Google Expands Unsafe Site Reporting

June 26, 2013

For some time now, Google has published its Transparency Report, which gives a high-level overview of how Google relates to events in the world at large. The report has historically included several sections:

  • Traffic to Google services (current and historical, highlighting disruptions)
  • Information removal requests (by copyright holders and governments)
  • Requests for user data (by governments)

This information can be interesting in light of current events. For example, at this writing, Google reports ongoing disruptions to their services in Pakistan, China, Morocco, Tajikistan, Turkey, and Iran.

Now, according to a post on the Official Google Blog, a new section will be added to the Transparency Report. The report is an outgrowth of work begun in 2006 with Google’s Safe Browsing Initiative.

So today we’re launching a new section on our Transparency Report that will shed more light on the sources of malware and phishing attacks. You can now learn how many people see Safe Browsing warnings each week, where malicious sites are hosted around the world, how quickly websites become reinfected after their owners clean malware from their sites, and other tidbits we’ve surfaced.

Google says that they flag about 10,000 sites per day for potentially malicious content. Many of these are legitimate sites that have been compromised in some way. The “Safe Browsing” section of the Transparency Report shows the number of unsafe sites detected per week, as well as the average time required to fix them.

Google, because its search engine “crawlers” cover so much of the Web, has an overview of what’s out there that few organizations can match. I think they are to be commended for making this information available.

Security Updates in Thunderbird 17.0.7

June 26, 2013

Mozilla has released a new version, 17.0.7, of its Thunderbird E-mail client, for Windows, Linux, and Mac OS X.  This release includes fixes for eight identified security vulnerabilities, four of which Mozilla rates as Critical. The Release Notes don’t really have much else to say.

Because of the security content of this release, I recommend that you update your systems as soon as you conveniently can. You can get the new version via the built-in update mechanism, or you can download a complete installation package here.

Mozilla Releases Firefox 22

June 25, 2013

Today the Mozilla organization released a new version, 22.0, of its Firefox browser for Linux, Windows, and Mac OS X.  The new version includes some new features:

  • HTML5 audio/video playback rate can now be changed
  • Social services management implemented in Add-ons Manager
  • The WebRTC communications API is now enabled by default
  • Additional optimizations for JavaScript

There are also several miscellaneous improvements, and fixes for 14 identified security vulnerabilities, four of which Mozilla categorizes as Critical.  Further information is available in the Release Notes.

Because of its security content, I recommend that you update your Firefox installations as soon as you conveniently can.  You can obtain the new version via the built-in update mechanism, or you can download a complete installation package, in your choice of language(s).

Update Tuesday, 25 June, 16:25 EDT

This blog post on the Mozilla Blog explains some of the new features in more detail.

A Tastier Selection of Cookies

June 24, 2013

I’ve written here a number of times about browser cookies: small pieces of text that your browser stores on your system at the request of a Web server.  The cookie’s contents can be returned to the server with a later HTTP request.  The cookie mechanism was developed to provide a means of maintaining state information in the otherwise stateless HTTP protocol, which deals only in page requests and responses; the concept of logging in to a Web site, or having a session, is grafted onto the underlying protocol via the cookie mechanism.  This can lead to some security problems; it also impacts users’ privacy, since cookies are very widely used to track users as they browse to different sites.  (For example, those ubiquitous “Like” buttons from Facebook can set tracking cookies in your browser, even if you never visit the Facebook site itself.)

For some time now, several browsers have offered an option to disallow so-called “third party” cookies: those set by sites other than the one you are visiting.  And Apple’s Safari browser, as well as development builds of Mozilla’s Firefox, have included heuristics to accomplish something similar.  These are helpful, but imperfect, since the definition of a “third party” is not as precise as one might like.  For example, XYZ.COM might have a companion domain for videos, XYZ-MEDIA.COM; logically, both are part of the same site, but simple heuristics won’t see things that way.

Now, according to an article at Ars Technica, Stanford University, along with the browser makers Mozilla and Opera Software, is establishing a Cookie Clearinghouse to serve as a sort of central cookie rating agency.

The Cookie Clearinghouse intends to provide lists of cookies that should be blocked or accepted. Still in the planning stages, it will be designed to work in concert with the heuristics found in Firefox in order to correct the errors that the algorithmic approach makes.

The Clearinghouse is just being set up, so it’s too early to say how much it will help.  Similar cooperative efforts have helped reduce the impact of spam, phishing, and malicious Web sites, though, so we should hope for the best.
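To make the XYZ.COM / XYZ-MEDIA.COM problem concrete, here is an added example (not code from Mozilla, Opera, Stanford, or the Clearinghouse) of a simple third-party heuristic and a curated list that corrects it in both directions. The list format, the function names, and every host name other than the two from the text are assumptions constructed for illustration.

```javascript
// Naive "site" key: the last two DNS labels of a host name.
// Assumption: real browsers consult the Public Suffix List instead; this
// shortcut is exactly the kind of simple heuristic that makes mistakes.
function siteOf(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

// Heuristic only: a cookie is third-party when the host setting it belongs
// to a different site than the page the user is visiting.
function isThirdParty(pageHost, cookieHost) {
  return siteOf(pageHost) !== siteOf(cookieHost);
}

// Hypothetical curated list (constructed sample data):
//   sameParty - groups of sites that are logically one party
//   block     - hosts to refuse even when the heuristic sees "first party"
const curated = {
  sameParty: [["xyz.com", "xyz-media.com"]],
  block: ["ads.sharedhost.example"],
};

// Apply the curated list first, then fall back to the heuristic.
function decide(pageHost, cookieHost, list = curated) {
  const page = siteOf(pageHost);
  const setter = siteOf(cookieHost);
  if (list.block.includes(cookieHost.toLowerCase())) return "block:listed";
  if (page === setter) return "accept:first-party";
  const companions = list.sameParty.some(
    (group) => group.includes(page) && group.includes(setter)
  );
  return companions ? "accept:listed-companion" : "block:third-party";
}

// Constructed requests: [page being visited, host setting the cookie].
const samples = [
  ["www.xyz.com", "cdn.xyz.com"],
  ["www.xyz.com", "video.xyz-media.com"],
  ["www.xyz.com", "widgets.social.example"],
  ["blog.sharedhost.example", "ads.sharedhost.example"],
];
for (const [page, setter] of samples) {
  console.log(`${page} <- ${setter}: ${decide(page, setter)}`);
}
```

With an empty list, the second sample is blocked and the fourth is accepted, which are the two kinds of error a curated list is meant to correct.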

Chrome Updates for Other Platforms

June 18, 2013

A few hours ago, I posted a note about the release of version 28.0.1500.45 of Google’s Chrome for the Linux platform.  Now the rest of the conventional PC world has been updated, too, with the Release Announcement for version 27.0.1453.116, for Windows, Mac OS X, and Chrome Frame.

This release incorporates fixes for a “click-jacking” vulnerability with the Flash plugin, and some other unspecified security issues.  It also fixes some other user interface bugs; more detail is available in the Release Announcement.  Although the identified security issue is not too serious (Google rates it as Medium severity), it’s probably a good idea to get the update, which you can do using the built-in update mechanism.

I confess that I am no more enlightened than before about why this update is different from the Linux update; I have no further information on what is actually in the Linux update.

Google Releases Chrome 28 for Linux

June 18, 2013

Google has released a new stable version, 28.0.1500.45, of its Chrome browser for Linux. The Release Announcement, which is quite terse, makes no mention of other platforms; nor is there any indication of what changes are included in this version.  My guess is that we will see a similar release for Windows and Mac OS X shortly; I’ll post a follow-up note if I learn anything more.

Google does say that the minimum supported release level for Linux has been updated to:

  • Ubuntu 12.04+
  • Debian 7+
  • OpenSuSE 12.2+
  • Fedora Linux 17+

This doesn’t necessarily mean that this and future releases will not work with older Linux versions, just that they may not; if they don’t, Google won’t fix it.

As usual, Linux users should check their distributions’ package repositories to get the new version.
