WastedTimes

[mimi_44]

Hackers Focus Efforts on Firefox, Safari

Many people are switching from Internet Explorer to alternative browsers such as Firefox and Safari. Though that might make them feel more secure, the shift has also opened new doors for bad guys.

Case in point: We have no IE bugs to report this month, but both Firefox and Safari have been hit hard.

So forget the idea that just because you've switched to a new browser, you're magically safer. You may be for a time, but to stay safe with any software, you need to keep current with fixes.
Firefox Holes

In a somewhat dubious recognition of Firefox's growing popularity, hackers have focused their attention on it, leading to a rash of newly discovered holes. The folks at Mozilla recently released two Firefox updates in less than six weeks, fixing a total of five critical security vulnerabilities. All five can be exploited by planting a poisoned JavaScript file in a Web site and waiting for you to stumble across it.

In an actual attack--neither the Safari nor the Firefox bugs have elicited one so far--a bad guy could take over your PC or steal your navigation history.

The latest versions of Firefox--2.0.0.13 on--will stop all five bugs. Mozilla's Thunderbird and SeaMonkey are also at risk (if you have JavaScript enabled), so download updated versions.
Safari in the Wild

Safari 3.1 patches 13 holes affecting Mac OS X, Windows XP, and Windows Vista.

Think you're safe because you don't have Safari? You may have it without realizing it. Apple now distributes its browser with iTunes updates. Forget to uncheck a box in one of these updates, and it's there.

The Safari holes could allow an attacker to trick you into thinking that a fake site is really your bank site, or to take over your PC via a poisoned page. Download Safari 3.1.

Office Bugged Again
micros0ft recently released four patches that fix a dozen dangerous holes in Office. I warned you about one of those holes--a zero-day attack on Excel--in April. Be sure to apply the patches, if your system doesn't install them automatically. Get the four new Office patches and more info. (You are not affected if micros0ft Office 2007 is the version you use.)

No sooner had micros0ft shipped those patches than the company acknowledged the existence of yet another bad Office bug that needs patching. And this one is urgent because some users have already been attacked.

Luckily, Windows Vista, Windows Vista SP1, and the beta version of Windows XP SP3 are not at risk because they ship with a newer version of the affected "Jet" database. But earlier versions of Windows are vulnerable, as are all supported versions of Office, including Office 2007.

Becoming a victim of the bug involves saving two files to your PC's hard drive--one a mail-merge file that uses the database engine. There was no patch at press time. For more information, read micros0ft's advisory.
POSTED by: PC World Friday, April 25, 2008

P.S. I use Flock. Any info or remarks on it?

[Mop]

I was wondering when this would happen.

No one is safe these days from hackers it seems.

What goes on in their minds I wonder.

shiit happens. Every day.

Flock. Never heard of it.

[peiratns]

What is that M$ propaganda?
The author of this article, whoever s/he is affiliated to, is not mentioning that F/OSS such Firefox are developed much faster and because they are open to scrutiny their bugs can be found easily by the community of developers/users and corrected in speeds that M$ and the rest of proprietory software developers can only imagine in their dreams.

What a bunch of Bull:

Quote:

Case in point: We have no IE bugs to report this month, but both Firefox and Safari have been hit hard.

[jkf]

There are bug fixes done all the time in Firefox and its peers, you can even
download the daily interim betas before they collect enough fixes and make
a public release.

The Open Source community will not and cannot hide fixes that are put in so
they are much more trustworthy than change notices that microshit puts out.

For the most part, a person cannot verify what exactly got changed in IE except
for taking microshit's word for it, unless you work for them and work in the IE
development area.

As for Firefox, anyone can view the exact line of code that was changed, if
anything was really changed, and its documented so that others can verify
that it was and why it was done.

We have to be careful about putting 100% trust in these stories in that they are
starting to sound an awful lot like the news reporters that are cooking up good
stories or adding a few extra twists into their stories to create sensationalism
so people would take notice and they can build up their names. The difference
being, what happens to celebrities do not affect our lives directly in most part...
But most bad things that happen to our computers will imediately give us
severe grief and most of these people writing these articles aren't that
computer savvy as they pretend to be.

You can never assume that there were no problems found for IE...
maybe there were problems found in IE but not reported because it
hasn't been fixed yet and that would be embarrassing to them ...

[peiratns]

J. you are making some excellent points there:

Quote:

The Open Source community will not and cannot hide fixes that are put in so they are much more trustworthy than change notices that microshit puts out. For the most part, a person cannot verify what exactly got changed in IE except for taking microshit's word for it, unless you work for them and work in the IE development area.

Touche! F/OSS by default makes the source code available to all to study, learn and modify as they please. When an F/OSS project has many users/developers (e.g. Firefox) bugs are discovered very quickly. Malicious code also can not be hidden easily due to the fact that many people can examine the code. Imagine now in M$ a disgruntled programmer that decided to mess with IE. How long will it take the rest of the M$ team to find out? Think about it!

Quote:

We have to be careful about putting 100% trust in these stories in that they are starting to sound an awful lot like the news reporters that are cooking up good stories or adding a few extra twists into their stories to create sensationalism so people would take notice and they can build up their names.
...these people writing these articles aren't that computer savvy as they pretend to be.

When I read the title of the article "Hackers Focus Efforts on Firefox..." I expected to read about development efforts on Firefox or something along this line. The author of the article better do some research on the meaning of "hacker". Mass media twisted the true meaning of the word. When you read an article that uses the word "hacker" to have the meaning of "cracker" then stop reading it, or if you want to continue read it from a very skeptical position. Loaded articles are always biased.

P.

PS: F/OSS= Free/Open Source Software

PS2: Mop, Flock is here: http://flock.com/ . It's based on Firefox.

[jkf]

Mop @ Thu May 01, 2008 5:18 pm wrote:

Flock. Never heard of it.

Flock is a modified Firefox that has integrated enhancements for those
that don't want to use a separate application for handling the tasks.

I checked Flock version 1.1.2

it reports that it is built on
Firefox/2.0.0.14
Gecko/20080418
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14)

So it should cover the above mentioned firefox fixes.

Check your Flock version by doing Help -> About Flock

If the Firefox version in Flock is equal to or greater than 2.0.0.13,
then it should be OK.

The more I think about this article, it looks like old info regurgitated, as the
latest Firefox is 2.0.0.14 released April 16, 2008, about a week before the
article date. Even Firefox 2.0.0.13 which was release on March 25, 2008
is a month older than the article and it had fixed those problems already....
If this article came out in March... then it might have been fresh news...

Flock Release Notes: http://www.flock.com/release-notes/1.1.2/

I have found a 1.1.3 and even a change page at flock.com that
doesn't really tell you what the difference is... might be a beta...

[mimi_44]

Quote:

If the Firefox version in Flock is equal to or greater than 2.0.0.13,
then it should be OK.

Thanks for the info on Flock jkf.