Mozilla has updated its Firefox browser to patch three critical security holes.
Firefox 3.5.6 and 3.0.16 both fix earlier memory corruption issues. "We presume that with enough effort at least some of these could be exploited to run arbitrary code," the security advisory said.
In addition, the earlier version of Firefox 3.5 had two critical vulnerabilities in its technology for playing Ogg-format media, one with the liboggplay media library and one with the libtheora video library.
The patches are among 62 fixes in the new Firefox, software that's translated into dozens of languages and runs on multiple operating systems. Users of the OS/2 operating system will be delighted to know that problems with Firefox's full-screen mode and with print preview have been resolved.
"We strongly recommend that all Firefox users upgrade to this latest release," Mozilla said in a blog posting. By default, Firefox downloads updates automatically then prompts users to restart when it's ready; updates also can be retrieved through the "check for updates" menu option.
Mozilla plans to cease supporting Firefox 3.0 in January. Meanwhile, a significant update, Firefox 3.6, is due by the end of the year.
Correction 1:23 p.m. PST December 17: This story was corrected to note that it was the earlier versions of Firefox that suffered the vulnerabilities.
Google CEO Eric Schmidt is the latest Silicon Valley CEO to draw ire after suggesting that folks seeking privacy might not want to look to the Internet to find it.
"I think judgment matters," Schmidt said, appearing on CNBC. "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. If you really need that kind of privacy, the reality is that search engines--including Google--do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities."
In some senses, Schmidt was merely stating the truth about the U.S. law as it currently stands. However his "maybe you shouldn't be doing it in the first place" comments, in particular, seem to have raised the hackles of privacy advocates and others.
Among the most interesting reactions was a posting on a Mozilla veteran's personal Web page suggesting that users might want to switch to Bing because of its better privacy policy.
"That was Eric Schmidt, the CEO of Google, telling you exactly what he thinks about your privacy," Mozilla Director of Community Development Asa Dotzler said on his personal blog, referring to the CNBC comments. "There is no ambiguity, no 'out of context' here. Watch the video."
From there, Dotzler shows how one can easily switch Firefox's search engine from Google to Bing, adding, "Yes, Bing does have a better privacy policy than Google."
To be fair, the Patriot Act and other laws apply just as much to Microsoft as they do to Google. Still, I think Dotzler's posting raises some interesting issues. Plus, it's particularly noteworthy that a Mozilla worker is willing to raise the issue given that the lion's share of Mozilla's revenue comes from the Google traffic generated by Mozilla's search bar.
The difference, in my opinion, isn't that Microsoft is somehow subject to different laws than Google, or even that it would behave differently in the face of a government challenge (both companies kowtow in China, for example). Rather, the two companies seem to have a different approach toward privacy issues.
Google's attitude tends to focus on the great benefits that open information can have, and often does. Plus, of course, its stance is an outgrowth of the fact that Google has built its business around gaining revenue by doing the best job of organizing that information.
That shows up in all kinds of ways. Mozilla Developer Relations Director Christopher Blizzard noted in a Twitter posting that sites users visit in Chrome get sent to Google.
"Everyone knows that every site you visit and all address bar searches in Chrome go to Google, right?" Blizzard wrote. (I sent an e-mail to Mozilla seeking its corporate take on things, but did not immediately get a response.)
Microsoft's approach, meanwhile, stems no less from its economic interest, but its zeal is tempered by years of heavy regulation and consumer backlash.
These differences in attitudes, and shifting tides in the center of power in the tech industry, I expect to be major issues in the coming years as regulators and consumers decide where to place their attention.
That said, Schmidt is hardly the first to point out that the idea of privacy on the Internet might be outmoded. "You already have zero privacy. Get over it," former Sun CEO Scott McNealy famously intoned, drawing many of the same criticisms.
Obviously, privacy advocates argue that protections must extend to the Internet. In a blog posting, security expert Bruce Schneier makes a passionate argument, although I think it is interesting that he digs up an essay from 2006 to make his reply.
"Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance," Schneier wrote. "We do nothing wrong when we make love or go to the bathroom. We are not deliberately hiding anything when we seek out private places for reflection or conversation. We keep private journals, sing in the privacy of the shower, and write letters to secret lovers and then burn them. Privacy is a basic human need."
