Firefox 14 brings 14 security fixes

Firefox 14 is out *yawn*

Other than 14 security issues fixed, there’s not much going on here, folks.

https://www.mozilla.org/security/known-vulnerabilities/firefox.html

They’ve got 5 critical, 4 high, and 5 moderate severity issues patched. As is usual lately, many of them were actually fixed by Google for Chromium and got merged into Firefox. (They both use many of the same Free/Open Source libraries.)
Elsewhere, we see that there’s some progress with memshrink.

https://blog.mozilla.org/nnethercote/2012/06/27/memshrink-progress-week-53-54/

https://blog.mozilla.org/nnethercote/2012/06/15/memshrinks-1st-birthday/

http://blog.mozilla.org/nnethercote/2012/06/13/memshrink-progress-week-51-52/

https://blog.mozilla.org/nnethercote/2012/05/30/memshrink-progress-week-49-50/
These aren’t as easy to sort, due to the ongoing nature of the memshrink project. Some users who have been using older Firefox versions have seen improvements in memory usage because Mozilla has been leaning on extension developers to fix broken extensions that use memory stupidly. These tend to be proprietary extensions from big companies that are not known for quality software design. (McAfee and Microsoft are big offenders) If you do have crappy extensions like these, get rid of them.

This problem mainly affects Windows users because you guys tend to have Firefox extensions installed in “drive-by incidents” when you install unrelated software or when Microsoft feels like taking a shit all over your browser. Take a minute to look through your add-ons and make sure that you are only using ones you actually want. There are uninstall and disable buttons for the rest. The problems that incompetent extensions create tend to be blamed on Firefox even though Mozilla has nothing to do with them.  Alternatively, you can just get rid of Windows and install something like Kubuntu where this stuff never happens.

Moving on, we bust out the magnifying glass and see what new features we have.

I only noticed two that were worth mentioning.

1. There’s a click to load plug-ins feature now. It is off by default and hidden under about:config. It breaks a few sites, but this sort of thing is badly needed, as plug-ins like Adobe Trash tend to be 99% obnoxious and 1% useful.

2. The HTTP Pipelining system seems to have been reworked, that too is under about:config and off by default.
Ho hum…

Antivirus software company admits antivirus is useless. Flame malware signed with Microsoft keys.

Two interesting stories on The H Online regarding the Flame malware for Windows.

Antivirus company F-Secure has had samples of Flame since 2010, other antivirus companies have as well, yet they were unable to detect Flame until recently.

This means that Flame has been out there for over two years and no antivirus software has done anything about it.

Flame was signed with a forged Microsoft cryptographic key.

The forgery was simple to pull off since Microsoft’s Certificate Root doesn’t keep proper track of their keys and uses weak DES which most e-commerce sites haven’t bothered to use since the EFF demonstrated that it could be easily cracked using commodity PC hardware from 1998.

This demonstrates a couple things I’ve been saying all along.

1. Why do browser makers not bother to make sure that “Trusted” certificate roots can actually be, you know….trusted? You have Mozilla, Google, and Opera conspiring to keep CACert out, but all of them would trust insecure Microsoft keys from Microsoft’s certificate authority. What’s more disturbing is that Windows apparently recognizes Microsoft’s DES keys. I doubt that it would allow you to sign a kernel module with them, but it would be sufficient to suppress the security warning that pops up that says the software isn’t signed.

2. Antivirus software is pointless. It has marginal effectiveness against common malware, and no effectiveness at all with more sophisticated malware. It’s hard to tell whether this is incompetence or because the US government and Israel write malicious Windows software all the time, and they’d rather that users of Windows not be protected from it.

Should Mozilla support h.264? It depends.

There’s news that Mozilla is considering supporting the patent-encumbered and dangerous MPEG-4 formats known as “h264″ and “aac”. LINK (As reported by The H Online)

It’s unfortunate that it has come to this, but I am in favor of doing it in the way they have described. Albeit unenthusiastically…

We know that there is a dangerous and criminal organization out there called the “MPEG-LA” that doesn’t innovate or produce anything, but acts as a “patent pool” to sue victims who try to implement media codecs without their permission. They “own” several thousand “essential” patents (meaning that you can’t implement the spec without violating them) describing what h264 with aac does.

Microsoft and Apple, which are also criminal cartels, are also members of the MPEG-LA, and are trying to wipe out the open and unencumbered VP8 and Ogg Vorbis combination known as WebM by refusing to support it in Safari and Internet Explorer.

Mozilla and Opera have so far not implemented MPEG codecs because they would be gouged by the MPEG-LA’s innovation tax.

The problem for the user, which is caught in the middle, is that sites that are out there today and insisting on MPEG-4, such as Vimeo, won’t work in Firefox or Opera in HTML 5 mode, and require the proprietary binary blob with gazillions of security problems known as “Adobe Flash” to play their content.

Mozilla is not proposing to ship the offending codecs themselves, but to just use the ones on the system, if any. On Windows, they can hook into DirectShow, on OS X they can hook into Quicktime, and on Linux they can hook into and use anything Gstreamer can play. Of course Android,  iOS, and Windows Phone (with all three people who have one) all have their own media codecs.

