Posted 10/28/09 at 02:35:12 PM by Bart Salisbury

Clearly there is nothing that hackers won’t go after in the attempt to monkey about with your computer’s innards. Any opening, no matter how insignificant, needs to be closed before it can be exploited. With this in mind Mozilla today released an update to Firefox, upping its version to 3.5.4, that patches 16 weaknesses, eleven of which are critical.

Hackers were busy on the obvious: the browser engine, JavaScript, and open-source media libraries; as well as the less obvious: the GIF color map parser and the string-to-number converter. In its security advisory, Mozilla reports: “Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.”

Mozilla notes that the JavaScript vulnerabilities can cause browser crashes. Those not able or unwilling to upgrade are recommended to turn JavaScript off.

If you’re still hanging out in Firefox 3 you’ve also got a security patch waiting for you. Version 3.0.15 was released, addressing nine problems, four of which Mozilla tagged as critical.

Read More

Posted 08/27/09 at 03:30:20 PM by David Murphy

It sounds like Buzzword Bingo, but a new Mozilla Labs project is applying an open-source, crowd-sourced routine to solve common Web developer issues. The program's called TestSwarm, and I must confess, it's a novel idea for increasing a developer's ability to test out new JavaScript framework on a variety of browsers at once. And the fact that this an open-source project is cooler still: Aspiring testers can load the framework onto their own servers and set up their own test

TestSwarm was developed by one of the Mozilla Foundation's JavaScript Tool Developers, John Resig, to deal with the scalability issues that factor into JavaScript code testing. To Resig, the proper testing platform includes at least five different browsers split into 12 total versions per operating system. Although he doesn't go into this length in his example, you should triple that number to factor in the Windows XP, Windows Vista, and Windows 7 operating environments.

Factor these (now) thirty-six tests against an average of ten test suite iterations--a minimum number of variances that Resig runs in a common jQuery testing environment. That's three hundred and sixty runs for every test you create, more if you're expanding to include OSX and Linux platforms. And did I mention that the best results tend to occur when actual human beings are behind the testing instead of some automated attempt at user interaction? Yeaaaah...

So how did Resig address this grand problem of JavaScript testing scalability? You should know--you're a part of the solution, after all. Click the jump.

Read More

Posted 07/22/09 at 10:21:00 AM by Paul Lilly

Think your browsing history is secure from prying eyes so long as you never leave your PC unattended? Think again. A new site, Web2.0collage.com, digs through your browser's history and then constructs a collage of the web2.0 websites that you've visited.

"Web2.0collage.com mixes art and technology to raise privacy concerns," the site states on its homepage. "Many of us consider our browser history to be private, but that is no longer the case. Any website you visit can determine your browser history by exploiting the very features designed to enhance your Internet experience, a fact many people are not aware of."

Web2.0collage.com works its artistic magic by using JavaScript and them assembling the pieces together in a collage of thumbnails. What you do with it is up to you -- the site links to Zazzle.com to give you some ideas -- but if you're concerned about who's snooping your browser history, you should probably start by clearing your cache.

Read More

Posted 07/15/09 at 07:21:58 PM by Pulkit Chandna

Mozilla has confirmed the presence of a critical vulnerability in Firefox 3.5. The vulnerability is nestled in the browser’s Just-in-time (JIT) JavaScript compiler – part of the new TraceMonkey engine – and can be used to execute malicious code. Hackers may lure gullible Firefox 3.5 users to websites containing code meant to exploit the flaw. While Mozilla burns the midnight lamp in finding a solution, you can simply disable the JIT. However, it must be noted that disabling the JIT will have an adverse effect on JavaScript performance. 

Read More

Posted 07/15/09 at 01:30:11 PM by Paul Lilly

According to Mozilla, a bug was discovered last week in Firefox 3.5's Just-in-Time JavaScript compiler and was disclosed publicly on Monday. Mozilla classifies the vulnerability as "critical," saying it can be used to execute malicious code. More specifically, by exploiting the bug, a hacker could trick a victim into viewing a malicious website containing the exploit code.

