The Mozilla Foundation has released Firefox 10, the latest version of their web browser, which fixes eight vulnerabilities, six of which are rated critical. These include memory corruption issues, cross-site scripting vulnerabilities and more. (See the Firefox security advisory.)
Firefox 10 also features some “powerful new developer tools” for web designers, and a new system for checking add-on compatibility.
The Mozilla Foundation also released Firefox 3.6.26, with patches for five vulnerabilities, because some people are still using the two-year-old version of the program for compatibility reasons.
Users can automatically update their copy of Firefox by launching it, choosing Firefox > About Firefox, and clicking Check for Updates. Alternatively, you can download a copy here, or, for version 3.6.26, here.
The Opera web browser has been updated to fix a high-risk cross-site scripting vulnerability, as well as a low-risk JavaScript issue. Version 11.61 also improves stability. In addition, Opera has added an auto-update mechanism. When launching version 11.60, users see an upgrade notice, and a message indicates that, “You will never have to upgrade manually again, because the newest version of Opera contains an auto-update mechanism.”
Google has updated its Chrome web browser for three high-risk vulnerabilities, bringing the program to version number 16.0.912.77. Google’s release notes point out that one of the bugs, regarding Safe Browsing navigation, “was fixed in 16.0.912.75 but accidentally excluded from the release notes,” so this release mentions four vulnerabilities but actually fixes only three of them.
The Chrome browser auto-updates on Mac OS X, so you don’t have to worry about downloading a new version.
Adobe has released updates to its Reader and Acrobat PDF viewing and editing software to address two critical vulnerabilities that Adobe patched in the Windows 9.x versions of these programs in December, as well as four other issues. These vulnerabilities “could cause the application to crash and potentially allow an attacker to take control of the affected system.”
More information about the update, along with download links, is available here.
It was only three weeks ago that Google updated their Chrome web browser for a number of security flaws. The company has released another update, addressing three high-risk issues, and incrementing the version number to 16.0.912.75. None of these issues are serious enough to lose sleep over, but sometimes even the smallest vulnerabilities can be exploited.
As always, Chrome will update itself, so no need to worry about downloading anything on your own. Full information about the security fixes in the update is available here.
The Electronic Frontier Foundation (EFF) has raised concerns about the latest version of AOL Instant Messenger (AIM), an application used for sending and receiving instant messages on Macs, PCs and portable devices, including iOS devices. According to the EFF:
The new preview version of AOL Instant Messenger raised privacy concerns for us when it was first introduced, first because it started storing more logs of communications and second, because it apparently scanned all private IMs for URLs and pre-fetched any URLs found in them.
The EFF met with AOL to discuss these issues, but in a recent blog post, they said:
…we still recommend that AIM users do not switch to the new version, as it introduces important privacy-unfriendly features.
Mac users may not be aware, but when they use iChat, they are using AOL Instant Messenger. Apple’s iChat uses AOL’s servers to connect Mac users. Here’s a screen shot of the Server Settings tab in iChat’s Accounts preferences; you can see that the server used is an aol.com server:

The biggest privacy issue with the latest version of AIM is that it logs your chats for up to two months, or potentially indefinitely. While this may not be a serious issue for most users, data breaches could allow malicious users to obtain such logs, which might contain personal information, phone numbers, passwords and more. In addition, “your private conversations are now available to, for instance, law enforcement agents with a warrant or a national security letter.” (In other words, be careful what you send by iChat.)
In addition to this, those people you chat with who are not using AIM may not be aware that their chats are being logged. The new AIM will warn users the first time you initiate a chat, if you are using the new version of AIM, and there is an option for the person using the new AIM to turn off logging, but this is unclear and inconsistent. Macworld’s Dan Miller wrote about this recently, pointing out that after he deleted the new version of AIM, these messages persisted, and it wasn’t at all clear whether chats were indeed being logged or not. It seems that once you log into your iChat account with the new AIM, this logging is turned on, and you simply cannot turn it off.
The EFF points out that:
You cannot go “off the record” if you are using an alternative client like iChat or Pidgin, or if you switch back to an earlier version of AIM. And if the other participant in the chat is not using the new AIM, that person cannot toggle the conversation off the record, such that it is not stored by AOL. Finally, there is no off the record mode for the new group chat feature at all. All group chats on AIM will be logged.
Another element of the new AIM is that the program scans all URLs in chats, in order to attempt to embed photos or videos in chat windows. Even if these links don’t lead to photos or videos, they are scanned and stored in logs. Yet this, too, cannot be turned off. The EFF says that, “it does not look like there will be a way to permanently opt out of the link downloading behavior.” In addition, “Since conversations can only be marked ‘off the record’ from inside the new AIM, users of older versions or alternate clients will always be prone to having some of the links they send scraped, even though they won’t see them rendered.”
Finally, the EFF points out that users were not warned about this URL fetching service, and are not given an option to turn it off. As with many such privacy changes, it is best to inform users of what is changing and offer them a chance to opt in to the new features. AOL has not done so, and most users are not aware of what is happening. Users should carefully consider whether they want to install the new AIM. iChat users won’t see any changes on their end, but their contacts who do have the new AIM installed will cause chats with them to be logged.
The EFF’s final verdict is clear: “Because signing onto the new version of AIM permanently changes your account settings to log all conversations to AOL’s servers by default, we recommend that existing AIM users do not upgrade.”