Posts Tagged ‘Firefox’

Firefox 9 Released, Up to 30% Faster


Major JavaScript Enhancements Make Firefox Speedy – up to 30% Faster

 

Firefox for Windows, Mac and Linux has new JavaScript enhancements that make Web browsing significantly faster. The latest update to Firefox includes Type Inference, which boosts JavaScript performance and allows rich websites and Web apps with lots of pictures, videos, games and 3D graphics to load and run much faster. Type Inference is a feature of the SpiderMonkey JavaScript engine that integrates with the JaegerMonkey JIT compiler to provide analysis and help generate more efficient code. Firefox with Type Inference is up to 30% speedier on JavaScript benchmarks like Kraken and V8.

Last Release in 2011, More to Come Next Year!

Source: http://blog.mozilla.com/blog


Your Browser Matters


Microsoft launched a website today designed to give users a detailed look at how secure their browser is. The site, called Your Browser Matters, automatically detects the visitor's browser and returns a browser security score on a scale of four points.

When you visit the site, it shows a score for the browser you’re using, provided that browser is IE, Chrome, or Firefox; other browsers are excluded. Not surprisingly, Microsoft’s latest release, Internet Explorer 9, gets a perfect 4 out of 4.

 

Link: Your Browser Matters


Firefox 8 released

Mozilla announced today the official release of Firefox 8.

The built-in search box in Firefox’s navigation toolbar has been extended to support Twitter searches. Users can now select Twitter from the drop-down list of available search engines. Mozilla partnered with Twitter earlier this year to release a special build of Firefox that ties into the social network. The search box integration from that custom build is now part of the official Firefox release.

Another noteworthy user-facing feature in Firefox 8 is stricter control over side-loaded add-ons. Mozilla is cracking down on third-party applications that install add-ons in Firefox without the user’s knowledge or permission.

If Firefox 8 detects side-loaded add-ons when it starts, it will disable them by default and display a prompt asking the user if they want the add-on to be enabled. This will help protect users from invasive toolbars and other unwanted cruft.

In addition to these new browser features, Firefox 8 also has some improvements under the hood. The browser’s HTML rendering engine has gained support for cross-origin resource sharing, a feature that will allow a website to load WebGL textures from other sites. WebSockets also got a boost in this release with an updated implementation that conforms to the latest draft specifications.

Users can download Firefox 8 from Mozilla’s website. The new version will also be rolled out to users through the stable update channel.


Firefox 7 Released – Includes updates for Security, not SSL (BEAST)


Firefox 7 isn't just about speed; there's also a long list of security patches. Surprisingly, a fix for the SSL BEAST attack is not one of them.

Mozilla is patching its Firefox Web browser for at least 10 vulnerabilities, seven of which are rated as being "critical." Firefox 7 was released on Tuesday, offering users the promise of improved performance and better memory usage.

On the security front, the Firefox 7 release provides a critical fix for what Mozilla describes as, "Miscellaneous memory safety hazards."

"Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products," Mozilla stated in its advisory. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code."

There is also a critical fix for an interesting flaw that could have been triggered by having a user hold down the 'Enter' key. By holding down the key, code could potentially be installed without a user's knowledge.

"Mariusz Mlynski reported that if you could convince a user to hold down the Enter key — as part of a game or test, perhaps — a malicious page could pop up a download dialog where the held key would then activate the default Open action," Mozilla warned.

Other critical flaws that are fixed in Firefox 7 include potentially exploitable crashes in WebGL graphics and the YARR regular expression library. Firefox 7 also provides a fix for a high impact flaw where cross-site scripting (XSS) could have been enabled via plugins.

There is also a fix in Firefox 7 for a flaw rated as "moderate" that is triggered by the motion of a device. Mozilla's advisory noted that a recent research paper detailed how it would be possible to infer keystrokes from device motion data on mobile devices.

"Web pages can now receive data similar to the apps studied in that paper and likely present a similar risk," Mozilla warned. "We have decided to limit motion data events to the currently-active tab to prevent the possibility of background tabs attempting to decipher keystrokes the user is entering into the foreground tab."

SSL BEAST

While Firefox 7 addresses multiple security issues, it is not taking specific aim at the recent disclosure of potential SSL vulnerabilities. Overall, Mozilla has publicly noted that they do not believe Firefox to currently be at risk from the SSL BEAST attack.


SSL BEAST – Heavy Security Risk for SSL/TLS (aka HTTPS)

SSL is a critically important part of Internet security and it has come under increasing scrutiny in recent months. Last Friday, a pair of security researchers demonstrated a new attack called SSL BEAST at the ekoparty security conference in Buenos Aires, Argentina. Researchers Thai Duong and Juliano Rizzo leveraged weaknesses in cipher block chaining (CBC) in order to exploit SSL.

"The SSL standard mandates the use of the CBC mode encryption with chained initialization vectors (IV)," the researchers wrote in a white paper detailing their research. "Unfortunately, CBC mode encryption with chained IVs is insecure, and this insecurity extends to SSL."

Duong and Rizzo noted the CBC vulnerability can enable man-in-the-middle (MITM) attacks against SSL to decrypt and obtain authentication tokens.

"The novelty of our attacks lie in the fact that they are the first attacks that actually decrypt HTTPS requests by exploiting cryptographic weaknesses of using HTTP over SSL," the researchers stated.

While the SSL BEAST attack is a cause for concern, there are already technologies in place to help mitigate the risk. For one, the BEAST attack only affects the TLS 1.0 version of SSL and not later versions. One vendor that leverages a non-vulnerable version of TLS is the Tor onion router project, which provides a degree of anonymity and privacy to users.

"Tor uses OpenSSL's empty fragment feature, which inserts a single empty TLS record before every record it sends," the Tor project noted in a blog post. "This effectively randomizes the IV of the actual records, like a low-budget TLS 1.1. So the attack is simply stopped."
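The chained-IV behaviour and the empty-fragment workaround quoted above, modelled in a short added example (not code from Tor, OpenSSL or the researchers). The block cipher is a toy Feistel stand-in for AES, and the class and function names, keys and messages are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16  # cipher block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key, block):
    """4-round Feistel over SHA-256: a stand-in for AES, not a real cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

class ChainedCbcWriter:
    """Toy TLS 1.0-style sender: a record's IV is the previous record's last block."""
    def __init__(self, enc_key, mac_key, first_iv):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.next_iv, self.seq = first_iv, 0

    def _record(self, data):
        seq = self.seq.to_bytes(8, "big")
        body = data + hmac.new(self.mac_key, seq + data, hashlib.sha1).digest()
        pad = BLOCK - len(body) % BLOCK       # 1..16 padding bytes, each of value pad-1
        body += bytes([pad - 1]) * pad
        iv_used = prev = self.next_iv
        out = b""
        for i in range(0, len(body), BLOCK):
            prev = toy_block_encrypt(self.enc_key, xor(body[i:i + BLOCK], prev))
            out += prev
        self.next_iv, self.seq = prev, self.seq + 1
        return iv_used, out

    def send(self, data, empty_fragment=False):
        """Return (IV used for the data record, records put on the wire)."""
        wire = []
        if empty_fragment:                    # mitigation: an empty record goes first
            wire.append(self._record(b"")[1])
        iv_used, record = self._record(data)
        return iv_used, wire + [record]

def data_iv_visible_before_send(empty_fragment):
    """True if the second message's IV was already on the wire before it was sent."""
    w = ChainedCbcWriter(b"k" * 16, b"m" * 20, bytes(BLOCK))  # constructed keys
    _, wire = w.send(b"GET /a HTTP/1.1\r\n", empty_fragment)
    seen = wire[-1][-BLOCK:]                  # last ciphertext block an observer has
    iv_used, _ = w.send(b"Cookie: constructed-value\r\n", empty_fragment)
    return iv_used == seen
```

With plain chaining the function returns True; with the empty record inserted, the data record's IV is the last block of a record that did not exist until the send itself, so it returns False.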

Google's Chrome Web browser has also taken steps to mitigate the risk.

"Chrome has already addressed the issue and the fix on the browser side is quite simple and elegant," ISC SANS security researcher Mark Hofman blogged. "We'll see the other browsers implement something similar over the next few weeks. That doesn't fix the protocol, but it will help address the immediate issue of clients being attacked in this manner."

Google engineer Adam Langley blogged that Google's own servers are also somewhat protected from the SSL BEAST attack since they use a cipher that doesn't use CBC.

While Google has already taken steps to protect its users, Microsoft sees the risk as being low.

"Microsoft is aware of the industry-wide SSL 3.0 / TLSv1.0 issue demonstrated at a recent security conference which we believe presents low risk to our customers and to the Internet," Jerry Bryant, Group Manager, Response Communications, Microsoft Trustworthy Computing said in a statement emailed to InternetNews.com. "Windows 7 and Windows Server 2008 R2 support TLSv1.1 and TLSv1.2 but due to compatibility issues with many web sites, are not enabled by default."

2011 has not been a good year for SSL. SSL has come under fire due to the exploit of a pair of certificate authorities. Both Comodo and DigiNotar were exploited this year, leaving big sites including Google and Mozilla at risk.


Hacking Firefox and Thunderbird addons to work with new versions of Firefox/Thunderbird

Have you ever got used to a Firefox or Thunderbird addon that you really like, or just can't live without, and then a new version of either Firefox or Thunderbird is released, and suddenly your addon no longer works?

Of course, the generally recommended way is to search http://addon.mozilla.org for a new version, but sometimes when you try to update your addons, you find there is no new version, or it seems like nobody is maintaining the addon any more. I tend to live on the leading edge of new Firefox releases: I want the new features, I want the latest, and I want it now, so I quite frequently hit this problem. Fortunately, there is an easy way to keep using your favorite addons, usually with little or no risk.

The summary for those who just want to skim and jump in:

  • Download the addon file you want to update
  • Rename the addon archive file to add .zip to the end
  • Extract install.rdf
  • Edit install.rdf, find and change maxVersion, save the change
  • Pack install.rdf back into the install archive
  • Rename the file back to its original .xpi name
  • Install using File, Open

The detail for those who need all the steps:
You will need only two free tools to help you do this job. The first is the totally free 7-Zip or some other ZIP file management utility, which hopefully you know how to use. The other tool is a simple text editor. Microsoft's Notepad will do, but any other text editor will work if you have any particular preference. My preference is NotePad++, which is a good free programming and general purpose text editor.

A warning is the first important note here: always back up your Firefox or Thunderbird installation directory before doing any "hacking". While a problem is extremely rare, problems can happen, and you will only have yourself to blame if you don't take appropriate precautions before making any unsupported changes. I won't take any responsibility for any problems you inflict on yourself through sharing with you what I do on my own computer(s). It is often a good practice anyway to back up your installation directory before installing any new addon, just because you never really know what can happen, though usually by the time anything is approved and available for public download on http://addon.mozilla.org, it has been fairly well tested by others and proved to be safe. At the very least, before following my tips here, back up your profile and addons directories by making a copy of them to some other location on your disk. If you don't know how to do that, or don't know where your profile and other directories (folders) are, I don't suggest you try my tricks. Read Gizmo's article How to Back up Mozilla Firefox and Thunderbird, in which among other things Gizmo mentions using tools such as MozBackup, which shields you from needing to know how to do it manually.

Once you have taken your backup, the first step is to find the latest version of the addon you want and download a copy to your disk. Remember, at this point you cannot simply click the Install link, because you know the installer will tell you the addon is unsupported for your version of Firefox or Thunderbird, which is more than likely why you are reading this article! Normally, you would click the Install button, but in this case, you want to save the file to disk, so right click on the install (or Add to Firefox / Add to Thunderbird) button, and then click 'Save Link As'. Choose a location on your disk, and make a new folder if necessary. The file you download will be named something like better_gmail_2-0.6-fx.xpi. On rare occasions you may find that when using Firefox, you just can't click 'Save Link As' for some reason. Try a different browser; you may have better luck saving the file when the browser itself is not capable of actually installing the addon.

Having saved the addon, you will need to extract one file named install.rdf from it, make a change, and then pack it back into the file. Since the addon is just a zip file containing all the supporting files necessary for the addon, the easiest way to extract files is to rename the original by changing the .xpi extension to .zip, or by simply adding .zip to the end of the file name temporarily. You will need to extract the install.rdf file from the zip file, edit it, and then put it back in again, so if you're not comfortable with these tasks without me describing them in great detail, don't try. Ask somebody else who is comfortable using zip to extract a file and pack it back in again to help you with this process.

Once you have the install.rdf file extracted, open it with your text editor, and look for lines like the ones listed below. Many addons don't have these lines, so they are not checking for specific versions, and you should not see any incompatibility messages.

    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>1.0</em:minVersion>
        <em:maxVersion>3.0</em:maxVersion>
      </Description>
    </em:targetApplication>

The part you need to change is the line with the maxVersion setting. As long as I am running Firefox 3.0.1, this addon should work for me, but when I upgrade to 3.1, or 4, it will no longer work. The next step is to change the maxVersion setting to at least the version you are currently running; I usually just change it to 9.0, which means I can run any version that will be released for some time to come.

    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>1.0</em:minVersion>
        <em:maxVersion>9.0</em:maxVersion>
      </Description>
    </em:targetApplication>

If your install.rdf looks really weird when you open it, and seems to have just a few lines that look really long, and don't all display on the screen, don't panic. Most likely, the addon programmer has used a Unix or Linux system to create the files, or they have used an editor that does not automatically wrap lines. The Unix or Linux option may be the more likely of the two, and if you don't know what I mean by line termination characters and vi, explaining more would only confuse you even more. Either way, some Windows text editors will know what to do with a non-typical Windows text file, Notepad will not, so if you see just a few long lines, just use Ctrl F, or click Edit, Find, and then type maxVersion. All you need is to find this setting, change it, and save it. Don't worry about the strange file formatting.

After making the change, save the install.rdf file, pack it back into the addon zip archive, and rename it back to its original name ending in .xpi. The last step is to actually install it, and to do this, rather than browsing to http://addon.mozilla.org, simply click File, Open File, select your modified .xpi file and click the Install Now button. At this point, unless you made any mistakes or any other problems were detected during installation, your addon is installed and will be ready for use when you restart Firefox. The procedure is the same for Thunderbird addons.
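The whole procedure as a script, added here as an example and not code from the original post. It edits install.rdf as text, as a text editor would, so line endings and every other file in the archive are left unchanged; the function names and the sample manifest are constructed for illustration.

```python
import io
import re
import zipfile

FIREFOX_ID = "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"  # application id from the post
# Constructed manifest with Unix line endings, like the files the post mentions.
SAMPLE_RDF = (
    '<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"\n'
    '     xmlns:em="http://www.mozilla.org/2004/em-rdf#">\n'
    ' <Description about="urn:mozilla:install-manifest">\n'
    '  <em:targetApplication><Description>\n'
    '   <em:id>' + FIREFOX_ID + '</em:id>\n'
    '   <em:minVersion>1.0</em:minVersion>\n'
    '   <em:maxVersion>3.0</em:maxVersion>\n'
    '  </Description></em:targetApplication>\n'
    ' </Description>\n</RDF>\n')

def build_sample_xpi():
    """Build a constructed two-file add-on archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("install.rdf", SAMPLE_RDF)
        z.writestr("chrome.manifest", "content sample chrome/content/\n")
    return buf.getvalue()

def raise_max_version(xpi_bytes, new_max, app_id=FIREFOX_ID):
    """Return (old maxVersion, repacked archive bytes); only app_id's block is edited."""
    src = zipfile.ZipFile(io.BytesIO(xpi_bytes))
    rdf = src.read("install.rdf").decode("utf-8")
    old = []
    def patch(block_match):
        block = block_match.group(0)
        if "<em:id>" + app_id + "</em:id>" not in block:
            return block                     # a different application: leave untouched
        tag = re.search(r"<em:maxVersion>([^<]*)</em:maxVersion>", block)
        if tag is None:
            return block
        old.append(tag.group(1))
        return block.replace(tag.group(0), "<em:maxVersion>" + new_max + "</em:maxVersion>")

    new_rdf = re.sub(r"<em:targetApplication>.*?</em:targetApplication>", patch, rdf, flags=re.S)
    if not old:
        raise ValueError("install.rdf has no maxVersion for this application id")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():          # copy every other file byte for byte
            same = item.filename != "install.rdf"
            dst.writestr(item, src.read(item) if same else new_rdf.encode("utf-8"))
    return old[0], out.getvalue()
```

Write the returned bytes to a file ending in .xpi and install it with File, Open File as described above.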

As I said, problems are rare, however you don't know everything the programmer did when writing the addon, so monitor everything carefully until you are sure everything is functioning as it should. There may be specific features in different releases of Firefox or Thunderbird being used by the addon programmer which might really make the addon incompatible with a newer release. In general, unless there is a major change, most things should be safe. The real point is, be careful, and keep backups so that you don't have any reason to curse yourself for making the change, and me for telling you how to do it.