The problem with this is that it shifts the responsibility to the user to make sure they have codecs. In most cases, the platform in question is promoted by some big company that sees the MPEG-LA siphoning their profits as a cost of doing business, but the codecs are there nonetheless and Firefox is currently not making use of them. It’s the case where a person uses free and open source software, such as a Linux distribution,  and doesn’t want top be gouged and run nonfree MPEG Cartel-sponsored gstreamer codecs (from Fluendo), that they have to make a choice about whether to use the codecs that infringe US patents (such as the free and open source gstreamer codecs). In the case of proprietary software, the choice was already made for them, as most choices usually are.

Therefore, my position is… With the objection to the MPEG-LA cartel even being allowed to exist at all. That Firefox should use whatever the user has installed. Refusing to play formats for which the user already has codecs is ridiculous. The user should ideally be using software that respects his or her freedom (such as the gstreamer-bad and gstreamer-ugly codecs, which is where ones with patent problems end up). Even more ideally, the laws should be changed to invalidate every last software patent out there so that the user is free to do what they wish with their own computer, and programmers are free to make software that can compete with established monopolies like Microsoft and Apple. Until then, a couple of minority browsers ignoring those codecs won’t make those codecs go away any more than some Linux distributions not officially providing MP3 codecs has made MP3 go away. Those sites are out there, and users should not feel compelled to use proprietary software such as Internet Explorer, Safari, and Google Chrome to simply view them. Just as users who encounter MP3s, while this is unfortunate, should not have to use proprietary software to play those MP3s.

As a second point for this position, we know Microsoft slips trojan horses into competing browsers on Windows, and so if Mozilla doesn’t do it, Microsoft will wedge in another broken plug-in that is full of security problems to Firefox users on Windows. By making the change in Firefox, they can preempt Microsoft infecting Firefox with more things the user may not have approved of.

It’s unfortunate that this method will make it the user’s problem to decide if they care about using untaxed codecs, but you can thank Microsoft and Apple that someone is going to be stuck with the check.

Google is being sued by some idiot using Safari on a Mac. US Congress critters investigate.

I noticed this yesterday and decided to comment.

There’s a big stink going on right now. Someone found out that Google was setting “third party cookies” (for their advertising servers) in Apple’s Safari browser, which defaults to not loading third party cookies (which I’ll get to in a moment).

Now it appears that someone using Safari on a Mac that expected privacy somehow, is suing Google. (The PC World article on the first link has a more accurate technical description of what’s going on)

In short, someone found a bug in Safari, and now Google is being sued and is under investigation by Congress. We know how much Congress can be expected to know about the internet based on their hilarious to horrifying attempts to regulate it as many of them uttered things like “I don’t know how this here internet thing works, but they tell me….” or the late Senator Ted Steven’s infamous “series of tubes” comment. To say nothing of the fact that Congress flip flops between mandatory tracking for all and bullshit “consumer privacy concerns” such as this one. (For those concerned with the former, the bill is called HR 1981, but a more fitting name would be HR 1984)

If this was a bug in Firefox, it would be fixed. If it was a bug in Chrome, it would be fixed.

Somehow, Microsoft and Apple users seem to think they can use proprietary secret software when they’re not allowed to know how it works and have privacy at the same time. Software which has a history of many bugs,  with vendors that typically take weeks/months/years to patch them once they’re made public. These companies also slip back doors into the software for various government agencies.

Apple was recently caught with a back door that they put into iTunes, it remained there for 3 years, undetected, which facilitated man in the middle attacks. (A government could use this to run a counterfeit iTunes server and load malicious software onto the victim’s computer. The article calls it a flaw, but we know what was really going on, and that it was likely just moved.).

There’s no way you can trust Microsoft or Apple’s software to protect your privacy. Anyone who has actually read the EULA for Windows (especially XP, Vista, and 7) should know that there are at least several dozen Windows components that phone home to Microsoft with your personal information. Most do it over an encrypted connection so that the user has a very hard time telling what is actually being sent to them. Apple isn’t any better.

Let’s get back to cookie controls. They’re a red herring. They’re totally bogus. They don’t do anything for you. Every browser has them, even Internet Explorer 6. They don’t do anything to protect you because cookies are passe. Tracking and spyware sites have developed data mining techniques that work well even if the user clears every cookie they ever set.

One method is to associate IP addresses with log ins. Facebook, Google, and Microsoft all do that. Even after you log out, it’s possible for them to track you personally. There’s other methods. Browsers like Firefox and Chrome are just now starting to implement watered down privacy controls for Adobe’s Flash software (which is proprietary software and a frequent cause of cross platform/cross browser security problems).

Flash has “supercookies”, or what is more technically known as Local Storage Objects. Flash LSO’s can be up to 150 KB (which is 37.5 times larger than a cookie), a site can store as many as they want on your computer (just like a cookie), and (unlike cookies), most browsers do very little to nothing about them. Silverlight has something similar, users of Windows where Silverlight is sneaked over the fence by Windows Update should take notice of that.

