Tag Archives: Firefox

Patches for Several Firefox Security Vulnerabilities Appear in Launchpad

A few days ago, several medium and low priority security-related bugs were handled for Firefox and many other Mozilla applications. These bugs affected all versions of Firefox from version 4, and all versions of Thunderbird from version 5. All patches for all these bugs were added to Launchpad.

While some of these attacks caused the application to crash, others would allow execution of arbitrary code through JavaScript. As Ubuntu’s LTS releases are supported for long periods, fixes for these bugs were released for Ubuntu 8.04, and also for Ubuntu 10.04, Ubuntu 10.10, Ubuntu 11.04 and Ubuntu 11.10.

The Ubuntu Security Notice on this page lists all the vulnerabilities that were addressed with updated Launchpad patches.

Alexandre Poirot, Chris Blizzard, Kyle Huey, Scoobidiver, Christian Holler,
David Baron, Gary Kwong, Jim Blandy, Bob Clary, Jesse Ruderman, Marcia
Knous, and Rober Longson discovered several memory safety issues, which
could possibly be exploited to crash Firefox or execute arbitrary code as
the user that invoked Firefox. (CVE-2011-3660)

Aki Helin discovered a crash in the YARR regular expression library that
could be triggered by JavaScript in web content. (CVE-2011-3661)

It was discovered that a flaw in the Mozilla SVG implementation could
result in an out-of-bounds memory access if SVG elements were removed
during a DOMAttrModified event handler. An attacker could potentially
exploit this vulnerability to crash Firefox. (CVE-2011-3658)

Mario Heiderich discovered it was possible to use SVG animation accessKey
events to detect key strokes even when JavaScript was disabled. A malicious
web page could potentially exploit this to trick a user into interacting
with a prompt thinking it came from the browser in a context where the user
believed scripting was disabled. (CVE-2011-3663)

It was discovered that it was possible to crash Firefox when scaling an OGG
<video> element to extreme sizes. (CVE-2011-3665)

You can find more about these vulnerabilities in the Ubuntu CVE tracker with the numbers 3658, 3660, 3661, 3663 and 3665. For Ubuntu 11.10 users, a Firefox 9 patch is available at this link. Alternatively, you can update your system with the latest version of all packages. Once the update is done, do not forget to restart Firefox, to apply the patch.

Mozilla Set to Earn Nearly 1 Billion from Google Search Deal

Earlier this week, Mozilla announced a new search agreement with Google that will ensure that Google remains Firefox’s default search provider for at least the next three years. However, Mozilla had declined to share exactly how much Google had agreed to pony up for this privilege. Now, Kara Swisher has managed to learn the juicy details.

Contrary to speculation from so-called pundits and analysts, the renewal of the search partnership was delayed not because of a lack of interest from Google, but due to intense competition from Microsoft. Even Yahoo, which also uses Bing’s results, was in the race. As a result of Microsoft’s heightened interest, Google was forced to provide a minimum revenue guarantee of 300 million per year for three years, which is almost a threefold increase from the previous agreement.

Mozilla will continue to have search partnerships with Microsoft Bing, Amazon, eBay, and Yahoo. However, it is the default search engine agreement that yields the maximum benefits for both sides. Opera’s default search agreement with Google will expire at the end of March, 2012. It will be interesting to see how much Opera Software, whose desktop browser is estimated to have less than 10% of Firefox’s market share, will be able to extract from a search deal.

Mozilla Signs New Search Agreement with Google

Mozilla has signed a new search agreement with Google that will last for at least three years. “Under this multi-year agreement, Google Search will continue to be the default search provider for hundreds of millions of Firefox users around the world,” affirmed Gary Kovacs, CEO of Mozilla. This announcement comes three weeks after the existing agreement had lapsed. The delay had prompted many pundits to promptly speculate about the impending demise of Mozilla, which makes up to 84% of its revenue from Google.

