
Web Browser Grand Prix 5

 
Three major releases have landed since our last impromptu Web Browser Grand Prix (WBGP4): Chrome 12, Firefox 5, and Opera 11.50. Can Chrome or Opera regain the WBGP championship? Will Mozilla Firefox ever overtake Microsoft's IE9 in the rankings?
If it seems like it was only weeks ago when we were compelled to test the then-new Mozilla Firefox 4 against the reigning Web Browser Grand Prix champion Microsoft Internet Explorer 9 in Web Browser Grand Prix 4: Firefox 4 Goes Final, that's because it was only a few weeks ago.
In an attempt to curb the siphoning of its user base to Google, Mozilla decided to keep pace with the frenetic development cycle of Chrome. Firefox 5 is now a reality. But will Mozilla also keep up with innovation like Google? Furthermore, will a higher integer finally allow Mozilla to overtake arch-rival Microsoft in our performance metrics? Can former speed-kings Chrome and Opera reclaim the dual domination of our WBGP crown, as they did in 2010?
We've tightened up our suite of benchmarks for this article, cutting the fat that was Google's V8 JavaScript Benchmark and the redundant two-pixel variant of the GUIMark2 HTML5 Vector Charting test. We also fleshed it out by adding Facebook's JSGameBench, as well as battery life and reliability testing. But before we get to the benchmarks, let's get caught up on the latest developments in the continuing browser wars.
Opinions:-

The release of Firefox 5 was met with harsh criticism for its apparent lack of anything new. It has been said that Firefox 5 should have been called Firefox 4.1 or 4.2. Or even 4.02.
There is also a growing concern over whether the new rapid release schedule jives with IT departments. Firefox became a viable choice for many companies during the version 2 and 3 days. Mozilla also offers the preferred development platform for most Web designers. Basically, Firefox gained the reputation of being the most stable choice. By mimicking Chrome's development cycle, Mozilla may have shot itself in the foot.
Smack Talk:-

Microsoft took a shot right across the bow of Google and Mozilla by announcing that WebGL is “harmful,” and that IE10 would not be utilizing the specification. Several experts came out in support of Microsoft's assertion, though it should be noted that Redmond may have a dog in this fight with DirectX.

Attacking Mozilla even further, the Internet Explorer development team sent the Firefox development team a cupcake to celebrate the release of Firefox 5. Mozilla also received cakes from Microsoft for the release of Firefox 3 and 4. Full cakes. Obviously, this is in response to the criticism that Firefox 5 is nothing more than a minor update to Firefox 4. The included note read: "Congratulations on shipping! Love, The IE Team". "Congratulations on shipping" might have been in reference to the frequent delays that plagued Firefox 4, which was eventually made available more than six months late. Now that's a classy way to rag on somebody. Not missing a single opportunity to slam its competition, Microsoft also capitalized on the other major criticism of Firefox 5 when an IE developer boasted Microsoft's commitment to IT.
Mozilla shot back with a blog post addressing the IT issue, although in a very non-concrete way:

"We are exploring solutions that balance these needs..."

Not to be outdone, an Opera employee also had this to say in regard to rapid release schedule:

“Despite the version number (11.50), we've packed a lot of new features into it. While other browsers rush to release whole new version numbers with small tweaks, I think we've kept traditional versioning, while simply releasing a little faster.”

Obviously, this comes at an unfortunate time for Mozilla, but one cannot help but wonder if this comment was meant for Google. Opera and Google have gotten into it pretty heavily in the past, and, for a time (before IE9), Chrome and Opera swapped places on a semi-monthly basis in the performance charts.


Mozilla fixes three security issues in its Firefox browser


Mozilla has updated its Firefox web browser, fixing three security issues, two of them critical.

One of the critical issues involved flaws in WebGLES that could be exploited to run malicious code or to bypass a security feature on recent Windows versions, Mozilla explained.
Also, Mozilla fixed a problem with Firefox described as “XSLT generate-id() function heap address leak.” Chris Evans of the Chrome Security Team reported that “the XSLT generate-id() function returned a string that revealed a specific valid address of an object on the memory heap. It is possible that in some cases this address would be valuable information that could be used by an attacker while exploiting a different memory corruption bug, in order to make an exploit more reliable or work around mitigation features in the browser or operating system”, Mozilla said.
Finally, Mozilla developers fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. “Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code”, Mozilla explained.
In addition, Mozilla updated its Thunderbird email client, fixing vulnerabilities in version 3.1.9. Although Mozilla did not identify the security fixes, the Mac Security blog said the “update most likely contains the same fixes as Firefox 3.6, since it uses the same HTML rendering engine.”


Mozilla Put Older & Vulnerable Versions of Java Into Firefox Blocklist


In an official blog post, Mozilla confirmed that it has blacklisted unpatched versions of the Java plug-in from Firefox on Windows in order to protect its users from attacks that exploit known vulnerabilities in those versions. Mozilla said:
"The February 2012 update to the Java Development Kit (JDK) and Java Runtime Environment (JRE) included a patch to correct a critical vulnerability that can permit the loading of arbitrary code on an end-user’s computer. This vulnerability—present in the older versions of the JDK and JRE—is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date. Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms. Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied."
Unlike Google's Chrome browser, which has a feature specifically aimed at disabling outdated plug-ins, Firefox relies on Mozilla developers deciding which plug-ins pose a risk to users. However, users retain the choice of preventing those plug-ins from being disabled. The Firefox blocklist has rarely been used to disable plug-ins from big software vendors like Oracle, but precedents do exist. In October 2009, Mozilla decided to add Microsoft's Windows Presentation Foundation (WPF) plug-in to the Firefox blocklist after Microsoft revealed that it had a vulnerability.




Mozilla Fixed Cross Site Scripting (XSS) Flaws & Released Firefox Version 16.0.2

A serious security hole in Mozilla Firefox has been fixed. Mozilla has announced the availability of Firefox version 16.0.2, an emergency update that addresses a serious flaw in the way the browser treats the Location object. According to the advisory, successful exploitation of this flaw can result in cross-site scripting or code execution. The bug was first discovered by security researcher Mariusz Mlynski, which forced Mozilla developers to release the third emergency fix in a month since the introduction of version 16 of the popular browser.
According to the Mozilla Foundation Security Advisories, Mozilla has fixed a number of issues related to the Location object in order to enhance overall security. Along with Firefox 16.0.2, the security bug has also been fixed in Firefox ESR 10.0.10, Thunderbird 16.0.2, Thunderbird ESR 10.0.10 and SeaMonkey 2.13.2.
Security researcher Mariusz Mlynski reported that the true value of window.location could be shadowed by user content through the use of the valueOf method, which can be combined with some plugins to perform a cross-site scripting (XSS) attack on users. There is also the possibility of gaining arbitrary code execution if the attacker can take advantage of an add-on that interacts with the page content. Security researcher Antoine Delignat-Lavaud of the PROSECCO research team at INRIA Paris reported the ability to use property injection by prototype to bypass security wrapper protections on the Location object, allowing the cross-origin reading of the Location object.
Users running older versions of Firefox are advised to update immediately using the auto-update feature built into the browser.





Mozilla Patches Security Hole In Firefox 10


Mozilla released a security patch that closes eight security holes in Firefox 10. Of those eight vulnerabilities, six are rated critical, which is the company's highest threat rank, and two are considered "high". One of the vulnerabilities fixed in Firefox 10 exposed users to cross-site scripting (XSS) attacks because the browser failed to run security checks on untrusted scripting objects, as stated by the company. The update also fixes other bugs that caused the browser to crash.
According to Mozilla's official website, "The fix enables the Script Security Manager (SSM) to force security checks on all frame scripts." The company also claimed that Firefox 10 has a number of features important for developers. However, for the users there is one noticeable change which is the ability of the browser to mark automatically almost all the add-ons that are compatible with every upgrade.


-Source (Mozilla)


Countdown Begins, Ubuntu 11.10 (Oneiric Ocelot) Will be Available Within Few Hours


It has been six months in the making and has occupied the time of a cast of thousands, and finally the Debian-derived GNU/Linux distribution we have all been waiting for is here. Ubuntu 11.10, the Oneiric Ocelot, is released on October 13th. Finally that day has come, but we need to wait a little longer to feel the 11.10 Oneiric Ocelot.
VOGH talked with the Ubuntu developer team about this release, and according to them:
"Today we release Ubuntu 11.10: Oneiric Ocelot after a busy six months of work. Thank you to everyone who participated in this release and put their brick in the wall. We had many wonderful contributions from developers, testers, translators, authors, advocates, accessibility folks, marketeers, programmers, governors, and more. I am looking forward to seeing the release hit the tubes. :-)
This week I have been in London all week for the release week, and it has been a hectic, but useful week. I also used this week to take advantage of the timezone and hop on the phone with some community members on this side of the pond. Thanks to all those for the calls.
Speaking of this side of the pond, I am excited to be able to go to the London release party which takes place tonight on Thu 13th Oct 2011 from 6.30pm at The Cask Pub at 6 Charlwood Street, Pimlico, London, SW1V 6EE. Thanks to the Ubuntu UK team for putting together the party, and it looks like there will be a great crowd there."

All VOGH readers Please check out the event here and register if you plan on coming so the team has an idea of numbers.

Oneiric Release Schedule
  • June 2nd Alpha 1
  • June 30th Alpha 2
  • August 4th Alpha 3
  • September 1st Beta 1
  • September 22nd Beta 2
  • October 13th Ubuntu 11.10
Oneiric will be the second release of Ubuntu to be made available on the 13th, the last being Ubuntu 5.10 Breezy Badger way back in 2005.

Release Schedule of Ubuntu:-
  • Ubuntu 4.10 20th October
  • Ubuntu 5.10 13th October
  • Ubuntu 6.10 26th October
  • Ubuntu 7.10 18th October
  • Ubuntu 8.10 30th October
  • Ubuntu 9.10 29th October
  • Ubuntu 10.10 10th October

10 of the new features implemented in the Ubuntu 11.10 (Oneiric Ocelot):-
1. Breathtaking login manager (a.k.a login screen or display manager)
2. Lots of Unity launcher, Unity Dash, and Unity panel improvements, including smart application finder when dragging different files, unread counters for Mozilla Firefox, Mozilla Thunderbird, Empathy and Pidgin, and smart search in Dash.
3. Awesome backup tool, called Deja Dup, that will back up and restore all the files (yes, including the hidden ones) in your home folder.
4. Mozilla Thunderbird 7.0 as the default email client (replacing Evolution Mail and Calendar, which has been completely removed from the system).
5. Mozilla Firefox 7.0 as the default web browser!
6. Brand-new ALT+Tab functionality that will work across multiple desktops.
7. Improved office suite - LibreOffice 3.4
8. Easily access various settings straight from the Unity panel, to setup your monitor, bluetooth devices, startup applications, printers, USB devices, and system updates.
9. Simplified and good looking file manager - Nautilus 3
10. Breathtaking Ubuntu Software Center!

-News Source (Ubuntu)



Firefox with Bing By Microsoft & Mozilla



Mozilla has teamed with Microsoft to bring more Bing to Firefox. Mozilla and Bing are pleased to make available Firefox with Bing, a customized version of Firefox that sets Bing as the default search engine in the search box and AwesomeBar and makes Bing.com the default home page.  (Existing Firefox users can also make these changes by installing the Bing Search for Firefox Add-on)
Of course, any user of Firefox can go into the browser's settings and make those changes themselves if they want, and there is even a "Bing Search for Firefox" add-on that will do the same. But many users don't mess with their settings too much, which is why Google (the usual default for Firefox) is the most widely used search engine among Firefox users. Google competes with Bing on the search side and Google's Chrome browser competes with Firefox. Microsoft, of course, makes a Firefox rival in Internet Explorer. Mozilla, in a blog post, said that "nearly 20 customized versions of Firefox" are available from its partners, including Bing, Yahoo (which now uses Bing to power its search as well), Twitter and Yandex.




Firefox Ver 6.0 is Now Available (With Lots of New Features)

Mozilla released Firefox v6.0 on the 16th of August. To learn what is new in this version, check the following.

What’s New in Firefox 6.0:-

The latest version of Firefox has the following changes:
  • The address bar now highlights the domain of the website you're visiting
  • Streamlined the look of the site identity block
  • Added support for the latest draft version of WebSockets with a prefixed API
  • Added support for EventSource / server-sent events
  • Added support for window.matchMedia
  • Added Scratchpad, an interactive JavaScript prototyping environment
  • Added a new Web Developer menu item and moved development-related items into it
  • Improved usability of the Web Console
  • Improved the discoverability of Firefox Sync
  • Reduced browser startup time when using Panorama
  • Fixed several stability issues
  • Fixed several security issues

To see the official press release from Mozilla, check the following link:
http://www.mozilla.com/en-US/firefox/6.0/releasenotes/

-News Source (Mozilla) 


Metasploit declared $5,000.00, in 5 weeks for exploits Bug Bounty program


If you've got a way to crack Google Chrome, the Metasploit team wants to pay you for it. Today Rapid 7 announced that it has a total of $5000 in cash to reward to contributors who send in exploits for its Top 5 or Top 25 vulnerability lists. The exploits have to be submitted, and accepted, as modules under its standard Metasploit Framework license. 
Cash for bugs is a controversial but common way for security firms to encourage hackers to send exploits to the white hats. As far as Bug Bounty programs go, Metasploit's program is meager. But for an open source program that relies on contributions sent in for free, it's an interesting experiment. The program will end quickly, lasting only five weeks (July 20). One fun thing that the team is doing is letting people stake a claim to their exploit of choice from their Top 5 (prize is $500) or Top 25 (prize is $100) lists. After claiming an exploit, hackers get a week to submit their Metasploit module for their chosen bug. The prize money will "only be paid out to the first module contributor for a given vulnerability," the Metasploit team says.
And guess what? Denial of Service exploits won't qualify. Metasploit wants your bug to be able to do more than that. It should also bypass ASLR/DEP when applicable and be geared toward English-based targets. Metasploit wants hackers to follow its hacking guidelines and they cannot be residents of a US embargoed country.
All accepted submissions will not only win a bit of cash but their submissions will be made available to other Metasploit users, again under the Metasploit Framework license (3-clause BSD).
As I look at the list of 30 possible exploits while writing this blog post, I see that only two have been claimed so far. CVE/ZDI 2011-1218, Lotus Notes - Autonomy Keyview (.zip attachment), and an exploit not listed in the CVE database, known as "DATAC RealWin On_FC_CONNECT_FCS_LOGIN packet containing a long username." So plenty of room for participants remains.
The cash-for-bugs program is interesting, but the list of vulnerabilities for which Metasploit is seeking help is even more so.

The Top 5 are for specific holes in ...
  1. Google Chrome (before 11.0.696.71)
  2. Lotus Notes
  3. IBM Tivoli Directory Server
  4. DNS
  5. GDI
In the Top 25, the entries on the list that caught my eye include holes in JScript, VBScript Scripting Engines, JBoss, Oracle VM and Citrix, among others. (Yes, browsers are in there, too, including Firefox, Chrome and Opera).
Of course, if you do have a killer bug, particularly for some of the browsers like Firefox or Chrome, you can perhaps earn more than $100 for it. Mozilla's Bug Bounty program pays up to $3000 cash reward and you get a Mozilla T-shirt. For web applications or services related security bugs, Mozilla pays from $500 to $3,000. In January, Google plunked out what was then a record reward, $3,133, to a hacker for reporting a flaw in Chrome. (Google raised its bug bounty fee about a year ago, from $1,337 after Mozilla bumped up its reward rate to $3,000).
TippingPoint, known as one of the founders of the bug bounty concept, not only pays cash (as much as $5,000 for your zero-day), but it also awards bonus points in a scheme more complicated than an airline mileage rewards program. Participants earn points for referring others into the program, for each zero-day they submit and so on. These points gain you bonuses for your hacks, and other goodies like all-expense-paid trips to hacker conferences like Black Hat.
Who knew hacking could be so rewarding?


Mozilla Firefox 8 Released With More Add-on Control Features


Mozilla announced today the official release of Firefox 8, a new version of the popular open source Web browser. The modest update introduces a few new features and brings a number of minor improvements to the browser’s underlying HTML renderer. From version 8, when Firefox launches and detects that a new third-party add-on has been installed, the add-on will be disabled by default until approved by the user. When users upgrade to Firefox 8, they will be presented with a one-time dialog for approving previously installed add-ons. Another noteworthy user-facing feature in Firefox 8 is stricter control over side-loaded add-ons. Mozilla is cracking down on third-party applications that install add-ons in Firefox without the user’s knowledge or permission. Such add-ons have caused serious problems for users in the past—like the notoriously buggy Skype toolbar which Mozilla had to remotely disable earlier this year when it caused 33,000 Firefox crashes in one week.





DigiNotar Certificate Vulnerability Patched in Firefox 6.0.2



Firefox 6.0.2 has just come out, adding more protection to that provided by Firefox 6.0.1, which was necessitated by the mess caused by disgraced Dutch web security company DigiNotar.
Firefox 6.0.1 fixed Mozilla Foundation Security Advisory 2011-34, which simply pulled everything to do with DigiNotar from its list of trusted certificates. Loosely speaking, any certificate signed by DigiNotar, or any certificate signed by someone with a certificate signed by DigiNotar, and so on ad infinitum, was blown out of the water.
Any website with a certificate bought through DigiNotar therefore became untrusted at once. As Mozilla quite bluntly explained in the 6.0.1 update, "sites using certificates issued by DigiNotar will need to seek another certificate vendor." And that's how it should be. A Certificate Authority isn't supposed to make mistakes of this sort - not at all, let alone to this extent.
However, Firefox 6.0.1 exempted from its blockade any certificates signed by the Dutch State itself using its STAAT DER NEDERLANDEN ROOT CA signing certificate. Although tainted by association with DigiNotar, the Dutch public service was apparently convinced that none of the certificates it had issued were affected by any signing irregularities at DigiNotar.
It turned out that the Dutch authorities had not one, but two, Certificate Authorities of their own, and the second root certificate - imaginatively named STAAT DER NEDERLANDEN ROOT CA - G2 - was not exempted in Firefox 6.0.1. This was reported as a bug, and Mozilla set about adding an additional exemption for certificates signed by this CA. This would have reduced the impact of the Firefox certificate blockade on the web services provided by the Dutch authorities.
In the interim, however, the Dutch government abandoned trust in any of its own certificates, so the Firefox bugfix changed from "exempt the government CA we left out last time" to "remove the exemption for the government CA we exempted last time."
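The policy change described above, as an added example (not Mozilla's code and not part of the original article): a simplified Python model in which a chain is a list of issuer names and is tainted when any issuer name contains "DigiNotar". The chain contents, the intermediate names and the name-matching rule are assumptions made for illustration; only the two root names come from the article.

```python
from dataclasses import dataclass

# Name fragment that marks an issuer as tainted (modelling assumption:
# real validation builds and checks chains cryptographically).
DISTRUSTED_MARKER = "diginotar"

# Root names as given in the article.
ROOT_G1 = "STAAT DER NEDERLANDEN ROOT CA"
ROOT_G2 = "STAAT DER NEDERLANDEN ROOT CA - G2"


@dataclass(frozen=True)
class Policy:
    label: str
    exempt_roots: frozenset  # roots whose chains survive the blockade


# The three states of the blockade the article walks through.
POLICY_6_0_1 = Policy("Firefox 6.0.1", frozenset({ROOT_G1}))
POLICY_G2_BUGFIX = Policy("planned G2 exemption", frozenset({ROOT_G1, ROOT_G2}))
POLICY_6_0_2 = Policy("Firefox 6.0.2", frozenset())

# Constructed sample chains: issuer names ordered from the leaf's issuer
# up to the root. None of these are real certificate subjects except the
# two roots named in the article.
CHAINS = {
    "commercial": ["DigiNotar intermediate (constructed)",
                   "DigiNotar root (constructed)"],
    # "signed by someone with a certificate signed by DigiNotar"
    "reseller": ["Reseller sub-CA (constructed)",
                 "DigiNotar intermediate (constructed)",
                 "DigiNotar root (constructed)"],
    "gov_g1": ["DigiNotar government intermediate (constructed)", ROOT_G1],
    "gov_g2": ["DigiNotar government intermediate G2 (constructed)", ROOT_G2],
    "unrelated": ["Example intermediate (constructed)",
                  "Example root (constructed)"],
}


def is_tainted(chain):
    """True if any issuer anywhere in the chain is DigiNotar-related."""
    return any(DISTRUSTED_MARKER in name.lower() for name in chain)


def is_trusted(chain, policy):
    """Apply the blockade: tainted chains fail unless their root is exempt."""
    if not chain:
        return False  # fail closed on an empty chain
    if not is_tainted(chain):
        return True
    return chain[-1] in policy.exempt_roots


def verdicts(policy, chains=CHAINS):
    """Trust verdict for every sample chain under one policy."""
    return {name: is_trusted(chain, policy) for name, chain in chains.items()}


def policy_diff(old, new, chains=CHAINS):
    """Names of chains whose verdict changes between two policies."""
    before, after = verdicts(old, chains), verdicts(new, chains)
    return sorted(name for name in chains if before[name] != after[name])


if __name__ == "__main__":
    for policy in (POLICY_6_0_1, POLICY_G2_BUGFIX, POLICY_6_0_2):
        print(policy.label, verdicts(policy))
    print("6.0.1 -> 6.0.2 changes:", policy_diff(POLICY_6_0_1, POLICY_6_0_2))
```

Running the same diff before and after any trust-store change shows which chains an update will break, which is the impact the exemption debate was about.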
Let's see whether this fiasco causes the Dutch authorities to reconsider modern public service buzzwords such as "cloud" and "outsourcing"!
This sort of step - vigorously disowning everything tainted by DigiNotar - is aggressive but, in my opinion, necessary. Getting into a certification relationship with company X is like buying shares in company X. If the price goes down, all shareholders lose out simultaneously. If the company goes down, you go down with it.  
Brief About DigiNotar :- 
DigiNotar is the former Certificate Authority - or so-called "authority" - which managed to issue more than 500 bogus digital certificates in the name of major web properties such as Facebook, Twitter, Microsoft and Google; in the name of intelligence agencies such as the Mossad and the CIA; and even, it seems, in the name of other certifying authorities.


-News Source (Naked Security & Mozilla) 


Firefox For Android Updated With Privacy Feature




Mozilla has released a 'Do Not Track' feature on Firefox, which enables private browsing on the cellular device. This feature seeks to increase the security amongst Android users. Sid Stamm, Security and Privacy Official at Mozilla, said that the unveiling of the HTTP header, which made use of the Do Not Track feature, received enormous support from users and other contemporaries. He says that the basic idea is to provide users with the same browser experience as the desktop version of the web browser.




Turning on the Do Not Track feature on your Android device is as easy as a flick of a switch. One needs to go to the browser preferences and slide the 'Tell sites not to track me' button. Bearing no differences to the desktop client, Stamm on his blog says that the websites will receive the same signal from the mobile version as the desktop client enabled with the Do Not Track service sends.
Security seems to be a priority with developers these days, with major brands like Apple and Google being criticized for location tracking. It's really commendable to see Mozilla trying to make mobile browsing more secure than before for its users.  



Metro Version Of Firefox Will Be Available on Windows 8

There are a lot of additions and subtractions going on with the upcoming Microsoft Windows 8 and Windows on ARM (WOA). Microsoft's browser rivals to publicly commit to a Metro edition. Microsoft has said it will ship both Metro and traditional desktop versions of Internet Explorer 10. Metro is Microsoft's label for the touch-enabled interface at the center of both Windows 8 and WOA. Windows 8 will run Metro and traditional 32- and 64-bit Windows applications, but WOA will run only those third-party apps designed for Metro.
Not only IE but also Firefox will follow the same trend. Mozilla confirms that it will build a "proof-of-concept" version of Firefox for Windows 8's Metro touch-first interface next quarter, then follow that with more functional editions later in the year. Mozilla said:
"This proposal depends on Microsoft providing the same capabilities for Firefox as it does for IE -- running at the Medium level integrity process that allows us the full use of the Win32 API and what we need from Metro, or a set of APIs that allow Mozilla to port Gecko to the WinRT. For the purposes of this feature proposal, I'm assuming we'll get the first and we won't have to port the bulk of Gecko and instead will use the win32 dlls from within Metro."

Feature Overview:- 
  • Windows 8 contains two application environments, "Classic" and "Metro". Classic is very similar to the Windows 7 environment at this time, it requires a simple evolution of the current Firefox Windows product. Metro is an entirely new environment and requires a new Firefox front end and system integration points.
  • The feature goal here is a new Gecko based browser built for and integrated with the Metro environment.
  • Firefox on Metro, like all other Metro apps will be full screen, focused on touch interactions, and connected to the rest of the Metro environment through Windows 8 contracts.
  • Firefox on Metro will bring all of the Gecko capabilities to this new environment and the assumption is that we'll be able to run as a Medium integrity app so we can access all of the win32 Firefox Gecko libraries avoiding a port to the new WinRT API for the bulk of our code. (Though we will need to have a pan and zoom capability for content.)
  • We will need to determine if the Firefox front end on Metro will be built in XUL, C/C++, or HTML/CSS/JS (I'm assuming for now that .Net and XAML are off the table.)
  • Firefox on Metro is a full-screen App with an Appbar that contains common navigation controls (back, reload, etc.,) the Awesomebar, and some form of tabs.
  • Firefox will have to support three "snap" states -- full screen, ~1/6th screen and ~5/6th screen depending on how the user "docks" two full screen apps. Our UI will need to adjust to show the most relevant content for each size.
  • In order to provide users with access to other content, other apps, and to Firefox from other content and apps, we'll need integration with the share contract, the search contract, the settings contract, the app to app picking contract, the print contract, the play to contract, and possibly a couple more. We'll be a source for some, a target for some, and both for some.
  • We'll need to handle being suspended by the OS when out of view.
  • We may want to offer a live tile with user-centric data like friends presence or other Firefox Home information updates
  • Ideally we'd be able to create secondary tiles for Web-based apps hosted in Firefox's runtime.


-Source (Mozilla & Computer World)





CLUB HACK Magazine has been released


March witnessed the launch of the much awaited Mozilla Firefox 4. We dedicate this issue to Mozilla and even the cover page that I designed (ahem) reflects that. The month started on a high note with India finally winning the ICC World Cup that also awakened our patriotic feelings.
Keeping with the theme of browser security, this issue covers Mozilla Security in Tech Gyan, FireCAT in Tool Gyan, Being Invisible on the Internet in Moms Guide, Configuring Apache SSL in Command Line, Introduction to newly launched Matriux Vibhag and New Rules of Information Technology in Legal Gyan.
We at ClubHack Mag would like to thank our contributors for an overwhelming response to the call for articles for this issue. Browser security affects all users of the Internet and therefore, we have decided to keep the same theme for our May issue.
Wireless networking is another issue that is now looming large on the horizon of most organisations and has even penetrated most tech-savvy homes. We intend to cover Wireless penetration testing for our subsequent issues. Keep sending your articles to info@chmag.in
Happy and Safe surfing!
In April issue we have the following articles

0x00 Tech Gyan - Mozilla Firefox Internals & Attack Strategies
0x01 Tool Gyan - FireCAT
0x02 Mom's Guide - Being Invisible on the Internet
0x03 Legal Gyan - The Information Technology Rules, 2011
0x04 Command Line Gyan - Configuring Apache SSL
0x05 Matriux Vibhag - Introduction Part 2
0x06 Poster of the month - Happy and Safe Surfing.
In India we were waiting to see any 'hacking' magazine to happen and the wait was getting a little longer. So finally ClubHack decided to come up with its own 1st Indian "Hacking" Magazine called CHmag.
We at ClubHack are more than thrilled about the magazine and this fits into our main objective of making hacking and information security a common sense for a common man.
Moving further we need a lot of help from the whole information security community of the country to make this a success.
This magazine is divided into the following sections:
0x00 Tech Gyan of the month
0x01 Legal Gyan of the month
0x02 Tool Gyan of the month
0x03 Command Line Gyan of the month
0x04 Mom's Guide of the month
0x05 Awareness Poster of the month
We hope to add a lot of sections in future, all we need is input from you as to what you would like to see in your magazine
The PDF version can be downloaded from http://chmag.in/issue/apr2011.pdf


Mozilla Stands Against CISPA, Saying the Bill Infringes on Our Privacy
 
Almost 99% of the leading IT industry, including software giants like Microsoft, Facebook, AT&T, Intel and Verizon, has been either silent or quietly supportive of the controversial bill HR 3523, dubbed the Cyber Intelligence Sharing and Protection Act (CISPA). But here we get one exception: late Tuesday, Mozilla’s Privacy and Public Policy lead sent me the following statement:
"While we wholeheartedly support a more secure Internet, CISPA has a broad and alarming reach that goes far beyond Internet security. The bill infringes on our privacy, includes vague definitions of cybersecurity, and grants immunities to companies and government that are too broad around information misuse. We hope the Senate takes the time to fully and openly consider these issues with stakeholder input before moving forward with this legislation."
CISPA’s official supporters include Facebook, Microsoft, IBM, Intel, Oracle and Symantec among others–carriers including AT&T and Verizon have signed on, too. Despite reports that Microsoft had backed off its support for the bill citing privacy, a Microsoft spokesperson Monday told reporters that the company’s supportive position on CISPA remains “unchanged.”





Firefox 7 Released With Better Memory Management, Patches Critical Security Holes


Mozilla has released its new version, Firefox 7, with lots of new features enabled. The release of Firefox 7 is important because the new version features better memory management and is the first step in Mozilla's long-term plan to make the browser more resource friendly.



Nevertheless, users who upgrade to it will also benefit from improved security as this release fixes six critical and two moderate severity security vulnerabilities.
Four of the critical patches are shared with Thunderbird 7 and address a use-after-free condition with OGG headers, an exploitable crash in the YARR regular expression library, a code installation quirk involving the Enter key and multiple memory hazards.
A moderate severity patch that provides defence against multiple Location headers caused by CRLF injection attacks is also common to both products.
In addition to these patches, Firefox 7 also contains fixes for two critical and one moderate severity vulnerabilities, with one of them resulting in a potentially exploitable WebGL crash. It's worth pointing out that Microsoft previously justified its decision not to include support for WebGL in Internet Explorer by saying that the 3D graphics library opens a large attack surface. So far several serious vulnerabilities have been identified and patched in WebGL, which partially supports Microsoft's assessment, but the library's supporters claim this is no different than with other technologies.
Firefox 7 also updates WebSocket, a protocol disabled in the past because of security issues, to version 8, which is no longer vulnerable to known attacks. Unfortunately, Mozilla has not yet developed a fix for a recently disclosed attack against SSL/TLS, despite having worked on the problem since June. Developers are still trying to find a resolution that will break as few websites as possible, but at this point it's not even certain that a fix will be included in Firefox 8.


SeaMonkey 2.6 Beta 1 Released & Improved add-on Control



SeaMonkey 2.6 Beta 1 is now available for download on the SeaMonkey website. The SeaMonkey project is a community effort to develop the SeaMonkey all-in-one internet application suite (see below). Such a software suite was previously made popular by Netscape and Mozilla, and the SeaMonkey project continues to develop and deliver high-quality updates to this concept. Containing an Internet browser, email & newsgroup client with an included web feed reader, HTML editor, IRC chat and web development tools, SeaMonkey is sure to appeal to advanced users, web developers and corporate users.
Under the hood, SeaMonkey uses much of the same Mozilla source code which powers such successful siblings as Firefox, Thunderbird, Camino, Sunbird and Miro. Legal backing is provided by the Mozilla Foundation.


Up-gradation of Firefox 5.0.1 for MAC OS X Has Been Fixed


Mozilla has released version 5.0.1 of Firefox. As previously reported, the maintenance update to Firefox 5 addresses problems with Apple's upcoming Mac OS X Lion operating system that could cause the browser to crash. Firefox 5.0.1 also resolves an issue caused by one of Apple's latest Java updates (Java for Mac OS X 10.5 Update 10) that prevented the Java plug-in from being loaded. Although the release notes mention only changes affecting the Mac OS X version of Firefox, updates to the Windows and Linux versions have also been released.
Further information about the update can be found in the release notes. Firefox 5.0.1 is available to download for Windows, Mac OS X and Linux from the project's web site. Alternatively, users can upgrade to the new versions either by waiting for the automated update notification or by manually selecting "Check for updates" from the Help Menu.
Update: To avoid a crashing problem on the upcoming version of Mac OS X, Mozilla has released an update to the 3.6.x branch of Firefox, version 3.6.19, that disables downloadable fonts when running on Mac OS X Lion. The developers say that they hope to enable them again in a future release. In a post on the Mozilla Developer Center blog, the developers also note that Windows and Linux users "do not need and will not see the update offer" for Firefox 3.6.19 or 5.0.1.


Firefox 4 Supports Content Security Policy


Content Security Policy is a standard developed by Mozilla that is designed to protect against cross-site scripting (XSS) attacks. Cross-site scripting attacks use vulnerabilities in websites to inject JavaScript code into pages or URLs of that site. The injected JavaScript code is then executed when visitors open a specifically prepared link or page on the website. Attacks can have serious consequences; it may for instance be possible to steal cookies from users to impersonate them on the site.
Content Security Policy has been in development for quite some time. The basic idea behind the standard is to give webmasters a tool to whitelist JavaScript, and other objects and files, that may be executed on the site. The implementation blocks all JavaScript code that would be executed on the site but does not come from the list of allowed sites, which means that attackers cannot exploit possible XSS vulnerabilities on the website or server.
A browser supporting CSP ignores code that is not in the whitelist. Browsers that do not support CSP ignore the policy.

Content Security Protection for Users

CSP is currently only supported by Firefox 4, Thunderbird 3.3 and SeaMonkey 2.1. You can test the functionality by visiting this test page.
Twitter recently announced that they have added CSP to their mobile version, accessible under mobile.twitter.com. Users who use one of the aforementioned browsers are protected from XSS attacks on that website.
The engineers at Twitter removed all JavaScript from the code and implemented the CSP header. They then restricted the header to Firefox 4 users and created a rule set to allow JavaScript from their assets. This included the content delivery network used to deliver stylesheets and user profiles.
Unexpected issues were encountered by the developers. They noticed for instance that some Firefox add-ons were inserting JavaScript on page load, which triggered a threat report. The Twitter engineers noticed furthermore that some ISPs inserted JavaScript code or altered image tags for caching reasons.
They managed to resolve those problems by mandating SSL for all Firefox 4 users who access the mobile Twitter web site.
A test with Firebug shows that the mobile version of Twitter is indeed using the policy on site. Please note that Twitter makes a user agent check and is very restrictive about it. Firefox 5 or Firefox 6 users won’t get the policy currently.

Content Security Protection for Webmasters

Webmasters may have some work at hand to add support for CSP to their website. JavaScript code that is directly embedded in documents will not be executed anymore, which has several implications. Webmasters need to move the code to external JavaScript files.
Policies are specified with the X-Content-Security-Policy header. The header X-Content-Security-Policy: allow 'self' *.ghacks.net for instance allows JavaScript to be loaded from ghacks.net and all subdomains of ghacks.net.
The using CSP guide on Mozilla offers additional examples on how to set the right headers.
Browsers that do not support CSP ignore the header.
CSP offers two additional forms of protection. It mitigates clickjacking attacks. Clickjacking refers to directing a user’s mouse click to a target on another site. This is often done by using transparent frames on the original website.
Content Security Policy can also be used to mitigate packet sniffing attacks, as it allows the webmaster to specify the protocols that are allowed to be used. It is for instance possible to force HTTPS-only connections.
The CSP Policy directives are accessible here on Mozilla.
In addition to the options already mentioned, there are parameters to specify the hosts from which images, media files, objects or fonts may be loaded.
Plugins are available for WordPress and Drupal that add the policy to supported websites automatically when activated.
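The whitelist check described above can be tried out before a policy is deployed. The following Python model is an added example, not code from the original article or from Mozilla: it parses an X-Content-Security-Policy value and decides whether a resource URL would be permitted on a given page. The function names, the sample URLs and the simplified matching rules (a source without a scheme inherits the page's scheme, ports in sources are not handled, a missing directive falls back to allow) are assumptions of this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_policy(header_value):
    """Turn "allow 'self' *.ghacks.net; img-src *" into {directive: [sources]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def origin(parts):
    """(scheme, host, port) with the scheme's default port filled in."""
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)

def source_matches(source, url, page_url):
    """Check one source expression against a resource URL (simplified model)."""
    res, page = urlsplit(url), urlsplit(page_url)
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return origin(res) == origin(page)
    # Assumption of this model: a source without a scheme inherits the
    # protected page's scheme; ports inside source expressions are not handled.
    scheme, sep, host = source.rpartition("://")
    if res.scheme != (scheme.lower() if sep else page.scheme):
        return False  # e.g. an https:// source rejects plain http
    host = host.lower()
    if host.startswith("*."):
        return (res.hostname or "").endswith(host[1:])  # subdomains, not the apex
    return res.hostname == host

def is_allowed(header_value, directive, url, page_url):
    """A directive that is absent falls back to the catch-all "allow" list."""
    policy = parse_policy(header_value)
    sources = policy.get(directive, policy.get("allow", []))
    return any(source_matches(s, url, page_url) for s in sources)

if __name__ == "__main__":
    header = "allow 'self' *.ghacks.net"       # header value quoted in the article
    page = "https://www.ghacks.net/post"       # constructed page URL
    for url in ("https://cdn.ghacks.net/app.js",     # constructed sample URLs
                "http://cdn.ghacks.net/app.js",
                "https://attacker.example/x.js"):
        print(url, is_allowed(header, "script-src", url, page))
```

Run against a list of the script, image and font URLs a site actually loads, this shows which resources a draft policy would block before the header is switched on.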
