Security

CNNIC Certificates

I thought I had done a post earlier in regards to Mozilla Revoking Trust in one CNNIC Intermediate Certificate. Turns out I had not. I had also planned on posting more about this earlier this weekend, as Mozilla took further actions against the CNNIC certificate authority on Thursday, April 2nd. I did mention this briefly in the Firefox 37.0.1 Released post, but wanted to take a moment and explain about this in a little more detail. About 2 weeks ago, on March 23rd, from the Mozilla Security Blog: China Internet Network Information Center (CNNIC), a non-profit organization administrated by Cyberspace Administration of China…


Mozilla released an emergency update to Firefox 37 on April 3, 2015 with Firefox 37.0.1. This update did address start-up crashes due to graphics hardware and third-party software. However, there were two security fixes to address a couple of recently released Mozilla Foundation Security Advisories (MFSA):

MFSA 2015-44 Critical: Certificate verification bypass through the HTTP/2 Alt-Svc header [Firefox 37 Desktop]

MFSA 2015-43 High: Loading privileged content through Reader mode [Firefox 37 Android/Firefox 38 Beta (Desktop)]

The now-disabled HTTP/2 Alt-Svc header, aka Opportunistic Encryption for Firefox, was introduced in Firefox 37 earlier in the week. There have been several security issues/breaches…


Firefox 36.0.4 Released

Mozilla released another emergency security update for Firefox 36 on March 21, 2015 with Firefox 36.0.4. This update has more security fixes for issues disclosed at HP Zero Day Initiative’s Pwn2Own contest. Depending on their update settings, users should be prompted shortly to update to Firefox 36.0.4, or they can force the update by going to the Firefox Help menu, selecting About Firefox, and then following the prompts. Alternatively, users may also go to getfirefox.com and download and install the latest version of Firefox there. The next scheduled release for Firefox is March 31st with Firefox 37.


Firefox 36.0.3 Released

Mozilla released an emergency security update for Firefox 36 on March 20, 2015 with Firefox 36.0.3. This update has security fixes for issues disclosed at HP Zero Day Initiative’s Pwn2Own contest. Depending on their update settings, users should be prompted shortly to update to Firefox 36.0.3, or they can force the update by going to the Firefox Help menu, selecting About Firefox, and then following the prompts. Alternatively, users may also go to getfirefox.com and download and install the latest version of Firefox there. The next scheduled release for Firefox is March 31st with Firefox 37.


Getting Superfish out of Firefox

From the Mozilla Security Blog: First things first: If you are reading this post on a recent Lenovo laptop, please click the lock icon in the URL bar, then click “More Information…”. If you see “Verified by: Superfish, Inc.”, you are infected with Superfish, and you should follow these instructions to remove it. The Superfish adware distributed by Lenovo has brought the issue of SSL interception back to the headlines. SSL interception is a technique that allows other software on a user’s computer to monitor and control their visits to secure Web sites — however, it also enables attackers to…


Firejail – A Security Sandbox for Mozilla Firefox, Part 2

“In part 2 of this series, we look at some new browser sandboxing developments in Firejail security sandbox. Since the first article was published, many new features have been added. Unlike other sandboxes, the main focus of Firejail project is GUI application sandboxing, with web browsers being, at least for the immediate future, the main target. …” Source: l3net – a layer 3 networking blog


Tinfoil for Firefox provides easy access to advanced privacy preferences

“While you can make privacy related configuration changes in the Firefox options, many advanced options become only available when you load about:config or install add-ons that provide you with frontend access to those settings. You can check out our list of best privacy add-ons for Firefox which gives you an overview of good extensions for that purpose. Tinfoil is a brand new extension for Firefox that makes quite a few privacy related preferences available in its options. …” Source: gHacks Tech News


Google researchers recently announced the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, in which hackers take advantage of sites (around 0.3%) still using the outdated SSLv3 security protocol (introduced in 1996). Mozilla has announced that SSLv3 will be disabled; unfortunately, it won’t be until Firefox 34, which will be released on November 25th. However, users can (and are urged to) install the SSL Version Control extension, which will disable SSLv3 on the fly. I would not be surprised, though, if Mozilla pushes out a Firefox 33.1 update to have SSLv3 disabled in the coming days or weeks. Google Chrome is already testing changes to disable…


Google Software Removal Tool (Windows)

Google has come out with a tool (beta) for Windows to help users identify and remove rogue extensions and toolbars that are secretly tracking you. When malicious programs are using your Chrome browser to collect data, serve you ads or cause overall sluggishness, there’s a quick way to find out what’s causing the issues. Google recently published the Software Removal tool for Windows that will scan for software that is causing issues with the browser. A few words of caution before you use this tool: It is still in Beta so you may want to create a restore point just…


Be careful with extensions…

Browser extensions are great as they enhance the usability of, and your experience with, your browser. However, there are some extensions out there that will actually do the opposite. This seems to be a bigger problem for Chrome, but there are a couple of known ‘spying’ extensions in Firefox. These ‘evil’ extensions may track you or, as in the case with Scott Hanselman, inject ads into sites you are viewing. My perspective on JavaScript-based browser extensions has been far too naïve until this point. We were all burned by bad toolbars or evil ActiveX add-ons in the past, so when I run IE I run it with…