Even though Google’s own browser is flourishing, having an agreement with Mozilla is still crucial for it. Had Google and Mozilla failed to reach an agreement, Microsoft would have almost surely stepped in and inked a deal for Bing. Mozilla Firefox is still mighty enough to be impossible for Google to ignore. Allowing Bing access to hundreds of millions of additional eyeballs is something that Google would hardly prefer. In fact, Google has search agreements with far smaller browsers like Opera, which has less than 100 million desktop users. Additionally, niche search engines like DuckDuckGo have also begun striking revenue sharing deals with browser manufacturers. While the nitty-gritty of the deal might have caused the delay, Mozilla’s future was never really in jeopardy.

Google Funded Browser Research Claims Chrome is Most Secure, Firefox is Least!

Google recently funded research that identified Chrome as the most secure web browser and Firefox as the least. The reputed security firm Accuvant, which counts Charlie Miller as one of its Research Consultants, carried out the research. Charles Miller was the first to find vulnerabilities in the iPhone and Android G1. He has also been winning the CanSecWest Pwn2Own for the last four years. That makes him quite the guy for this kind of research.

This research puts Google Chrome at the top, which has stayed unbeaten at Pwn2Own. Google funded this research knowing it will emerge at the top. Then, what was the real objective of this research? Of course, it was not about re-establishing facts. This research was aimed straight at Firefox.

Firefox has been the browser of choice for a majority of people. When Google Chrome started out, Firefox had a decisive user share. However, now that Google Chrome is rising and has overtaken Firefox, Firefox is no more than a threat to Google Chrome. The only reason for conducting this research was to try to get people off the Firefox bandwagon. With most of the Internet using Google Chrome, Google would have decisive control over the way people use the Internet.

The browser-security comparison results are available at this page with the following description:

The Accuvant LABS research team completed an extensive security evaluation of the three most widely used browsers (Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer) to determine which browser best secures against attackers. The team used a completely different and more extensive methodology than previous, similar studies. They compared browsers from a layered perspective, taking into account security architecture and anti-exploitation techniques.

Accuvant has also pointed out areas where Firefox can improve its code base. Mozilla’s Director of Engineering Jonathan Nightingale has responded to the research saying,

Firefox includes a broad array of technologies to eliminate or reduce security threats, from platform level features like address space randomization to internal systems like our layout frame poisoning system. Sandboxing is a useful addition to that toolbox that we are investigating, but no technology is a silver bullet. We invest in security throughout the development process with internal and external code reviews, constant testing and analysis of running code, and rapid response to security issues when they emerge. We’re proud of our reputation on security, and it remains a central priority for Firefox.

Chrome Overtakes Firefox Globally

Ever since its launch, Google Chrome has been gaining market share at a steady rate. Now, StatCounter is reporting that Google Chrome has finally managed to surpass Firefox globally. Chrome’s worldwide market share rose to 25.69%, while Firefox slipped to 25.23%. Microsoft Internet Explorer also continued its slide and fell to 40.63% at the end of November.


Google Chrome gained 21% over the past two years, while Internet Explorer, Firefox, and Opera lost 15.94%, 6.98%, and 0.2% respectively. Safari also managed to gain 2.255 market share since November 2009. In India, the figures are slightly different, as Indian users have typically been more reactive to market changes than Americans. Only 26.9% of Indians surf using Internet Explorer, while 34.29% and 34.75% rely on Firefox and Chrome respectively. Opera controls a shade above 2.5% of the market share in India.

Browser statistics tend to be wildly inaccurate and inconsistent. However, they are still good enough to gauge the market trend, and in this case the trend is clear. Google Chrome’s rise in popularity has been nothing short of spectacular. Introduced in late 2008, it has won the hearts of millions of web users with its focus on speed, security, and simplicity. Although Chrome is undoubtedly benefiting from Google’s deep pocket and wide reach, the Chrome team needs to be applauded for getting their priorities right. Within a short span of time Chrome has made its presence felt with its innovative drive and commitment to web standards.

