Welcome to TheTechBlog.com - Here you'll find the latest Tech News, new gadgets and commentary! This site is moderated by Sam and Chase - Hosts of Tech Check on Fox6, and longtime high tech/computer radio broadcasters.
Friday, May 20, 2005
AOL releases Netscape 8
by Tollie

Quick History:
  • Netscape was a commercial product, and the definitive web browser.
  • Microsoft included Internet Explorer for free in Windows.
  • Browser wars ensued.
  • Internet Explorer got a lot better with IE 4 and Windows 95.
  • Netscape lost. AOL bought Netscape - but kept using IE for AOL.
  • Netscape released its original code for free to what is now the Mozilla Foundation.
  • Mozilla uses that code to create Mozilla Suite, and its successor - Firefox
  • AOL attempts to relaunch Netscape based on Mozilla Suite - not very successful.
  • Firefox continues development, with its code always free and 'open source' for others to use.
  • AOL releases Netscape 8, combining Firefox and Internet Explorer into one.
Netscape 8 offers a unique combination of Firefox and Internet Explorer in one product. It allows you to browse the internet with the security and safety of Firefox, yet be able to use Internet Explorer for those ill-behaved sites that only develop for Windows Internet Explorer.

How does it work? Netscape maintains a list of 'safe/trusted' sites and 'untrusted' sites. For trusted sites, pages display using Internet Explorer. For unknown sites, pages display using Firefox. For untrusted sites, pages display using Firefox and with Javascript/Java/Cookies disabled. And of course, you can add to the trusted or untrusted sites lists.

You can also change which browser is used. For example, you can have all sites display in Firefox, including trusted ones - since most will look fine, and only switch over to Internet Explorer if things look strange.

Netscape 8 includes AOL's Instant Messenger and ICQ and two themes, but so far does not offer compatibility with any of the hundreds of Firefox extensions or themes - which is enough to keep me and most using Firefox instead.
posted by Tollie Williams @ 2:54 PM   0 comments
Sunday, May 08, 2005
The Tech Blog - Firefox security hole
Latest Update: Vulnerability fixed. Firefox 1.0.4 now available.

The following entry concerns the previous version of Firefox, 1.0.3:

Big Security Hole in Firefox-click here for the article

It turns out the more secure browser has a pretty significant security hole in it that will allow a website to install and run malicious code on your system when you visit.

Chase

Update:

Tollie here. I'm going to add my thoughts on this security vulnerability - actually a security vulnerability combo.

This is the worst Firefox flaw we've seen yet. Thankfully, Mozilla acted very quickly and has already provided a quick patch for the average user that requires no user action at all, which addresses the more serious of the two. And as a temporary patch for both, disabling javascript is a complete workaround.

Here are the details:

This security vulnerability is actually two - the first is one that allows frames to be used to make javascript look like it is running from any website. This can allow for malicious websites - when visited - to steal username and password info of websites you've recently been to and can still access using the 'back' button.

It also makes the second part of this vulnerability combo more serious. The second part allows malicious websites - when visited - to run code without authorization if Firefox is set to allow websites to install add-on software.

Normally, Firefox uses a "whitelist" of sites that you approve. When you first install Firefox, this list is limited to two default sites under the control of Mozilla. If a site not on the list attempts to install an add-on, Mozilla blocks it entirely. If a site is on the list, Firefox still asks if you want to install the add-on, but it displays a window with an icon and a short description. The vulnerability here is in that window - a malicious add-on can execute code, even if the user decides to cancel the installation.

The vulnerability-combo was one that used the first exploit to fake code as if it were coming from one of the two default sites on the whitelist, so the window would display even if the site wasn't added to the allowed list, and from there the second vulnerability allowed code to be run without user approval. On a technical note: unlike most Internet Explorer vulnerabilities, however, the malicious Mozilla code only runs with the authorization (power) of Mozilla - not the authorization (power) of the complete Windows System.

Further, Mozilla has already taken action that renders this second vulnerability mostly toothless, and there's nothing you need to do. Mozilla simply moved their default add-on sites to a different address, which effectively turns off the 'allow website to install software' option for the majority of Firefox users who haven't added any other sites to the allowed (white) list.

Finally, no known malicious code exists presently. Only demo code to prove the existence of the vulnerability is available. And, Mozilla is already at work on patches to take care of the two vulnerabilities. They'll be available as Firefox 1.0.4.

And to repeat: Disabling Javascript is a complete workaround for both vulnerabilities. Simply go to Tools - Options - Web Features - and uncheck [ ] Enable Javascript.

PS. I made a quick change to ChaseAndSam.com and fixed a few things so it is now non-javascript friendly. Frankly, I should have done that already.

- tollie

 

posted by Chase Thompson @ 7:47 PM   0 comments
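
The vulnerability combo and its mitigations from the post above, as a simplified decision model (an added example, not Mozilla's code and not part of the original post). Host names are placeholders, and the move of the default sites is modelled as an assumption: the default whitelist entries no longer match anything.

```javascript
// Placeholder hosts: the post does not name the two default whitelisted sites.
const DEFAULT_SITES = ["addons-default-1.example", "addons-default-2.example"];

// request.actualHost  : the site the user is really visiting
// request.claimedHost : the site the script appears to run from
// browser flags model the two flaws and the JavaScript setting.
function evaluateInstall(request, whitelist, browser) {
  if (!browser.javascriptEnabled) {
    return { dialogShown: false, codeRan: false, reason: "no script, no install request" };
  }
  // Flaw 1 (frames): the browser trusts the claimed origin instead of the real one.
  const origin = browser.frameSpoofFlaw ? request.claimedHost : request.actualHost;
  if (!whitelist.has(origin)) {
    return { dialogShown: false, codeRan: false, reason: "blocked: origin not on whitelist" };
  }
  // Flaw 2 (dialog): code can run regardless of what the user clicks.
  if (browser.dialogFlaw) {
    return { dialogShown: true, codeRan: true, reason: "ran from install dialog" };
  }
  const accepted = request.userChoice === "install";
  return { dialogShown: true, codeRan: accepted, reason: accepted ? "user accepted" : "user cancelled" };
}

function scenarios() {
  const v103 = { javascriptEnabled: true, frameSpoofFlaw: true, dialogFlaw: true };
  const noJs = { ...v103, javascriptEnabled: false };          // the workaround
  const patched = { javascriptEnabled: true, frameSpoofFlaw: false, dialogFlaw: false };
  // Constructed visit: unknown site poses as a default site; user clicks Cancel.
  const visit = { actualHost: "unknown-site.example", claimedHost: DEFAULT_SITES[0], userChoice: "cancel" };
  const defaults = new Set(DEFAULT_SITES);
  const afterSiteMove = new Set();                              // assumption, see lead-in
  const customList = new Set(["my-extensions.example"]);        // user-added entry
  return {
    beforeMitigation: evaluateInstall(visit, defaults, v103),
    afterSiteMove: evaluateInstall(visit, afterSiteMove, v103),
    customListStillExposed: evaluateInstall(
      { ...visit, claimedHost: "my-extensions.example" }, customList, v103),
    javascriptDisabled: evaluateInstall(visit, defaults, noJs),
    bothFlawsPatched: evaluateInstall(visit, defaults, patched),
  };
}

console.table(scenarios());
```

The `customListStillExposed` row is why the site move leaves the second flaw only "mostly" toothless: a user who added their own sites to the allowed list keeps a whitelist entry that can still be impersonated until both flaws are patched.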

 