The take home message here is that it was ludicrous for this guy to expect any kind of enhanced privacy just because Safari has some lame cookie controls which are a piss poor clone of something Mozilla introduced well over 10 years ago. I really doubt that will stop this frivolous lawsuit, and I fully expect the anti-Google interests called Microsoft and Apple to play this up for all the drama it’s worth.

Microsoft hired the scumbags over at  Waggener Edstrom a while back to launch a smear campaign against Google, and Microsoft is already jumping on this Safari problem like a dog in heat. (I won’t link since I can’t seem to find an article that is telling people the truth about where the anti-Google smear is coming from. Waggener Edstrom specializes in astroturfing and attack ads. They’ve worked for companies like BP and Walmart, and for many a corrupt politician. (When you see that disgusting outrageous pants-on-fire “GMail Man” attack ad, that’s who made it).

If you’d like to know more about these people, Techrights has occasionally blogged about what they’re up to and who they work for.

So now that we’ve covered the facts about Microsoft and Apple, IE and Safari’s lack of real privacy controls, and why cookie controls do nothing.

There’s a number of things you CAN do to really prevent or limit how sites track you. Here’s some suggestions.

Firefox users can use Adblock Plus (just remember to opt out of the “acceptable ads nonsense). Delete Easylist’s filter subscription, and add these instead.

Better yet, use Chrome/Chromium with Chrome Adblock, remove Easylist, and use these instead. (Chrome Adblock is better than Adblock Plus for Chrome, the two are unrelated)

Firefox or Chrome 17+ users can install HTTPS Everywhere (The Chrome version is an alpha for the time being, but it does work)

Opera users can use Opera’s content blocker to block advertising and stat/tracking sites. Pre-made lists here. Remember to manually update them now and then or skip the process and let Opera Adblock do the same thing for you if you have Opera 11 or later.

Firefox and Chrome can also block Flash applets from automatically loading, saving you bandwidth and making flash applets that track you or load malicious software less effective. Firefox has Flashblock, Chrome users can enable the Click to Load option in the advanced settings for plug-ins.

Weaker protection for users who insist on inferior browsers with government spyware built in.

Internet Explorer 9 supports “tracking protection lists”, which are a small/watered down subset of true content blocking. Pre-made TPLs for IE here.

Safari users can use Safari Adblock, it’s from the same guy that made Chrome adblock. I’ve never used that one, but if it comes with Easylist, rip it out and add these.

The bottom line is that the only way to protect yourself from tracking servers is to not connect to or run applets from them to begin with.

Trueblock Plus gives users Adblock Plus without the “Acceptable Ad$”

Just a quick note.

I was (and still am) outraged that Wladimir Palant sneaked into people’s browser preferences and turned on some ads for big companies and parking page parasites that were paying him the big bucks.

There’s now another option; a fork of Adblock Plus called Trueblock Plus. It is derived from Adblock Plus code and is under the same Mozilla Public License as Adblock Plus. Both are free and open source software.

The freedoms that make up “free software” include using the software for any purpose and being able to modify, improve, and redistribute it. In other words, the freedom to “fork” if the upstream dies off, becomes unresponsive to new features that people want, or in the case of Adblock Plus, start to add malicious features that nobody really asked for. (Or for any other reason.)

Right now, the only real modifications to Trueblock Plus are to re-brand it (The name and logos that Adblock Plus uses are trade marks, and are not covered by the free software license of the source code) and to turn off that annoying “Acceptable Ads” antifeature that Wladimir Palant cooked up.

There are also some rough edges in Trueblock Plus. The author of the fork notes that there’s going to have to be some more purging of Adblock Plus branding before Trueblock Plus can progress beyond “preliminary review” status at Mozilla Add-Ons.  For example, the Contribute button still links to Adblock Plus’s website. I’m not sure if that’s intentional or not but it says “Contribute to Trueblock Plus”, so I am thinking he may have just searched for and renamed each occurrence of Adblock Plus.

The other problem is that the “Acceptable Ads” code is still there, just disabled by default. Since this code is hardly vital to the operation of the extension, it might be better if Trueblock Plus were to simply revert the commit that added it in the first place. More code in a program means more potential for bugs and security issues, plus the only reason it’s there is so Wladimir Palant can make money by allowing spyware and tracking garbage through by silently switching it on without the user’s consent upon “upgrading” to Adblock Plus 2.0 or later. It is doubtful that any user would opt into something that directly counters the problem that led them to install the software in the first place.

Users who pay attention can still uncheck Wladimir’s Acceptable Ad$ , but he even admits on his website that he’s banking on people not doing that since most people don’t like to tinker and may not even notice what has changed that is allowing ads to get through.

If you have less computer literate friends or relatives, or if you personally don’t want any more nasty surprises from Mr. Palant, then Trueblock Plus might be the way to go.

Homepage

Mozilla Add-Ons site (I always recommend installing add-ons from here in every possible case.) Install for Firefox. / Install for Seamonkey