Security

More Ramblings on Pocket

Ah yes, Pocket, the third-party feature nobody wanted, but Mozilla decided they would integrate into Firefox anyway. Well, that is not really fair to say. Apparently about 220K Firefox users (less than 1% of the user base) downloaded Pocket when it was only an add-on. Mozilla makes it sound like it is no big deal, saying that its impact on memory is minimal. Um, okay, but I don’t think most users are concerned about the resources Pocket uses. They are upset about the integration of a third-party service, as in from another company (NOT Mozilla), into their Firefox browser without their consent. A…

Read More

Favicon Bug

This is really an odd one, and it affects both Chrome and Firefox (possibly Safari as well), but NOT Internet Explorer. If you have had unexplained crashes while/after visiting a WordPress (WP) site, it is possible it could be caused by this bug. The good news is this bug has been reported to Mozilla [Bug 1174811] and it was patched on Wednesday (June 17th). Just not sure yet when it is going to be pushed out. Firefox 39 is due out in less than two weeks (June 30th), but then there could also be a 38.0.6 release between now and then (though…

Read More

Turn Firefox into a Security Information Powerhouse

“The majority of things that happen when you load a website in your browser of choice happen in the background. Unless you have installed security extensions in the browser or software on the system, you may be completely unaware of the connections that are initiated when a page is loaded in the browser. “While you can check that manually using the browser’s developer tools (hit F12 and switch to network for that), it is only displaying information to you while the page is loading. “The Firefox web browser is probably the browser with the best selection of extensions that provide you with…

Read More

Mozilla plans to phase out non-secure HTTP

Last night Mozilla announced on The Mozilla Security Blog: Deprecating Non-Secure HTTP. There’s pretty broad agreement that HTTPS is the way forward for the web. In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS. After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web. While they don’t specify in detail as to “removing capabilities from…

Read More

Firefox 37.0.2 Released

Mozilla released an update to the Firefox 37 branch on Monday, April 20th with the Firefox 37.0.2 release. This update addressed these issues: Google Maps may render incorrectly in some cases; Stability fixes for select graphics hardware and feature sets; Mozilla Foundation Security Advisory (MFSA) 2015-45: Memory corruption during failed plugin initialization. Depending on their update settings, users will be prompted to update within the next 24-48 hours. Users can also manually update by going to the Firefox Help Menu and selecting About Firefox and following the prompts to update. Alternatively, users can also download and manually install the update…

Read More

CNNIC Certificates

I thought I had done a post earlier in regards to Mozilla Revoking Trust in one CNNIC Intermediate Certificate. Turns out I had not. Also had planned on posting more about this earlier this weekend as Mozilla took further actions against the CNNIC certificate authority on Thursday, April 2nd. I did mention this briefly in the Firefox 37.0.1 Released post, but wanted to take a moment and explain about this in a little more detail. About 2 weeks ago on March 23rd, from the Mozilla Security Blog: China Internet Network Information Center (CNNIC), a non-profit organization administrated by Cyberspace Administration of China…

Read More

Firefox 37.0.1 Released

Mozilla released an emergency update to Firefox 37 on April 3, 2015 with Firefox 37.0.1. This update did address start-up crashes due to graphics hardware and third party software. However, there were two security fixes to address a couple of recently released Mozilla Foundation Security Advisories (MFSA): MFSA 2015-44 Critical: Certificate verification bypass through the HTTP/2 Alt-Svc header [Firefox 37 Desktop]; MFSA 2015-43 High: Loading privileged content through Reader mode [Firefox 37 Android/Firefox 38 Beta (Desktop)]. The now disabled HTTP/2 Alt-Svc header, aka Opportunistic Encryption For Firefox, was introduced in Firefox 37 earlier in the week. There have been several security issues/breaches…

Read More

Firefox 36.0.4 Released

Mozilla released another emergency security update for Firefox 36 on March 21, 2015 with Firefox 36.0.4. This update has more security fixes for issues disclosed at HP Zero Day Initiative’s Pwn2Own contest. Depending on their update settings, users should be prompted shortly to update to Firefox 36.0.4 or can also force the update by going to the Firefox Help Menu and selecting About Firefox, then following the prompts. Alternatively, users may also go to getfirefox.com and download and install the latest version of Firefox there. The next scheduled release for Firefox is March 31st with Firefox 37.

Read More

Firefox 36.0.3 Released

Mozilla released an emergency security update for Firefox 36 on March 20, 2015 with Firefox 36.0.3. This update has security fixes for issues disclosed at HP Zero Day Initiative’s Pwn2Own contest. Depending on their update settings, users should be prompted shortly to update to Firefox 36.0.3 or can also force the update by going to the Firefox Help Menu and selecting About Firefox, then following the prompts. Alternatively, users may also go to getfirefox.com and download and install the latest version of Firefox there. The next scheduled release for Firefox is March 31st with Firefox 37.

Read More

Getting Superfish out of Firefox

From the Mozilla Security Blog: First things first: If you are reading this post on a recent Lenovo laptop, please click the lock icon in the URL bar, then click “More Information…”.  If you see “Verified by: Superfish, Inc.”, you are infected with Superfish, and you should follow these instructions to remove it. The Superfish adware distributed by Lenovo has brought the issue of SSL interception back to the headlines.  SSL interception is a technique that allows other software on a user’s computer to monitor and control their visits to secure Web sites — however, it also enables attackers to…

Read More