
May 17, 2005

New Fox In Da House

Firefox 1.0.4 patches a critical vulnerability within days of discovery, unlike the other browser that's updated monthly. Plus: advantages of whitelisting download sites, setting up a Firefox Profile, a first look at the new JavaCools Spyware Blaster 3.4, and an alert about a new Sober.Q worm variant that's spreading from Europe.

Firefox 1.0.4, released late last week, resolves some critical and potentially lethal vulnerabilities. The Arbitrary Code Execution bug actually comprises two separate issues that, when combined, can prove lethal to the security and privacy of our Firefox browsing experience. Discovered by security company Secunia, the first issue is caused by a JavaScript code injection bug feeding off an older bug that enables IFRAME JavaScript URLs to be executed in the context of another URL in Firefox's history list. The second flaw was in the browser's update mechanism and could be exploited to use the first vulnerability to run arbitrary code.

The new release also resolves a DHTML regression error that permits JavaScript and Script objects to be run with potentially higher privileges than when they were created. This bug was patched in versions prior to Firefox 1.0.3.

Although Firefox's developers have by default whitelisted only 2 update sites (Mozilla Update and Mozilla Addons), many users get just plain annoyed by the pop-up warnings when trying to install a new extension or theme, and typically disable the included explicit permission warning. And there lies the rub. I found out about the perils of such open whitelisting, which allowed any web site offering great extensions to install them somewhat silently. As a matter of fact, my security pendulum has swung the other way: I no longer whitelist any plug-in sites, and prefer instead to use the Right-click and Save Target As .. command to save new extensions, themes and other add-ons I chance across online.
This change happened after a rogue RSS reader add-in completely trashed a carefully tended profile that had supported extensions and a theme that weren't supposed to work with the current Firefox 1.x branch! My cautiousness also allows me to further investigate the contents of such downloaded .XPIs (Firefox-enabled installers) before actually allowing them access to my Firefox installation. And if you didn't know this already, you can view the contents of an .XPI file by opening it with just about any archive software. I find the free 7-zip to be great.

But much as I love Firefox, like many of its fans, I find this browser's default upgrade method both annoying and comforting. Annoying because for every incremental upgrade you have to download the entire software, which by itself is not such a biggie, but install file sizes seem to be growing with every release. The Linux version is 8 MB. Yet the upgrade process is somewhat comforting because you have to specifically initiate the install process, which won't proceed on auto-pilot without your explicit permission to do so.

I also noticed a tiny quirk on first running Firefox 1.0.4. After a fresh install, my copy displayed a red (critical update availability) icon in the top right corner. I actually double-checked my installed version to see if I was indeed running v1.0.4. On clicking the icon, the version upgrade check process reported I had the latest version installed! There's also a sometimes-appearing blue icon that indicates when upgrades are available for installed extensions.

But if you are hoping for SVG support, that's still not enabled in the Firefox 1.0.x trunk. You will need to use a (potentially?) unstable nightly build. But Firefox 1.1 is just below the horizon and should be here in a couple of months or less.

In related Firefox happenings, I finally decided that the only way to bring order into the chaos of too many extensions, and the consequent slowdowns in Firefox's first start-up and subsequent runtime speeds, was to begin using Firefox Profiles. By default Firefox integrates well with Windows and each user does have a unique profile containing their browsing settings (extensions installed, default theme, customized menu bars, and bookmarks). But I'm now using a well-known but poorly documented feature included in Firefox from when it was still known as Phoenix. The Firefox Profiler (disabled by default) allows you to set up multiple configurations within your Windows user profile. The key advantage is that you can group extensions by need, which improves browser startup and page rendering times. However, you'll need to manually copy over any bookmarks if you want to use them in the new profile.

To begin profiling, from Start > Run, enter FIREFOX.EXE -P and press Enter. There's a default profile available and the Don't Ask at Startup feature is enabled (disable it to use multiple profiles). When you create a new profile, make sure to give it an illustrative name. You can also choose where to store the profile (on Windows 2000 and later the default is in your user profile). Complete the wizard and you are ready to use your new Firefox profile.

Each new profile created has no installed extensions, themes or other customizations, but these can be added. Even optimizers like Firetune can tweak multiple profiles (if found). Or you could tweak your installation via the about:config file. All in all, Firefox Profiler is a really simple workaround for too many extensions, and you'll kick yourself (like I did) for missing out on the fun until now.

In other software updates, JavaCools Spyware Blaster 3.4 has been released. This includes numerous bug fixes, requested tweaks and optimization of its engine. The upgrade also improves support for the visually-impaired and other users of large fonts/DPI settings.
For those missing out on the fun, Spyware Blaster is a neat utility to prevent web sites from installing ActiveX-based spyware, adware, browser hijackers, dialers and other potentially unwanted software. 'Blaster also blocks spyware/tracking cookies in both Internet Explorer and Mozilla/Firefox, and can restrict actions of potentially unwanted sites in Internet Explorer. There's also a Flash plugin blocker that adds a 'kill bit' to block auto-download and install of the Flash runtime engine from Flash 3 onwards.

Do also take note of a new Sober worm variant that's beginning to spread. I have already received copies of the worm sent by some very strange email addresses including support@winzip.de! The Sober.Q variant is spread by computers infected with Sober.N, which posed as tickets for the 2006 World Cup in Germany. The Q variant floods inboxes with thousands of junk messages linking to news stories about Sober. Message bodies also contain German subject lines that, translated, read 'Dresden Bombing Is To Be Regretted Enormously', 'Armenian Genocide Plagues Ankara 90 Years On', 'Dresden 1945' and 'Turkish Tabloid Enrages Germany with Nazi Comparisons'. Messages also include the text: 'I'm not a spammer, but perhaps I should become one :)'!

That's it for now. So until the next week, Stay Safe!
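The .XPI inspection described above (saving the installer and opening it as an archive before it touches a profile) can also be scripted. The following is an added example, not part of the original post: it walks an .XPI as a ZIP, descends into nested chrome JARs, and lists entries worth a closer look. The extension lists, the finding labels and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed review policy (not from the original post): what deserves a closer look.
NATIVE_EXT = (".exe", ".dll", ".so", ".dylib")
SCRIPT_EXT = (".js", ".xul")
NESTED_EXT = (".jar", ".xpi", ".zip")
MAGIC = {b"MZ": "PE binary", b"\x7fELF": "ELF binary"}


def triage_xpi(source, depth=0, prefix=""):
    """Return sorted (path, finding) pairs for an .XPI, which is a ZIP archive."""
    findings = []
    with zipfile.ZipFile(source) as xpi:
        for info in xpi.infolist():
            if info.is_dir():
                continue
            path, name = prefix + info.filename, info.filename.lower()
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((path, "path escapes archive root"))
            with xpi.open(info) as fh:
                head = fh.read(4)  # header bytes beat the file extension
            kind = next((v for k, v in MAGIC.items() if head.startswith(k)), None)
            if kind:
                findings.append((path, kind))
            elif name.endswith(NATIVE_EXT):
                findings.append((path, "native extension, unknown header"))
            elif name.endswith(SCRIPT_EXT):
                findings.append((path, "script"))
            elif name.endswith(NESTED_EXT) and depth < 2:
                data = io.BytesIO(xpi.read(info))  # chrome JARs are ZIPs too
                if zipfile.is_zipfile(data):
                    findings += triage_xpi(data, depth + 1, path + "!/")
    return sorted(findings)


def build_sample_xpi():
    """Constructed sample: an in-memory XPI with a nested chrome JAR."""
    jar, xpi = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("content/overlay.js", "// overlay script")
        z.writestr("content/icon.png", b"\x89PNG")
    with zipfile.ZipFile(xpi, "w") as z:
        z.writestr("install.rdf", "<RDF/>")
        z.writestr("chrome/reader.jar", jar.getvalue())
        z.writestr("components/helper.dll", b"MZ\x90\x00stub")
        z.writestr("defaults/readme.txt", b"\x7fELFstub")
    return xpi
```

`triage_xpi` also accepts a file path, so it can be pointed at a saved .XPI instead of the constructed sample; an entry such as `defaults/readme.txt` above is reported by its header bytes even though its extension looks harmless.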