
Firefox, Thunderbird security fixes released

Posted by Harshad


Posted: 20 Jul 2010 06:04 PM PDT

Mozilla published security repairs for Firefox and Thunderbird on Tuesday, which included updates for the legacy versions of both.

Firefox 3.6.7 for Windows, Mac, and Linux fixes 14 security bugs: eight rated critical, two high, and four moderate. The critical bugs include a DOM attribute cloning flaw, remote and arbitrary code execution vulnerabilities in plug-in parameter handling, dangling pointers, and other miscellaneous memory safety hazards. Several stability repairs were also made. Full release notes for Firefox 3.6.7 are available.

Firefox 3.5.11 fixes the same bugs that were addressed in Firefox 3.6.7, though Mozilla encourages users to upgrade to Firefox 3.6.7.

Thunderbird 3.1.1 for Windows, Mac, and Linux repairs one critical bug that would crash the e-mail client, and five other bugs across the three platforms. The legacy Thunderbird branch was also updated, to version 3.0.6, which addresses several critical-level bugs. As with Firefox, Mozilla advises users to upgrade to Thunderbird 3.1.1.

Prizmo's OCR scanner coming to the iPhone

Posted: 20 Jul 2010 11:30 AM PDT


Creaceed's Prizmo software impressed us a few months ago with an update that added camera tethering support and perspective correction to captured images. But the cherry on top was its optical character recognition (OCR) processing, which would pull out text from whatever had been scanned.

That same technology is on its way to a pocket-size version of the software, which should be available for the iPhone in just a few weeks (pending Apple's approval).

The app's crowning feature is that it can fix bad perspective, just like its desktop sibling, as well as let users snap photos without having to press the shutter button. Creaceed has devised a system through which users can simply say "take picture," so as to avoid any unintended shake or distortion from touching the screen.

Once images have been captured, the app will be able to process them for any text, which can be played back through a synthesized voice, copied to the user's clipboard, or sent to another app or cloud service, including Dropbox.

Creaceed is staying mum on the price of the app. The desktop version of the software, which remains exclusive to Macs, sells for $40.

Shots of Prizmo for iPhone

From left to right: snapping a photo, then running it through Prizmo's perspective and OCR tools.

(Credit: Creaceed/CNET)

Originally posted at Web Crawler

Adobe Reader to block attacks with sandbox tech

Posted: 20 Jul 2010 08:00 AM PDT

Brad Arkin, director of product security and privacy at Adobe, explains how sandboxing will protect Adobe Reader customers from attacks.

(Credit: James Martin/CNET)

Adobe Reader will soon have an additional layer of protection against the many attacks that target the popular PDF viewer.

Adobe Systems is borrowing a page from Microsoft's and Google's playbook by turning to sandboxing technology designed to isolate code from other parts of the computer.

Adobe is adding a "Protected Mode" to the next release of Adobe Reader for Windows due out some time this year, said Brad Arkin, director of product security and privacy at Adobe. The feature will be enabled by default and included in Adobe Reader browser plug-ins for all the major browsers.

The company has no plans to add the feature to the version of its PDF (Portable Document Format) viewer for the Macintosh at this time because the vast majority of Adobe Reader downloads and exploits are on Windows, a spokeswoman said.

The sandbox mechanism will confine PDF processing, such as JavaScript execution, 3D rendering, and image parsing, to a restricted environment and prevent the sandboxed code from installing or deleting files, modifying system information, or accessing other processes.

While Adobe Reader itself can communicate directly with the operating system, code running inside the sandboxed part of the program cannot. If malicious code gets onto a computer by successfully exploiting a hole in Adobe Reader, its impact will be limited because it will be contained within the sandbox.

"Even if an attacker is able to take over Adobe Reader you'll be protected," Arkin said. "This is an additional layer of defense that will help protect users in case they encounter a malicious or corrupted PDF."

Legitimate actions that the sandboxed environment itself does not permit, such as writing to a user's temporary folder or opening an attachment inside a PDF file with Microsoft Word, will be funneled through a secure broker process, which performs them on the sandbox's behalf and blocks malicious requests.

The technology is based on Microsoft's Practical Windows Sandboxing and modeled after techniques used in Microsoft Office 2010 Protected View, Microsoft Office 2007, and the Google Chrome sandbox, Arkin said. Adobe consulted with Microsoft and Google on its implementation, he said.

Initially, code that makes so-called "write calls" to the computer to install software or change a file system will be sandboxed. Protected Mode will be extended later to include code that is "read-only" so that attackers will be prevented from being able to read sensitive information on a computer, according to Arkin.
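The broker design described above, as an added illustration that is not Adobe's Protected Mode code: the sandboxed renderer owns no file handles and passes every file action to a broker, which allows writes only under the user's temp folder and, in a later phase, confines reads the same way. The names `Request`, `Broker` and `demo` are assumptions for this example.

```python
import os
import tempfile
from dataclasses import dataclass

# Constructed illustration of the broker design described above (not Adobe's code):
# the sandboxed renderer owns no file handles; every file action is a Request the Broker checks.
@dataclass(frozen=True)
class Request:
    op: str            # "read" or "write"
    path: str
    data: bytes = b""  # payload for writes

class Broker:
    # Writes only inside the user's temp folder; reads are unrestricted until
    # read_only_phase is set (the later extension the article mentions).
    def __init__(self, temp_dir, read_only_phase=False):
        self.temp_dir = os.path.realpath(temp_dir)
        self.read_only_phase = read_only_phase
        self.audit = []  # (op, path, allowed); denied entries are a detection signal

    def _inside_temp(self, path):
        real = os.path.realpath(path)  # collapse '..' and symlinks before checking
        try:
            return os.path.commonpath([real, self.temp_dir]) == self.temp_dir
        except ValueError:  # different drives on Windows
            return False

    def handle(self, req):
        if req.op == "write":
            allowed = self._inside_temp(req.path)
        elif req.op == "read":
            allowed = (not self.read_only_phase) or self._inside_temp(req.path)
        else:
            allowed = False  # unknown operation: deny by default
        self.audit.append((req.op, req.path, allowed))
        if not allowed:
            return None
        if req.op == "write":
            with open(req.path, "wb") as f:
                return f.write(req.data)
        with open(req.path, "rb") as f:
            return f.read()

def demo():
    # One permitted write inside temp, one denied attempt to escape it via '..'
    with tempfile.TemporaryDirectory() as tmp:
        broker = Broker(tmp)
        ok = broker.handle(Request("write", os.path.join(tmp, "scratch.bin"), b"ok"))
        denied = broker.handle(Request("write", os.path.join(tmp, "..", "outside.bin"), b"x"))
        return ok, denied, [entry[2] for entry in broker.audit]
```

The audit list is the part a defender would wire into logging: a renderer that keeps asking for paths outside its temp folder is behaving as if it had been compromised.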

While Adobe Reader Protected Mode will limit the impact of a successful exploit, it is not a "silver bullet" that can protect people from attacks like phishing, clickjacking, weak cryptography, and unauthorized network access, Arkin said.

In addition, the feature will only protect against transient keyloggers, which are stored temporarily in memory, under Windows 7, Vista, and Server 2008, not under XP or Server 2003. And some assistive technologies, such as screen readers for the visually impaired, may not be usable when Adobe Reader Protected Mode is enabled on Windows XP or Server 2003.

The sandboxing news comes as attacks on Adobe Reader continue to rise and attract the largest number of new exploits. Recent reports have found that Adobe Reader tops the list of software with the most exploited holes, and that among Web-based attacks, suspicious PDF file downloads were the most common method, representing nearly half of such attacks. In addition, about 60 percent of targeted attacks on organizations were aimed at users of Adobe Reader, according to F-Secure.

Things got so bad last year that F-Secure researchers urged people to avoid using Adobe software and security experts suggested that Adobe should learn some lessons from Microsoft, which improved its secure software development efforts in 2002 after being plagued by security holes and exploits.

Just last month, Adobe plugged 17 critical holes in Reader and Acrobat, including one being exploited in the wild.

In the wake of the security problems with Adobe Reader, there is more competition from PDF viewer alternatives like Foxit Reader and Nitro PDF Reader.

Even Google has gotten in on the act by integrating its own fully sandboxed PDF viewer into developer versions of Google Chrome.

Back in January, in a post on CNET sister site ZDNet, independent security researcher Dino Dai Zovi pretty much challenged Adobe to adopt sandboxing technology to stem the tide of attacks.

"Seat belts do not prevent car crashes, but they make deaths less likely in case of a crash," Dai Zovi said in an interview on Monday. "Sandboxing doesn't prevent code execution vulnerabilities, but it makes it much harder to achieve anything meaningful from them."

He noted that Chrome is the only one of the major Web browsers that has not been successfully compromised in the annual Pwn2Own contest at the CanSecWest security show.

In a presentation at CanSecWest in March, Charlie Miller, principal security analyst at Independent Security Evaluators, showed how easy it is to find bugs in software using a common method called fuzzing. He told CNET that he found 33 different bugs in Adobe Reader, of which about a dozen were probably exploitable, illustrating perfectly the difficulty Adobe faces keeping up with the attacks.

With sandboxing, successful attackers will be forced to find two bugs, one in Adobe Reader and one in the sandbox, instead of just one, Miller said.

"It's the same approach Microsoft took five years ago or so," he said. "Maybe that sandbox will be enough to make attackers look at some other software to attack, something that is easier."

Adobe's announcement was also praised by Mark Dowd, director of Azimuth Security. He was asked by Google to evaluate the security of its sandboxing technique in Chrome and found ways to break out of the Chrome sandbox that Google then fixed.

"I think this was pretty much required for Adobe Reader to protect against a large wave of malicious PDFs that have been found in the wild and are doing a lot of damage," he said. "This proactive step shows that Adobe is committed to the security of their products."

Originally posted at InSecurity Complex

Jessica Dolcourt's 10 favorite iPhone apps (CNET 100)

Posted: 20 Jul 2010 04:00 AM PDT

Editors' note: Each day for 10 business days, CNET personalities you know and love will publish slideshows of their 10 personal favorite iPhone apps. With each post, you get a chance to vote for your own favorite app. Two weeks from now, we'll collect the full list of 100 apps and announce the 10 that you, our readers, love the most.

Jessica Dolcourt (Credit: Corinne Schulze/CNET Networks)

Senior Associate Editor Jessica Dolcourt's collection of her favorite 10 iPhone apps marks a first for the CNET 100: it contains not a single iPhone game.

Jessica is not fooling around, here. She wants to get stuff done. From Photoshop.com to Dictionary.com, to the brand-new Firefox Home, Jessica's favorite iPhone apps reveal the aspirations of a woman on a mission.

But Jessica isn't just a workhorse. Willing to pay for top-notch TV, Jessica uses Hulu.com to distract herself at the gym, and she throws in a cocktail app for after hours. She may even use one of these apps to schedule a late-night movie. See her slideshow for more on why these 10 apps keep Jessica ticking:

Once you've seen all of Jessica's picks, return to this poll to let us know which app is your favorite, then check back each day on iPhone Atlas to see app choices from the rest of the CNET crew.

Originally posted at iPhone Atlas

VeriSign adds malware scanning to SSL services

Posted: 19 Jul 2010 11:28 AM PDT

(Credit: VeriSign)

VeriSign is adding malware scanning to its authentication services for Web site operators, the company announced on Monday.

The "VeriSign Trusted" check mark seal indicates to Web surfers that VeriSign has verified that the site represents the organization or company that it purports to be and that it is using encryption to protect communications between the site and its visitors. Now, existing and new VeriSign SSL customers will have their sites scanned daily to check for malware as well, at no extra cost, said Tim Callan, vice president of product marketing at VeriSign.

The company also is adding its seals to Web search results on shopping search engines Pricegrabber and TheFind, as well as on Google and Bing for people using AVG's LinkScanner software. "We are aggressively pursuing deals with other search engines," Callan said.

If VeriSign discovers malware on a customer Web site, it will remove the seal and notify the site administrator via e-mail. Site administrators can see a report detailing what code was found and where via a VeriSign management console. When the malware is removed VeriSign will scan the site to verify that and then replace the seal.

The increase in drive-by downloads, in which Web surfers are infected with malware just by visiting a site, prompted VeriSign to add this additional level of security for its customers, he said.

"Our seal and our service is widely understood to be the most recognized, most prominent indicator of a safe Web experience," Callan said. "In order for our seal to still mean what people think it means we needed to offer this service moving forward."

The service enhancement is also a way for VeriSign to differentiate its SSL certificate services from the dozens of other companies offering similar services. "We view ourselves as the Mercedes Benz of this category," Callan said. "We are making sure we are best of breed."

The malware scanning will be rolled out in stages to all VeriSign branded SSL certificate customers worldwide between now and the end of the year, he said.

Users of AVG LinkScanner will now see results on Google and Bing with the VeriSign SSL seal.

(Credit: VeriSign/AVG)

Originally posted at InSecurity Complex
