Patches for Several Firefox Security Vulnerabilities Appear in Launchpad

A few days ago, several medium and low priority security-related bugs were handled for Firefox and many other Mozilla applications. These bugs affected all versions of Firefox from version 4, and all versions of Thunderbird from version 5. All patches for all these bugs were added to Launchpad.

While some of these attacks caused the application to crash, others would allow execution of arbitrary code through JavaScript. As Ubuntu’s LTS releases are supported for long periods, fixes for these bugs were released for Ubuntu 8.04, and also for Ubuntu 10.04, Ubuntu 10.10, Ubuntu 11.04 and Ubuntu 11.10.

The Ubuntu Security Notice on this page lists all the vulnerabilities that were addressed with updated Launchpad patches.

Alexandre Poirot, Chris Blizzard, Kyle Huey, Scoobidiver, Christian Holler,
David Baron, Gary Kwong, Jim Blandy, Bob Clary, Jesse Ruderman, Marcia
Knous, and Robert Longson discovered several memory safety issues, which
could possibly be exploited to crash Firefox or execute arbitrary code as
the user that invoked Firefox. (CVE-2011-3660)

Aki Helin discovered a crash in the YARR regular expression library that
could be triggered by JavaScript in web content. (CVE-2011-3661)

It was discovered that a flaw in the Mozilla SVG implementation could
result in an out-of-bounds memory access if SVG elements were removed
during a DOMAttrModified event handler. An attacker could potentially
exploit this vulnerability to crash Firefox. (CVE-2011-3658)

Mario Heiderich discovered it was possible to use SVG animation accessKey
events to detect key strokes even when JavaScript was disabled. A malicious
web page could potentially exploit this to trick a user into interacting
with a prompt thinking it came from the browser in a context where the user
believed scripting was disabled. (CVE-2011-3663)

It was discovered that it was possible to crash Firefox when scaling an OGG
<video> element to extreme sizes. (CVE-2011-3665)

You can find more about these vulnerabilities in the Ubuntu CVE tracker under the numbers 3658, 3660, 3661, 3663 and 3665. For Ubuntu 11.10 users, a Firefox 9 patch is available at this link. Alternatively, you can update your system with the latest version of all packages. Once the update is done, do not forget to restart Firefox to apply the patch.

Mozilla Set to Earn Nearly 1 Billion from Google Search Deal

Earlier this week, Mozilla announced a new search agreement with Google that will ensure that Google remains Firefox’s default search provider for at least the next three years. However, Mozilla had declined to share exactly how much Google had agreed to pony up for this privilege. Now, Kara Swisher has managed to learn the juicy details.

Contrary to speculation from so-called pundits and analysts, the renewal of the search partnership got delayed not because of lack of interest from Google, but due to intense competition from Microsoft. Even Yahoo, which also uses Bing’s results, was in the race. As a result of Microsoft’s heightened interest, Google was forced to provide a minimum revenue guarantee of 300 million per year for three years, which is almost a threefold increase from the previous agreement.

Mozilla will continue to have search partnerships with Microsoft Bing, Amazon, eBay, and Yahoo. However, it is the default search engine agreement that yields the maximum benefits for both sides. Opera’s default search agreement with Google will expire at the end of March, 2012. It will be interesting to see how much Opera Software, whose desktop browser is estimated to have less than 10% of Firefox’s market share, will be able to extract from a search deal.

Mozilla Signs New Search Agreement with Google

Mozilla has signed a new search agreement with Google that will last for at least three years. “Under this multi-year agreement, Google Search will continue to be the default search provider for hundreds of millions of Firefox users around the world,” affirmed Gary Kovacs, CEO of Mozilla. This announcement comes three weeks after the existing agreement had lapsed. The delay had prompted many pundits to promptly speculate about the impending demise of Mozilla, which makes up to 84% of its revenue from Google.

