CNAME Collusion – Seven Exchange 0-Days, Firefox Enhanced Tracking Protection, SolarWinds Password

Seven Exchange 0-days, Firefox Enhanced Tracking Protection, SolarWinds Password.

• Chrome to default to trying HTTPS first when not specified.
• Firefox’s “Enhanced Tracking Protection” just neutered 3rd-party cookies!
• As easy as “SolarWinds123”.
• Rockwell Automation’s CVE-2021-22681 is a CRITICAL 10 out of 10.
• VMware’s vCenter troubles.
• SpinRite update.
• Microsoft issues emergency patches for 4 exploited 0-days in Exchange.
• CNAME Collusion.

Mozilla retires Firefox’s sponsored tiles, hunts for new revenue streams

via Ars Technica.

Way back in 2014, Firefox rolled out an unpopular feature to its nightly builds: sponsored tiles on its “new tab” page. The feature, which was opt-in by default, showed ads that were based on your browsing history. Eventually, after a very long beta testing period, the sponsored tiles were loosed upon all 500 million-or-so Firefox users in May this year.

Now, just a few months later, the feature is being retired. Sponsored tiles will continue to appear for the next few months while Mozilla “fulfils its commitments” (i.e. clears out ad inventory), but then they’ll be gone entirely. Writing on the official Mozilla blog, vice president Darren Herman explains that, “advertising in Firefox could be a great business, but it isn’t the right business for us at this time because we want to focus on core experiences for our users.”

Later in the blog post, which was probably published on Friday afternoon in an attempt to dodge the news cycle, Herman repeats the refrain that we’ve heard many times over the last few years: “We believe that the advertising ecosystem needs to do better … Mozilla will continue to explore ways to bring a better balance to the advertising ecosystem for everyone’s benefit, and to build successful products that respect user privacy and deliver experiences based upon transparency, choice and control.”

In the meantime, Herman says that Mozilla wants to “reimagine content experiences and content discovery in our products.” As for what these reimaginations might look like though, we have no idea. Firefox did recently launch on iOS, however, so that’s something. Instead of sponsored tiles, maybe the new tab page will somehow suggest new sites for you to visit, based on your browsing history and category selections? Kind of like a mini in-browser Reddit?

Firefox’s targeted sponsored tiles always seemed a little out of place for a browser that is essentially predicated on free, libertarian ideals. You can’t exactly blame Mozilla for trying, though. Since its inception, Mozilla has been entirely reliant on revenues from search engines. For years, Google paid Mozilla hundreds of millions of dollars to be Firefox’s default search engine. In recent years, Mozilla has diversified its search engine defaults—Yahoo is now the default in the US, Yandex in Russia, and Baidu in China—but according to its 2014 financial report, 98 percent of its revenue still came from these search engine deals. If something dramatic causes those deals to fall through, Mozilla does ideally need another way of making money.

Speaking of which, just like Wikipedia, Mozilla’s annual donation drive is currently live: when you open up Firefox, you’ll be greeted with a screen that asks you for a donation. If you want to donate money, but the plea doesn’t appear in your browser, you can donate directly on the Mozilla website.

Firefox will stop supporting plugins by end of 2016, following Chrome’s lead

Google Chrome recently dumped support for plugins such as Java and Silverlight, and now it’s Firefox’s turn. Late Thursday, Mozilla announced on its blog that Firefox would stop supporting plugins based on the Netscape Plugin Application Programming Interface (NPAPI) architecture by the end of 2016.

For many years, NPAPI plugins helped browsers add functionality such as gaming, rich interactive maps, and video support. But plugins also came with problems such as security vulnerabilities, stability issues, and performance drawbacks. The Web standards community overcame these problems by creating native functionality, such as HTML 5 video, in order to do away with plugins.

For Mozilla’s Firefox, that journey will end at an unspecified date in 2016, three years after Firefox first started restricting plugin behavior with click-to-play functionality.

Even though plugins are going away, Flash will continue to receive special status in Firefox, as it does with Chrome. Although it’s falling out of fashion, Flash video and Flash-based ads are still widely available online. Once Flash becomes less pervasive support for it will likely disappear, and many companies are working toward that end. Amazon, for example, recently announced it would ban Flash-based ads.

While most NPAPI plugins can be replaced by native Web solutions, browser games based on the Unity gaming engine aren’t so lucky. Mozilla and Unity hope to bring Unity-based games to the browser without the need for plugins by optimizing the Web Graphics Library (WebGL). On Thursday, Unity officially deprecated its Web Player plugin and said Unity 5.4 will ship in March 2016 without Web Player support. Looks like Flash-based gaming websites will have to change this message:

The impact on you at home: The average web user probably won’t notice much of a change when NPAPI disappears from Firefox. Very little functionality is being lost thanks to native Web technologies. A major exception to that would be gaming. If you play a Unity-based browser game, one solution is to keep the final NPAPI-supporting version of Firefox—or a Firefox-based alternative—around so you can continue to play. Using an outdated browser is not advisable, however, so make sure you use it only for gaming. For banking, email, and the like, stick with a regularly updated browser.

Source: Firefox will stop supporting plugins by end of 2016, following Chrome’s lead | PCWorld

Firefox’s VoIP service, Firefox Hello, adds instant-messaging

If you suffered through the Skype outage earlier this week, Mozilla would like you to know that you have another option: Firefox Hello.

The latest update of the Firefox browser (version 41.0) adds instant-message capabilities to Firefox Hello, the integrated VoIP client that Mozilla has put in the browser with assistance from Telefonica. It’s not perfect, but it doesn’t need a dedicated client—or even a Mozilla browser—to work.

To access Firefox Hello’s new capabilities, you’ll need the latest version of Firefox. (Firefox should update automatically, but you can force an update by opening the “hamburger” menu in the upper right, then finding the tiny “?” or help button near the bottom of the menu choices. Then click on “About Firefox” and the browser will kick off the update.)

Firefox Hello allows you to connect via video, or you can chat in the accompanying text box. Credit: Mark Hachman

To access Hello, you’ll need to click the “smiley-face” conversation icon in the menu bar, to the upper right. A small video window will then open, and you’ll have the option to send or share a link with your friends. (You can also adjust the “context” of the chat, meaning that you can send a quick note to let a friend know what it will be about.)

Hello seems to work just fine—if it can detect the correct hardware. I tried it with a Lenovo Yoga 13, and it couldn’t find either my microphone or video camera. (Skype found my video camera, but not an attached microphone, so there may be issues there.) On a Surface Pro 3, Firefox Hello used the rear camera rather than the front-facing camera, so I shared a lovely view of my monitor stand. I can’t see an easy way to fix that, either. Chatting worked fine, however, as you might expect. There’s even an option to share your screen (either tabs or windows), though I did not try that out.

Although Firefox fared well in our latest browser tests, the company has struggled to compete with the more entrenched browsers: Internet Explorer (built into Windows), Apple’s Safari (integrated into Mac OS), and the Chrome browser that ships with Chromebooks and that millions of users have independently downloaded on other platforms. According to NetApplications, Firefox ranks fourth, with 9.5 percent of the market in August.

Why this matters: You might argue that Firefox Hello is a gimmick. On the other hand, it’s also a way to add value. Browsers like Edge can tap services like Microsoft’s Cortana to add new capabilities, but Mozilla doesn’t have that option. Still, Firefox has always been known for its extensive plugin support; Hello simply pushes one of these into the spotlight.

Source: Firefox’s VoIP service, Firefox Hello, adds instant-messaging

Firefox 40 adds Windows 10 UI tweaks, expanded malware protection and more

The Mozilla Foundation has released Firefox version 40 to its public channel for both desktop and Android devices. The milestone update includes a minor Windows 10-inspired UI update and expanded malware protection in addition to the usual batch of bug fixes.

Mozilla said it has made “thoughtful” tweaks to the Firefox interface to give it a streamlined feel. Specifically, version 40 includes larger design elements – a larger “close” button on tabs and a bigger font in the address bar, for example – to make it easier to use with touchscreen devices on small screens.

Following Mozilla’s public outcry to Microsoft regarding the Windows 10 upgrade process, it comes as little surprise to see the foundation address some of its qualms in the new version of Firefox. Mozilla has created some support material to help show users how to restore or select Firefox as their default browser in Windows 10.

When using the search field on the Windows 10 taskbar to search the web, Firefox will display results from whichever search engine you select as your default instead of relying on Bing. Other browsers require third-party extensions to pull off the same task although that’s likely to change in the near future.

New developments in Google’s Safe Browsing service now allow Firefox 40 to issue a warning if you’re about to navigate to a website known to contain malicious or deceptive software.

via Firefox 40 adds Windows 10 UI tweaks, expanded malware protection and more – TechSpot.

New Firefox features will eventually be limited to secure websites only

Mozilla is planning to gradually favor HTTPS (HTTP Secure) connections over non-secure HTTP connections by making some new features on its Firefox browser available only to secured sites.

The browser developer decided after a discussion on its community mailing list that it will set a date after which all new features will be available only to secure websites, wrote Firefox security lead Richard Barnes in a blog post. Mozilla also plans to gradually phase out access to browser features for non-secure websites, particularly features that could present risks to users’ security and privacy, he added.

The community still has to agree on which new features will be blocked for non-secure sites. Firefox users could, for instance, still be able to view non-secure websites. But those websites would not get access to new features such as access to new hardware capabilities, Barnes said.

“Removing features from the non-secure web will likely cause some sites to break. So we will have to monitor the degree of breakage and balance it with the security benefit,” he said, adding that Mozilla is already considering less severe restrictions for non-secure websites to find the right balance. At the moment, Firefox already blocks, for example, persistent permissions from non-secure sites for access to cameras and phone.

Mozilla’s move follows the introduction of “opportunistic encryption” to Firefox last month, which provides encryption for legacy content that would otherwise have been unencrypted. While that does not protect from man-in-the-middle attacks like HTTPS does, it helps against passive eavesdropping and was welcomed by security experts.


via New Firefox features will eventually be limited to secure websites only | PCWorld.

Firefox 37 supports easier encryption option than HTTPS

The latest version of Firefox has a new security feature that aims to put a band-aid over unencrypted website connections. Firefox 37 rolled out earlier this week with support for opportunistic encryption, or OE. You can consider OE a sort of halfway point between no encryption (known as clear text) and full HTTPS encryption, and one that’s simpler to implement.

For users, this means you get at least a modicum of protection from passive surveillance (such as NSA-style data slurping) when sites support OE. It will not, however, protect you against an active man-in-the-middle attack as HTTPS does, according to Mozilla developer Patrick McManus, who explained Firefox’s OE rollout on his personal blog.

Unlike HTTPS, OE uses an unauthenticated encrypted connection. In other words, the site doesn’t need a signed security certificate from a trusted issuer as you do with HTTPS. Signed security certificates are a key component of the security scheme with HTTPS and are what browsers use to trust that they are connecting to the right website.

The impact on you: Firefox support is only half of the equation for opportunistic encryption. Websites will still have to enable support on their end for the feature to work. Site owners can get up and running with OE in just two steps, according to McManus. But that will still require enabling an HTTP/2 or SPDY server, which, as Ars Technica points out, may not be so simple. So while OE support in Firefox is a good step for users, it will only start to matter when site owners begin to support it.

More than OE

Beyond support for OE, the latest build of Firefox also adds an improved way to protect against bad security certificates. The new feature called OneCRL lets Mozilla push lists of revoked certificates to the browser instead of depending on an online database.

The new Firefox also adds HTTPS to Bing when you use Microsoft’s search engine from the browser’s built-in search window.


via Firefox 37 supports easier encryption option than HTTPS | PCWorld.

Fully patched versions of Firefox, Chrome, IE 11 and Safari exploited at Pwn2Own hacking competition

As in years past, the latest patched versions of the most popular web browsers around stood little chance against those competing in the annual Pwn2Own hacking competition. The usual suspects – Apple Safari, Google Chrome, Mozilla Firefox and Microsoft Internet Explorer – all went down during the two-day competition, earning researchers a collective total of $557,500 in prize money.

The event, which took place at the CanSecWest conference in Vancouver, was sponsored by the Hewlett-Packard Zero Day Initiative. During the first day, HP awarded $317,500 to researchers that exploited flaws in Adobe Flash, Adobe Reader, Internet Explorer and Firefox.

eWeek notes that the first reward, paid to a hacker by the name of ilxu1a, was for an out-of-bounds memory vulnerability in Firefox. It took less than a second to execute, which earned him a cool $15,000.

Firefox was exploited twice during the event. Daniel Veditz, principal security engineer at Mozilla, said the foundation was on hand during the event to get the bug details from HP. Engineers are already working on a fix back at home, he added, that could be ready as early as today.

Another security researcher, JungHoon Lee, managed to demonstrate exploits against Chrome, IE 11 and Safari. As you can imagine, he walked away with quite a bit of money: $75,000 for the Chrome bug, $65,000 for IE and $50,000 for the Safari vulnerability. He also received two bonuses totaling $35,000.


via Fully patched versions of Firefox, Chrome, IE 11 and Safari exploited at Pwn2Own hacking competition – TechSpot.

First 64-bit Firefox build released, promising speed boost and beefier web gaming

Mozilla has joined the 64-bit browsing party with Firefox for Windows, but only in the Developer Edition for now.

The Developer Edition is a special version of Firefox with built-in tools for creating websites and web apps. While OS X and Linux already have a 64-bit version, Mozilla is just adding a Windows build with 64-bit support now.

The main advantage of 64-bit browsing is the ability to address more than 4 GB of RAM, allowing for beefier web apps. As an example, Mozilla points to games that run on Epic’s Unreal Engine, noting that a 64-bit browser can store significantly more assets in memory. “For some of the largest of these apps, a 64-bit browser means the difference between whether or not a game will run,” Mozilla wrote in a blog post.


An Unreal Engine game running inside 64-bit Firefox.

Beyond the additional memory, Mozilla says the 64-bit browser is simply faster, speeding up JavaScript code through new hardware registers and instructions that aren’t available with the 32-bit version. In one test of certain JavaScript applications, throughput improved by 8 percent to 17 percent.

It’s unclear when 64-bit browsing will make its way to the main version of Firefox for Windows. But given that the Developer Edition is on version number 38, and the stable version is on 36, a mainstream release is probably a few months out. If you’re running the Developer Edition now and want to switch to 64-bit, Mozilla recommends uninstalling the Win32 version without deleting your profile, and then downloading the 64-bit version.

Why this matters: Internet Explorer and Chrome already offer 64-bit browsers, so you might view Firefox as merely hopping on the trend. Still, it’s telling that Mozilla called out gaming as a potential application. The group has been a major proponent of gaming in the browser, collaborating with Unity on a tool to port games to the web without plug-ins, and working with Epic Games on a web version of Unreal Engine 4. Powerful web-based gaming has been a dream for years, and 64-bit browsing is a key piece of the puzzle.


via First 64-bit Firefox build released, promising speed boost and beefier web gaming | PCWorld.

‘Super cookies’ can track you even in private browsing mode, researcher says

If there’s one thing websites love to do it’s track their users. Now, it looks like some browsers can even be tracked when they’re in private or incognito mode. Sam Greenhalgh of U.K.-based RadicalResearch recently published a blog post with a proof-of-concept called “HSTS Super Cookies.” Greenhalgh shows how a crafty website could still track users online even if they’ve enabled a privacy-cloaking setting.

The key to the exploit is to use HTTP Strict Transport Security (HSTS) for something it wasn’t intended for. HSTS is a modern web feature that allows a website to tell a browser it should only connect to the site over an encrypted connection.

Say, for example, John types SecureSite’s address into his browser with HSTS enabled. SecureSite’s servers can then reply to John’s browser that it should only connect to SecureSite over HTTPS. From that point on, all connections to SecureSite from John’s browser will use HTTPS by default.

The problem, according to Greenhalgh, is that for HSTS to work your browser has to store the data about which sites it must connect to over HTTPS. But that data can be manipulated to fingerprint a specific browser. And because HSTS is a security feature most browsers maintain it whether you’re in private or normal mode—meaning that after your browser has been fingerprinted, you can be tracked even if your browser is in incognito mode.


Even under cover of incognito mode, HSTS Super Cookies still make browsers trackable.

When in private browsing or incognito mode (sometimes called “porn mode”) your browser won’t store data such as cookies and browsing history once the private browsing session has ended—unless it’s tricked into doing so by a Super Cookie.

The story behind the story: Although Greenhalgh’s blog post is gaining traction, people have been talking about the privacy and security trade-offs of HSTS for some time. The Chromium team, which creates the open source browser that Chrome is based on, discussed the issue as early as 2011. In 2012, security firm Leviathan published a blog post raising similar concerns, and Robert “RSnake” Hansen raised the issue on his blog in 2010.

Protecting yourself

Although this issue has been known for some time it’s not clear if any sites are actually using this weakness to track users. Regardless, you can protect yourself on Chrome by erasing your cookies before going into incognito mode. Chrome automatically flushes the HSTS database whenever you delete your cookies. Firefox does something similar, but Greenhalgh says the latest version of Firefox solved this issue by preventing HSTS settings from carrying over to private browsing modes.
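The following is an added example, not code from the article, Greenhalgh, or any browser vendor. It models the mechanism described above (a browser’s list of HSTS hosts, filled from Strict-Transport-Security headers and consulted before every http:// navigation) and the two protections the section mentions: Chrome flushing the HSTS database together with cookies, and Firefox giving private windows a separate, throwaway store so HSTS state does not carry over in either direction. Host names, header values and the clock are constructed sample data; header parsing follows RFC 6797.

```python
"""Added example (not from the article or Mozilla): a minimal model of a
browser's HSTS store and of the two mitigations the article mentions.
Host names and response headers below are constructed sample data."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    max_age: int
    expires_at: float
    include_subdomains: bool


def parse_hsts(header: str, now: float) -> Optional[HstsEntry]:
    """Parse a Strict-Transport-Security value per RFC 6797.
    Returns None when the header is invalid (no numeric max-age, or a
    directive repeated), which a conforming browser must ignore."""
    directives: Dict[str, str] = {}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None
    return HstsEntry(int(max_age), now + int(max_age), "includesubdomains" in directives)


class HstsStore:
    """The per-browser list of 'known HSTS hosts' the article describes."""

    def __init__(self, now: Callable[[], float]):
        self._now = now
        self._hosts: Dict[str, HstsEntry] = {}

    def observe_response(self, host: str, headers: Dict[str, str], over_tls: bool) -> None:
        # RFC 6797 section 8.1: the header is only honoured over an authenticated TLS connection
        value = headers.get("strict-transport-security")
        if not over_tls or value is None:
            return
        entry = parse_hsts(value, self._now())
        if entry is None:
            return
        host = host.lower()
        if entry.max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self._hosts[host] = entry

    def is_known(self, host: str) -> bool:
        """Exact match, or a non-expired ancestor entry with includeSubDomains."""
        now = self._now()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry.expires_at > now and (i == 0 or entry.include_subdomains):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """What the browser does before sending: upgrade http:// for known hosts."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def clear(self) -> None:
        self._hosts.clear()  # Chrome's behaviour when cookies are deleted


class PrivateSession:
    """A private/incognito window. isolate=True is the Firefox fix: the window
    gets a fresh, empty store that is discarded with the session, so nothing
    set in normal mode is visible here and nothing set here persists."""

    def __init__(self, persistent: HstsStore, isolate: bool, now: Callable[[], float]):
        self.store = HstsStore(now) if isolate else persistent


# Constructed sample header, as a site would send it over TLS.
STS = {"strict-transport-security": "max-age=31536000; includeSubDomains"}


def demo(isolate: bool, clear_cookies_first: bool = False) -> Dict[str, str]:
    """A normal-mode visit sets HSTS state; then a private window navigates.
    A site can tell a returning browser from a new one by whether the request
    arrives over https, which is the fingerprint the article warns about."""
    clock = [1_000_000.0]
    now = lambda: clock[0]
    persistent = HstsStore(now)
    persistent.observe_response("securesite.example", STS, over_tls=True)
    if clear_cookies_first:
        persistent.clear()
    private = PrivateSession(persistent, isolate, now)
    # The private window also visits another HSTS site; only a shared store
    # would let that state carry over into normal browsing afterwards.
    private.store.observe_response("other.example", STS, over_tls=True)
    return {
        "normal": persistent.rewrite("http://securesite.example/"),
        "private": private.store.rewrite("http://www.securesite.example/"),
        "after_private": persistent.rewrite("http://other.example/"),
    }
```

With `isolate=False` (one store shared by both modes) the private window’s request to `www.securesite.example` is upgraded to https, which is exactly the signal a tracking site reads; with `isolate=True` it goes out as plain http and the private visit to `other.example` leaves no trace in the persistent store. `clear_cookies_first=True` shows why clearing cookies helps on a browser that flushes HSTS with them.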

Safari is a bigger problem, however, as there is apparently no obvious way to delete the HSTS database on Apple devices like the iPad or iPhone, Greenhalgh says. HSTS flags are also synced with iCloud, making HSTS Super Cookie tracking even more persistent (at least in theory) when using Apple hardware.

HSTS Super Cookies only appear to work if you first visit a site in a non-private mode. Anyone visiting a site for the first time in private mode will not carry over an HSTS super cookie to their regular browsing.

As for Internet Explorer users, the good news is you are completely protected from this type of tracking! Now for the bad news: It’s because IE doesn’t support HSTS at all.

via ‘Super cookies’ can track you even in private browsing mode, researcher says | PCWorld.