Mozilla, Google Plug Critical Browser Holes

Just 48 hours after the release of exploit code targeting a zero-day vulnerability in Firefox 3.5, Mozilla’s security response team has rushed out a patch to protect users from code execution attacks.
With Firefox 3.5.1, rated a “critical” update, the open-source group corrects a browser crash that could result in an exploitable memory corruption problem.

Password Strength and Keeping Online Accounts Safe

From Google Online Security Blog (Macduff Hughes)
There’s been some discussion today about the security of online accounts, so we wanted to share our perspective. These are topics that we take very seriously because we know how important they are to our users. We run our own business on Google Apps, and we’re highly invested in providing a high level of security in our products. While we can’t discuss individual user or customer cases, we thought we’d try to clear up any confusion by taking some time to explain how account recovery works with various types of Google accounts and by revisiting some tips on how users can help keep their account data secure. Read the full story [Google Online Security Blog].

Dowd, Hawkes Win Google Native Client Attack Contest

Mark Dowd and Ben Hawkes, two well-known security researchers, have won a contest put on by Google to find exploitable security flaws in the company’s Native Client system. The pair discovered 12 exploitable issues, seven more than the next most successful team.

A collection of some of the top names in the security community has sent a letter asking Google to force users of its online applications to use secure connections by default. And Google has responded quickly, saying that it is investigating the possibility of enabling HTTPS connections by default for users of Gmail, Google Calendar and other applications.

From The H Security
A vulnerability in WebKit can be exploited by an attacker to crash a tab or execute arbitrary code in Google Chrome due to a memory corruption issue in WebKit’s handling of recursion in certain DOM event handlers. For an attack to be successful, a victim must first visit a maliciously crafted website. The malicious code, however, will be sandboxed, limiting the damage that an attacker can do when exploiting the vulnerability. Nonetheless, Google considers the vulnerability to be a high risk. Read the full story []

By Nate Lawson, Root Labs
I recently found a security flaw in the Google Keyczar crypto library. The impact was that an attacker could forge signatures for data that was “signed” with the SHA-1 HMAC algorithm (the default algorithm).
Firstly, I’m really glad to see more high-level libraries being developed so that programmers don’t have to work directly with algorithms. Keyczar is definitely a step in the right direction. Thanks to all the people who developed it. Also, thanks to Stephen Weis for responding quickly to address this issue after I notified him (Python fix and Java fix).

From The Register (Dan Goodin)

A nasty infection that attempts to install a potent malware cocktail on the machines of end users has spread to about 30,000 websites run by businesses, government agencies and other organizations, researchers warned Friday [].

The infection sneaks malicious javascript onto the front page of websites, most likely by exploiting a common application that leads to a SQL injection, said Stephan Chenette, manager for security research at security firm Websense. The injected code is designed to look like a Google Analytics script, and it uses obfuscated javascript, so it is hard to spot. Read the full story []

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.