Itzik Kotler and Tomer Bitton of Radware
(Credit: Elinor Mills/CNET News)
LAS VEGAS--Two researchers from Israeli security firm Radware have figured out a way to trick computers into downloading malware, or to take over a computer, by hijacking the communications during the update process for Skype and other applications.
About 100 applications, many among the most popular on CNET's Download.com, can be targeted, said Itzik Kotler, team leader of Radware's security operations center, before his presentation here at the Defcon conference.
Kotler and colleague Tomer Bitton are releasing a tool called Ippon (which means "game over" in Judo) that enables the attack and offers a 3D view of potential victims on a network.
With the tool, an attacker can scan a Wi-Fi network for computers checking for new updates via HTTP (Hypertext Transfer Protocol). If the tool detects a computer sending a software update request, it replies before the app update server can respond, Kotler said.
Ippon customizes messages for the particular application and sends a message indicating that there is an update available even when the system already has the most recent legitimate update, he said. A malicious file is then downloaded from the attacker's server onto the victim's computer.
The researchers said they had not tested whether Firefox or other major browsers are vulnerable. Microsoft software is not vulnerable because it uses digital signatures in its update process, as all software updates should, Kotler said. People should be careful when using public Wi-Fi networks and avoid doing software updates on them, he said.
"You have to assume when on a public infrastructure that the infrastructure can be attacked," he added.
There is also the possibility that someone could spread an "airborne virus" via software updates that uses victim machines to attack and infect other machines on a network, according to Kotler.
Updated at 11:32 a.m. PST with a summary of the bug fixes.
Mozilla released an update to Firefox 3 on Tuesday that patches 12 security vulnerabilities, four of which it rated as critical.
Firefox 3.0.9, the Web browser's third update this year, fixes two critical vulnerabilities in the Firefox browser engine and two in its JavaScript engine, according to a security advisory posted Tuesday:
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort, at least some of these could be exploited to run arbitrary code.
One critical security bug fixed crashes caused by memory corruption, which the developers felt could have been used at some point to run arbitrary code.
Two other high-profile bugs involved a misinterpretation of a particular Adobe Flash code that could have been exploited, and a URI mismatch that also could have led to arbitrary JavaScript executions. However, there's no evidence in the bugs that these security holes had been exploited.
AOL.com and AIM.com Web mail users should once again be able to view attached images inline and without hiccups. A bug created in Firefox 3.0.7 caused images to break where they had loaded properly in Firefox 3.0.6. Also, users who noticed previously stored cookies mysteriously disappearing should find that bug repaired.
The release comes as Mozilla prepares to release the fourth beta test of Firefox 3.5--the next version of the open-source browser. Mozilla had originally planned to release its new "Shiretoko" version of Firefox in early 2009. But after releasing Firefox 3.1 beta 3 last month, the organization behind the browser said a fourth beta is planned--and with the new version number, 3.5.
Expected changes in Firefox 3.5 include faster execution of Web-based JavaScript programs, a private-browsing mode, native support for the JSON (JavaScript Object Notation) technology for exchanging data between servers and browsers, and built-in audio and video abilities for bypassing Flash or other multimedia technologies.
In March, security-testing company Secunia reported that Mozilla had more vulnerabilities in its Web browser last year than Internet Explorer, Safari, and Opera combined, but that Mozilla dealt with those flaws more quickly than Microsoft did.
Meanwhile, Firefox continues to chip away at Internet Explorer's market dominance. Mozilla now has 22.05 percent of the global browser market share, compared with IE's 66.82 percent, a drop of more than seven percentage points in a year, according to figures from Web metrics company Net Applications.
Updates for Windows, Mac OS X, and Linux are available at the Mozilla site. (Downloads in all languages are available here.) Firefox 3 users will receive an update notification within 48 hours, or they can download the update manually by selecting "Check for Updates" from the Help menu.
CNET's Seth Rosenblatt contributed to this report.
(Credit: Adobe)
Adobe Systems on Tuesday issued a security update to fix a critical vulnerability in Adobe Reader 9 and Acrobat 9 that could allow an attacker to take complete control of a computer and for which exploits had been reportedly found in the wild for nearly two months.