So what do you think? Is privacy a basic human need, or a quaint, outdated notion, or is it, paradoxically, both of those things?
Earlier in November, Firefox surpassed 25 percent usage share of Web browsers, according to Net Applications. (Credit: Net Applications)
Mozilla released a third beta of Firefox 3.6 on Wednesday, adding stability and performance features, and said it hopes to lock down the code soon for its first release candidate.
The new beta, for Windows, Mac, and Linux, includes a component directory lockdown that makes it harder for other software to meddle with the open-source browser's state by preventing that software from sidling into the same folder as the browser's own components. The result should be fewer crashes, said Mozilla's Johnathan Nightingale in a blog post, and Firefox still is open to third-party extensions via its official add-on mechanism.
The change should improve security, too, added another Mozilla programmer, Vladimir Vukecevic, who wrote in his own blog post that Mozilla is considering bringing the change to Firefox 3.5, too.
"Creating binary components to interface with the operating system or with other applications is fairly straightforward, though ultimately dangerous. Binary components have full access to the application and OS, and so can impact stability, security, and performance," Vukecevic said.
Also in the latest beta of 3.6 is a feature that lets the browser run some Web-based JavaScript programs asynchronously, which is to say without being so picky about the order the scripts run. This can improve the speed that Web pages load, Mozilla said.
The biggest Firefox 3.6 feature most folks will notice is Personas, the reskinning add-on that's now being built in. More than 10 million Personas have been downloaded so far, Suneel Gupta and Myk Melez of the Personas team said Wednesday.
Mozilla is working to release a final version of Firefox 3.6 before the end of the year, and one sign the project is wrapping up is that the developers are locking down the features and changes that can be added into the release candidate 1. Code freeze for RC1 is scheduled for Wednesday but might be at risk, a Mozilla planning site said this week.
Firefox is steadily gaining in use. Last week, Web traffic monitoring firm Net Applications announced Firefox cleared 25 percent share of those using browsers worldwide--not dethroning Internet Explorer by any means but still winning over new users. Mozilla estimates there are more than 300 million Firefox users total, and this week said there are more than 300,000 testers using the Firefox 3.6 beta.
Google's Chrome, meanwhile, is appealing to some of the same browser enthusiasts who were Firefox's first users. One of its big selling points is speed, and Google is working on other ways to make the Web faster, too. Chrome gives it a vehicle to test such ideas out in the real world, a strategy that Apple, Opera, and Firefox have employed to advance the Web state of the art.
One Mozilla programmer, Alexander Limi, revealed a speedup technology called Resource Package for Mozilla, too, on Tuesday. His proposal calls for bundling many Web page elements up into a single compressed file that can be retrieved in a single Web-page request action. Browsers are limited in the number of such actions they can take in parallel, so consolidating the interactions can make pages load faster. The approach is backwards compatible with existing browsers that don't support the feature, he added.
"If the feedback is good we're likely to try and get this implemented for Firefox 3.7," said Mozilla evangelist Christopher Blizzard in a blog post Tuesday.
Mozilla and Microsoft don't always see eye to eye when it comes to browser technology, but they agree broadly on one thing: thumbs down for Google Chrome Frame.
Chrome Frame is a plug-in that puts Google's browser engine under the hood of Microsoft's Internet Explorer, and Google argues that it can modernize IE versions 6, 7, and 8 with faster page loading and JavaScript performance. It kicks in only on Web pages that Web developers have labeled with a specific tag. After Google announced it, Microsoft criticized it as creating a potentially increased risk to browsing security.
Google Wave is one site that suggests IE users install Google Chrome Frame. (Credit: Google)
Mike Shaver, vice president of engineering for Firefox backer Mozilla, published a different concern in a blog post Monday night.
"I certainly share that longing for a Web in which the vast majority of Web users enjoy the performance and capabilities we see in Chrome, Safari, Firefox, and Opera. Unfortunately, I don't think that Chrome Frame gets us closer to that Web," Shaver said.
Specifically, Shaver said Chrome Frame can disable IE features and muddle users' understanding of Web security matters. And users of the reviled IE 6 browser, he added, often won't be able to run Chrome Frame anyway because their computer is locked down to prohibit changes or lacks sufficient power in the first place.
