Webware

Mozilla has updated its Firefox browser to patch three critical security holes.

Firefox 3.5.6 and 3.0.16 both fix earlier memory corruption issues. "We presume that with enough effort at least some of these could be exploited to run arbitrary code," the security advisory said.

In addition, the earlier version of Firefox 3.5 had two critical vulnerabilities in its technology for playing Ogg-format media, one with the liboggplay media library and one with the libtheora video library.

The patches are among 62 fixes in the new Firefox, software that's translated into dozens of languages and runs on multiple operating systems. Users of the OS/2 operating system will be delighted to know that problems with Firefox's full-screen mode and with print preview have been resolved.

"We strongly recommend that all Firefox users upgrade to this latest release," Mozilla said in a blog posting. By default, Firefox downloads updates automatically then prompts users to restart when it's ready; updates also can be retrieved through the "check for updates" menu option.

Mozilla plans to cease supporting Firefox 3.0 in January. Meanwhile, a significant update, Firefox 3.6, is due by the end of the year.

Correction 1:23 p.m. PST December 17: This story was corrected to note that it was the earlier versions of Firefox that suffered the vulnerabilities.

It's been a matter of days since Facebook's new privacy controls went into place, and the company is already making modifications in response to user complaints that they expose too much information. Namely, the company has made it easier to prevent people from seeing who your friends are.

For one, Facebook no longer makes a link to a list of your friends publicly available, and it has added an option for members who want no one at all--including other friends--to see their connections. Third-party applications, however, can still access it.

"In response to your feedback, we've improved the Friend List visibility option," an update to Facebook's blog post about the new privacy settings read. "Now when you uncheck the 'Show my friends on my profile' option in the Friends box on your profile, your Friend List won't appear on your profile regardless of whether people are viewing it while logged into Facebook or logged out. This information is still publicly available, however, and can be accessed by applications."

Facebook's reasons for making this move likely have something to do with the fact that it wants to be a safe place for professionals: in some fields of work, people may be uncomfortable with basically opening up their Rolodexes. There was a high-profile incident that highlighted these potential pratfalls of making one's Facebook friend list publicly available: Business Insider revealed earlier this week that Overstock.com CEO Patrick Byrne was keeping a list of journalists covering the company as well as their professional connections found through Facebook.

The new privacy settings give members more control over how much they share in general, but they additionally encourage them to make more content public as the site moves from a closed-off, login-required site to a potentially huge player in the new real-time search craze. But the company remains under pressure from not only its 350-million-plus users, but also lawmakers in multiple countries who have voiced concerns about how much the company is doing to protect users' privacy.

Facebook users are too willing to give out their personal information, security firm Sophos has found.

According to Sophos' Australian team, which conducted a study to see how likely Facebook users were to offer up personal information, 41 to 46 percent of the 100 people Sophos contacted "blindly accepted" friend requests from two fake Facebook users created by the security firm.

After becoming friends with Sophos, the security firm was able to access up to 89 percent of the users' full dates of birth, all of their e-mail addresses, where they went to school, and more. Half of all the users Sophos befriended displayed the town or suburb where they live. They even offered up information on family and friends.

Younger users were "more liberal" with their workplace or school information than older users. "Both groups were very liberal with their e-mail addresses and with their birthdays," the security firm wrote in a blog post Sunday announcing the results. "This is worrying because these details make an excellent starting point for scammers and social engineers."

The security firm added that "10 years ago, getting access to this sort of detail would probably have taken a con-artist or an identify thief several weeks, and have required the on-the-spot services of a private investigator. Sadly, these days, many social networkers are handing over their life story on a plate."

Sophos' concerns over the way Facebook users are keeping information private comes on the heels of a statement released last week by Facebook founder Mark Zuckerberg discussing why Facebook users need to use the privacy tools his company has created. On Sunday, Facebook also announced the formation of a safety advisory board, comprised of five Internet safety groups.

Microsoft has begun a campaign to actively urge users of its 8-year-old Internet Explorer 6 browser to upgrade.

After launching IE 8 in March, Micosoft has concurred with critics that IE 6 is outdated. Many people have dropped the older browser, but the remaining users are often the tough cases--those who don't have a choice because of corporate computing policy or who aren't tech-savvy enough to realize there's a reason to move on.

This eBay 'Web slice'--basically a live bookmark in Internet Explorer 8--is part of Microsoft's effort to get people to upgrade from IE 6.

(Credit: Screenshot by Stephen Shankland/CNET)

It's this latter population Microsoft is targeting with a campaign that runs through June 2010 that touts its own IE 8 as a better alternative. The campaign's first visible elements are a video aimed at online holiday shoppers and a Web slice to promote daily deals at eBay. Web slices are basically live bookmarks that can show miniature Web pages in the browser.