Adobe alerted users about the vulnerability more than two weeks ago and promised to have a security update for it by March 11.
Basically, attackers can take advantage of a hole on unpatched systems to overwrite memory with a buffer overflow and install a backdoor through which to control the system remotely.
In its advisory, Adobe said it plans to provide security updates for Adobe Reader 7 and 8 and Acrobat 7 and 8 by March 18 and for Adobe Reader 9.1 for Unix by March 25.
Meanwhile, US-CERT said on Tuesday it is aware of public reports of two new attack vectors for the vulnerability involving the Windows Indexing Service that indexes PDF files and the Windows Explorer Shell Extension.
The vulnerability can be exploited with little or no user interaction if the Windows Indexing Service processes a malicious PDF file stored on the system or Windows Explorer displays a folder containing a malicious PDF file, the CERT advisory said.
Earlier in the day, Microsoft issued updates for a number of critical and important vulnerabilities in Windows as part of this month's Patch Tuesday.
One security expert complained that Adobe was late to acknowledge the vulnerability and uncommunicative about the issue since it arose.
"Having the patch early is a huge benefit, but releasing it on the same day as Microsoft's planned March patch spells disaster for enterprise resource planning, and it still leaves Adobe with a black eye for lack of communication," said Andrew Storms, director of security operations for nCircle, a network and compliance automation firm.
Adobe representatives did not immediately respond Tuesday to phone calls and e-mails seeking comment.
Mozilla on Wednesday released an update to the Firefox Web browser that its developers said fixes eight security issues found in Firefox 3.0.6, six of which were rated critical.
The most serious of the vulnerabilities fixed in version 3.0.7 for Windows, Mac, and Linux could allow attackers to run arbitrary code on a victim's computer, Mozilla warned in security advisories Wednesday.
The six critical flaws affect the browser's garbage collection--which monitors how Firefox modules use the computer's memory--as well as the browser's PNG libraries and its layout and JavaScript engines.
Mozilla developers said they weren't sure the layout and JavaScript flaws could be exploited.
"Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said in an advisory.
Updates for Windows, Mac OS X, and Linux are available at the Mozilla site. Firefox 3 users will receive an update notification within 48 hours, or they can download the update manually by selecting "Check for Updates" from the Help menu.
The update--Mozilla's second this year--comes as Firefox continues to chip away at Internet Explorer's market dominance. Mozilla now has 21.77 percent of the global browser market share, compared with IE's 67.44 percent, a drop of more than 7 percentage points in a year, according to figures from Web metrics company Net Applications.
Mozilla on Tuesday released an update to Firefox for Windows, Mac, and Linux that its developers said addresses several security and stability issues in the Web browser.
Version 3.0.6 fixes six bugs, the worst of which is a JavaScript issue affecting the browser's layout engine that developers labeled as critical. The vulnerability, which also affects Mozilla's Thunderbird e-mail client and SeaMonkey Internet Suite, could allow an attacker to run unauthorized code on exploited machines, Mozilla said.
The update improves how scripted commands, such as those included with Adblock Plus, work with plug-ins. It also addresses display issues, Mozilla said.
The update comes as Firefox continues to chip away at Internet Explorer's market dominance. Internet Explorer now has 67.55 percent of global browser market share, a drop of more than 7 percentage points in a year, according to figures from Web metrics company Net Applications released Monday. Mozilla's Firefox browser, meanwhile, has gained market share in the same time frame, climbing more than 3 percentage points to 21.53 percent.
The T-Mobile G1 midway through an update of the Android operating system.
(Credit: Stephen Shankland/CNET News)
Google has begun fixing a bug that would reboot T-Mobile's G1, the first Android-powered phone, any time a user typed the word "reboot."
"It would appear that Android is, at some level, interpreting specific text strings and acting as if they were local commands," a user called mogphone wrote in the bug filed about the problem.
Added another commenter, jdhorvat, "Funny story behind finding this: I was in the middle of a text conversation with my girl when she asked why I hadn't responded. I had just rebooted my phone and the first thing I typed was a response to her text which simply stated 'Reboot'--which, to my surprise, rebooted my phone."
