Archive

Archive for the ‘Internet’ Category

Java Runtime Environment 1.6 Update 29

October 23, 2011 1 comment

Version 1.6 of the Java platform has been updated to version 29. If you’re not prompted to update automatically, visit Java.com and click the download button.
It patches 20 vulnerabilities including protection against BEAST.

“BEAST” (Browser Exploit Against SSL/TLS) can potentially provide a malicious hacker the ability to bypass SSL/TLS encryption and ultimately decrypt potentially sensitive web traffic.  This exploit was recently demonstrated at a security conference.  The vulnerability related to this exploit is CVE-2011-3389.

http://blogs.oracle.com/security/entry/october_2011_critical_patch_updates

You might have read my previous article, Java 7 released, but it’s still not out of RC.

Java 6 SE - Update 29

Download

You can directly download the whole install package for both 32 and 64 bit windows versions from FileHippo, or visit the Java website directly to be offered an installation suitable for your OS and language.

Firefox 7.01 on Release Channel

October 1, 2011 1 comment

So a new version of Firefox has landed on the Release channel, and already we see the first dot release,  to 7.0.1 – to resolve a bug with Add-On visibility.

We’ve identified an issue in which some users may have one or more of their add-ons hidden after upgrading to the latest Firefox version, affecting both desktop and mobile. These add-ons and their data are still intact and haven’t actually been removed.

blog.mozilla.com/addons

If you’ve had this problem, the upgrade should resolve it. The Add-Ons blog has a link to a tool to resolve the issue if the upgrade doesn’t.

Beta, Aurora, Nightly

So Beta Channel is now at 8.b1, Alpha Aurora Channel is offering 9.0a2 and strange versioning continues over at Firefox Nightly, offering up 9.0a1 – a depreciated build?

Read the official Release Notes for yourself here.

Adobe Flash Player 10.3 Advisory

September 18, 2011 Leave a comment

Flash Player by Adobe, consistently plagued with vulnerabilities, has under gone yet another minor version upgrade on the Release channel – to 10.3.183.7 10.3.183.10

Adobe recommends users of Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.183.5.
Users of Adobe Flash Player for Android 10.3.185.25 and earlier versions should update to Adobe Flash Player for Android 10.3.186.3.

http://www.adobe.com/support/security/bulletins/apsb11-21.html

Google Security

A Google Security researcher who fuzzed over 400 bugs in Flash Player was denied attribution by Adobe, because of the way CVE numbers are allocated.
He blogged about it in this post, and Adobe responded with their own snark..

So, what’s the right number of CVEs to allocate? In this particular case, some of the code changes we made were closely related within a single component, which would argue for consolidating them with a single CVE, while others were clearly distinct. At this point, we’d rather invest our time in continuing the hardening work that will make Flash Player more robust against attack than reviewing change logs. We’ve updated the security bulletin to include CVE-2011-2424 to describe this batch of bugs.

http://blogs.adobe.com/asset/2011/08/how-did-you-get-to-that-number.html

And the updated text of the advisory now attributes the CVE to the Google team.

This update resolves multiple memory corruption vulnerabilities that could lead to code execution (CVE-2011-2424).

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:
Tavis Ormandy of the Google Security Team (CVE-2011-2424)

http://www.adobe.com/support/security/bulletins/apsb11-21.html

Downloads

Android users can get the latest release version from the market here, Internet Explorer users can direct download from FileHippo.com and those running Firefox can grab it from FileHippo.com too..

Those looking for the official Adobe Flash Player download site can click here.

Aurora – The Future of Firefox

September 17, 2011 Leave a comment

Firefox - Aurora

Mozilla now offer 4 versions of their popular web browser software, with increasing levels of sophisticated new technology, interface design and developer tools, but at the expense of stability and compatibility.

Nightly, Aurora, Beta, Release

So the available builds are categorised according to their suitability for general release – the current Nightly is untested and raw, and in time becomes Aurora; and so the current Aurora becomes the next Beta and the current Beta becomes the Release version, available to everyone as Firefox – stable, patched. Software fit for a production environment.

