July 17, 2012
The Mozilla organization today released version 14.0.1 of its Firefox Web browser for Windows, Mac OS X, and Linux. In addition to fixing numerous bugs, the new version incorporates some additional or changed features:
- The address bar (Mozilla calls it the “awesome bar”) now auto-completes typed URLs
- Google searches via the search box now use secure HTTP (
- Full-screen mode is now supported on Mac OS X Lion
- Plugins can now be configured to “load on click” (instead of at startup).
Further information on these and other changes is available in the Release Notes.
According to the Release Notes, the new release also fixes some security vulnerabilities; however, the Security Advisory Page has not been updated for 14.0.1 yet. I’ll update this post when the details are posted.
You can obtain the new version via the built-in update mechanism (Help / About Firefox / Check for Updates), or you can download a complete installation package, in a variety of (human) languages.
Update Tuesday, 17 July, 12:17 EDT
The Security Advisory Page has now been updated for this release, which includes fixes for 14 vulnerabilities. Mozilla rates the severity for five of these as Critical, and four as High.
Update Wednesday, 18 July, 11:09 EDT
Ars Technica has a short review of the new features in Firefox 14. It mentions one minor change which I had overlooked. Firefox will no longer display a site icon (“favicon”) in the URL bar; rather, it will display either a globe for standard HTTP connections, or a padlock for secure HTTPS connections. The reason for the change is to prevent http://www.EvilSite.com from spoofing a secure connection by using a padlock as its site icon.
July 16, 2012
Back in the summer of 2009, I posted a couple of notes about Project Kaisei, an expedition to the Great Pacific Garbage Patch, a huge collection of plastic bottles and miscellaneous rubbish, concentrated by prevailing winds and currents into an area of the North Pacific ocean about the size of Texas. Since then, in addition to its usual accumulation of new trash, it has probably been enlarged by contributions from the March 2011 tsunami in Japan. A similar floating rubbish heap has been found in the Sargasso Sea, in the middle of the North Atlantic.
Now, according to a report at the “Design” blog at Wired, a company called Method, which manufactures “designer” cleaning products, has plans to introduce a new “Sea Minerals” soap product that will be sold in a package made, in part, from plastic retrieved from the Pacific. The plastic was collected in Hawaii by Method employees, assisted by volunteers from Sustainable Coastlines Hawaii and the Kokua Hawai’i Foundation. It will make up 10% of the material used for the container; the other 90% will be post-consumer recycled plastic.
Obviously, even if the collectors work with the utmost diligence, it will take them a very long time to make a dent in the existing Garbage Patch. Their hope is to raise people’s awareness of the problem, and perhaps to encourage the development of larger-scale solutions.
July 15, 2012
Back in October, 2009, I posted a couple of notes here about the idea of using a PC booted from a Linux Live CD for online banking (or other sensitive functions) to improve security. A Live CD is a bootable CD-ROM that contains a complete Linux distribution (the OS itself plus applications); the system is booted and run entirely from the CD, and the PC’s hard disk is not touched. Since everything runs from the CD, any malware on the PC’s hard disk will not have a chance to run. The topic had been discussed by Brian Krebs in a post on his “Security Fix” blog at the Washington Post, following a series of investigative reports on online banking fraud against small- and medium-sized businesses (SMBs). I was glad to see and endorse his recommendation.
Krebs is now writing an independent blog, Krebs on Security (there’s always a link in the sidebar), and has continued to investigate banking fraud. He has once again published a post suggesting the Live CD approach, and I still think it is a very sensible way to go for SMBs. My ideal solution, as I’ve written before, would be a dedicated machine with a hardened OS and no applications software except what is required for the banking function. But economics matter, and the Live CD solution gives many of the same benefits at significantly lower cost — and it costs almost nothing to try. The article includes a step-by-step guide to getting and using a Live CD, using the Puppy Linux distribution; it is a “lightweight” distro, which should run well on any PC that can run a reasonably current version of Windows.
As Krebs points out in his article, the point is not that malware does not exist for other systems, but that the vast majority of it is targeted at Windows PCs.
All of the malware used in the attacks I’ve written about is built for Windows. That’s not to say bad guys behind these online heists won’t get around to targeting Mac OS X, or users of other operating systems. Right now, there are no indications that they are doing this.
If you are going for a swim, and you can choose between two beaches, one of which is infested with sharks and the other is not, does it really matter that much why the sharks prefer the first beach?
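One check a practitioner would want before burning a downloaded Live CD is that the image is the one the distribution actually published. The script below is an added example (mine, not part of Krebs’s guide, the Puppy Linux project, or this post): it compares the ISO’s SHA-256 digest against a checksum list in `sha256sum` output format (`<hex digest>  <file name>`, one file per line), which is an assumption about what the download page provides. The sample image and its digest are constructed inline. The checksum list itself should come from an HTTPS or signed source, since a list fetched from the same place as a tampered image proves nothing.

```python
"""Verify a downloaded Live CD image against a published SHA-256 checksum list.

Added example; assumes the distribution publishes a list in `sha256sum`
output format ("<hex digest>  <file name>") next to the ISO.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def parse_checksum_list(text):
    """Map file name -> expected hex digest; tolerate the '*name' binary-mode marker."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name] = digest.lower()
    return expected


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-hundred-MB ISO need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(iso_path, checksum_text):
    """Return (ok, message); ok is True only when the digest matches the listed one."""
    iso_path = Path(iso_path)
    expected = parse_checksum_list(checksum_text)
    if iso_path.name not in expected:
        return False, f"{iso_path.name} is not listed in the checksum file"
    actual = sha256_of_file(iso_path)
    if hmac.compare_digest(actual, expected[iso_path.name]):
        return True, f"{iso_path.name}: checksum OK"
    return False, (f"{iso_path.name}: MISMATCH (expected {expected[iso_path.name]}, "
                   f"got {actual})")


def demo(tmp_dir=None):
    """Constructed sample: a stand-in image, its genuine digest, then a tampered copy."""
    with tempfile.TemporaryDirectory() as fallback:
        base = Path(tmp_dir) if tmp_dir else Path(fallback)
        image = base / "sample-live.iso"
        image.write_bytes(b"constructed stand-in for a Live CD image\n" * 1000)
        good_list = f"{sha256_of_file(image)}  {image.name}\n"
        before = verify_image(image, good_list)
        # Append one byte: models a corrupted or tampered download.
        with open(image, "ab") as f:
            f.write(b"\x00")
        after = verify_image(image, good_list)
        return before, after


if __name__ == "__main__":
    for ok, msg in demo():
        print("PASS" if ok else "FAIL", msg)
```

`hmac.compare_digest` is used for the comparison out of habit rather than necessity here; the important design point is that the digest is computed over the whole file in chunks and that an image missing from the list is reported as a failure rather than silently skipped.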
July 15, 2012
I’ve mentioned SELinux (Security Enhanced Linux) here before; developed by the US National Security Agency (NSA), it is not a Linux distribution in the usual sense, but a set of modifications to the stock Linux operating system to provide more robust security capabilities, especially mandatory access control. (The NSA also has a similar project, SEAndroid, for the Android mobile operating system.) I’ve recently discovered some additional resources on the technical architecture and history of SELinux, and thought some readers might find them helpful.
IBM’s developerWorks site has released a couple of papers on SELinux in the last few weeks. The first, Anatomy of Security Enhanced Linux, by M. Tim Jones, discusses some of the mechanisms and techniques that are used in SELinux. It also has a brief comparison and discussion of other security-enhanced systems, such as Solaris 10 (formerly Trusted Solaris) and Trusted BSD. The second paper, SELinux: History of its Development, Architecture, and Operating Principles, by Evgeny Ivashko, gives a historical overview of the project’s development and its relations to other security projects and initiatives. Both of these papers, which are intended for a technical audience, are also available as downloadable PDFs, and contain “Resources” sections with links to additional information.
The NSA also maintains a comprehensive SELinux site, which contains background information, documentation, and download links. As the main article indicates, SELinux is not intended to be a security panacea, but rather an example of how a mainstream OS can be given better security features.
This work is not intended as a complete security solution. It is not an attempt to correct any flaws that may currently exist in an operating system. Instead, it is simply an example of how mandatory access controls that can confine the actions of any process, including an administrator process, can be added into a system.
If you are interested in running SELinux, or just interested in the general topic of OS security, I think you will find some interesting reading.
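To make the quoted point concrete, here is an added toy model of SELinux-style type enforcement in Python (my example; not NSA, IBM, or developerWorks code). The policy syntax, the domain and type names (`httpd_t`, `shadow_t`, and so on) and the access rules are constructed for the illustration, patterned on real SELinux conventions, and the denial record is a simplified version of the kernel’s AVC audit line. It shows the mechanism the NSA text describes: a process in the `httpd_t` domain running as uid 0 passes the discretionary (owner/mode) check yet is still denied by the mandatory policy, because the policy is keyed on domain and type and is deny-by-default.

```python
"""Toy type-enforcement evaluator in the style of SELinux (added example, not NSA code).

Models mandatory access control as a deny-by-default table keyed on
(subject domain, object type, object class), composed with an ordinary
discretionary check so that even a uid-0 process is confined.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Context:
    """A security context user:role:type, as shown by `ls -Z` / `ps -Z` (MLS level omitted)."""
    user: str
    role: str
    type: str

    def __str__(self):
        return f"{self.user}:{self.role}:{self.type}"


@dataclass
class Policy:
    # (source domain, target type, object class) -> granted permissions
    rules: dict = field(default_factory=dict)

    def allow(self, src, tgt, cls, perms):
        self.rules.setdefault((src, tgt, cls), set()).update(perms)

    def permits(self, subject, obj, cls, perm):
        # Deny by default; the subject's uid plays no part in this decision.
        return perm in self.rules.get((subject.type, obj.type, cls), set())


def parse_te(text):
    """Parse 'allow src tgt:cls { perm ... };' lines (a small subset of TE syntax)."""
    policy = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not (line.startswith("allow ") and line.endswith(";")):
            raise ValueError(f"unsupported statement: {line}")
        src, rest = line[len("allow "):-1].split(None, 1)
        tgt, rest = rest.split(":", 1)
        cls, perms = rest.split(None, 1)
        policy.allow(src, tgt.strip(), cls, perms.strip().strip("{}").split())
    return policy


def check_access(policy, subject, obj, cls, perm, dac_allows, pid=0, comm="?", name="?"):
    """Both DAC and MAC must allow; return (allowed, audit_line)."""
    if not dac_allows:
        return False, f"dac: denied {{ {perm} }} for pid={pid} comm=\"{comm}\" name=\"{name}\""
    if policy.permits(subject, obj, cls, perm):
        return True, ""
    # Simplified AVC-style denial record (the real kernel message carries more fields).
    return False, (f"avc:  denied  {{ {perm} }} for  pid={pid} comm=\"{comm}\" name=\"{name}\" "
                   f"scontext={subject} tcontext={obj} tclass={cls}")


# Constructed policy fragment, not taken from any real SELinux policy module.
SAMPLE_POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append create getattr open };
allow sshd_t shadow_t:file { read getattr open };
"""


def demo():
    """Four access attempts; the web server is assumed to run as uid 0 so DAC always says yes."""
    policy = parse_te(SAMPLE_POLICY)
    httpd = Context("system_u", "system_r", "httpd_t")
    sshd = Context("system_u", "system_r", "sshd_t")
    webpage = Context("system_u", "object_r", "httpd_sys_content_t")
    shadow = Context("system_u", "object_r", "shadow_t")
    return {
        # Normal web-server read: DAC and MAC both allow.
        "httpd reads page": check_access(policy, httpd, webpage, "file", "read", True, 1234, "httpd", "index.html"),
        # Compromised web server reaches for /etc/shadow: root passes DAC, MAC denies.
        "httpd reads shadow": check_access(policy, httpd, shadow, "file", "read", True, 1234, "httpd", "shadow"),
        # sshd is the domain the policy trusts with shadow_t.
        "sshd reads shadow": check_access(policy, sshd, shadow, "file", "read", True, 77, "sshd", "shadow"),
        # Permission not granted by any rule: httpd may read but not write its content.
        "httpd writes page": check_access(policy, httpd, webpage, "file", "write", True, 1234, "httpd", "index.html"),
    }


if __name__ == "__main__":
    for label, (ok, audit) in demo().items():
        print(f"{label}: {'allowed' if ok else 'denied'}  {audit}")
```

The denial string is the part a defender cares about: on a real system the equivalent `avc: denied` records land in the audit log, and a web server domain being denied `shadow_t` reads is exactly the kind of event worth alerting on.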
July 12, 2012
Google has released a new version of its Web browser, Chrome 20.0.1132.57, for all platforms (Linux, Windows, Mac OS X, and Chrome Frame). The new version fixes three security vulnerabilities in Chrome, all of which Google rates as High severity. More details on the flaws patched are in the Release Announcement.
Because of the security content of the new version, I recommend that you update your systems as soon as you conveniently can. Windows and Mac users should get the new version via the built-in update mechanism. Linux users should get the updated package from their distributions’ repositories, using their standard package maintenance tools.
You can check the version of Chrome that you have by clicking on the tool menu icon (the little wrench), and then selecting “About Google Chrome”.
July 10, 2012
It’s time for Patch Tuesday again! In keeping with its usual schedule, Microsoft has released this month’s batch of security bulletins and patches for Windows and related software. For July, there are nine bulletins, for 15 identified vulnerabilities. Six of the bulletins are for Windows and its components; three of these have a maximum severity rating of Critical, and the other two are rated Important. All supported versions of Windows are affected. (For a breakdown of bulletins by severity and Windows version, please see this month’s preview post.)
There are also four bulletins that affect Microsoft Office, including Office for Mac and InfoPath. One of these is rated Critical; the rest are rated Important. Two of the four also apply to other Microsoft software; the affected packages are SharePoint Server, Groove Server, Visual Basic for Applications, Office Web Apps, and SharePoint Services & Foundation.
Further details, and download links, are in the Security Bulletin Summary for July 2012. Microsoft says that four of the patch installations will definitely require a system restart, and that four of the others may require one, depending on the configuration of your system. There is one, MS12-051, which Microsoft says “does not require a restart”. When I first read this, I was initially impressed. I had begun to doubt that it was possible to construct a patch for Windows software that could not possibly require a re-boot; then, however, I noticed the bulletin title, “Vulnerability in Microsoft Office for Mac”. Ah, well …
As always, I recommend that you update your systems as soon as you conveniently can.
Update Tuesday, 10 July, 0:05 EST
The Internet Storm Center at the SANS Institute has published its usual review bulletin on this month’s Microsoft patches.
July 10, 2012
Back in January, I posted a note about some new research in nanoscale memory, from IBM Research’s Almaden lab, in which the research team had managed to construct a magnetic memory device using only a dozen atoms per bit. (In comparison, the densest commercial magnetic memories currently use ~1 million atoms/bit.)
IBM’s site now has a page available that gives some more background on the research, including a short video from Andreas Heinrich, the principal investigator from IBM Almaden. There’s also a link to a downloadable fact sheet [PDF]. The experimental memory device is assembled using a scanning tunneling electron microscope, invented by IBM Research, Zürich in 1981 (and for which IBM scientists Gerd Binnig and Heinrich Rohrer received the Nobel Prize in physics in 1986).
This technology is still at a very early stage of investigation, but the possibilities are intriguing. Maybe Moore’s Law will keep working longer than we thought.