"As a side effect, the user's understanding of the Web's security model and the behavior of their browser is seriously hindered by delegating the choice of software to the developers of individual sites they visit. It is a problem that we have seen repeatedly with other stack plug-ins like Flash, Silverlight and Java, and not one that I think we need to see replayed again under the banner of HTML5," he said.
Shaver's advice is to rely on that ages-old technique: an upgrade suggestion on the Web site.
"It would be better for the Web if developers who want to use the Chrome Frame snippet simply told users that their site worked better in Chrome and instructed them on how to install it," Shaver said. "The user would be educated about the benefits of an alternate browser, would understand better the choice they were making, and the kudos for Chrome's performance would accrue to Google rather than to Microsoft."
Mozilla on Wednesday released two new versions of its browser, Firefox 3.5.3 and 3.0.14, that patch three critical security holes and fix assorted other bugs.
The updates can be fetched through the Help menu's Check for Updates option, or can be downloaded directly.
Although Mozilla still supports the 3.0 version, it's pushing people to the 3.5 version, and support for the 3.0 series will end in a few months. Version 3.5, released in June, supports a variety of new Web page technologies and includes a faster JavaScript engine for running Web-based programs.
Interested folks can read the release notes.
Mozilla updated Firefox to version 3.5.1 for Windows, Mac, and Linux on Thursday, fixing a security problem, improving stability, and speeding launch time on some Windows systems, according to the release notes.
"We strongly recommend that all Firefox 3.5 users upgrade to this latest release," browser director Mike Beltzner said in a blog post Thursday.
Firefox 3.5 embodies Mozilla's hope to build a better foundation for Web applications, but about two weeks after its debut, a vulnerability in the browser's JavaScript engine came to light. Mozilla rated it "critical" because an attacker could create a Web site that would run malicious code on the computer.
The new version can be installed from Mozilla's download site or by selecting "Check for Updates" in the Help menu. Unfortunately, when I did so, Firefox warned me that the newly updated Gears 0.5.29.0 plug-in from Google becomes incompatible again.
Update July 17 1 p.m. PDT: A patch to fix the Gears compatibility issue is under way.
There is a critical JavaScript vulnerability in the Firefox 3.5 Web browser, Mozilla has warned.
The zero-day flaw lies in Firefox 3.5's Just-in-time (JIT) JavaScript compiler. Proof-of-concept code to exploit the vulnerability has been posted online by a security research group, Mozilla said in a post on its security blog on Wednesday. Security company Secunia rated the vulnerability as "highly critical" on Wednesday.
The hole could allow a hacker to launch a "drive-by" attack, according to Mozilla. That means an attacker may be able to execute malicious code on a target machine, if the victim visits a Web site containing an exploit.
No patch is currently available, but Mozilla developers are working on a fix. A workaround suggested in the blog post is to disable the Firefox 3.5 JIT compiler. However, Mozilla warned this would result in decreased JavaScript performance in Firefox.
The JIT compiler is part of TraceMonkey, which was added to Firefox in the 3.5 update released at the end of June. TraceMonkey is meant to optimise JavaScript execution in the browser, which Mozilla says is faster than previous iterations of Firefox.
On Wednesday, the United States Computer Emergency Response Team said users and administrators should completely disable JavaScript functionality in Firefox 3.5.
The Sans Institute also said people could disable JavaScript, and suggested using NoScript, an open-source Firefox plug-in that only allows script to be executed by trusted Web sites.
Tom Espiner of ZDNet UK reported from London.
Updated at 11:32 a.m. PST with a summary of the bug fixes.
Mozilla released an update to Firefox 3 on Tuesday that patches 12 security vulnerabilities, four of which it rated as critical.
Firefox 3.0.9, the Web browser's third update this year, fixes two critical vulnerabilities in the Firefox browser engine and two in its JavaScript engine, according to a security advisory posted Tuesday:
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort, at least some of these could be exploited to run arbitrary code.
One critical security bug fixed crashes caused by memory corruption, which the developers felt could have been used at some point to run arbitrary code.