Mozilla aim to do this every 6 weeks.

Every 6 Weeks

So from Aurora to Beta to Release is 12 weeks, or about 3 months. Currently, the Nightly build is at version 9.0, Aurora is at version 8.0, the Beta is 7.0 and Release is 6.0.2

Aurora

Let me just quickly say, if you’re still a bit confused with the Firefox releases, and don’t know which version you should run, then my advice would be to head on over to Firefox.com and download the version offered to you. This is the Release version – the most stable, most tested and most recent.

The other builds –  Nightly, Aurora, Beta – they’re for geeks, for those who like their internet cutting-edge. Want Nightly, Aurora or Beta for your Android device? Check out system requirements, compatible handsets and find downloads here.

Add-Ons Manager

A new interface and new way of handling Add-Ons is introduced. When an add-on is installed from outside of Firefox, the add-on is disabled by default, and requires explicit authorisation from the user to activate.

they can slow down Firefox start-up and page loading time, they clutter the interface with toolbars that often go unused, they lag behind on compatibility and security updates, and most importantly, they take the user out of control of their add-ons.

http://blog.mozilla.com/addons/2011/08/11/strengthening-user-control-of-add-ons

MemShrink

The MemShrink side project aims to reduce the memory usage of Firefox. Lower memory usage means a faster experience, as the overheads for paging and caching are reduced.

One nice thing about this feature is that it gives technically-oriented users a way to tell which web sites are causing high memory usage.  This may help with perception, too;  people might think “geez, Facebook is using a lot of memory” instead of “geez, Firefox is using a lot of memory”.

http://blog.mozilla.com/nnethercote/2011/07/06/memshrink-progress-week-3/

Developer Tools

Including Telemetry, Web timing spec, Azure Direct2D for Canvas and increased HTML5 and CSS3 support, including media elements and custom right click menus. Want to know more about the new developer tools?

Current HTML 5 Support

I’m already impressed with the HTML 5 support in the Release version of Firefox, when the rest of the web catches up, sites will be dynamic and media rich beyond our wildest imaginations.

Insecure Data Request/Response from Quidco RPC

September 13, 2011 Leave a comment

I recently reported some Data Protection and Privacy issues with the Quidco app for Android, and wanted to have an in-depth look at the Client/Server data sent by the app.

Packet Capture

With the newly installed tcpdump facility, I was able to capture the network traffic from my handset and watch the Quidco app for Android send a request to the remote server and receive data back. This happens when you log-in, when you check-in, when the app wants to load your personal details and display your cash-back history.

Pretty standard stuff, nothing out of the ordinary, nothing unexpected.

The problem is not what’s being sent, but how. The communication between the server and the handset is not secured – the data is sent by the server over the internet as plain-text, and includes your email, postcode, real name, date of birth and IMEI.

JSON-RPC

JSON or JavaScript Object Notation, is a lightweight text-based open standard designed for human-readable data interchange.
The JSON format is often used for serializing and transmitting structured data over a network connection. It is used primarily to transmit data between a server and web application.

http://en.wikipedia.org/wiki/JSON

JSON allows the Quidco app to makes requests to the remote server in a defined way, through procedure calls. Such procedures observed in the analysis of the packet capture include getNearbyDeals and getUserDetails.

Wireshark Analysis

The capture file is loaded into Wireshark where it can be displayed and reconstructed.
One function has the ability to reorder and display in ASCII the request and response of a specific TCP stream.

Reconstruct A TCP Stream

Reconstruct A TCP stream with Wireshark

getNearbyDeals

getNearbyDeals

The function takes several arguments, including the users latitude and longitude, and returns data on the deals close-by.

getUserDetails

getUserDetails

Evil Twin Attack

Being a mobile app, designed to be used out and about, it’s a possibility the end user will connect to a WIFI hotspot, for example Openzone, when they want to check-in at a store or search for near-by deals.

