Nellie2

Personal Ramblings on a Security Theme



Category: browser


Browser Security Test

24 February, 2008 (22:22) | Security, browser | By: Nellie2

I found this Browser Security Test site. I ran my browser through it and came up with these results…. phew!
There is some comprehensive and easy to understand information about each vulnerability that is tested.. depending on your browser.

Remember though.. each browser has different vulnerabilities.. and more are discovered or exploited every day.  Just because you may pass this test today… doesn’t mean that you can let your guard down tomorrow!  And regardless of what anyone may tell you.. all browsers are vulnerable to something, there is no such thing as a totally impervious browser.

Firefox Update to v2.0.0.9

3 November, 2007 (19:20) | Updates, browser | By: Nellie2

I’ve had a bad cold which finally got the better of me yesterday, so I didn’t get to tell you about the latest update to Firefox.  If you use Firefox and it hasn’t already prompted you to download and install the update then you can do it manually by opening Firefox and going to Help > Check For Updates.

This is a stability update that corrects several issues that were found in the previous version of Firefox.

Another Scam - IE Defender

31 October, 2007 (23:52) | Internet, Security, browser | By: Nellie2

This one isn’t defending you against anything. It’s basically a browser hijack that will redirect searches that you enter into Google or Yahoo. Of course you will be told that your computer will keel over and die a horrible death if you don’t download and install (and pay for) IE Defender.

It’s a SCAM!

Once again the folks at Bleeping Computer have posted a great self help removal guide.

Update: IE Defender Defends Itself and links to more help with removing it.

RealPlayer Patched

21 October, 2007 (17:15) | Security, Updates, browser | By: Nellie2

I reported yesterday about the zero day exploit affecting RealPlayer and Internet Explorer.. looks like the exploit has been patched already.

You can grab the information and download the patch here

Real Player and ActiveX Vulnerability

20 October, 2007 (16:41) | Microsoft, Security, Trojans/Virus's & Nasties, browser | By: Nellie2

Symantec have warned of an exploit that takes advantage of an unpatched RealPlayer vulnerability. This problem affects an ActiveX object in the RealPlayer component ierpplug.dll.

The malicious .html page checks several versions of RealPlayer to determine if the installed application is vulnerable. If it is, the attacker can potentially take control of the computer. Trojan.Reapall, the sample we received, successfully exploits this RealPlayer vulnerability and downloads and executes a copy of Trojan.Zonebac.  Additionally, when the vulnerability is successfully exploited, the clip named “videotest” from the “My Library” folder, available in standard installations of RealPlayer, will be played.

If you have RealPlayer installed then just visiting the malicious web page will put your computer at risk; you don’t need to have RealPlayer running.

Until a patch is released there are some measures you can take to reduce the risk of infection.

  • Set the kill bit on the Class identifier (CLSID) FDC7A535-4070-4B92-A0EA-D9994BCC0DC5 (see instructions here: http://support.microsoft.com/kb/240797)
  • Ensure that all Microsoft Internet Explorer clients are configured to prompt before executing Active Scripting. If Active Scripting is not required it should be disabled completely.
  • Ensure that all Microsoft Outlook and Outlook Express clients are configured to either display all incoming email in plain text format, or that HTML email messages are opened in the Restricted sites security zone.
  • Ensure that antivirus software is up to date.
  • As most vulnerabilities of this nature rely on JavaScript to carry out exploitation, customers are advised to disable JavaScript whenever possible.
  • Always execute Web browser software as a user with minimal system privileges.
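
The first mitigation in the list, as an added example (not part of the original post or of the Symantec advisory): a PowerShell script that checks whether the kill bit is already set for that CLSID and sets it if not. The registry location and the 0x400 "Compatibility Flags" value are the ones described in the Microsoft KB article linked above; the script name Set-KillBit.ps1 is hypothetical.

```powershell
# Set-KillBit.ps1 (hypothetical name): audit and set the IE kill bit for one ActiveX CLSID.
# Save as a script and run from an elevated prompt; add -WhatIf to preview without writing.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # CLSID named in the advisory quoted above
    [string]$Clsid = '{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}'
)

$KillBit = 0x400   # flag that stops Internet Explorer from instantiating the control

# Native registry view, plus the 32-bit view that 32-bit IE reads on 64-bit Windows
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) }

foreach ($root in $roots) {
    $key = Join-Path $root $Clsid

    # Read the current flags, if the key and value already exist
    $current = 0
    if (Test-Path $key) {
        $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($prop) { $current = [int]$prop.'Compatibility Flags' }
    }

    if (($current -band $KillBit) -eq $KillBit) {
        Write-Output "Kill bit already set: $key"
        continue
    }

    if ($PSCmdlet.ShouldProcess($key, 'Set kill bit (0x400)')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so any compatibility flags already present are preserved
        $new = $current -bor $KillBit
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
        Write-Output ("Kill bit set: {0} (flags 0x{1:X8})" -f $key, $new)
    }
}
```

Running it a second time should report "Kill bit already set" for each registry view, which doubles as a quick audit on other machines.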

Firefox 2.0.0.8 Released

19 October, 2007 (22:25) | Internet, Updates, browser | By: Nellie2

Firefox 2.0.0.8 was released today. There are a few security fixes, support for Mac OS X 10.5 and updated language support.

Your browser should ask you to update automatically… however, having said that, my Firefox hasn’t asked to update yet. In which case all you need to do is go to Help > Check For Updates. You will then be prompted to download the update and run it.

Happy Surfing!

Password Hasher - Firefox Extension

15 October, 2007 (23:18) | Security, browser | By: Nellie2

What good security practice demands:

* Strong passwords that are hard to guess.
* Different passwords at each site.
* Periodically changing existing passwords.

Why you probably aren’t practising good security:

* Strong passwords are difficult to remember.
* Juggling a multitude of passwords is a pain.
* Updating passwords compounds the memorization problem.

How Password Hasher helps:

* Automatically generates strong passwords.
* One master key produces different passwords at many sites.
* Quickly upgrade passwords by “bumping” the site tag.
* Upgrade a master key without updating all sites at once.
* Supports different length passwords.
* Supports special requirements, such as digits and punctuation.
* Supports restricting a hash word to not use special characters. (New!)
* Saves all data to the browser’s secure password database.
* Generates a portable HTML page with your site tags and option settings that allows you to generate your hash words in any browser on any machine without the extension installed. (New!)
* Can add marker buttons to unmask passwords on any web site. (New!)
* Extremely simple to use!

Password Hasher 1.0.4 download

I like to use KeePass to generate and store my passwords, but if you wanted a browser extension for this sort of thing then Password Hasher will do the job nicely.

Internet Explorer 7 Ooops!

12 October, 2007 (20:50) | Microsoft, Security, browser | By: Nellie2

Back in June this year, Mozilla issued a security update that fixed a flaw in Firefox where a malicious website could use the presence of the IE browser on a machine to force Firefox to launch just about any installed application. All the hacker needed to do was to convince you, the user, to click on a particular type of link.

At the time, Microsoft said that this particular problem was not the result of a vulnerability in a Microsoft product.

On Wednesday of this week, Microsoft issued a Security bulletin that more or less states that ‘Ok.. there may be a bit of a problem here’.

Regardless of who is responsible for what… the thing to remember here is that the attack can only happen if the user clicks on a particular type of link… perhaps in an email or a document. Which brings me back to something I was talking about yesterday… Don’t click on stuff in emails unless you are sure it is from a safe source!

There is a much better write up on this story by Brian Krebs at Security Fix