Alternative Details brings news that PayPal is developing a plan to stop users from accessing its financial services if they aren’t using browsers with anti-phishing protection. PayPal is recommending the use of blacklists, anti-fraud warning pages, and EV SSL certificates. Browsers without anti-phishing features will be considered "unsafe." It seems likely Safari will be included in this category given PayPal’s warning about the Apple browser last month.
"’At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe–usually the oldest–browsers,’ he declared. Barrett only mentioned old, out-of-support versions of Microsoft’s Internet Explorer among this group of ‘unsafe browsers,’ but it’s clear his warning extends to Apple’s Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates."
Archive
Tag: Internet ExplorerToday Web developers everywhere breathed a sigh of relief when Microsoft’s Internet Explorer team revealed their latest milestone: IE8 now renders the Acid2 face properly!
For those who aren’t familiar with this test, Acid2 is designed to determine how compliant a given web browser is with published HTML. A fully compliant browser displays a smiling yellow face. However, non-compliant browsers show varying degrees of garbage.
While we appreciate Microsoft’s effort to embrace open web standards (finally), there is something a bit suspicious about the wording of the announcement. Apparently, IE8 only passes the test when operating in something called “Standards Mode”.
We can only wonder what Microsoft is up to with such an odd distinction. Will IE8 run in Standards Mode or another mode by default in the future? Only time will tell.
The first real, official, and honest to-goodness beta release of Firefox 3 is out. You know, not like that little false alarm pre-beta version we told you about a few weeks ago.
Still, the main differences between this beta and that pre-release copy are that the Firefox team has spent a few more weeks hammering out bugs. The feature set is pretty much what we knew it would be.
- Updates to the Gecko rendering engine which should improve stability.
- New Places feature makes it easier to find the sites you’ve visited most recently, most often, or starred for coming back to later.
- New security features alert you when you’re visiting insecure web sites and let you auto-scan downloads with your antivirus software
We’re still not quite ready to replace Firefox 2 with an admittedly still buggy beta. But it’s pretty exciting to see where Mozilla is going with its flagship web browser.
Security researcher Thor Larholm has published a description of how the security flaw works, including a proof-of-concept (though some have reported that they cannot get this to work). When installed on Windows, Firefox registers a URL protocol handler to handle firefoxurl:// URLs (this works much like a http:// or ftp:// URL protocol handler). If an IE user visits a webpage that tries to call a firefoxurl:// URL (for example, using an iframe), IE will launch Firefox with no further prompting, passing it the URL. Neither IE nor Firefox escape or sanitise the URL, which allows an attacker to inject additional parameters into the command line used to invoke Firefox. Used in combination with the -chrome parameter, the attacker can make Firefox execute dangerous JavaScript code.
There's some debate as to where the blame lies — is it IE for passing untrusted data to another application or Firefox for not validating input properly? SecurityFocus refers to the problem as a Microsoft Internet Explorer FirefoxURL Protocol Handler Command Injection Vulnerability, placing the blame with Redmond, whileSecunia calls it a Firefox "firefoxurl" URI Handler Registration Vulnerability, pointing the finger at Mozilla. News.com quotes Oliver Friedrichs ofSymantec's Security Response Center, who says, "It's a little bit of both." continue reading…
Lest you think that the ANI thing was the only thing going on today, you’d miss the other part of today’s entertainment. There’s a new Trojan spam going around trying to entice you to download MSFT IE7.0 Beta 2 (never mind that it’s been released). This is, in fact, a new Trojan (Grum) and appears to be entirely unrelated to the ANI threat. The emails have a shiny “download IE7″ graphic in them: continue reading…
This would fall under the cataegory of why I do not personally use autoupdate for Microsoft Windows. Of course, I do not use autoupdate for any program – just in case. It has been good practice to give any update a week or so before downloading and/or applying as most bugs for popular programs are discovered fairly quickly.
After people apply the MS06-042 update, rated “critical” by Microsoft, IE may crash when certain Web sites are viewed, the company said in a notice on its customer support Web site. The problem affects IE 6 with Service Pack 1 on Windows XP and Windows 2000 systems, it said.
“Microsoft has identified an issue with the security update MS06-042,” the company said in a statement Tuesday. It plans to re-release the bulletin and patch on Aug. 22 for all affected users.
The problem occurs when IE users view Web sites that use version 1.1 of HTTP alongside compression, according to Microsoft’s notice. HTTP, or hypertext transfer protocol, is the standard protocol used to browse Web sites.