"What we're doing with the outreach is help users understand how to protect themselves against social engineering threats that exist and to help people understand how Internet Explorer 8 puts people in control of their own privacy online," said Ryan Servatius, senior product manager for Internet Explorer. Security was one of the big problems with IE 6, and Microsoft now boasts that security features in IE 8 block 2 million malware sites a day.

According to Net Applications' statistics, Internet Explorer 6 is still the most widely used browser, with 23.3 percent share of usage in October, followed by IE 7 at 18.2 percent and IE 8 at 18.1 percent. The newer browsers are gaining on IE 6, but so are rivals including Mozilla's Firefox, Apple's Safari, and Google's Chrome.

Web developers often gripe about having to support IE 6, which doesn't support many modern features for more sophisticated Web sites and even applications. Microsoft acknowledges that it's holding back development of the Internet, too.

"The best thing a user can do to advance the Web is to help move people off IE 6," Servatius said.

Of course, many will upgrade to IE 8 by buying Windows 7. IE 6 was the browser that shipped with Windows XP, which remains entrenched, but there are signs Windows 7 is a more compelling successor than Windows Vista. That could help the corporate customers move away from IE 6, Servatius said.

"As enterprises migrate from whatever operating system they're using today to Windows 7, that's going to help deprecate IE 6," he said. "What we're doing is working both with consumers worldwide and IT professionals to help them understand what the benefits of a modern browser are."

Internet Explorer 8, Firefox 3, Google Chrome 4, Apple's Safari 4, and Opera 10 include features that block sites known to host malware and malicious downloads. All but Opera also let you browse without leaving any tracks. But just as important as these protections is ensuring that whichever browser you use is thoroughly patched.

Filtering out bad sites
Firefox's built-in antiphishing tool claims to update its bad-site database 48 times a day, according to Mozilla's Firefox security page. Firefox 3 uses Google's Safe Browsing service to automatically block sites that are known to host malware. The Google Code site describes how Safe Browsing works in Firefox.

To verify that attack-site blocking is enabled in Firefox, click Tools > Options > Security and make sure "Block reported attack sites" is checked.

Firefox will prevent known-bad sites from opening when "Block reported attack sites" is checked.

(Credit: Mozilla Foundation)

The same feature is built into Google's own Chrome browser. You can ensure that malware-site filtering is on in Chrome by clicking the wrench icon in the top-right corner, choosing Options, and selecting Under the Hood. "Enable phishing and malware filtering" should be checked. The Google Chrome Help site describes the feature. (Hint: This page looks very similar to the description on the Google Code site.)

Google's Chrome browser blocks known-bad sites when "Enable phishing and malware protection" is checked.

(Credit: Google)

The SmartScreen technology in version 8 of Internet Explorer blocks known-malicious downloads as well as bad URLs. Other new security features in IE 8 include automatic blocking of click-jacking and cross-site scripting attacks, automatic crash recovery, and highlighting of the actual domain name in the address bar. The Microsoft Security site describes the SmartScreen Filter and includes links to a SmartScreen FAQ and information for site managers.

Apple's Safari browser added phishing and malware blocking in version 3.2, which was released in late 2008; read about this and other security features in Safari 4 on the Apple Safari site. Likewise, Opera's Fraud Protection predates the phishing and malware filters in IE and Firefox and is enhanced in the latest version 10. But attack-site blocking is only one of Opera's many security features, which you can read about on the Opera site.

Browsing in private
To activate private browsing in Firefox 3, click Tools > Start Private Browsing, or simply press Ctrl-Shift-P. You can set Firefox to start in private-browsing mode by clicking Tools > Options > Privacy and check "Automatically start Firefox in a private browsing session." The Mozilla support site provides more information about this feature. Likewise, put IE 8 in private-browsing mode by clicking Safety > InPrivate Browsing, or by pressing Ctrl-Shift-P. You can also open a new tab and click either Browse with InPrivate or Open an InPrivate Window.

IE 8 also lets you control the information about your browsing habits that's shared with Web tracking services. To activate this feature, click Tools > InPrivate Filtering Settings and choose "Let me choose which providers receive my information." This opens the InPrivate Filtering settings dialog, where you can turn filtering off, choose which services to block from tracking you, or automatically block all trackers.

Internet Explorer 8's InPrivate Filtering lets you block some or all Web tracking services.

(Credit: Microsoft)

You can open an incognito window in Google Chrome by clicking the wrench icon in the top-right corner and choosing "New incognito window," or simply press Ctrl-Shift-N. The incognito icon (a shadow figure in a fedora and glasses) appears in the top-left corner of the browser window. The Chrome support site offers a more detailed description of this feature.

Opera lacks an equivalent private-browsing capability but does offer private searching and other identity-blocking features, as described on the Opera site. To activate private browsing in Safari, simply click Safari Settings Menu > Private Browsing.