Even though Google’s own browser is flourishing, having an agreement with Mozilla is still crucial for it. Had Google and Mozilla failed to reach an agreement, Microsoft would have almost surely stepped in and inked a deal for Bing. Mozilla Firefox is still mighty enough to be impossible for Google to ignore. Allowing Bing access to hundreds of millions of additional eyeballs is something that Google would hardly prefer. In fact, Google has search agreements with far smaller browsers like Opera, which has less than 100 million desktop users. Additionally, niche search engines like DuckDuckGo have also begun striking revenue sharing deals with browser manufacturers. While the nitty-gritty of the deal might have caused the delay, Mozilla’s future was never really in jeopardy.

Google Funded Browser Research Claims Chrome is Most Secure, Firefox is Least!

Google recently funded research that identified Chrome as the most secure web browser and Firefox as the least. The reputed security firm Accuvant, which counts Charlie Miller as one of its Research Consultants, carried out the research. Charles Miller was the first to find vulnerabilities in the iPhone and Android G1. He has also been winning the CanSecWest Pwn2Own for the last four years. That makes him quite the guy for this kind of research.

This research puts Google Chrome, which has stayed unbeaten at Pwn2Own, at the top. Google funded this research knowing it would emerge at the top. Then, what was the real objective of this research? Of course, it was not about re-establishing facts. This research was aimed straight at Firefox.

Firefox has been the browser of choice for a majority of people. When Google Chrome started out, Firefox had a decisive user share. However, now that Google Chrome is rising and has overtaken Firefox, Firefox is no more than a threat to Google Chrome. The only reason for conducting this research was to try to get people off the Firefox bandwagon. With most of the Internet using Google Chrome, Google would have decisive control over the way people use the Internet.

The browser-security comparison results are available at this page with the following description:

The Accuvant LABS research team completed an extensive security evaluation of the three most widely used browsers Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer to determine which browser best secures against attackers. The team used a completely different and more extensive methodology than previous, similar studies. They compared browsers from a layered perspective, taking into account security architecture and anti-exploitation techniques.

Accuvant has also pointed out areas where Firefox can improve its code base. Mozilla’s Director of Engineering Jonathan Nightingale has responded to the research, saying:

Firefox includes a broad array of technologies to eliminate or reduce security threats, from platform level features like address space randomization to internal systems like our layout frame poisoning system. Sandboxing is a useful addition to that toolbox that we are investigating, but no technology is a silver bullet. We invest in security throughout the development process with internal and external code reviews, constant testing and analysis of running code, and rapid response to security issues when they emerge. We’re proud of our reputation on security, and it remains a central priority for Firefox.

Chrome Overtakes Firefox Globally

Ever since its launch, Google Chrome has been gaining market share at a steady rate. Now, StatCounter is reporting that Google Chrome has finally managed to surpass Firefox globally. Chrome’s worldwide market share rose to 25.69%, while Firefox slipped to 25.23%. Microsoft Internet Explorer also continued its slide and fell to 40.63% at the end of November.


Google Chrome gained 21% over the past two years, while Internet Explorer, Firefox, and Opera lost 15.94%, 6.98%, and 0.2% respectively. Safari also managed to gain 2.255 market share since November 2009. In India the figures are slightly different, as Indian users have typically been more reactive to market changes than Americans. Only 26.9% of Indians surf using Internet Explorer, while 34.29% and 34.75% rely on Firefox and Chrome respectively. Opera controls a shade above 2.5% of the market share in India.

Browser statistics tend to be wildly inaccurate and inconsistent. However, they are still good enough to gauge the market trend, and in this case the trend is clear. Google Chrome’s rise in popularity has been nothing short of spectacular. Introduced in late 2008, it has won the hearts of millions of web users with its focus on speed, security, and simplicity. Although Chrome is undoubtedly benefiting from Google’s deep pocket and wide reach, the Chrome team needs to be applauded for getting their priorities right. Within a short span of time Chrome has made its presence felt with its innovative drive and commitment to web standards.

Firefox on the other hand struggled to ship the ambitious Firefox 4 update, lost out in the browser speed wars, and seems to perennially lag behind Chrome. Many fans believe that Mozilla’s lack of vision is hurting Firefox, which was once the darling of the alternate browser crowd.