Repairs are under way. "This is already fixed and is going out in the RC30 build which will be pushed to users very soon," added user morrildl.
Indeed, my Android phone got the RC30 patch over the weekend, and the problem doesn't occur. It's not clear what time frame other Android users will receive their patches; there was a multi-day lag between my G1's last update a week ago and the period in which some others got their updates.
Some more details on the problem are described at this Web site.
(Via ZDnet)
Google and T-Mobile have begun distributing a security patch for the first Android-powered phone, the G1 built by HTC. This is the update alert message.
(Credit: Stephen Shankland/CNET News)
Google has begun distributing a patch to its Android mobile phone operating system, an early test for how nimbly the company can respond and how well the infrastructure works to distribute and install updates.
For the Android test phone I'm using, a T-Mobile G1, the update was smoother than the process by which the software problem came to light publicly on October 24.
The handset I'm testing gave me a message Saturday afternoon: "A system update is available," and a choice to update now or later. When I clicked the button to begin the update, it downloaded new software, which took a few minutes, then installed it, then resumed working with no hitches.
The patch fixes the highly publicized security problem with Android's Web browser and makes a few other minor changes, according to a Google spokesman quoted in IT World on Friday.
The researchers--Charlie Miller, Mark Daniel, and Jake Honoroff of Independent Security Evaluators--called the Android Web browser flaw serious, but Google said its severity was mitigated by Android's design, which restricts each program to its own area.
Earlier, Google appealed for what it called "responsible disclosure" of security vulnerabilities--in other words, a grace period to fix problems before they're made public to reduce the likelihood an attacker will get a chance to exploit a vulnerability. There's an ages-old tension between companies that want to fix their products and security researchers who want to get the word out, in part because attackers also are trying to find the vulnerabilities.
Google didn't respond to a request for comment Saturday.
Here the G1 shows progress in downloading the update.
(Credit: Stephen Shankland/CNET News)
Once the patch is downloaded, the phone automatically installs it.
(Credit: Stephen Shankland/CNET News)
Earlier today, Google was keeping mum about a three-day-old security fix to its Chrome browser, but now the company has revealed details of two critical-risk vulnerabilities and some lesser issues it says are fixed.
The critical patches relate to buffer overrun vulnerabilities that could have let a remote attacker execute arbitrary software on a Chrome user's computer, said Mark Larson, a Google Chrome program manager, in a mailing list posting Monday afternoon. The first patch fixed a vulnerability in handling long file names, called the SaveAs vulnerability, and the second a vulnerability in dealing with the Web site addresses displayed in Chrome's status area when the user hovers over a link.
An update to Google Chrome means the browser now can head off a particular technique that previously could crash the browser.
(Credit: Stephen Shankland/CNET News)
Larson also established a Google Chrome Releases blog for announcements and release notes relating to Chrome. The company had said earlier it was working on a way to release that information, in part after people requested such notes well after Google started automatically updating Chrome browsers without saying what exactly was in the update.
Google fixed two lesser security issues, too. First was an issue in which typing "about:%" in the address bar could crash the computer. The problem also meant that a Web page with that text as a hyperlink could crash the browser if a user hovered the mouse pointer over the link. Second was to prevent the user's desktop from being the default download directory to mitigate "the risk of malicious cluttering of the desktop with unwanted downloads, which can lead to executing unwanted files," Larson said.
Other fixes addressed non-security issues: a JavaScript problem with Facebook; a problem suggesting search terms while using various Web sites; and some data-transfer issues with the Safe Browsing mode.
Updated 1:44 p.m. PDT with details that Chrome automatically updates itself with no notification or choice for the user.
Google has quietly begun releasing a hastily prepared update to its Chrome browser to fix some security problems.
The new version, 0.2.149.29, replaces the 0.2.149.27 that was released when Google launched the Chrome beta version last week. Google started releasing the update Friday, initially to a small number of users, but didn't make much of an announcement about the change.
To check if an update is available, click the wrench icon in Chrome's upper-right corner, then select 'about Google Chrome.'
(Credit: Josh Lowensohn/CNET News)
"149.29 is a security update and we released it as fast as we could," said Mark Larson, Google Chrome program manager, in a mailing list posting on Sunday. "We would've liked more time to prepare things, but some of the vulnerabilities were made public without giving us a chance to respond, update, and protect our users first. Thanks for being patient as we work out the kinks in all of our processes."
