugs, paid out $4,337 in bounties for the vulnerabilities. The Chrome 6.0.472.53 stable channel update is available for Windows, Mac and Linux users. — AM
Google late last week fixed 11 security flaws in its Chrome web browser that could allow an attacker to execute arbitrary code, cause a denial-of-service, or conduct spoofing attacks, according to an advisory from the US-CERT. Google, which provides monetary rewards for the disclosure of security bugs, paid more than $10,000 to various researchers for the flaws. The Google Chrome 5.0.375.127 stable channel update is available for Windows, Mac and Linux users. — AM
A noted security researcher explains how sophisticated malware is created to elevate privileges on behalf of an attacker so security controls, such as anti-virus, can be disabled.
Apple on Monday issued Safari 5 and Safari 4.1 to close dozens of security vulnerabilities, some of which could allow an attacker to install malicious code on an affected system.
Opera Software has released an update for its web browser to address a vulnerability that has been classified as "extremely severe," according to the company's security advisory. Opera 10.53 corrects the flaw, which affects the browser for both Windows and Mac, and could allow an attacker to cause an application crash and execute arbitrary code, according to a separate advisory posted by the US-CERT. Users have been advised to update immediately. — AM
Mozilla this week updated two versions of its Firefox web browser to fix several security issues that could allow an attacker to execute arbitrary code or bypass security restrictions, according to the company's security advisories. Firefox versions 3.0.18 and 3.5.8 remediate three flaws that were rated "critical" and two rated "moderate" by Mozilla. The newest version of the browser, Firefox 3.6, is not affected. — AM
An attacker could leverage design flaws in Internet Explorer to read every file on a user's computer, according to researchers at Core Security Technologies.
Mozilla on Tuesday released an update to its Firefox web browser, pushing out versions 3.5.7 and 3.0.17. The updates do not contain any security fixes, though the update fixed a "common stability issue," according to the release notes. Users can download the latest Firefox version here. — DK
Microsoft engineers are prepping a fix for a zero-day Internet Explorer version 6 and 7 flaw, while users are encouraged to apply workarounds as they await a patch.
Of all vulnerabilities in web technologies discovered in the first half of 2009, 90 percent were present in web applications.
Contrary to conventional wisdom, due to the way browsers handle cookies, an attack on a company's subdomain can net an attacker free rein over the principal production domain.