Some of your guys are living under a false sense of security -
Ducati
=========================================================
Mozilla Patches Firefox Hole
Wed Mar 23, 4:00 PM ET Technology - PC World
Paul Roberts, IDG News Service
The Mozilla Foundation issued a patch this week for a previously undisclosed hole in its popular Firefox Web browser and is encouraging Firefox users to download the software update as soon as possible.
• Symantec: Hackers Turn Attention to Mozilla Browsers
• Mozilla Ditches Browser Suite
• Are Fewer People Switching to Firefox?
• Mozilla Warns of Firefox Security Holes
• Poll: Safari's Popularity Scorched By Firefox
The nonprofit organization released Firefox 1.0.2 (available as a free download) to fix a buffer overflow vulnerability in a Firefox feature for processing GIF image files. The patch is the second security patch issued in less than a month, but the foundation reassured users that the browser's open source platform is secure, and says it does not know of any active exploits for the hole.
The GIF processing hole was discovered by Internet Security Systems (ISS) and makes Firefox users who are running earlier versions of the browser vulnerable to buffer overflow attack, according to a statement released by the Mozilla Foundation.
ISS discovered the hole in a review of the Firefox source code, which is available on the Internet.
In a statement attributed to Chris Hofmann, the foundation's director of engineering, the discovery of the hole and release of a patch shortly after are evidence that the open source software model is safer and more secure than closed-source commercial code, because it is "scoured by thousands" of contributors, developers and professionals, and "not just the company's development team."
Cause for Concern?
In February, the Mozilla Foundation released Firefox 1.0.1 to fix 17 security vulnerabilities in Firefox, including changes to guard against spoofing of Web addresses and the security indicator on Web sites. However, the foundation is not planning to adopt a regular patch release cycle, which Microsoft uses, and will continue to issue updates as they are needed, Hofmann says in a statement.
Firefox has been gaining in popularity since the first full version of the browser was released in November. More than 27 million copies of Firefox have been downloaded since then, pushing Microsoft's Internet Explorer (IE) share of the browser market below 90 percent for the first time in years.
Firefox installations were 5.7 percent of the U.S. browser market as of February 18. IE controlled 89.9 percent, according to statistics released by Web tracking company WebSideStory.
However, Hofmann denies that Firefox is becoming a more attractive candidate for hackers as it gains market share.
"There is this idea that market share alone will make you have more vulnerabilities. It is not relational at all. Not being in the operating system and not supporting Microsoft's proprietary Active X are phenomenal advantages to us," he says in a statement.
=======================================================
Are Hackers Now Gunning for the Mac?
Macs still have fewer bugs than Windows PCs, but Apple moves to plug security holes before problems crop up.
========================================================
Rebecca Freed, PC World
Friday, October 15, 2004
In early October Apple released a small series of patches for Mac OS X version 10.2 and later. Most of the fixes in this group blocked possible denial-of-service problems that are, to date, theoretical. For example, one addresses vulnerability in a Unix printing system that might expose passwords to hackers, in uncommon situations.
In the Windows world, no sooner is an OS hole publicized than someone writes a hack to exploit it. Since the last Mac OS X security update was the third in a month, and because some of the holes looked ripe for exploiting, I have to wonder whether the Mac is now attracting more unwanted attention from hackers.
According to Tim Bajarin, principal analyst with research firm Creative Strategies and a longtime Apple watcher, "The vulnerabilities unfortunately are inherent in the Unix world, and Apple's choice to build OS X on a Unix foundation brings with it this risk. Apple's move is more proactive: They are constantly testing the OS to catch any potential security holes before they become an issue. In that sense, they have gone to school on Microsoft's problems in this space and are making sure they leave no stone unturned in their quest to keep the OS as secure as possible."
"At the same time," Bajarin continues, "the media attention about Apple's OS being secure has clearly tweaked the interest of hackers, but as of now we have not seen any serious effort by the hacking community to deliberately expose any holes or attack the OS."
John Gruber, author of the Weblog Daring Fireball and another savvy Mac observer, thinks the recent spate of updates is just a small, short-term uptick, and doesn't indicate that the Mac is losing the high ground in the war against viruses, worms, and Trojan horses. On the Mac's reputation for being more secure than Windows, he says, "It's important to note that Macs tend not to get attacked, not that they can't be attacked. The vast majority of the fixes in Mac OS X security updates are in response to potential exploits, not actual exploits."
"And many of the fixes in typical Mac OS X security updates aren't Mac-specific," Gruber says, "but rather are updates to open-source components and tools. Apple has been diligent with regard to keeping Mac OS X's Unix layer up-to-date."
My take? This just means that Mac users have to keep their OS patched--like Windows users--but there's no cause for alarm. Apple has an automatic update service, just as Microsoft does for Windows. Using this service is the best way to keep your Apple software current.
The Unix-based nature of Mac OS X remains much more of a strength than a liability. Although it allows greater exposure, it also makes it likely that programmers can and will respond with fixes quickly.
Regardless of whether this tarnishes Apple's halo, the bottom line remains that attacks on the Mac have been vastly fewer than those on Windows. Most typical Mac users still have little to fear from the miscreants we Windows users have to vigilantly guard against.
cwiz:
