Bug In Firefox Prevents Updates For Some Users  

Posted by Mohammad Talha

As I had reported in an earlier post, my Check for Updates option on the Help menu in Firefox 3 was grayed out.


I had a similar problem with Firefox back around version 1.5 and reported it in Bugzilla. I remember nobody being very helpful about it. My report was probably one of many that were consolidated into one report on the same problem. The original post was in December 2005 and it's still basically open, depending on who you listen to in the report's discussion thread. A second Bugzilla thread covers the same bug and attempts to narrow the bug report scope and give it new attention.

The problem appears to be that if a user does not have write access to the directory from which Firefox was installed, then Check for Updates will be grayed out and the user will get no automatic updates. How would such a thing happen? In my case, I installed Firefox 3 from a network share while logged in as Administrator. I would argue that giving a non-privileged user write access to software installation directories is a bad practice. This bug appears on all platforms, not just Windows.

Some users on the Bugzilla thread are arguing that this is proper behavior, but the problem is that it seems not to have been the behavior in the Firefox 2.x generation. Thus the bug would appear to be a regression error. The threadmaster argues that this is proper behavior and that if Firefox 2 did not behave this way (which was also my experience) then that was a bug.

In the meantime I am forced to change to a behavior I don't believe in, either granting my restricted user account write access to the installation directory or reinstalling as that user with a new writeable installation source directory. Not a really big deal, but not the right way to do things.


The Security Question Vulnerability  

Posted by Mohammad Talha

It's common for sites for which you must provide logon credentials to let you set a "security question" that they may ask you in case you forgot your password. An entry on the Securiteam blog challenges the security of this system, at least as it is commonly implemented.

The gist of the challenge is that it's easy to research many of the answers to the stock questions services ask. The blog looks at Windows Live Mail, Yahoo! Mail and GMail. Of those three, only GMail allows you to define your own question, presumably one harder to research (e.g. "What girl did I have a secret crush on in 8th grade?").

The blog also makes the obvious suggestion that you can lie; take an easy question, like "What is your father's middle name?" and make the answer your phone number. There is a hole in this theory: if you can't remember your own user name and password, why would you expect to remember the inaccurate answer you provided to one of these questions?

Still, they make a good point that you need to be careful in choosing a security question. Too easy an answer and a stranger (or, easier, someone who knows you) can steal the account away.


Norton Internet Security 2008  

Posted by Mohammad Talha

Symantec continues to polish and enhance its flagship Norton Internet Security suite. The 2008 edition adds full-scale password and identity management, and its new BrowserDefender technology offers even stronger defense against Web-based attacks. Borrowing a page from Norton 360's playbook, NIS 2008 now offers a built-in, multilayered help system. For the multicomputer home, it now includes a network map and optional remote monitoring of other NIS 2008 installations. Antispam and parental controls remain second-class citizens, present only if you install the optional Add-On Pack.

Microsoft Sets Kill Bits  

Posted by Mohammad Talha

At the request of their ISVs, Microsoft has released kill bit packages for certain versions of HP Instant Support and Aurigma Image Uploader. They have been released as part of a cumulative security update for ActiveX with many other kill bits.

Kill bits are settings in the Windows registry which disable an ActiveX control. When an ISV finds a vulnerability in an ActiveX control they often ask Microsoft to disable that control by making the kill bit available.

This cumulative update was pushed out with this past Patch Tuesday's set of updates, but the update was rated Important, so if your Automatic Updates is set only to apply critical updates you may not have it.

You can apply the update by running Windows Update manually or by downloading and running the appropriate update for your system from Microsoft's Knowledge Base.

For details on the new kill bits and what they kill see the advisories at Aurigma and HP.

Excerpt: A cumulative update disables many faulty ActiveX controls.