Firefox on the other hand struggled to ship the ambitious Firefox 4 update, lost out in the browser speed wars, and seems to perennially lag behind Chrome. Many fans believe that Mozilla’s lack of vision is hurting Firefox, which was once the darling of the alternate browser crowd.

Firefox 8 Released: Introduces Better Add-on Security and Improved Performance

Firefox 8 is not officially slated to be released until November 8; however, the final builds for most platforms are already available on Mozilla’s ftp channels. Unlike the last few releases, Firefox 8 actually has a couple of new features that are worth looking into.

The biggest change is related to Firefox’s add-on installation and management procedure. On first launch, Firefox 8 presents users with a list of all the add-ons currently installed. Add-ons that were installed by third-party applications are disabled by default. If any third party application attempts to install a new extension, Firefox will seek the user’s permission before allowing the extension to be installed.


There is also a new option that forces Firefox to load tabs only when they are activated, while restoring windows and tabs from the previous session. This is a handy option that should reduce the start-up times for Firefox 8. However, it is disabled by default and needs to be enabled from Options –> General.


Other significant changes in Firefox 8 are: addition of Twitter to the search bar, improved tab animations, improved performance and memory handling when using HTML5

At the time of writing, Firefox 8 for Windows x64 was yet to be uploaded; however, you can find the new stable build for almost all other platforms here.

Mozilla Firefox Gets Bing’ed – Microsoft Introduces Firefox with Bing

There had been some speculation earlier that Firefox was going to dump Google search as its default search engine and replace it with Microsoft’s Bing, since Google came out with its own browser, Chrome. However, the Mozilla team immediately clarified that the default search will remain Google powered, but that Bing will be added to the pre-existing list of search services like Wikipedia, Amazon, Yahoo and others.

Yet, Microsoft wasn’t pleased about it, and was looking for an alternative. In a blog post, Microsoft announced that it has teamed up with the Mozilla team to release a new version of Firefox with Bing, which includes Bing as the default search engine. Well, don’t get too excited about that. This will be released as a separate version alongside the default version, which is powered by Google search.


It’s just that there are two same versions of Firefox with a different search provider. In other words, Firefox with Bing is exactly the same as normal Firefox. The new version will receive security and version updates at the same time as the normal Firefox.

According to the Bing team, the Bing powered version of Firefox has something called “AwesomeBar”, where you can type in URLs (Web addresses) as well as search queries. Perhaps Microsoft wasn’t aware that this feature has already been available in previous versions of Firefox and is also available in every other browser. Needless to say, Microsoft has always been into this: replicating ideas and giving them another name.

Something to note – In November 2011, Mozilla’s contract with Google will expire. However, we aren’t sure if the contract will be renewed or Mozilla is just going to dump Google. Or it could be the other way round also.

For Mozilla, the partnership with Microsoft is certainly a good deal. Firefox is still the most popular browser, however stats indicate that it is slightly declining month-by-month, but on the other hand, Google’s Chrome is gaining popularity progressively. This, however, makes me think that Google might not be interested in renewing their contract with Firefox.


Did you know? Google Chrome has been the most used browser on Techie Buzz

Sebastian Anthony from Extreme Tech explained how browsers make money, and Firefox being the most popular browser, generated 97 percent ($104 million) of its revenue from royalties paid from the Firefox search box, out of which 86 percent ($85 million) came from Google alone. Now, if Google does not renew its contract with Firefox, then it could be a direct challenge for Microsoft’s Bing as well as for Firefox in the browser wars.

You can download Firefox with Bing from FirefoxWithBing.com.


Remove Installed Greasemonkey Scripts in Firefox and Google Chrome

Greasemonkey scripts are lightweight JavaScript files which add additional functionality to browsers such as Firefox and Google Chrome. In the past we have talked about several interesting Greasemonkey scripts which are both useful and help solve problems. One of the most recent ones was removing the black bar in Google.

