Browser Newsletter #29

  1. CSS Variables are here!
  2. about:mobile - Our First Issue, Fennec M4 Available, Mobile Network Profiling Tool and more…
  3. 40% of surfers don’t bother with browser security updates
  4. Older Versions Of Firefox, IE Put 45% Of All Internet Users At Risk
  5. Google, Yahoo spiders can now crawl through Flash sites
  6. First look: Mozilla Weave 0.2 puts Firefox in the cloud
  7. Mobile Web To Get Standards
  8. IE8 Security Part III: SmartScreen® Filter
  9. IE8 Security Part IV: The XSS Filter
  10. IE8 Security Part V: Comprehensive Protection
  11. Firefox 2.0.0.15 fixes 12 security bugs, Firefox 3 not affected
  12. It’s Official: Firefox Downloads Set Guinness World Record
  13. Firefox 3 Boosts Browser’s Market Share Over 19%
  14. Opera Patches Bugs in Flagship Browser
  15. Microsoft probing ActiveX attacks targeting Access feature
  16. Prism: bringing web applications to the desktop



CSS Variables are here!

We talked about how CSS variables are next a few months back, and now they are here! WebKit now has an experimental implementation of CSS variables. You can test this feature using a WebKit nightly.

Read more…
© Ajaxian, 30/06/08

about:mobile - Our First Issue, Fennec M4 Available, Mobile Network Profiling Tool and more…

The M4 Milestone release of Fennec is available for testing for the N800 and N810. The main feature of this release is that it features really good scrolling and panning, largely written by Stuart Parmenter and Gavin Sharp. Please note that this is still a very early milestone release, and as such this build has many features that are either incomplete or unstable. Please see the instructions on how to install this Fennec milestone release on the N800-series tablets and Mark’s post on the release. If you follow the instructions you will also get milestone updates as they become available. The M5 milestone should be out a few weeks from now.

Madhava Enros has updated the working UI designs for Fennec. The current designs aim to minimize required typing, make it easy to do quick searches, and also to maximize the amount of screen space dedicated to web content. Primary browser controls and tab thumbnails are placed out of the way, just beyond a page’s edges, but can be dragged quickly into view when needed. Please see his updated mockups in the mobile section of the wiki to get the full story.

Read more…
© Mozilla Developer Center, 30/06/08

40% of surfers don’t bother with browser security updates

A recent collaborative study between Google, the Swiss Federal Institute of Technology, and IBM offers new insight into how many people surfing the web are doing so safely. According to the report, a clear majority of users (some 59 percent) are using the latest version of their preferred Internet browser—but that still leaves 40.1 percent who aren’t. That’s a troublingly high number for anyone working in IT security, given that virtually all (89.4 percent) of the vulnerabilities reported in 2007 were remote exploits. Not all of these exploits specifically targeted the web browser, but it’s become the target of choice for an increasingly large percentage of all attacks. Proper browser security is therefore of paramount concern.

The group performed its analysis using Google’s database of user information (nonpersonally-identifiable information, mind you). The information in question was gathered between January 2007 and June 2008, and represents some 18 months of browser data. Both minor and major patch versions were considered, as was the date when new patches were actually released. Data was compiled separately for each of the browsers that were tracked, and multiple visits from any given machine were counted only once per day.

Read more…
© Ars Technica, 01/07/08

Older Versions Of Firefox, IE Put 45% Of All Internet Users At Risk

Computer security researchers from ETH Zurich, Google, and IBM believe computer software would be more secure if, like a perishable food product, it were labeled with an expiration date.

In a newly published paper, Stefan Frei and Martin May of the Computer Engineering and Networks Laboratory at ETH Zurich, Thomas Dubendorfer of Google Switzerland, and Gunter Ollmann of IBM (NYSE: IBM) Internet Security Systems make this recommendation because they found that 637 million (45.2%) out of 1.4 billion Internet users worldwide are at risk from their failure to use the latest, most secure version of their chosen Internet browsers.

Read more…
© InformationWeek, 01/07/08

Google, Yahoo spiders can now crawl through Flash sites

This announcement has been a long time coming, as Flash developers have been wishing for ways to make their content searchable for close to a decade. Adobe acknowledges this in its announcement, saying that although search engines are able to index static text and links within Flash SWF files, “[Rich Internet Applications] and dynamic Web content have been generally difficult to fully expose to search engines because of their changing states—a problem also inherent in other RIA technologies.”

Read more…
© Ars Technica, 01/07/08

First look: Mozilla Weave 0.2 puts Firefox in the cloud

Mozilla Labs has announced the availability of Weave 0.2, the third major release of its experimental Firefox synchronization add-on. This version brings a broader feature set, improved reliability, and streamlined notification support. Although it is still in the early testing stage, Weave is already effective and easy to use.

When Mozilla launched Weave in December, the add-on offered basic support for storing the user’s Firefox bookmarks and history in the cloud, allowing the synchronization of the data between computers. The latest version extends this functionality to also cover cookies, passwords, tabs, and form contents. Future versions will go further and also support synchronizing the user’s extensions, themes, and search plugins. Mozilla intends to eventually implement an API that will enable third-party Firefox extensions to leverage Weave’s synchronization capabilities for other kinds of user data.

Read more…
© Ars Technica, 02/07/08

Mobile Web To Get Standards

A group of mobile operators have just unveiled a new initiative they’re calling “BONDI” whose goal is to encourage development of new mobile web applications while not compromising customers’ security. BONDI was created by members of the OMTP (Open Mobile Terminal Platform), an industry group that includes participants from all parts of the mobile world and whose members include operators like AT&T, Hutchison 3G, Orange, Telecom Italia, Telefónica, Telenor, T-Mobile and Vodafone.