However, Google isn't revealing details yet about what security issues it's fixed.
"All users have not received the update yet, so we cannot discuss the details of the security issues that were addressed, but we plan to disclose more information once the update has reached all of our users," the company said in a statement Monday.
To check if an update is available, Chrome users can click the wrench icon in Chrome's upper-right corner, then select "about Google Chrome." That will show both the version number and a message indicating whether an update is available.
Google knows best
Without a manual check, Chrome will update itself automatically, Google said. "Google Chrome will automatically check for updates approximately every five hours. If an update is available, it will be downloaded and applied at the next browser restart," Google said.
Google believes it's best if Chrome applies security updates not only without a description of what's changing, but also without an opportunity for users to decide whether to accept the patch.
"Users do not get a notification when they are updated...When there are security fixes, it's crucial that we update our users as quickly as possible in order to keep them safe. Thus, it's important for us to not require user intervention," the company said in a statement. "There are some security fixes that we'll keep quiet because we don't want to disclose security vulnerabilities to attackers."
The automatic update policy applies to security and bug fixes. "For major version updates, when feature changes are involved, we'll explore options for providing users with more details about the changes," Google said.
Microsoft and Mozilla encourage users to download and apply updates automatically to Internet Explorer and Firefox, respectively, but users can choose not to do so.
Automatic updates can cause indigestion in corporations where internal administrators often want control over what software is running or not for compatibility, security, and other reasons. But browser vulnerabilities loom larger as more applications move to the Web and more people rely on those services, and automatic updates can help nip attacks in the bud.
Open-source redactions
Don't look for clues about the vulnerabilities in the Chrome source code. The open-source Chromium project has publicly available mailing lists and source code, but many recent changes to the code base are redacted to show only a blank page rather than the detailed changelog notes of other changes.
"Most of the changes are visible, aside from security changes, which we must keep private in order to keep users safe," Google said of the changelog.
Programming fans also won't be able to glean any insights from the Chrome update plug-in, which is proprietary.
"We use this updater and the server architecture it interfaces with to update across many of our products, some of which are not open source," Google said. "It's not that we are trying to hide anything; rather, it's just that this update infrastructure is not intended to be used by others who may distribute their own versions of the browser based on Chromium code."
Reported vulnerabilities
One security problem found in Chrome version 0.2.149.27 is a carpet-bombing vulnerability that could help an attacker install malicious software on a user's computer without giving the user a chance to accept or reject the download. Google assigned the problem a top priority.
Another reported issue in Chrome 0.2.149.27 is a buffer overrun that could allow an attacker to run arbitrary code on a user's computer and thereby take control of it, according to Bach Khoa Internet Security.
The company was willing to discuss some other details about the update, though. For one thing, the company fixed a JavaScript problem that could cause problems using Facebook. For another, it fixed a problem that would crash the entire browser if a person typed "about:%" into the address bar. Google called the problem "non-exploitable, but very annoying," reflecting the removal of the "security" label from the bug report.
Apple released a security update Thursday to users of its Tiger and Leopard operating systems to address a critical and well-publicized Domain Name System flaw, along with a dozen other updates.
The DNS flaw, which was first reported by Dan Kaminsky of IOActive on July 8, could allow attackers to redirect Web site visitors to any site they choose and present forged information. The DNS translates the common name of a Web site into its numerical IP address, and is therefore a fundamental component of the Internet.
During the second pre-Black Hat security conference Webinar on July 24, Kaminsky provided the most information to date about the DNS flaw he found earlier this year but only disclosed in public on July 8. His announcement coincided with a massive, multivendor patch release. But he withheld details, hoping that most people would get their systems patched before the bad guys got a hold of it.
However, exploit code that could allow someone to attack the DNS was available in various places on the Internet on July 23.
Apple's update also fixes a QuickLook bug where loading a malicious Microsoft Office file could lead to "arbitrary code execution."
Apple recommends Security update 2008-005 for all systems running Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4. The update is available at Apple.com or through the update mechanism in OS X.