However, there are times when the Greasemonkey script you install might not work as expected or cause problems on other websites. If you are facing a similar problem you can easily uninstall the Greasemonkey script and get rid of the problem.

Google Chrome allows users to install Greasemonkey scripts as extensions so to uninstall scripts on Google Chrome, you will have to follow the steps given in How to uninstall apps and extensions in Google Chrome. However, if you are Firefox user and want to uninstall a Greasemonkey script, you will have to follow the steps given below.


Step 1: Click on the arrow next to the Greasemonkey icon and click on "Manage User Scripts"


Step 2: Click on "Disable" button to disable the script temporarily or click on the "Remove" button to remove the script completely.

That’s it. Once you have disabled or removed the script, just refresh the webpage and your problem will be solved.

NoScript Now Available For Firefox Mobile On Android

If you’re looking for added security when browsing on your Android device, look no further than NoScript. The popular Firefox extension has now been made available for Firefox Mobile. It’s called NoScript Anywhere.

Browsers have become extremely complex. With more and more platform-agnostic webapps appearing, users have been living and working inside a browser instead of a desktop. Google has been pushing Chromebooks that provide a full web experience using nothing more than their Chrome browser. Safari has gone mobile. Firefox has gone mobile. Opera has gone mobile. All these mobile browsers are gaining popularity, yet nobody has been addressing the issue with modern browsers: security.

NoScript allows users to selectively block Java, JavaScript, and Flash from executing without permission. It provides XSS (Cross Site Scripting) and ClickJacking protection using integrated plugins. The add-on has been completely re-written to support a mobile interface. Once installed, NoScript immediately starts blocking harmful web applets using the default recommended options. More advanced settings such as whitelisting, blacklisting, and granular permissions will be editable on a desktop and can be synchronized via Firefox Sync — keeping all your devices up-to-date, whether a mobile device or full blown desktop/laptop.

NoScript Anywhere allows the plugin to be installed without restarting Firefox Mobile. It provides an option for disabling automatic playback of Flash and Java applets; instead, a placeholder can be clicked to initiate execution of the plugin.

Naturally, NoScript Anywhere is based on the extremely popular open source NoScript extension written by Giorgio Maone, who also created the FlashGot Download Manager. The work started at the beginning of 2011, and it took a short 9 months of incubation before being completed and made available for public use.

The majority of mobile browsers are based on WebKit, but are proprietary and different across the board by manufacturer. Android’s browser is based on Chromium, iOS’s based on Safari and BlackBerry’s based on a moldy flaming banana peel.

Firefox Mobile will hopefully become extremely popular among all smartphone users, and we will see NoScript Anywhere usage increase, making the web just a little bit safer for everybody.

Opera Browser Vulnerable to Memory Corruption Exploit

In the raging browser wars, features, security and stability are paramount to competing. Opera might want to get a serious handle on things with the next release they push.

There is a memory corruption bug that has been present in Opera 10, 11 and the pre-release of 12 on Windows XP SP3. The vulnerability exists within SVG (Scalable Vector Graphics) layout handling. By nesting SVG functions within XML calls, an attacker is able to crash Opera. While crashing a browser might not seem like a huge deal to some, couple it with code injection and you have an exploit that can lead to complete remote code execution, and then it’s game over.

The exploit, which was discovered over a year ago, was reported to Opera but never fixed. Jose Vasquez, the original author, has published full details on the vulnerability as well as written and released a complete Metasploit module. Metasploit is a security framework for penetration testing, allowing a large number of security professionals to collaborate on software and service vulnerabilities.

What might seem like a benign crash of your browser might turn out to be an attacker positioning themselves to take control of your computer and network. Although it’s been previously broken, Jose also indicates it may be possible to bypass DEP, which is an active security feature provided by Microsoft, specifically made to prevent unwanted code execution.