Read more…
© ReadWriteWeb, 02/07/08

IE8 Security Part III: SmartScreen® Filter

In Internet Explorer 7, we introduced the Phishing Filter, a dynamic security feature designed to warn users when they attempt to visit known-phishing sites, and worked with partners to introduce Extended Validation certificates that light up the address bar when users visit sites with verified identity information. Beyond the Phishing Filter, Microsoft has also published educational materials on identifying phishing scams, and developed a strategy to attack phishing at multiple levels.

For Internet Explorer 8, we’ve built upon the success of the Phishing Filter feature (which blocks over a million phishing attacks weekly) to develop the SmartScreen® Filter, a replacement that improves upon the Phishing Filter in a number of important ways: Improved user interface [...] Faster performance [...] New heuristics & enhanced telemetry [...] Anti-Malware support [...] Improved Group Policy support [...] I’ll describe each of these in the sections that follow.

Read more…
© IEBlog, 02/07/08

IE8 Security Part IV: The XSS Filter

Today we are releasing some details on a new IE8 feature that makes reflected / “Type-1” Cross-Site Scripting (XSS) vulnerabilities much more difficult to exploit from within Internet Explorer 8. Type-1 XSS flaws represent a growing portion of overall reported vulnerabilities and are increasingly being exploited “for fun and profit.”

The XSS Filter operates as an IE8 component with visibility into all requests / responses flowing through the browser. When the filter discovers likely XSS in a cross-site request, it identifies and neuters the attack if it is replayed in the server’s response. Users are not presented with questions they are unable to answer – IE simply blocks the malicious script from executing.

Read more…
© IEBlog, 02/07/08

IE8 Security Part V: Comprehensive Protection

As we were planning Internet Explorer 8, our security teams looked closely at the common attacks in the wild and the trends that suggest where attackers will be focusing their attention next. While we were building new Security features, we also worked hard to ensure that powerful new features (like Activities and Web Slices) minimize attack surface and don’t provide attackers with new targets. Out of our planning work, we classified threats into three major categories: Web Application Vulnerabilities, Browser & Add-on Vulnerabilities, and Social Engineering Threats. For each class of threat, we developed a set of layered mitigations to provide defense-in-depth protection against exploits.

Web Application Defense: Cross-Site-Scripting Defenses [...] Safer Mashups [...] Safer Mashups: HTML Sanitization [...] Safer Mashups: JSON Sanitization [...] MIME-Handling Changes [...] MIME-Handling: Restrict Upsniff [...] MIME-Handling: Sniffing Opt-Out [...] MIME-Handling: Force Save [...] Local Browser Defenses: Add-on Security [...] Protected Mode [...] Application Protocol Prompt [...] File Upload Control [...] Social Engineering Defenses: Address Bar Improvements [...] SmartScreen® Filter [...]

Read more…
© IEBlog, 02/07/08

Firefox 2.0.0.15 fixes 12 security bugs, Firefox 3 not affected

Mozilla has released Firefox 2.0.0.15, a security update for Firefox 2 that fixes 12 security vulnerabilities, four of them labeled critical by Mozilla.

Read more…
© Mozilla Links, 02/07/08

It’s Official: Firefox Downloads Set Guinness World Record

We already knew that Mozilla had a record breaking day on June 17th when Firefox 3 was downloaded close to 8 million times, despite the download site not working for at least part of the morning. Now, Mozilla has announced that Firefox 3 has indeed made it into the Guinness Book of World Records with 8,002,530 downloads. Mozilla had set itself a goal of only 5 million downloads.

Read more…
© ReadWriteWeb, 02/07/08

Firefox 3 Boosts Browser’s Market Share Over 19%

Firefox 3 has experienced rapid market share gains since its release in mid-June, helping to push the Mozilla browser’s overall share to more than 19%, a Web metrics firm said Wednesday.

Since its release June 17, Firefox 3’s worldwide usage share has soared to more than 4%, Net Applications reported. In the first hour of its release, the latest version of the open source browser grabbed 1% of the global market.

Firefox 3’s gains came mostly from users upgrading from Firefox 2, the firm said. However, a small portion of the gains, 0.4%, came at the expense of Microsoft’s Internet Explorer.

IE’s market share fell to 73.01% in May to 73.75% at the end of June, Net Applications’ numbers showed. Firefox overall increased its share during the same timeframe to 19.03% from 18.41%.

Read more…
© InformationWeek, 03/07/08

Opera Patches Bugs in Flagship Browser

Opera Software patched the newest version of its flagship browser for the first time last week when it released Opera 9.5.1 to fix several flaws.

The update patches bugs in the Windows, Mac OS X and Linux editions, said Opera in notes posted to its Web site.

Read more…
© PCWorld, 05/07/08

Microsoft probing ActiveX attacks targeting Access feature

Microsoft issued a security advisory on Monday warning about targeted attacks being launched that exploit a hole in the ActiveX control for the Snapshot Viewer in the Microsoft Access database management system.

Read more…
© CNET News, 07/07/08

Prism: bringing web applications to the desktop

Prism is a project from Mozilla Labs and is, obviously, based on the Firefox web browser. Prism was originally called Webrunner, and was a tad difficult to use. You had to run it from the command line with a URL. Not the most user-friendly way of accessing your favorite web applications! Now, Prism has a graphical user interface (albeit a simple one) and makes it easy to bring web applications to your desktop.

Read more…
© Free Software Magazine, 08/07/08
