
A group of researchers (from the Computer Engineering and Networks Laboratory in Zurich, Google and IBM) have published the results of a survey of web browser usage, and suggest that Firefox users are more secure than others. They base this on the fact that Firefox users are more likely to have the latest (and most secure) version of their browser. “We believe the auto-update mechanism as implemented within Firefox to be the most efficient patching mechanism of the Web browsers studied. Firefox’s mechanism regularly polls an online authority to verify whether a new version of the Web browser is available and typically prompts the user to update if a new version exists. With a single click (assuming that the user has administrative rights on the host), the update is downloaded and installed.”
Some 83% of Firefox users, the study found, are surfing with the latest version of the browser, compared with 65% of Safari users (that’s Mac and Windows together), 56% of Opera users and a mere 47% of Internet Explorer users. (The study focused on users of both Macs and Windows PCs.) Yet one in six Firefox users don’t update their browser, in spite of this ease of updating. As for the Safari figure, they don’t split Mac and Windows users. Mac users are probably more likely to update to new versions, because of the Software Update mechanism integrated in Mac OS X; Windows users have an updater, but it’s easier to ignore, since it only provides updates for Apple software: Safari, iTunes and QuickTime.
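The update check the study credits, polling an authority and comparing the installed version against the latest one, hinges on comparing versions correctly, which naive string comparison gets wrong (as a string, "2.0.0.9" sorts after "2.0.0.14"). The following is an added example, not code from the study or from Mozilla: a minimal version check against a constructed update manifest, plus the kind of "share of users on the latest version" tally the study reports. The product name, manifest and reported version list are all invented.

```python
import re
from typing import Dict, Iterable, Tuple

# Constructed stand-in for what an online update authority would return.
UPDATE_MANIFEST: Dict[str, str] = {"product": "ExampleBrowser", "latest": "3.0.1"}

# One dotted component: digits, optionally followed by a tag such as "b5".
_COMPONENT = re.compile(r"^(\d+)([A-Za-z].*)?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.0.1' -> (3, 0, 1). A pre-release tag ('3.0b5') adds a -1 so that it
    sorts below the bare release once both tuples are padded to equal length."""
    parts = []
    for comp in text.strip().split("."):
        m = _COMPONENT.match(comp)
        if m is None:
            raise ValueError(f"unparseable version component {comp!r} in {text!r}")
        parts.append(int(m.group(1)))
        if m.group(2):
            parts.append(-1)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to, or newer than b."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))   # '3.0' compares equal to '3.0.0'
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def is_newer(candidate: str, installed: str) -> bool:
    return compare_versions(candidate, installed) > 0


def update_decision(installed: str, manifest: Dict[str, str] = UPDATE_MANIFEST) -> str:
    """'prompt' when the authority advertises something newer, else 'current'."""
    return "prompt" if is_newer(manifest["latest"], installed) else "current"


def share_on_latest(reported: Iterable[str], latest: str) -> float:
    """Fraction of a reported population running the latest version or newer."""
    reported = list(reported)
    current = sum(1 for v in reported if compare_versions(v, latest) >= 0)
    return current / len(reported)


# Constructed sample of versions reported by ten clients.
REPORTED_VERSIONS = ["3.0.1"] * 6 + ["2.0.0.14", "2.0.0.14", "3.0b5", "3.0"]

if __name__ == "__main__":
    print(update_decision("3.0"))                                   # prompt
    print(update_decision("3.0.1"))                                 # current
    print(f"{share_on_latest(REPORTED_VERSIONS, '3.0.1'):.0%} on latest")
```

The padding step matters: without it, tuple comparison would rank the pre-release (3, 0, -1) above the release (3, 0), and a client on a beta would be told it is current.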
Adobe has released a security update for Acrobat Reader and Acrobat Professional, for all platforms, versions 8.0 through 8.1.2 and versions 7.09 and earlier. As the Adobe security advisory says, “A critical vulnerability has been identified in Adobe Reader and Acrobat 8.1.2. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.”
But this is yet another JavaScript vulnerability in Acrobat, and security researchers are questioning why this happens so often. Andrew Storms, director of security operations at nCircle Network Security, quoted on Computerworld, said, “With this many JavaScript bugs in Acrobat, one begins to ask questions. Why would a full, thick application like Acrobat need to be using JavaScript, especially when JavaScript in the browser has historically been a target for hackers? And since JavaScript has been a target for so many years, why hasn’t Adobe flushed out these vulnerabilities already?”
It’s true that Acrobat is regularly updated for security reasons; perhaps more so than it should be. But with PDFs offering more advanced features (such as links to websites), it’s probably no surprise that vulnerabilities are being turned up.
Mac users certainly don’t need to use Acrobat, since Preview, the tool included with Mac OS X, performs most of the actions that one needs when viewing PDFs. However, Acrobat Pro is needed for advanced PDF creation. While Mac OS X can create PDFs from any document, there are few options available to refine and slim these files.
So if you use Acrobat, make sure to download this latest update. With the ease at which people download and open PDF files from the web, this is one program that you want to be sure of.
Users of the alternative (read: free) office suite, OpenOffice.org, should download the latest version of the suite, 2.4.1. This version corrects a flaw in versions 2.0 to 2.4 that can allow malicious users to “execute arbitrary commands on the system with the privileges of the user running OpenOffice.org.”
Microsoft has released Microsoft Office 2008 for Mac Service Pack 1, a major update to Office 2008, which also contains some security fixes that Microsoft says are critical. In Microsoft’s security bulletin describing the issues, the company says:
“This security update resolves several privately reported vulnerabilities in Microsoft Word that could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
Whatever the vulnerabilities, the effects could be disastrous. It is rare that we see something that could allow attackers to create new accounts, install programs, and delete data. It is strongly recommended that you install this update immediately.
But the security fixes are not just for Office 2008. They cover Office 2004, as well as just about every version of Office for Windows. You can download the Office 2008 update here; it’s 180 MB. The Office 2004 update is here; it’s only 9 MB.
Adobe has issued a security bulletin regarding security updates to “Adobe Reader 8.1.1 and earlier versions Adobe Acrobat Professional, 3D and Standard 8.1.1 and earlier versions.” These programs have critical vulnerabilities that could “cause the application to crash and could potentially allow an attacker to take control of the affected system”. A total of eight vulnerabilities are fixed in these updates, and you can download them from the security bulletin page linked above.
Facebook is currently the most popular social networking site on the Internet. With the ability to find friends, communicate with them, and play games, the site can be addictive. But the BBC’s program Click this week showed that your personal information - the information in your Facebook profile - can be harvested easily by applications you choose to add to your profile.
It turns out that when you allow an application to access your personal information - something that many applications require - that application can get at not only your information, but that of your friends, without their knowing it, and in spite of their security settings.
The Click team created a simple application that could masquerade as a game or a test.
“We wrote an evil data mining application called Miner, which, if we wanted, could masquerade as a game, a test, or a joke of the day. It took us less than three hours.
But whatever it looks like, in the background, it is collecting personal details, and those of the users’ friends, and e-mailing them out of Facebook, to our inbox.
When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes information you have on your friends even if they think they have tight security settings.
Did you know that you were responsible for other people’s security?”
The solution? Alas, there is none for now. The only thing you can do is make sure that you don’t include, in your Facebook profile, information that you don’t want non-friends to find out about. Or, as the Click team says, “In fact, the only way we can see of completely protecting yourself from applications skimming information about you and your friends is to erase all the applications on your profile and opt to not use any applications in the future.”
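The problem Click describes is an authorization one: a grant made by the user who installs an application is applied to that user's friends as well, so the friends' own settings never get consulted. The following is an added toy model, not the Click team's Miner application and not Facebook's code: three constructed users (names and values invented), a flawed access rule that applies the installer's grant transitively, the hardened rule that releases a friend's field only if that friend exposed it, and an audit helper that lists what the flawed rule would have leaked.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Profile:
    name: str
    fields: Dict[str, str]
    friends: Set[str] = field(default_factory=set)
    # Fields this user permits applications installed by *friends* to read.
    # A user with "tight" settings leaves this empty.
    exposed_to_friends_apps: Set[str] = field(default_factory=set)


# Constructed users; every name, address and value here is invented.
USERS: Dict[str, Profile] = {
    "alice": Profile("alice",
                     {"email": "alice@example.invalid", "hometown": "Zurich", "birthday": "1980-01-01"},
                     friends={"bob", "carol"}, exposed_to_friends_apps={"hometown"}),
    "bob": Profile("bob",
                   {"email": "bob@example.invalid", "hometown": "Bern", "birthday": "1979-05-05"},
                   friends={"alice"}, exposed_to_friends_apps=set()),
    "carol": Profile("carol",
                     {"email": "carol@example.invalid", "hometown": "Geneva", "birthday": "1985-09-09"},
                     friends={"alice"}, exposed_to_friends_apps={"hometown"}),
}


def _project(profile: Profile, fields: Set[str]) -> Dict[str, str]:
    """Return only the requested fields that the profile actually has."""
    return {f: profile.fields[f] for f in sorted(fields) if f in profile.fields}


def app_view_flawed(users: Dict[str, Profile], installer: str, granted: Set[str]) -> Dict[str, Dict[str, str]]:
    """Flawed rule: the installer's grant is silently applied to every friend's
    profile too, so friends' settings are never consulted."""
    view = {installer: _project(users[installer], granted)}
    for friend in sorted(users[installer].friends):
        view[friend] = _project(users[friend], granted)
    return view


def app_view_hardened(users: Dict[str, Profile], installer: str, granted: Set[str]) -> Dict[str, Dict[str, str]]:
    """Hardened rule: the installer consented to the grant, but a friend's field
    is released only if that friend exposed it to friends' applications."""
    view = {installer: _project(users[installer], granted)}
    for friend in sorted(users[installer].friends):
        allowed = set(granted) & users[friend].exposed_to_friends_apps
        data = _project(users[friend], allowed)
        if data:
            view[friend] = data
    return view


def leaked_fields(users: Dict[str, Profile], installer: str, granted: Set[str]) -> List[Tuple[str, str]]:
    """Audit: (friend, field) pairs the flawed rule releases that the friend
    never permitted, i.e. the difference between the two views."""
    flawed = app_view_flawed(users, installer, granted)
    hardened = app_view_hardened(users, installer, granted)
    leaks = []
    for friend in users[installer].friends:
        for f in flawed.get(friend, {}):
            if f not in hardened.get(friend, {}):
                leaks.append((friend, f))
    return sorted(leaks)


if __name__ == "__main__":
    grant = {"email", "hometown", "birthday"}   # what the "game" asks alice for
    print("flawed  :", app_view_flawed(USERS, "alice", grant))
    print("hardened:", app_view_hardened(USERS, "alice", grant))
    print("leaked  :", leaked_fields(USERS, "alice", grant))
```

Note that the hardened rule does not need to be stricter with the installer, who agreed to the grant; it only refuses to let one user's consent stand in for another's.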
To learn more about this, watch this segment of Click on the program’s website.