Last 50 'Browsers' Tagged Posts

Summary of Google+ browser security protections

Ray "Vanhalen" Kelly has written a post describing the security mechanisms used by Google+, as well as compares them to facebook. In particular he reviews each HTTP protection header and provides a good explanation of the purpose of each protection. Link: https://www.barracudanetworks.com/blogs/labsblog?bid=1743

Results of internet SSL usage published by SSL Labs

Ivan Ristic (of modsecurity fame) has published the results of an evaluation against over 900,000 websites supporting SSL. The goal of this evaluation was to see how people really use/misuse ssl in the wild, as well as report on the usage of browser protections such as the Secure cookie flag, and Strict-Transport-Security....

Another use of Clickjacking, Cookiejacking!

Rosario Valotta has published an interesting attack against IE that takes advantage of clickjacking. In a nutshell it combines origin flaws within IE with clickjacking to trick a user into copying/pasting their own cookies from any site! Demonstration below The technical details can be found at https://sites.google.com/site/tentacoloviola/cookiejacking and his slides at https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnx0ZW50YWNvbG92aW9sYXxneDoxMWJlZTI5ZjVhYjdiODQx

Easy Method For Detecting Caching Proxies

While thinking about some of the transparent proxy problems I came up with a fairly reliable way to detect caching proxies. Caching proxies can be either explicit or transparent, but are typically used in a transparent mode by an ISP to cut down on upstream bandwidth. A side effect (and benefit :)...

Interesting IE leak via window.onerror

Chris Evans has posted an interesting bug in IE involving using JavaScript's window.onerror to leak cross domain data. From his blog "The bug is pretty simple: IE supports a window.onerror callback which fires whenever a Javascript parse or runtime error occurs. Trouble is, it fires even if www.evil.com registers its own window.onerror...

CGISecurity.com Turns 10!: A short appsec history of the last decade

Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP nor WASC had been created, and the www-mobile list was effectively the only place to discuss web related vulns and attacks . When I first started...

Paper: Feasibility and Real-World Implications of Web BrowserHistory Detection

Artur Janc and Lukasz Olejnik have published a whitepaper outlining CSS history techniques along with results of what they found from real world users. From the whitepaper"Browser history detection through the Cascading Style Sheets visited pseudoclass has long been known to the academic security community and browser vendors, but has been largely...

Mozilla releases browser checker to see if you're running vulnerable plugins

Mozilla has released a tool that identifies which browser plugins you have installed, identifies if it is vulnerable, and provides you with links to get the updates. Very handy! Browser Plugin Check: https://www.mozilla.com/en-US/plugincheck/

Release of Strict Transport Security https module for ASP.NET.

Sacha Faust has published an IIS https module for the Strict Transport Security protocol. From his blog "I’ve been tackling the problem of users connecting to online services from untrusted network. At work we typically call this the “Startbucks” scenario where a user is connecting to a random wifi and accessing corporate...

Random FireFox URL handling Behavior

About a year ago I discovered this by accident and hadn't seen it published anywhere so thought it was worth mentioning. If you enter the following into the firefox URL bar it will follow them to www.cnn.com. [https://www.cnn.com] [https://]www.cnn.com [https://www].cnn.com Etc... You can also substitute [] for {} or " and it...

Firefox 3.6 locks out rogue add-ons

From computerworld "Mozilla will add a new lockdown feature to Firefox 3.6 that will prevent developers from sneaking add-ons into the program, the company said. The new feature, which Mozilla dubbed "component directory lockdown," will bar access to Firefox's "components" directory, where most of the browser's own code is stored. The company...

Strict Transport Security (STS) draft specification is public

Fellow coworker Jeff Hodges has announced the formal specification draft for Strict Transport Security. STS is a new proposed protocol for allowing a website to instruct returning visitors to never visit the site on https, and to only visit the site over https and is entirely opt in. This can prevent MITM...

Chrome adds defence for cross-site scripting attacks, already busted

"The 4.0.207.0 release uses a reflective XSS filter that checks each script before it executes to check if the script appears in the request that generated the page. Should it find a match, the script will be blocked. According to Chromium developer Adam Barth, the developers plan to post an academic paper...

Firefox 3.5 0Day published

"The exploit portal Milw0rm has published an exploit for Firefox 3.5. The exploit demonstrates a security vulnerability by starting the Windows calculator. In testing by heise Security, the exploit crashed Firefox under Vista, but security service providers Secunia and VUPEN confirmed that attackers using prepared websites can infect PCs. The cause of...

Google Chrome Fixes Buffer Overflow Vulnerability

"Google Chrome 2.0.172.33 has been released to the Stable and Beta channels. This release fixes a critical security issue and two other networking bugs. CVE-2009-2121: Buffer overflow processing HTTP responsesGoogle Chrome is vulnerable to a buffer overflow in handling certain responses from HTTP servers. A specially crafted response from a server could...