An ‘Evil Twin’ is a hotspot with the same name as a legitimate one, but which is set-up by criminal entities to harvest personal data, log-in or banking details. The Guardian ran a story about it. It’s all to do with the way your handset will automatically connect to a WIFI network based on it’s SSID or name.

Firesheep was a proof of concept plug-in for the Firefox browser, which allowed trivial Facebook session hijacking on insecure networks. Now there is a native Android app, FaceNiff which claims to do a similar job.

Disclosure

The developers of the app were contacted regarding the insecure client/server communication and now the app has been updated to v1.0.4 to address this issue.

Wireshark analysis of traffic captured for version 1.0.4 shows all request/response traffic is made over https.

The main idea of HTTPS is to create a secure channel over an insecure network. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks

http://en.wikipedia.org/wiki/HTTP_Secure

Wireshark Analysis

v1.0.4 Application Traffic Secured with HTTPS

Firefox 9 64-bit Released on Nightly..

September 12, 2011 Leave a comment

So the main Firefox build, currently v6.0.2, is still only available as a 32-bit exe on Windows.

But feel like treading the alpha infested waters of Nightly, and version 9 in full 64-bit form can be downloaded.
Version numbers for Nightly builds are not always accurate.

Nightly Build

So the Nightly build is the most recent code, the alpha stages of the next Firefox; the basis of the next RC. Nightly’s are released without any testing.

It very clearly states on the site that the binaries are for testing purposes only, but I’ve not had a problem with Plug-In or Add-On incompatibility, and no crashes yet.
If you do important work, you know not to install it on your main Dev machine..

And it looks the same as v6, and v5. To be honest, since they went crazy with the naming, I haven’t actually noticed anything new over the v4 release.. But v9 will one day have a brand new User Experience.

About Nightly 9.01a

x86-64

So, if like me, you have a 64-bit version of windows, and you want to run 64-bit versions of your software, at the risk of instability, go ahead and download and install a Nightly build.
If you have a 32-bit system, I say stick to the stable Firefox releases, or the slightly less stable betas.

v9 doesn’t really provide anything over v5 or v6, but it’s native.

Quidco App for Android is out of Beta!

September 8, 2011 Leave a comment

The Quidco App for Android has finally lost it’s Beta status, and version 1.1.0 is now available from the Android Market or visit Quidco.com/app.
If you’re not already a Quidco member, read my post and sign up!

v1.1.0

Quidco app for Android is released!

So the Quidco app moves from this early Beta, to full release version, and quickly to v1.0.2 – although the Whats New tab on the web based android market says nothing has changed, the Recently Changed section on the mobile version of the market shows crash fixes.

Using The Quidco App

Sign Up Or Sign In

Load the app, and you will be asked to sign-in with your Quidco details, or to join the Quidco service.
The first time you sign-in, you will be asked to enable Location Sources –  both Network and GPS are required for full functionality.

Location

If you choose not to enable your location, you can still choose from a general list of places.

Device Association

Again, the very first time you run the app you will be asked to associate your device with your Quidco account.
You have to enter the code exactly – if you enter it incorrectly, you will be given several more attempts. If you appear to be stuck, make sure your keyboard doesn’t automatically capitalise the first letter.

If you sign out, it will not ask you to associate again when you sign-in.

Nearby Deals

Click Nearby to be shown a list of deals and in-store cashback offers ordered by distance from location.

At the top, select Map to be taken to a fully interactive Google map with each deal a pin in the map. Click one of the deals to be given it’s name, and again to view the full details.

The Pizza Hut deal for example is a discount voucher, which gives clear instructions for use, and T&C in the details tab.

Account Settings

Under the central option in the bottom bar, My Quidco allows you to view your most recent activity and change your account settings.

You can choose to hide Gambling offers, Hide 18+ offers, and modify your in-store cashback settings, and even register a card if you’re not yet set up.

 

Smart Shopping

With digital vouchers, and  in-store cashback, the Quidco mobile app is a convenient way to earn and to save money in the real world.
Download the app, try it out today!