[IS&T Security-FYI] Newsletter, March 28, 2008
Monique Yeaton
myeaton at MIT.EDU
Fri Mar 28 09:24:27 EDT 2008
In this issue:
1. Mozilla Security Updates
2. Security in Browsers
----------------------------------
1. Mozilla Security Updates
----------------------------------
Products affected:
* Mozilla Firefox
* Mozilla Thunderbird
* Mozilla SeaMonkey
The Mozilla and SeaMonkey projects have released Mozilla Firefox
2.0.0.13, Thunderbird 2.0.0.13, and SeaMonkey 1.1.9 this week to
address several vulnerabilities. An attacker could exploit these
vulnerabilities by convincing a user to view a specially crafted HTML
document, such as a web page or an HTML email message. The Firefox
update fixes six vulnerabilities, two of which Mozilla rated as
critical.
To download the latest Mozilla product, visit:
<http://www.mozilla.org/download.html>
-----------------------------
2. Security in Browsers
-----------------------------
Why is security in browsers so important? Because many attacks are
now designed to exploit flaws in the browsers we use. Spoofing,
cross-site scripting, and malicious code installation are some of the
results of these exploits. So when a browser vendor releases a new
update, it is always done to try to close these kinds of holes through
which attacks can be made.
The result of all these security features, however, is that although
users want web browsers that keep them safe on the Web from phishing,
malware, and web irritants such as popups, they will stubbornly click
through warning dialogs, ignore security indicators, and generally
behave in reckless ways in order to complete their tasks. Who could
blame them? Historically, the techniques web browsers have used to
communicate with users about security have been a rogues' gallery for
the User Interface Hall of Shame. Security indicators are out of the
way and hard to interpret, terminology is relentlessly confusing, and
the responsibility for deciding what is safe and what is not is
tossed into the user's lap like a hot potato.
In the recent release of Firefox 2.0.0.13, and in last year's release
of IE7, users will notice an abundance of warning dialogs. Firefox
2.0.0.13 changed the default behavior for personal certificates to
prompt the user each time a web site requests a certificate. The old
behavior, of not prompting the user, made it easier for a malicious
web site to track users' activities by requesting the client
certificate, even when the request came from a different domain. To
get past this warning, you will need to select "OK" in response to
this message when visiting MIT pages that require a personal
certificate.
Is this going to be tedious after a while? It may be. Those users who
have used Vista or IE7 will already be familiar with this type of
security behavior. It is important to stay aware of what you are
doing when on the Web. It's easy to be distracted and click "OK" even
when it might be better not to.
Tips on securing your web browser can be found on the US-CERT site here:
<http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#how_to_secure>
[portion of article source: Johnathan Nightingale, Mozilla Corporation]
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security