Showing posts with the label security

Firefox Security Issue

Update Oct. 3: A recent article from eWeek suggests that the claimed bug in Firefox may be just a hoax. Naturally the Mozilla folks are taking this seriously until they can absolutely rule out that there is an issue.

====================

Just to be fair, since I have hammered Microsoft quite hard because of their security holes in Internet Explorer (IE), there are new reported security problems with Firefox. The basic issue is related to how Firefox handles JavaScript -- this is one of many areas we have seen exploited in IE too. Despite this, I am still sticking with Firefox for three reasons: 1) Firefox is less of a target by hackers than Microsoft; 2) Firefox has a history of fixing bugs faster than Microsoft; 3) using the Firefox NoScript extension is a much easier way to manage JavaScript access than through the Microsoft security options.

The patch of all patches for Internet Explorer

Today ZDNet and other news agencies reported yet another security hole found in Internet Explorer. For only the third time, a third party has provided an immediate fix, so that users do not have to wait on Microsoft. Microsoft expects to release the fix as part of their monthly "patch Tuesday" distribution, which occurs the second Tuesday of every month. Do not forget we have another patch that is the patch of all patches -- Firefox.

Safer Browsing

Recently I posted about another security issue with Internet Explorer -- Microsoft has since released a patch -- a rare case for Microsoft to release a patch outside their monthly "patch Tuesday" cycle. I also push Firefox fairly hard as an alternative to Internet Explorer. To be fair, Firefox has had as many issues as Microsoft, but it still is a better alternative for two reasons: 1) Firefox does not have the same tight integration to Windows as Internet Explorer, therefore the problems are typically not as severe; 2) Firefox releases fixes much faster than Microsoft. All that aside, if your machine gets a virus, spyware, or other malware from browsing, it is more difficult than ever to remove. So of course you need to be diligent in keeping your browser and operating system (OS) up-to-date, as well as your security applications. If your system is compromised, you might as well just plan on re-installing your OS -- a very time-consuming effort -- and consider yoursel

Internet Explorer Security Issues Affect More Than Just Internet Explorer

As yet another security issue is found in Internet Explorer, it is a good time to remind you that Internet Explorer is used for more than web browsing. A few months back I pointed out how Microsoft Project had problems due to the ActiveX security settings I had set too high. Other such programs are Outlook and Outlook Express. With the latest issue, you could receive an email with embedded code that would exploit your computer. This problem is big enough that Microsoft may actually release a fix outside their normal monthly patch cycle -- they have only done this once -- to fix a problem with their DRM. This problem is big enough that you can actually get a fix from a third party. Perhaps a better fix, in addition to using Firefox (or Netscape) instead of Internet Explorer, is to use an alternate email program such as Eudora or Thunderbird (from the makers of Firefox).

Internet Explorer: Security Fix Breaks Applications, Again

Yesterday my organization announced that they are still unable to get a fix from Microsoft for the security patch MS06-042 from August 15 that broke our ClearQuest web interface for creating queries. The August 15 patch was actually the third release of the MS06-042 patch from Microsoft, as each time they have introduced new problems. The original release of the patch actually introduced security problems. This is the recommendation from my company to fix the problem, "Internet Explorer is the only browser impacted by the Microsoft security patch. The only known workaround at this time is to use one of the other supported browsers; Firefox version 1.5 is suggested."

D-Link Router Vulnerability and UPnP

eEye Digital Research notified D-Link in February of a flaw in their firmware in several of their routers. After six months with no correction, eEye has notified the rest of us. If you have one of these routers, you may want to put some pressure on D-Link to correct this bug. In the meantime, if you turn off Universal Plug-n-Play (UPnP), it will prevent the problem. For that matter, you may want to turn off UPnP whether you have this router or not. UPnP was designed to make it easy for non-technical types to get their router properly configured by software. The problem is that when enabled, any malware running on your PC could change your router settings without you knowing. Steve Gibson and Leo Laporte first discussed the dangers of UPnP in Episode 3 of Security Now in September 2005. Why then do we have UPnP? Microsoft has an article that talks about all the benefits to UPnP here. Regardless of the benefits, turn it off -- Learn to make the manual changes required, so you fully und

Security Ignorance

Are you still using Microsoft Internet Explorer (IE)? If so, then you are what I call security ignorant. eWeek recently published two articles on how Firefox adoption has slowed down and that it will be more difficult for Firefox to grow further. (See "Internet Explorer Loses More Ground to Firefox" and "Firefox 2.0 Beta 1 Is No Slam-Dunk".) Their argument is based on usability, and that Microsoft will release IE 7 as part of a security update. Hmm... that should be a clue right there. Perhaps Firefox is not as familiar as Internet Explorer; perhaps Firefox does not display all of your websites the same as Internet Explorer. I say, so what -- security, which includes your privacy, is more important than having to learn a new browser. And if your favorite website looks different or does not work right -- tell the web master and/or find a new favorite site. I have been using Firefox for some time now, I other than visiting Microsoft.com for some Windows updates

Recap PC World's -- 10 Biggest Security Risks

PC World’s August 2006 issue has a great article on “The 10 Biggest Security Risks You Don’t Know About,” http://www.pcworld.com/reviews/article/0,aid,126083,00.asp. This is a comprehensive article that should scare you enough to ensure your PC is up-to-date with fixes and you have all the necessary protections. The article begins by describing zombie PC attacks. These are unknowing PCs taken over and being used for various crimes, including simply logging your keystrokes to learn your usernames and passwords. They offer the usual tips to avoid this threat: avoid unknown sites and email, be suspicious of email attachments, and use any browser except Internet Explorer. The second risk discussed is having your own sensitive, stolen data available for free on the web. This is really a result of the first issue, with the hackers not securing what they have stolen. Why should they? Additional ways to avoid the original problem include having a personal firewall such as Zone Alarm – a pr

ActiveX Control Change in IE: Release Date and More

Microsoft has made this rather confusing. If you support Windows with Internet Explorer or are a web application developer, read on; if not, skip to the last line. The way I read Security Bulletin MS06-013, the change has already been released, but a patch in IE is keeping it from being active. As quoted in the bulletin, "This Compatibility Patch will function until an Internet Explorer update is released as part of the June update cycle, at which time the changes to the way Internet Explorer handles ActiveX controls will be permanent." This is also taken from the bulletin: Some of the important modifications include the following: Security level for the Internet zone is set to High. This setting disables scripts, ActiveX controls, Microsoft Java Virtual Machine (MSJVM), and file downloads. Automatic detection of intranet sites is disabled. This setting assigns all intranet Web sites and all Universal Naming Convention (UNC) paths that are not explicitly listed in the Loc