In an interview, Opera’s co-founder, Jon Stephenson von Tetzchner, indicated their number of users grew from 50 million in 2009 to over 150 million in just one year. There are a lot of users who are potentially vulnerable to exploitation of this bug. When Opera 11.51 was released, major security and minor stability issues were the reason for the update. If we consider that this bug has been present since 10.50, disclosed to Opera over a year ago, and still left unfixed — many users may want to look at switching to the very popular Chrome or Firefox 7 until Opera fixes this issue.

Is Firefox Serious About Blocking the Java Plugin?

Firefox is the second most popular web-browser and it has held this title for too long. Projected figures show that it is going to lose the title in December. However, an ongoing discussion by Mozilla might accelerate that. The discussion is on whether Firefox should allow the Java plugin, which is used for almost all transactions (not just online banking transactions) across the world.

A new attack has been identified that decrypts web-traffic and can dig through sensitive and personal information being sent over a transaction. The attack has been termed the BEAST (Browser Exploit Against SSL/TLS) attack and it has been demonstrated successfully in a proof-of-concept hack.

Dan Goodin from The Register talks about the BEAST exploit:

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust. Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he’s visiting.

The Public Key Infrastructure has three core services to take care of: Authentication, Integrity and Confidentiality. Authentication makes sure that the people at either end of the transaction are indeed who they claim to be. Integrity ensures that the data being transmitted is sent and received in the same form without alteration. Confidentiality deals with hiding the data from prying eyes, making the data comprehensible only to the people at either end. The BEAST attack goes after confidentiality and breaks it successfully.

Bug 689661 on Bugzilla at Mozilla lists a favored solution: blacklisting all versions of the Java plugin. This will affect all corporate businesses (ones that are transaction based) and some regular features of services that explicitly rely on the Java plugin, such as Facebook video chat.

Currently, the only web-browser that is attempting to secure against this attack (without removing Java support) is Google Chrome.


Firefox 7 for Desktop and Android Released!

Yesterday, the Mozilla team released the seventh version of its popular browser for both desktop and mobile.

On the desktop side, there are not many changes visually. The only visible change is that the ‘http://’ prefix is hidden from the user by default. Most of the changes are internal, and won’t be visible to the end-user. According to the Mozilla developers, the most important change is the reduced RAM usage. The press release states that the new version consumes around 20-30% less memory compared to its predecessor.

Other features include improved start-up and tab loading times, hardware accelerated Canvas to speed up HTML5 based animations and games. The overall stability and security of the new version is also improved compared to its predecessor.

On the mobile side, Firefox for Android has also been updated to version 7. The new version includes improved copy and paste functionality, a built-in language detection tool, and the WebSockets API. Sadly, Firefox for Android still lacks a major feature: Flash support.

The latest version of Firefox can be downloaded from Mozilla.org. Android users can download the latest version from the Android Market.

If you are wondering why Firefox is gaining version numbers so quickly, it is because the Mozilla team has shifted to a new six-week build timeframe. The Alpha build of Firefox 8 is already available for download.

Firefox for Honeycomb Tablets Design Revealed

Mozilla has been very keen on entering the tablet market with their browser and just like for mobile, the browser will provide a unique experience for tablets.


Today, one of the design team members at Firefox, Ian Barlow, revealed some new designs for Firefox that will run on Honeycomb based tablets. Most of the design has evolved from the mobile version of Firefox; however, it has been modified to take advantage of the larger screen sizes of tablets.


The Awesomebar on Firefox for Tablets will continue to use tabbed menu to allow for quick access to bookmarks, history and synced desktop activity on the tablet.


Additionally, Firefox for tablets will display more UI elements on the screen rather than hiding it like they did it on the mobile version of the browser. This will allow you to quickly perform tasks like opening new tabs or scrolling through them.

Overall the design for the tablet version of Firefox looks pretty good and I would definitely like to try it out. However, there is no date on when the tablet version will be released and it might only be compatible with Honeycomb and higher versions of the tablet. Ian has also posted some more mockups of the design of Firefox for tablets on his account, which can be viewed by visiting this link.