Firefox 8 Released: Introduces Better Add-on Security and Improved Performance

Firefox 8 is not officially slated to be released until November 8; however, the final builds for most platforms are already available on Mozilla’s ftp channels. Unlike the last few releases, Firefox 8 actually has a couple of new features that are worth looking into.

The biggest change is related to Firefox’s add-on installation and management procedure. On first launch, Firefox 8 presents users with a list of all the add-ons currently installed. Add-ons that were installed by third-party applications are disabled by default. If any third party application attempts to install a new extension, Firefox will seek the user’s permission before allowing the extension to be installed.


There is also a new option that forces Firefox to load tabs only when they are activated, while restoring windows and tabs from the previous session. This is a handy option that should reduce the start-up times for Firefox 8. However, it is disabled by default and needs to be enabled from Options –> General.


Other significant changes in Firefox 8 are: addition of Twitter to the search bar, improved tab animations, improved performance and memory handling when using HTML5

At the time of writing, Firefox 8 for Windows x64 was yet to be uploaded; however, you can find the new stable build for almost all other platforms here.

Mozilla Firefox Gets Bing’ed – Microsoft Introduces Firefox with Bing

There had been some speculation earlier that Firefox was going to dump Google search as its default search engine and replace it with Microsoft’s Bing, since Google came out with its own browser, Chrome. However, the Mozilla team immediately clarified that the default search will remain Google powered, but that Bing will be added to the pre-existing list of search services like Wikipedia, Amazon, Yahoo and others.

Yet Microsoft wasn’t pleased about it, and was looking for an alternative. In a blog post, Microsoft announced that it has teamed up with the Mozilla team to release a new version of Firefox with Bing, which includes Bing as the default search engine. Well, don’t get too excited about that. This will be released as a separate version along with the default version, which is powered by Google search.


It’s just that there are two identical versions of Firefox with different search providers. In other words, Firefox with Bing is exactly the same as normal Firefox. The new version will receive security and version updates at the same time as the normal Firefox.

According to the Bing team, the Bing powered version of Firefox has something called “AwesomeBar”, where you can type in URLs (Web addresses) as well as search queries. Perhaps Microsoft wasn’t aware that this feature has already been available in the previous versions of Firefox and is also available in every other browser. Needless to say, Microsoft has always been into this: replicating ideas and giving them another name.

Something to note – In November 2011, Mozilla’s contract with Google will expire. However, we aren’t sure if the contract will be renewed or Mozilla is just going to dump Google. Or it could be the other way round also.

For Mozilla, the partnership with Microsoft is certainly a good deal. Firefox is still the most popular browser; however, stats indicate that it is slightly declining month by month, while Google’s Chrome is steadily gaining popularity. This, however, makes me think that Google might not be interested in renewing their contract with Firefox.


Did you know? Google Chrome has been the most used browser on Techie Buzz

Sebastian Anthony from Extreme Tech explained how browsers make money: Firefox, being the most popular browser, generated 97 percent ($104 million) of its revenue from royalties paid from the Firefox search box, out of which 86 percent ($85 million) came from Google alone. Now, if Google does not renew its contract with Firefox, then it could be a direct challenge for Microsoft’s Bing as well as for Firefox in the browser wars.

You can download Firefox with Bing from FirefoxWithBing.com.


Remove Installed Greasemonkey Scripts in Firefox and Google Chrome

Greasemonkey scripts are lightweight JavaScript files which add additional functionality to browsers such as Firefox and Google Chrome. In the past we have talked about several interesting Greasemonkey scripts which are both useful and help solve problems. One of the most recent ones was removing the Black bar in Google.

However, there are times when the Greasemonkey script you install might not work as expected or cause problems on other websites. If you are facing a similar problem you can easily uninstall the Greasemonkey script and get rid of the problem.