Automatic and not-so-automatic browser updates
Patching is a way of life with nearly all software, but especially with browsers and the media players associated with them: Adobe Reader, the Flash Player, Apple's QuickTime, and Sun's Java, among others. All of a browser's security features can be rendered useless by a piece of malware that takes advantage of an unpatched hole in the program.

Firefox 3 alerts users to the presence of an update and now also notifies you when your Flash Player is out-of-date. Internet Explorer 8 updates via the Windows Update/Microsoft Update services. Google Chrome made a splash by being the first browser to update itself in the background without requiring any prompting from users. Safari updates automatically via Apple's update service, which also serves up patches automatically for QuickTime, iTunes, and other Apple software. Opera also notifies you automatically when a new version is available.

But updating is too important to leave to others. Back in April, I described Secunia's Online Software Inspector and downloadable Personal Software Inspector, which identify out-of-date programs on your PC. The programs mentioned in that post have all been updated since, but Secunia's services should point you to the most recent versions.

(Note that Secunia sometimes reports a program as being out-of-date when in fact you have the latest version. On my PC, it continually reports my up-to-date Flash Player as being in need of an update, for example. But the free service Secunia provides is worth putting up with this and similar minor annoyances.)

There's no way to reduce to zero your risk of picking up some piece of malware while browsing. You need layers of security to keep viruses, Trojans, and botnets at bay—the more layers, the safer your browsing. (Of course, the more layers, the slower your browsing, too, so don't get carried away.)

Much emphasis has been placed on the enhanced security features of the latest versions of the popular browsers. Whether one is any safer than another is anybody's guess, but no browser gives you more ways to thwart a Web-based attack than Firefox via its wealth of security add-ons.

Link checkers add warnings to search results
Search results are often difficult to trust, even when the URL looks familiar. Phishers are adept at planting dangerous links that look like harmless ones. Link checkers provide you with an indication of the trustworthiness of sites before you click their links. (Note that several of the products are available for Internet Explorer as well.)

Some of the programs, such as McAfee's SiteAdvisor, give the thumbs-up or thumbs-down based on a single company's research. Web of Trust (WOT) bases its recommendations on the collective intelligence of a network of volunteers. LinkExtend is a link-check aggregator that combines the analyses of eight different services.

McAfee SiteAdvisor adds a safety indicator to Web search results.

(Credit: McAfee)

While the recommendations of link checkers are helpful in identifying safe sites, you can't take their yeas and nays as gospel. For example, sites that offer downloads of system utilities may be flagged as dangerous because the programs require access to the operating system and thus could do major damage in the wrong hands.

Track the trackers
You know popular Web sites download software that tracks your activities on their sites, but do you know who's doing the tracking? Find out with the Ghostery add-on that pops up the names of the trackers as the page opens. The program puts a small "ghost" icon in the bottom-right corner of the Firefox window that turns orange when trackers are present. Click the link that appears to the right of the icon to find out more about the trackers and block them individually or entirely.

The Ghostery Firefox add-on lets you know who's tracking your activities on the site.

(Credit: Ghostery)

View encryption specs
When you open an encrypted Web page, a lock icon appears in the bottom-right corner of the Firefox window and the URL in the address bar begins with "https." But there's more than one form of encryption, and knowing which type and strength of encryption in use can be handy.

The CipherFox add-on puts in the bottom-right of the Firefox status bar the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cipher and keysize currently in use. Double-clicking the entry opens the CipherFox dialog box, where you can disable RC4 encryption and display partial SSL/TLS. (Note that the developer accepts donations to support the product.)

Take charge of Web password management
Firefox's built-in password manager lets you create a master password and remember passwords for specific sites, but if you want to get serious about managing your passwords, get LastPass, a password manager that provides much more granular control over your sign-ins.

After you download and install the add-on, an icon is placed in the top-right corner of the Firefox window. Click it to open the LastPass menu, which lets you manage your identities, open the LastPass Vault, jump to favorite sites, and generate secure passwords. You can also import or export sign-in IDs, compose and print secure notes, and assign keyboard shortcuts for specific actions.

In addition to Firefox and IE, LastPass is available for Google Chrome and Apple's Safari browsers. LastPass backs up your passwords by storing an encrypted copy on its own servers. And because you can access your passwords via the Internet, you can use LastPass on any Web-connected device, although use of LastPass on an iPhone or other smart phone requires a Premium membership, which costs $1 a month. (You can also put LastPass on a USB thumbdrive for use with Firefox Portable and other portable apps.)

With the holiday shopping season creeping up, you may have a child on your shopping list who longs for a special toy. However, you may worry that the toy you are considering is unsafe for your child and perhaps the environment. Thankfully, there are resources online that offer advice on which products may be unsafe to your child.

If you're a parent, this set of resources is definitely worth checking out.

