Many browsers patched prior to hacking event
By Susan Bradley One of the top draws at CanSecWest, the highly regarded Canadian security conference, is the break-the-browser contest known as Pwn2Own.
So can it be coincidence that Apple, Google, and Mozilla updated their browsers just days before the contest?
Yesterday was the start of CanSecWest 2010 in Vancouver, British Columbia. This year, a U.S. $10,000 prize sponsored by TippingPoint’s Zero Day Initiative (more info) goes to each white-hat hacker who’s the first to bring down Microsoft’s Internet Explorer 8, Mozilla’s Firefox 3, Google’s Chrome 4, or Apple’s Safari 4. Smartphones are targeted in the competition, too.
At this writing, environments that failed the test included Apple’s iPhone and three different browsers: Safari, Firefox, and IE 8 (with the attacker able to circumvent IE’s vaunted Data Execution Prevention), according to the ZDI Twitter feed.
The benefits for us from the contest should be more-secure browsers — before the conference and, probably, soon after.
Zero-day threat in Firefox is now fixed
Mozilla pushed out an update to Firefox on March 22, earlier than the March 30 date originally promised.
The release notes for version 3.6.2 state that the update fixes several security issues, including a zero-day bug described in a Mozilla security advisory — an exploit that could allow a hacker to take control of your system.
For Firefox 3.6 users, this should be a high-priority patch. If you stayed back on versions 3.5 or 3.0, you are not vulnerable to this particular bug — thus proving once again that sometimes waiting on an application upgrade is for the best.
Safari browser gets fixes before its big test
Historically, Apple’s Safari browser has been one of the first to fail in the CanSecWest contest, usually with an unreleased exploit coded by Safari vulnerability expert Charlie Miller.
So it’s perhaps no surprise that Apple’s March 15 Safari 4.0.5 patch, detailed in bulletin HT4070, includes several security updates.
However, TippingPoint lists several still-unpatched security holes in Apple’s browser, so I would not bet on Safari getting through this upcoming contest unscathed.
Google’s Chrome gets a bit more privacy
Just as outgoing U.S. Federal Trade Commissioner Pamela Jones Harbour took Google to task in recent FTC roundtable remarks for privacy violations, Google reported new enhancements to its Chrome browser.
A March 17 Chrome blog noted that more-fine-grained cookie settings were added to the current versions of Chrome. This includes the capability to allow or block cookies from specific sites. So if you’d like more control over the information about you a site keeps, do the following:
- Click on the tool icon in the upper-right corner and scroll down to Options.
- Click on the Under the Hood tab and then Content settings.
- Under the Cookies tab, you can block all third-party cookies, allow certain Web sites to set cookies, and use even-more-granular controls.
When I launched the Flash Player manager, it listed the Web sites I’d visited — such as British car-show site TopGear. It’s a reminder that these programs know a lot about your habits — merely by noting the sites you visit.
Figure 1. The application for changing Chrome’s Flash Player cookie settings is on Adobe’s site.
| Have more info on this subject? Post your tip in the WS Columns forum. |
WS contributing editor Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
