Firefox 18.0.2

The latest version of Firefox apparently fixes some Javascript stability issues.

On a related note: is it just me, or are the release notes for Firefox kind of messed up? Looking at the page for the latest release, I notice the following:

  • The version being discussed doesn’t appear anywhere at the top of the page, in any headings, or in the page title.
  • The first reference to the version is in the list of issues fixed in the What’s New section, but issues fixed in previous versions appear as well.
  • What does appear in the page headings is “Notes (First offered to release channel users on February 5, 2013)”. Apparently this is telling us that the version being discussed was released on that date. But again, it’s not clear what version we’re talking about, unless you look at the page’s URL, which includes “18.0.2”.
  • The link to a complete list of changes takes us to a page that lists changes going back several months, in previous versions. It’s a massive list, again with no version information, despite being on a page with a specific version in the URL.
  • Comparing the complete list of changes for version 18.0.2 with the the list for version 18.0.1 shows that they are in fact identical. You have to go back to version 17.x to find a different list.

Confusing. To make matters worse, among all the Mozilla blogs, press releases and other related Firefox information on the Mozilla site, I’ve so far been unable to find a mailing list, feed or any other resource that simply announces new Firefox versions. I have to find out about new versions from SANS.

Latest SANS: Ouch! – Email Phishing Attacks

This month’s Ouch! newsletter (PDF) from SANS is about email ‘phishing’ attacks. According to Wikipedia,

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

It’s a worthwhile read, and describes different types of phishing attacks and what you can do to protect yourself from them.

Massive Java security update

Oracle/Sun has released update 13 for Java 7 (Java 7u13).

The update was originally scheduled for release on February 19, but given all the recent security issues, Oracle decided to get the latest patch out there as soon as possible.

The update includes fifty bug and security fixes. The issues addressed are listed on the associated Critical Patch Update Advisory. Oddly, the update version (7u13) is never mentioned once on that lengthy page.

Recommendations:

  • If you use Java, update it ASAP.
  • Don’t depend on the Java auto-updater to update Java: do it manually.
  • Don’t assume Java is now safe. Until security researchers like Adam Gowdiak give Java 7u13 a thumbs-up, assume it’s still vulnerable.
  • Disable Java plugins in your web browser unless you have no choice.
  • Continue to be extremely careful when browsing the web.

Plugins will be safer in future versions of Firefox

Presumably in response to the recent flood of Java vulnerabilities, the developers of Firefox (Mozilla) will be adding a new layer of security to all plugins, including the notororiously insecure Java, Flash and Adobe Reader.

Essentially, the new security will consist of additional prompts when plugins are triggered. So when a web site tries to run Java code, Firefox will prompt you to make sure you really want to allow the plugin to activate and run the Java code. You will be able to control which plugins and sites are affected.

Oracle/Sun recently made similar changes to Java itself, in an attempt to improve the overall safety of Java in web browsers. However, as security researcher Adam Gowdiak points out, those changes are ineffective: Java code can still run silently, bypassing the new safeguards. He writes:

… unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings …
Our Proof of Concept code … has been successfully executed in the environment of [the] latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 … and with “Very High” Java Control Panel security settings.

That said, recent … security “improvements” to Java SE 7 software don’t prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit.

Microsoft blames device builders for Windows 8’s lackluster sales

According to The Register, Microsoft is accusing PC and handheld device manufacturers of not building enough Windows 8 devices. Despite publicly claiming that Windows 8 sales are similar to Windows 7’s at this point, the numbers being flouted are deceptive, in that they include sales to manufacturers. Internally, it seems clear that Microsoft is actually disappointed with Windows 8 sales and is looking for someone to blame.

News for me, stuff that matters… to me. Windows, Linux, security, tools & miscellany.