Keep Kids Safe

Consumer Product Safety Commission There is probably no better place to go first when looking for safe children's toys than the U.S. government's Consumer Product Safety Commission page.

When you get to the CPSC site, you'll be able to search for all the recalls and issues that have arisen with toys. You can also see some of the most recent recalls by simply clicking on the appropriate month above the search box. In either case, the site lists all the recalls during the specified period, why it was recalled, and information on how to return the item. The site also features images of the products to help you determine if the toy you've purchased is of concern. Even better, you can follow the CPSC on Twitter or Facebook to receive updates on new recalls as they are announced. The CPSC Web site, while poorly designed, is a must-see for any parent.

The CPSC Web site has all kinds of recalled products.

(Credit: Screenshot by Don Reisinger/CNET)

GoodGuide If you're looking for data on what you should be providing your kids with, GoodGuide is the place to be.

GoodGuide offers a listing of healthy foods, household products, and toys that are suitable for children. GoodGuide's Toy section lists the level of lead, mercury, chlorine, and other harmful chemicals in the toy. Green means the toy doesn't have contain the respective harmful chemical, while red means that there are high levels of a chemical in a toy. You can also dig down into each listing to determine if the company that created the product has a good reputation. I was impressed by the number of toys GoodGuide offered. I think any parent will like GoodGuide.

Find out how healthy a toy really is with GoodGuide.

(Credit: Screenshot by Don Reisinger/CNET)

Apple released a security update for its Safari Web browser on Wednesday. Available for Windows and Mac, Safari 4.0.4 plugs what sound like moderate to severe security holes. Unlike competitors Internet Explorer, Firefox, and Chrome, Apple doesn't rate the severity of its security fixes.

The security fixes address a wide range of problem points. On both Windows and Mac, parsing maliciously written XML content could have led to a browser crash, using shortcut menu options within a maliciously created Web site could have led to the disclosure of local information, and visiting a maliciously built Web site could have resulted in unexpected actions on other opened Web sites.

For Windows only, viewing a maliciously made image with an embedded color profile that could lead to a browser crash or running arbitrary code is no longer a threat, nor is accessing a maliciously crafted FTP server, which could have led to an unexpected crash, information disclosure, or arbitrary code execution. For Mac only, an exploit that could have allowed e-mail to remotely load audio and video content when loading a remote image has been disabled.

Although it's good practice to update a program whenever a security fix has been released, more transparency from Apple on the matter would pull the company up to competitors' standards.

Click here to read the full changelog for Safari 4.0.4.

The entry hall in my house has been a test bed for home monitoring cameras for years. I like to be able to record people coming into the house and see what's going on around the front door. Anyone with a family and occasional babysitters will understand. So I continue to look for simple, robust video-monitoring solutions, and vendors keep obliging by improving the state of the art in home remote cameras.

The latest: Two interesting and very different products, Avaak's Vue and the Astak Mole. Both are very easy to get up and running, and neither require monkeying with arcane router settings to get offsite access to the video streams--something that can be a problem with the Panasonic BL-C131a cameras that I otherwise favor. (I've also tried the Logitech WiLife system, and find it quite good.)

The Vue.

(Credit: Rafe Needleman/CNET)

The Vue
The Vue is the most unusual remote camera I've seen. The product is unchanged from my March 2 preview, but I had a chance to experiment with the shipping version recently. The big benefit of the Vue: The cameras are tiny, battery-powered and thus completely wireless, and the system is extremely easy to set up. You plug an included controller box into your router or switch and tuck it out of the way, and then you can place the cameras anywhere in your house on their clever little stick-on magnetic dome mounts. The standard kit comes with two cameras.

The Vue is great for monitoring a location but there's a big downside: The cameras don't have motion sensors. If they did, the batteries wouldn't last. So you can see what's happening when you want, or record images on a schedule, but this product doesn't work as a security camera. It is very easy to share the output from a camera with friends, though. A two-camera kit is available now for $299.

The Vue experience is simple all the way around.

(Credit: Screenshot by Rafe Needleman/CNET)

The aptly-named Mole.

(Credit: Rafe Needleman/CNET)

The Mole
I also recently received the Mole, from Astak. This is a single camera for $299, but unlike the Vue cameras, this unit must be plugged in for power (it has Wi-Fi as well as Ethernet for connectivity). It can be panned and tilted by remote control over the Web, so one camera can see more than two Vues in some setups.

The Mole also has infrared illuminators for low-light capability, and a microphone, so you can see and hear what's happening at all hours. Since the camera is always on and can see in all conditions, it can also watch for motion and perform actions--alerting you and recording video and stills either to the Web or to its own memory card--when it detects movement. It even has a speaker so you can talk back through the camera. It is black and industrial-looking, however, befitting its name --not so great for installation in a nice white-painted hallway.