
Firefox 60 world’s first browser to go for password-free logins

Mozilla has released its new browser, Firefox 60, which supports password-free logins to websites using the Web Authentication API.

The browser comes with Web Authentication, or WebAuthn, enabled by default. With the WebAuthn API, users will be able to log into websites using authenticators such as a YubiKey, fingerprint readers, or facial-recognition features on smartphones rather than passwords.

For now, WebAuthn supports security keys such as those from Yubico, but in the future it will also support mobile authentication using notifications from supporting websites.

“This resolves significant security problems related to phishing, data breaches, and attacks against SMS texts or other second-factor authentication methods while at the same time significantly increasing ease of use (since users don't have to manage dozens of increasingly complicated passwords),” Mozilla wrote.

Some are saying that this will replace passwords entirely, but for now it is being used as an extra layer of protection for users. In support of the same, Dropbox this week introduced WebAuthn login support as well.

“Your credentials could be stored on a device like your phone, laptop, or security key, and services could use WebAuthn to sign in to your account after you scan your fingerprint or input a PIN on the device,” wrote Dropbox programmer Brad Girardeau in a blog post. “There are still many security and usability factors to consider in these scenarios before replacing passwords entirely, and we believe that enabling WebAuthn for two-step verification strikes the right balance for most users right now.”

WebAuthn is also expected to be seen in Chrome 67 and Microsoft Edge.

Mozilla Firefox 21 closes three critical security holes

Mozilla has released Firefox 21, which closes eight security vulnerabilities, including four high-level and three critical security flaws.

Critical vulnerabilities: Memory corruption found using Address Sanitizer (MFSA 2013-48), Use-after-free with video and onresize event (MFSA 2013-46), Miscellaneous memory safety hazards (MFSA 2013-41).

High-level vulnerabilities: Uninitialized functions in DOMSVGZoomEvent (MFSA 2013-47), Mozilla Updater fails to update some Windows Registry entries (MFSA 2013-45), Local privilege escalation through Mozilla Maintenance Service (MFSA 2013-44), Privileged access for content level constructor (MFSA 2013-42).

Firefox 21 introduces a new feature, the Social API, which "makes it easy for your favorite social providers to add a sidebar with your content to Firefox or notification buttons directly on the Firefox toolbar."

It also introduces the Health Report, which "logs basic health information about your browser and then give you tools to understand that information and fix any problems you encounter".

Users are advised to upgrade Firefox as soon as possible. You can check the version and update your browser by selecting Help -> About Firefox.

Memory Corruption Vulnerability in Firefox 13

Security researcher Ucha Gobejishvili has discovered a memory corruption vulnerability in Firefox 13, the latest version of Mozilla Firefox.

The vulnerability can be exploited by local privileged user accounts with low user interaction, or remotely via a manipulated HTTP request with high required user interaction.

According to a Softpedia report, the researcher notified Mozilla about the vulnerability. He said that Mozilla confirmed the existence of the vulnerability and planned on fixing it in upcoming versions.

In a proof-of-concept video, the researcher showed that launching a specially crafted HTML file triggers the vulnerability, causing a denial-of-service (DoS) state.

In practice, an attacker would have to host a website that contains the malicious webpage. Then, with the aid of cleverly designed emails or instant messages, he could lure potential victims to the website.


NoScript Anywhere (NSA) Firefox Security Add on Available for Mobiles

NoScript Anywhere (NSA) is a well-known Firefox add-on that provides protection from cross-site scripting, clickjacking, and similar attacks by blocking malicious scripts. This extension is now also available for mobile operating systems (Android and Maemo builds).

This is the first complete version (NoScript 3 alpha 9) of the NoScript extension for mobile. NSA provides features like those of the desktop version. As in the desktop version, you can allow JavaScript on trusted sites (whitelist) and block it on all other sites (blacklist).

  • Easy per-site active content permissions management.
  • The first and most powerful anti-XSS (cross-site scripting) filter available in a web browser.
  • ClearClick, the one and only effective client-side protection against clickjacking.
  • ABE (App Boundaries Enforcer), a true webapp firewall inside your mobile browser to protect your router and web applications against CSRF and DNS rebinding attacks.
  • Restartless: no need to restart after you install the add-on.
  • New page permission editing UI, specifically redesigned for smartphone usage and easily accessible by tapping on a navigation bar icon.