Google Chrome allows users to install Greasemonkey scripts as extensions, so to uninstall scripts on Google Chrome, you will have to follow the steps given in How to uninstall apps and extensions in Google Chrome. However, if you are a Firefox user and want to uninstall a Greasemonkey script, you will have to follow the steps given below.


Step 1: Click on the arrow next to the Greasemonkey icon and click on "Manage User Scripts"


Step 2: Click on "Disable" button to disable the script temporarily or click on the "Remove" button to remove the script completely.

That’s it. Once you have disabled or removed the script, just refresh the webpage and your problem will be solved.

NoScript Now Available For Firefox Mobile On Android

If you’re looking for added security when browsing on your Android device, look no further than NoScript. The popular Firefox extension has now been made available for Firefox Mobile. It’s called NoScript Anywhere.

Browsers have become extremely complex. With more and more platform-agnostic webapps appearing, users have been living and working inside a browser instead of a desktop. Google has been pushing Chromebooks that provide a full web experience using nothing more than their Chrome browser. Safari has gone mobile. Firefox has gone mobile. Opera has gone mobile. All these mobile browsers are gaining popularity, yet nobody has been addressing the issue with modern browsers: security.

NoScript allows users to selectively block Java, JavaScript, and Flash from executing without permission. It provides XSS (Cross Site Scripting) and ClickJacking protection using integrated plugins. The add-on has been completely re-written to support a mobile interface. Once installed, NoScript immediately starts blocking harmful web applets using the default recommended options. More advanced settings such as whitelisting, blacklisting, and granular permissions will be editable on a desktop and can be synchronized via Firefox Sync, keeping all your devices up-to-date, whether a mobile device or full blown desktop/laptop.

NoScript Anywhere allows the plugin to be installed without restarting Firefox Mobile. It provides an option for disabling automatic playback of Flash and Java applets; instead, a placeholder can be clicked to initiate execution of the plugin.

Naturally, NoScript Anywhere is based on the extremely popular open source NoScript extension written by Giorgio Maone, who also created the FlashGot Download Manager. The work started at the beginning of 2011, and it took a short 9 months of incubation before being completed and made available for public use.

The majority of mobile browsers are based on WebKit, but are proprietary and different across the board by manufacturer. Android’s browser is based on Chromium, iOS’s based on Safari and BlackBerry’s based on a moldy flaming banana peel.

Firefox Mobile will hopefully become extremely popular among all smartphone users, and we will see NoScript Anywhere usage increase, making the web just a little bit safer for everybody.

Opera Browser Vulnerable to Memory Corruption Exploit

In the raging browser wars, features, security and stability are paramount to competing. Opera might want to get a serious handle on things with the next release they push.

There is a memory corruption bug that has been present in Opera 10, 11 and the pre-release of 12 on Windows XP SP3. The vulnerability exists within SVG (Scalable Vector Graphics) layout handling. By nesting SVG functions within XML calls, an attacker is able to crash Opera. While crashing a browser might not seem like a huge deal to some, couple it with code injection and you have an exploit that can lead to complete remote code execution, and then it’s game over.

The exploit, which was discovered over a year ago, was reported to Opera but never fixed. Jose Vasquez, the original author, has published full details on the vulnerability as well as written and released a complete Metasploit module. Metasploit is a security framework for penetration testing, allowing a large number of security professionals to collaborate on software and service vulnerabilities.

What might seem like a benign crash of your browser might turn out to be an attacker positioning themselves to take control of your computer and network. Although it’s been previously broken, Jose also indicates it may be possible to bypass DEP, which is an active security feature provided by Microsoft, specifically made to prevent unwanted code execution.

In an interview, Opera’s co-founder, Jon Stephenson von Tetzchner, indicated their number of users grew from 50 million in 2009 to over 150 million in just one year. There are a lot of users who are potentially vulnerable to exploitation of this bug. When Opera 11.51 was released, major security and minor stability issues were the reason for the update. If we consider that this bug has been present since 10.50, was disclosed to Opera over a year ago, and is still unfixed, many users may want to look at switching to the very popular Chrome or Firefox 7 until Opera fixes this issue.