"This vulnerability is due to an error in the way JavaScript code is processed," the US-CERT acknowledged. "Exploitation of this vulnerability may allow an attacker to execute arbitrary code. Additionally, exploit code is publicly available for this vulnerability."

While Mozilla said it is currently working on a fix, Firefox 3.5 users don't have to be sitting ducks. Mozilla says the vulnerability can be mitigated by disabling the JIT in the JavaScript engine, which you can accomplish by doing the following:

1. Enter about:config in the browser's location bar
2. Type jit in the Filter box
3. Double-click the line containing javascript.options.jit.content and set the value to false 

Mozilla warns that this is a temporary fix and will reduce JavaScript performance. Once an official fix has been put in place, you'll want to go back in and change the value back to true.

If you'd rather not mess around with about:config settings, you can still disable JIT by running Firefox in Safe Mode, which is accessible from the Mozilla Firefox folder.

Read More

Posted 07/01/09 at 12:45:58 PM by David Murphy

Happy day-after-Firefox-release day.  If you're one of the 3.2 million Americans to download the latest release of the browser as of this column's writing, congratulations.  You, like your peers, have recognized the value of upgrading to faster and better technology products!  If that sounds weird, that's the point.  It should.  According to Net Applications, around twenty percent of users (out of a survey sample of around 160 million people) still use an older version of a Web browser, be it Internet Explorer 6, Firefox 2, or either Safari 3.1 or 3.2.  You are not among them; I salute thee.

You've probably read a lot of marketing in the last 24 hours about how fast, awesome, and packed-full of features the new Firefox 3.5 release is.  Since you've had a chance to play with the release candidate of this latest upgrade starting in early June, this shouldn't come as much of a surprise.  But let's cut through the press release and examine the real facts: Just how much faster is Firefox 3.5 over its browser brethren?  Has Mozilla's newest TraceMonkey JavaScript engine delivered a princess or a barrel?

Click the jump to access the contents of this article 35 percent faster.

Read More

Posted 04/14/09 at 06:47:08 PM by Mark Edward Soper

Over Easter weekend, many Twitter fans were getting worms instead of finding Easter Eggs, as the developer of a rival microblogging site (StalkDaily), one 17-year-old Michael "Mikeyy" Mooney, was busy drawing Twitter users to his site through infected links and Twitter profiles. According to PCWorld and the Twitter status page, the infection has now been brought under control. But inquiring minds want to know, "what happened?" and "how can we stop a future attack?" 

Doing a Google search for "Mikeyy" or "TwitterWorm" isn't the best way to find out, though, as the F-Secure security blog points out that fake news sites are being used to infect curious searchers with (unrelated) malware. To get the real scoop, join us after the jump.

Read More

Posted 03/29/09 at 04:12:09 PM by Justin Kerr

Javascript rendering speed has been the ammunition of choice in the browser wars, but as most users know, the vast majority of Javascript based web applications aren’t particularly taxing. With most having been designed with IE7 in mind, the vast majority of  web apps only scratch the surface of what is possible. But to prove that Javascript is the wave of the future, Google has launched a new site called Chrome Experiments. Using the tag line “Not your mother’s Javascript” Google is showcasing everything from Gravity simulations, to complex Raytracing Canvas’s all inside your browser of choice.

The vast majority of these worked great in my testing with next generation browsers such as Firefox 3.1, as well as Safari 4 & Chrome 2, but IE8 was having a tough time until I shifted it into compatibility mode. According to Google “While it is possible to run these examples in other browsers, the fact that developers optimized the code for Chrome's V8 engine make them run slower (or not at all)”. The Raytracing test is an excellent benchmark for Javascript performance, and will even give you feedback on rendering time for those who want to do their own browser comparisons. Many of the applications are more proof of concept then useful, but it certainly does give us hope for the future of cloud computing. The more powerful the platform gets however, the more prone to exploits it is likely to become. Anyone else remember how exciting the ActiveX days were until hackers crashed the party?

Do you think the smoke and mirror show will help Chrome’s adoption rate?

Read More