Two other high-profile bugs involved a misinterpretation of particular Adobe Flash code that could have been exploited, and a URI mismatch that also could have led to arbitrary JavaScript execution. However, there's no evidence in the bug reports that these security holes had been exploited.
AOL.com and AIM.com Web mail users should once again be able to view attached images inline and without hiccups. A bug created in Firefox 3.0.7 caused images to break where they had loaded properly in Firefox 3.0.6. Also, users who noticed previously stored cookies mysteriously disappearing should find that bug repaired.
The release comes as Mozilla prepares to release the fourth beta test of Firefox 3.5--the next version of the open-source browser. Mozilla had originally planned to release its new "Shiretoko" version of Firefox in early 2009. But after releasing Firefox 3.1 beta 3 last month, the organization behind the browser said a fourth beta is planned--and with the new version number, 3.5.
Expected changes in Firefox 3.5 include faster execution of Web-based JavaScript programs, a private-browsing mode, native support for the JSON (JavaScript Object Notation) technology for exchanging data between servers and browsers, and built-in audio and video abilities for bypassing Flash or other multimedia technologies.
In March, security-testing company Secunia reported that Mozilla had more vulnerabilities in its Web browser last year than Internet Explorer, Safari, and Opera combined, but that Mozilla dealt with those flaws more quickly than Microsoft did.
Meanwhile, Firefox continues to chip away at Internet Explorer's market dominance. Mozilla now has 22.05 percent of the global browser market share, compared with IE's 66.82 percent, a drop of more than seven percentage points in a year, according to figures from Web metrics company Net Applications.
Updates for Windows, Mac OS X, and Linux are available at the Mozilla site. (Downloads in all languages are available here.) Firefox 3 users will receive an update notification within 48 hours, or they can download the update manually by selecting "Check for Updates" from the Help menu.
CNET's Seth Rosenblatt contributed to this report.
Correction and update: This post was updated at 1:53 p.m. with a corrected headline (the word "patched" was missing) and additional and winnowed information on the security holes.
Mozilla published a critical security upgrade for Firefox Friday evening. Version 3.0.8 for Windows, Mac, and Linux fixes two security holes listed as "critical."
One patched an arbitrary code execution hole through an XUL element, and the other corrected an XSL stylesheet exploit. Both fixes patch crash-based security holes through which remote code could have been run.
The release notes for Firefox 3.0.8 are available here.
Mozilla reported more vulnerabilities in its Firefox Web browser last year than Internet Explorer, Safari, and Opera combined, but Mozilla dealt with those flaws more quickly than Microsoft, according to a new report by vulnerability-testing company Secunia.
Firefox had 115 reported flaws in 2008, nearly four times as many as every other popular browser, and nearly twice as many as Microsoft and Apple combined, according to browser vulnerability research (PDF) released this week. In comparison, Microsoft reported 31 flaws in IE, Apple reported 32 in Safari, and Opera reported 30.
However, the report found that Mozilla was quicker to patch Firefox's flaws that were disclosed publicly without vendor notification compared with Microsoft. These "zero day" vulnerability disclosures contain information that can be used by attackers to write exploits for the flaw. The longer it takes vendors to release an update that repairs the vulnerability, the longer users of the browser are at risk.
Secunia reports that Microsoft took longer to fix two more serious flaws than Mozilla did with two less serious flaws. (Credit: Secunia)
Secunia reported six instances in which Microsoft was publicly notified of browser vulnerabilities, two of which the security company labeled as "high" or "moderate" in severity. Meanwhile, Mozilla experienced three such occurrences, all of which Secunia labeled as "less critical" or "not critical."
Microsoft took 110 days to issue patches for the two most serious flaws, while it took Mozilla an average of 43 days to address its three flaws, Secunia reported. One of the IE vulnerabilities remained open for 294 days in 2008, according to the report.
The revelation comes as Mozilla released an update Wednesday to Firefox, its second in about a month. Mozilla developers said the update fixes six critical vulnerabilities found in Firefox 3.0.6, the most serious of which could allow attackers to run arbitrary code on a victim's computer.
Firefox continues to chip away at Internet Explorer's market dominance. Mozilla now has 21.77 percent of the global browser market share, compared with IE's 67.44 percent, a drop of more than 7 percentage points in a year, according to figures from Web metrics company Net Applications.