Fix
All of the Mozilla, Firefox, and Navigator threats appear to involve Java. So, until Mozilla releases a patch, disabling JavaScript will block any attack attempts in the meantime. The April 6 version of Firefox release candidate 1.0.3 (as opposed to the April 5 version) does address this JavaScript vulnerability. However, it will reportedly wreak havoc with some extensions, so it's strictly a beta test version for now.
No workaround is available at this time for the IE and Outlook threats.
Final word
Well, not to belabor the obvious, but as I've always said, a big reason that hackers hit Microsoft so often is because it's the biggest target. Knowing this is one reason many people have turned to Firefox.
I like Firefox; I use Firefox every day. But I've never been under the illusion that it's completely secure or that it wouldn't suddenly begin to develop a lot of leaks when it became popular enough for people to take some serious shots at it.
As Firefox and Mozilla become more popular, I expect to see more vulnerabilities and patches — it's just common sense. For the time being, Firefox only has about 9 percent of the market, so we can still expect to see plenty of problems emerging in Internet Explorer as well.
Until this week, I had simply switched browsers when a new vulnerability appeared in one or the other. But now both browsers I regularly use have serious vulnerabilities, so I'm stuck until a usable patch is available.
Also watch for …
- There a number of reports about instant messaging and P2P networks, and none of them are good. The short version is that IM and P2P attacks have surged 250 percent as better antispam filters have reduced spam on email servers. Ranging from viruses and worms to phishing ventures, the attacks mostly affect Yahoo, MSN Messenger, AOL, and Windows Messenger.
Again, that's most likely because these vendors have the most target-rich audiences. If other IM clients become more popular, attackers will begin targeting them. Only 11 percent of the attacks actually used a known vulnerability; presumably, the rest just relied on users opening anything anyone sent to them. - If you needed any proof that phishing is becoming a big danger, you need only note that Microsoft recently filed 117 lawsuits over the creation of fake Microsoft sites. Unlike viruses, which are a profit center for some software companies, it appears that the phishing threat is becoming so dangerous that the big boys are going to fight this battle for us.
- It has also reported how phishing is rapidly migrating from email to instant messaging services. For some interesting numbers, check out the Web site of the Anti-Phishing Working group or the organisation's February 2005 PDF report.
- Users can patch Firefox 1.0 (and most likely later versions) to block more popup ads. But this poses a new problem: As Firefox and other popup-blocking browsers gain market share, advertisers are turning to a new kind of popup that uses plug-ins. Because many sites use legitimate popup windows for various features, browsers typically don't block them, but a Firefox plug-in that does is in the works.
- Because of the anti-privacy, pro-corporate culture in Japan, it may be hard to believe that the country just passed a draconian privacy theft law, which will hold designated corporate privacy officers and staff criminally liable for security breaches resulting in the disclosure of personal records. The new law took effect on 1 April but doesn't appear to be either a joke or wishful thinking. The law applies to companies holding more than 5,000 such records, and those found responsible for failing to follow the strict new rules can receive a fine and up to six months in jail.
Talkback
If only the press as a whole would have held Internet Explorer to the same standards in the beginning as they do now FireFox. It would have been a different world.
Other then that I think it's a plus to disclose flaws in software. Certainly security and privacy related ones. Currently the general public is mostly ignorant about the state of affairs in software security land since the general public is mostly informed by means of ads and news flashes and that's hardly an accurate representation of the actual facts.
"In fact, troubles for the increasingly popular browser are coming so fast and furious that mozillaZine has reported that a new Firefox release candidate has already replaced the Firefox release candidate 1.0.3, which became available on April 5."
The extra fixes to be included in 1.0.3 fix bug 281988. There have been no security problems found with the code relating to that bug, just the potential for problems.
https://bugzilla.mozilla.org/show_bug.cgi?id=281988
"Be forewarned that this release candidate 1.0.3, and probably the eventual release version as well, is likely to cause problems with a number of extensions."
"Asa Dotzler has announced another set of Mozilla Firefox 1.0.3 release candidates. ***These builds should allow extensions and other features to operate as they did in Firefox 1.0.2 while still including the security improvements wanted by the Mozilla Foundation.***"
http://www.mozillazine.org/talkback.html?article=6369
"Of course, while you can switch to Firefox to avoid the latest IE vulnerability, you'll then have to deal with the new Firefox vulnerability instead—and it appears to be nearly as dangerous."
IE's problem is remote code execution. Firefox's is information disclosure. I don't know about you, but I'd much rather have an attacker be able to read random bits of memory than him be able to run whatever code he likes on my machine.
"All of the Mozilla, Firefox, and Navigator threats appear to involve Java. So, until Mozilla releases a patch, disabling JavaScript will block any attack attempts in the meantime."
Java is not the same Javascript! Perhaps you should let someone who knows the difference write the articles from now on.
You appear to be confused between the language in which an exploit exists and the language to disable using a security setting. Do you know the difference between Java and JavaScript?
Java is an object oriented development language delivered over the network as class and jar files.
JavaScript/ECMAScript is a scripting language embedded into a html page and usually delivered in plain text.
If the vulnerability is Java then keep it clear and advise users to switch off Java.
If the vulnerability is JavaScript then keep it clear and advise users to switch off JavaScript.
I hope you run a follow up article showing for each of the Firefox and IE vunerabilities how long each takes to fix. That would be proper editorial.