Firefox Now Set To Utilize BITS for Downloading New Software Updates


Mozilla Firefox is set to use the Windows Background Intelligent Transfer Service (BITS) to download software updates in the background. This is the initial phase in the possible release of a standalone "Update Agent" that will perform updates even when the browser is closed.
At present, Firefox looks for new updates when the user opens the browser and either shows a notification that an update is available or installs it automatically.

Mozilla developers are also working on an independent application written in Rust, called "Update Agent", which will run quietly in the background and check for new browser updates even when Firefox isn't open. For users who don't run Firefox often, it will make it simpler to receive new updates.

The Update Agent is planned as a background process that keeps running after the browser is closed so that it can download and apply updates. The purpose is to make updating more convenient for everybody and to shorten the time it takes to get new updates to users who aren't well served by the present update process, because they don't run Firefox very much or don't have access to a proper internet connection.

This approach makes Firefox more secure: even if a user installs an update as soon as prompted, there is still a window in which a vulnerability could be exploited before the update and its security fixes are installed.

For Windows users, Mozilla will use BITS because it allows an update download to be resumed if it ends or is paused for any reason. The update keeps downloading from where it left off when it can, which saves time completing the update.

As the Update Agent application isn't ready yet and requires a few other bugs to be resolved first, Mozilla is enabling BITS in Firefox so that the browser can start using the service to download browser updates.


Firefox BITS preferences


While Mozilla developers are actively working on this project, with the aim of finishing it sooner rather than later, Mozilla has added two new flags to the Firefox Nightly build that can be used to test downloading software updates through BITS. Users can enable this test by setting the app.update.BITS.enabled and app.update.BITS.inTrialGroup preferences to true in about:config.


Mozilla advises its users to update their web browser to fix critical vulnerability






Mozilla has issued a warning to its users and asked them to upgrade their Firefox web browser after the company found some critical vulnerabilities.

The company issued an advisory on Tuesday, 18 June 2019, which includes details about security vulnerabilities that have been fixed in Firefox 67.0.3 and Firefox ESR 60.7.1.

The advisory described the flaw, stating, “A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash.”

It further read, “We are aware of targeted attacks in the wild abusing this flaw.” The company has marked the update as ‘critical’.

According to reports, the bug is classified as critical because it allows outside users to remotely execute code on your machine without your permission.

The bug was first spotted by Samuel Groß, who is reportedly a security researcher with Google Project Zero and Coinbase Security.

Mozilla Fixes Actively Exploited Zero-Day Flaw with Firefox 67.0.3



Mozilla has fixed the Firefox and Firefox ESR zero-day vulnerabilities with the release of its latest versions, Firefox 67.0.3 and Firefox ESR 60.7.1. These flaws were rampantly exploited by attackers to remotely execute arbitrary code on the systems of users who ran vulnerable versions of the browser.

The zero-day flaw, tracked as CVE-2019-11707, occurs when JavaScript objects are manipulated, because of issues in Array.pop. Before Mozilla released the patch, attackers could trigger the attack by luring users of vulnerable browser versions to a malicious web address designed to take control of the affected systems and execute arbitrary code on them.

According to Mozilla's security advisory, the browser's developers are "aware of targeted attacks in the wild abusing this flaw", which could allow attackers who take advantage of this zero-day flaw to take over affected machines.

In response to the Firefox and Firefox ESR zero-day vulnerabilities, which were reported to Mozilla by the Coinbase Security team and Samuel Groß from Google Project Zero, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory urging users "to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates."

Commenting on the matter, Groß tweeted, “The bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape.”

“However, most likely it can also be exploited for UXSS [universal cross-site scripting] which might be enough depending on the attacker’s goals,” he added.

Mozilla released a similar emergency patch, Firefox 50.0.2 and 45.5.1 ESR, in 2016 as well. In that case, the flaw was exploited by cybercriminals to de-anonymize Tor Browser users and collect private data such as MAC addresses, hostnames, and IP addresses.
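
The fixed versions named in the two articles above (Firefox 67.0.3 and Firefox ESR 60.7.1) can be turned into an inventory check. The following is an added example, not Mozilla's code or part of the original articles; the host names, the inventory format and the function names are assumptions.

```python
import re

# Fixed versions as given in the articles above for CVE-2019-11707.
FIXED_RELEASE = (67, 0, 3)
FIXED_ESR = (60, 7, 1)

# Accepts "67.0.3", "60.7.1esr" and the "Mozilla Firefox 67.0.3" form.
_VERSION = re.compile(r"^(?:Mozilla Firefox )?(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")

# Constructed inventory; host names and the input format are assumptions.
SAMPLE_INVENTORY = {
    "ws-01": "67.0.3",
    "ws-02": "Mozilla Firefox 67.0.2",
    "ws-03": "60.7.1esr",
    "ws-04": "60.7.0esr",
    "ws-05": "68.0b10",
}


def parse_version(text):
    """Return ((major, minor, patch), is_esr); raise ValueError if unrecognised."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    major, minor, patch, esr = match.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def has_fix(text):
    """True if the version is at or above the fixed version for its channel."""
    version, is_esr = parse_version(text)
    # ESR is compared with the ESR fix: 60.7.1esr is patched although
    # it is numerically lower than 67.0.3.
    return version >= (FIXED_ESR if is_esr else FIXED_RELEASE)


def triage(inventory):
    """Split hosts into patched, vulnerable and needs-manual-review lists."""
    result = {"patched": [], "vulnerable": [], "review": []}
    for host, text in sorted(inventory.items()):
        try:
            bucket = "patched" if has_fix(text) else "vulnerable"
        except ValueError:
            bucket = "review"  # e.g. beta builds such as "68.0b10"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Version strings the parser does not recognise are routed to manual review instead of being counted as patched.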



New OS takes on Apple, Android

Firefox, a web browser made by the non-profit Mozilla Foundation, was born as “Phoenix”. It rose from the ashes of Netscape Navigator, slain by Microsoft’s Internet Explorer. In 2012 Mozilla created Firefox OS, to rival Apple’s iOS and Google’s Android mobile operating systems. Unable to compete with the duopoly, Mozilla killed the project.

Another phoenix has arisen from it. KaiOS, an operating system conjured from the defunct software, powered 30m devices in 2017 and another 50m in 2018. Most were simple flip-phones sold in the West for about $80 apiece, or even simpler ones which Indians and Indonesians can have for as little as $20 or $7, respectively. Smartphones start at about $100. The company behind the software, also called KaiOS and based in Hong Kong, designed it for smart-ish phones, with an old-fashioned number pad and long battery life, plus 4G connectivity, popular apps such as Facebook and modern features like contactless payments, but not snazzy touchscreens.

With millions of Indians still using feature phones, it’s no surprise that this brainchild of San Diego startup KaiOS Technologies is already the second most popular mobile operating system in India after Android, capturing over 16% market share. iOS is second with 10% share, as per an August 2018 analysis by tech consulting firm Device Atlas.

The new category of handsets powered by KaiOS, which has partnered with Reliance Jio, requires limited memory while still offering a rich user experience through services like Google Assistant, Google Maps, YouTube, and Facebook, among others.

Faisal Kawoosa, founder, techARC, credits KaiOS with bringing about a paradigm shift in infotainment in India. “This (the feature phone platform) becomes the first exposure of mobile users to a digital platform. It is also helping the ecosystem and new users to digital services without much increase to the cost of the device,” he said.

Firefox update fixes critical security vulnerability

Firefox 66.0.1 has been released with fixes for critical security vulnerabilities that were discovered via Trend Micro’s Zero Day Initiative. The vulnerabilities affect all versions of Firefox below 66.0.1.

An attacker could exploit these vulnerabilities to take complete control of the target system or process.

CVE-2019-9810: Incorrect alias information

Incorrect alias information in the IonMonkey JIT compiler for Array.prototype.slice leads to a missing bounds check and a buffer overflow.

Bounds checking is a method of verifying that a variable lies within its bounds before it is used. A failed bounds check throws an exception, and a missing one results in security vulnerabilities.

CVE-2019-9813: IonMonkey type confusion with proto mutations

Mishandling of proto mutations leads to a type confusion vulnerability in IonMonkey JIT code.

A type confusion vulnerability occurs when code doesn’t verify the type of the object passed to it and blindly uses it without type-checking.

By exploiting this vulnerability, an attacker can execute arbitrary commands or code on a target machine or in a target process without user interaction.

This vulnerability was discovered by independent researcher Niklas Baumstark, who targeted Mozilla Firefox with a sandbox escape in the Trend Micro Zero Day Initiative contest and successfully demonstrated the JIT bug in Firefox, for which he earned $40,000.

In the Pwn2Own 2019 contest, researchers exploited multiple bugs in products from leading vendors, such as Edge, Mozilla Firefox, Windows, and VMware, and earned $270,000 USD in a single day by submitting 9 unique zero-day exploits.

The Firefox bug was demonstrated on the second day of the contest by the Fluoroacetate team and individual security researcher Niklas Baumstark.

Mozilla Firefox Considers Blocking Cybersecurity Company DarkMatter; Reports Arise of Its Link to a Cyber Espionage Program




Firefox browser maker Mozilla is considering whether to block the cybersecurity organization DarkMatter from serving as one of its internet security gatekeepers after a Reuters report connected the UAE-based firm to a cyber-espionage program.

The international news organization reported in January that the cybersecurity company provided staff for a secret hacking operation, codenamed Project Raven, on behalf of an Emirati intelligence agency. The unit included former U.S. intelligence officials who conducted offensive cyber operations for the UAE government.

The secret program, which operated from a converted Abu Dhabi house far from DarkMatter's headquarters, included hacking into the internet accounts of human rights activists, journalists and officials from rival governments.

Mozilla said it is still discussing whether to deny DarkMatter the authority, but expects to decide within weeks. Two Mozilla officials said in a meeting a week ago that the Reuters report raised their worries about whether DarkMatter would abuse its position to certify sites as safe.

Selena Deckelmann, a senior director of engineering for Mozilla, said "We don't currently have technical evidence of misuse (by DarkMatter) but the reporting is strong evidence that misuse is likely to occur in the future if it hasn't already."

It was also reported that Mozilla was considering stripping a few or the majority of the 400 certifications that DarkMatter has granted to sites under a limited authority since 2017.

However, DarkMatter CEO Karim Sabbagh denied the Reuters report connecting his company in any way to Project Raven. "We have never, nor will we ever, operate or manage non-defensive cyber activities against any nationality," he said in a letter to Mozilla on February 25th, posted online by the cybersecurity company.

While Mozilla has in the past relied heavily on technical issues when deciding whether to trust a company with certification authority, the Reuters investigation has led it to re-evaluate its policy for approving applicants.


Bug in Google Breaking Search Result Links




Discovered by the Twitter account of the site wellness-heaven.de, a bug in Google Search breaks search result links when using Safari on macOS if the link contains a plus symbol.

It was first observed around September 28th, when there was a significant drop in the site's traffic from Safari users. For example, if you search for a specific keyword and one of the search results contains a plus symbol, like https://forums.developer.apple.com/search.jspa?q=crash+app+store&view=content, then clicking the link won't do anything.

When the issue was reported to John Mu, a webmaster trends analyst at Google, he replied that it was indeed strange and that he would pass on the bug report.

BleepingComputer was able to confirm this bug using the search results for Apple in Safari on macOS Sierra. They have also reached out to Google for further comment on this bug, but have not heard back.

This bug also affects Firefox 61.0.1 on macOS, but links appear to work fine with Chrome 69.

Users who have seen a dip in traffic beginning around September 28 are advised to check their analytics software to determine whether it stems from Safari users being unable to click on their links.


New Malware Variant Designed To Swindle Financial Data from Google Chrome and Firefox Browsers



Researchers have recently discovered Vega Stealer, malware that is said to have been created to harvest financial information from the saved credentials of Google Chrome and Mozilla Firefox browsers.

At present, Vega Stealer is only being used in small phishing campaigns, but researchers believe that the malware could lead to major organizational-level attacks, as it is a variant of the August Stealer crypto-malware, which steals credentials, sensitive documents, cryptocurrency wallets, and other details stored in the two browsers.

On May 8 this year, the researchers observed and blocked a low-volume email campaign with subjects such as 'Online store developer required'. The email comes with an attachment called 'brief.doc', which contains malicious macros that download the Vega Stealer payload.

The Vega Stealer ransomware reportedly targets those in the marketing, advertising, public relations, and retail/manufacturing industries. Once the document is downloaded and opened, a two-step download process begins.

The report said "...The first request executed by the document retrieves an obfuscated JScript/PowerShell script. The execution of the resulting PowerShell script creates the second request, which in turn downloads the executable payload of Vega Stealer, the payload is then saved to the victim machine in the user's "Music" directory with a filename of 'ljoyoxu.pkzip' and once this file is downloaded and saved, and it is executed automatically via the command line."

When the Firefox browser is in use, the malware gathers specific files containing various passwords and keys, such as "key3.db", "key4.db", "logins.json", and "cookies.sqlite".

In addition, the malware takes a screenshot of the infected machine and scans for any files on the system ending in .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf for exfiltration.

While the researchers couldn't attribute Vega Stealer to any particular group, they say that the document macro and URLs associated with the campaign suggest that the same threat actor is responsible for campaigns spreading financial malware.
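
The behaviour described above (a payload run from the user's Music directory, and reads of Firefox profile credential files) can be expressed as detection rules. The following is an added example, not taken from the researchers' report; the event schema, host names, rule names and allowlist are assumptions, and the sample events are constructed.

```python
from pathlib import PureWindowsPath

# Firefox profile files the report says Vega Stealer gathers.
FIREFOX_SECRETS = {"key3.db", "key4.db", "logins.json", "cookies.sqlite"}
# Assumption: only the browser itself is expected to read those files.
EXPECTED_READERS = {"firefox.exe"}

# Constructed sample telemetry; the event schema and hosts are hypothetical.
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "process_start",
     "path": r"C:\Users\amy\Music\ljoyoxu.pkzip"},
    {"host": "ws-01", "type": "file_read",
     "actor": r"C:\Users\amy\Music\ljoyoxu.pkzip",
     "path": r"C:\Users\amy\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"host": "ws-02", "type": "file_read",
     "actor": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "path": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\y2.default\key4.db"},
    {"host": "ws-02", "type": "process_start",
     "path": r"C:\Windows\System32\notepad.exe"},
]


def classify(event):
    """Return the name of the rule an event matches, or None."""
    path = PureWindowsPath(event["path"])
    dirs = [part.lower() for part in path.parts[:-1]]
    if event["type"] == "process_start":
        # Payload behaviour from the report: an image run out of the Music folder.
        if "users" in dirs and "music" in dirs:
            return "process-started-from-music-dir"
    elif event["type"] == "file_read":
        reader = PureWindowsPath(event["actor"]).name.lower()
        in_profile = "firefox" in dirs and "profiles" in dirs
        if (in_profile and path.name.lower() in FIREFOX_SECRETS
                and reader not in EXPECTED_READERS):
            return "firefox-credential-file-read"
    return None


def detect(events):
    """Return (host, rule) for every event that matches a rule."""
    hits = []
    for event in events:
        rule = classify(event)
        if rule:
            hits.append((event["host"], rule))
    return hits


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(host, rule)
```

The rules match on directory and file role, not on the reported filename, so they still fire if the payload is renamed; backup or sync tools that legitimately read the profile would need to be added to the allowlist.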

On how to stay protected, Ankush Johar, Director at Infosec Ventures, said in a press statement that "...Organisations should take cyber awareness seriously and make sure that they train their consumers and employees with what malicious hackers can do and how to stay safe from these attacks. One compromised system is sufficient to jeopardize the security of the entire network connected with that system."

While Vega Stealer isn't the most complex malware in use today, it does demonstrate the adaptability and flexibility of malware, authors, and actors in accomplishing criminal objectives.