So what do you think of the design mockups of Firefox for tablets? Do you like them? Do you think you would prefer it over the Android browser? Do drop in your thoughts through your comments.

The Pitfalls of Firefox’s Rapid Release Cycle [Editorial]

If you have been following the recent Firefox releases, you are probably already aware that Mozilla is now following a “rapid release cycle” for Firefox. Frustrated by the innumerable delays that plagued the release of Firefox 4, Mozilla decided to take a leaf out of Google’s book, and release a new version of Firefox every six weeks. Unfortunately, the new quick-fire release policy creates some major issues that Mozilla doesn’t seem to be willing to tackle.


The first problem is that it makes version numbers redundant. A major version number bump normally indicates the introduction of major new features along with significant enhancements to existing features. However, the biggest new feature in Firefox 6, domain highlighting in the address bar, is something that wouldn’t excite even the most passionate Firefox user. Firefox 5 was even worse.

The biggest feature in Firefox 5 is that the “Do Not Track” feature, which we have discussed in a fair amount of detail in the past, is now more accessible. It is now available under the “Privacy” tab, instead of being buried under “Advanced” options. Yep, the biggest user-perceivable change in Firefox 5 is a minor interface tweak.

Of course, this alone isn’t such a big problem. Undoubtedly, it’s annoying and stupid. However, Firefox’s auto-update does a good job at making the update process hassle free. Add-on compatibility was another issue that I was worried about. However, Mozilla seems to be doing something right in this area. All the add-ons I used were compatible with Firefox 6 at launch. At the time of writing, 99% of the top extensions, which constitute 95% of the total extension usage, are compatible with Firefox 6.

Unfortunately, there is one issue that Mozilla doesn’t seem to have a solution for. The rapid fire update policy means that every year we will be witnessing eight to nine major version trunks of Mozilla. However, Mozilla isn’t willing to support the older version trunks. If you are on version 4, which was released just a few months back, then tough luck. Mozilla won’t be providing any further updates to the 4.x trunk. Updating to newer versions might not be a big issue for home users, but it is a major undertaking for enterprises. Each major update has to be tested for regressions and other issues before it can be deployed. Mozilla’s reluctance to support older trunks mean that enterprises stand the risk of being left vulnerable to serious security vulnerabilities over extended periods.

Enterprises are notorious for their reluctance to switch to newer and better browsers. It’s only recently that some of them have begun to opt for Firefox. However, with the new rapid release cycle, Mozilla will almost certainly succeed in making all of them revert to Microsoft Internet Explorer, since Google Chrome also follows the same quick-fire release cycle and Opera has too many website compatibility problems (often due to factors out of its control) to be considered seriously. In contrast to Mozilla, Microsoft will be supporting Internet Explorer 9 till January 2020.

Google Toolbar Works in Firefox 5 and Firefox 6 – Here Is How To Enable It

A few weeks ago, Google said that they would be discontinuing Google Toolbar for Firefox 5 and will only continue supporting it through Firefox 4. However, in spite of that, the Google Toolbar continues to work in Firefox 5 and Firefox 6.


I have been using the Google Toolbar in Firefox 5 and Firefox 6 for a few months now without issues; however, it does come with a caveat. Since Google has officially said that support for Google Toolbar is only available through Firefox 4, Firefox automatically disables the add-on on Firefox 5 and Firefox 6.


In order to enable the Google Toolbar in Firefox 5 and Firefox 6 you will first have to install the Add-on compatibility reporter extension in Firefox and restart the browser.


Once you have done that, head over to “Add-ons” and you will be able to run Google Toolbar in Firefox 5 and Firefox 6. Firefox will still report that the add-on is incompatible with the newer versions; however, you can continue using it without issues. If you need more help with this, read our earlier guide on How To Run Older Add-ons in Firefox.