Browser Security: Lessons from Google Chrome

An article on security in Google's Chrome browser has been published. "The Web has become one of the primary ways people interact with their computers, connecting people with a diverse landscape of content, services, and applications. Users can find new and interesting content on the Web easily, but this presents a security...

New paper by Amit Klein (Trusteer) - Temporary user tracking in major browsers and Cross-domain information leakage and attacks

Amit Klein posted the following to the web security mailing list yesterday. "User tracking across domains, processes (in some cases) and windows/tabs is demonstrated by exploiting several vulnerabilities in major browsers (Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and to a limited extent Google Chrome). Additionally, new cross-domain information leakage, and cross...

Compromising web content served over SSL via malicious proxies

Microsoft research has published an excellent paper describing many browser flaws. The use case primary involves an attacker hijacking the explicitly configured proxy used by the user and via HTTP code trickery they can access the content on an HTTPS established connection. It also outlines browser flaws involving caching of SSL certs...

Apple releases OS X 10.5.7 security updates

"Apple released an update to its Leopard operating system yesterday that comes loaded with a host of security and bug fixes as well as added hardware support. The Cupertino-based firm said OS X 10.5.7 patches several security loopholes related to PHP, CoreGraphics, Apache Web server and the company’s browser Safari. Three separate...

Google Chrome Update Addresses 2 Security Flaws

CVE-2009-1441: Input validation error in the browser process. A failure to properly validate input from a renderer (tab) process could allow an attacker to crash the browser and possibly run arbitrary code with the privileges of the logged on user. To exploit this vulnerability, an attacker would need to be able to...

Google Chrome Universal XSS Vulnerability

"During unrelated research, I came across a number of security issues that reside in various parts of Google's web browser - Google Chrome. These issues pose a major threat to any user that browses a maliciously crafted page using Internet Explorer and has Google Chrome installed alongside. Using a vulnerability in the...

Opera JavaScript for hackers

Gareth Heyes wrote a nice blog entry on JavaScript hacks: "I love to use JavaScript in unexpected ways, to create code that looks like it shouldn't work but does, or produces some unexpected behavior. This may sound trivial, but the results I've found lead to some very useful techniques. Each of the...

Firefox 3.0.9 Released to Fix Multiple Security Flaws

MFSA 2009-22 Firefox allows Refresh header to redirect to javascript: URIs MFSA 2009-21 POST data sent to wrong site when saving web page with embedded frame MFSA 2009-20 Malicious search plugins can inject code into arbitrary sites MFSA 2009-19 Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString MFSA 2009-18 XSS hazard using third-party stylesheets...

Browsers hacked in seconds in Pwn2Own contest

"Security researcher Charlie Miller held onto a vulnerability for an entire year, before using it on Wednesday to win $5,000 and an Apple laptop at the Pwn2Own contest here at the CanSecWest conference. Miller — a principal analyst at Independent Security Evaluators — found two flaws in Apple's Safari Web browser more...

Firefox 3.0.7 fixes multiple security flaws

"Mozilla Corp. today patched eight security vulnerabilities in Firefox, half of them critical memory corruption flaws in the browser's layout and JavaScript engines. Firefox 3.0.7, the second security update this year to the open-source browser, fixes about the same number of bugs that Mozilla patched a month ago. Of the eight vulnerabilities,...

Opera 9.64 Security Updates and Enhancements

From Opera's changelog Fixed an issue where specially crafted JPEG images ccould be used to execute arbitrary code, as reported by Tavis Ormandy of the Google Security Team; see our advisory Fixed an issue where plug-ins could be used to allow cross domain scripting, as reported by Adam Barth; details will be...

Seven Must-Have Firefox Security Add-Ons

"Ensuring that the browser is up to date can help minimize security risks, but perhaps the most interesting feature of Firefox from a security perspective is the possibility of enhancing the browser's security with the addition of browser extensions or add-ons. Of course any add-ons risks adding new vulnerabilities, but if they...

Apple goes public with security in Safari 4

"Apple announced on Tuesday the public availability of its next browser, Safari 4, seemingly adding a host of new security features to the program along with speedier Javascript processing and additional eye candy, such as cover flow. The security features are not new, however. The company quietly added anti-malware and phishing protection,...

The Multi-Principal OS Construction of the Gazelle Web Browser

I was reading slashdot and saw that Microsoft has released a paper outlining a new secure browser architecture. From the abstract "Web browsers originated as applications that people used to view static web sites sequentially. As web sites evolved into dynamic web applications composing content from various web sites, browsers have become...

Firefox 3.0.6 Released To Address Multiple Security Issues

Fixed in Firefox 3.0.6 MFSA 2009-06 Directives to not cache pages ignored MFSA 2009-05 XMLHttpRequest allows reading HTTPOnly cookies MFSA 2009-04 Chrome privilege escalation via local .desktop files MFSA 2009-03 Local file stealing with SessionStore MFSA 2009-02 XSS using a chrome XBL method and window.eval MFSA 2009-01 Crashes with evidence of memory...

Microsoft Fixes Clickjacking in IE8?

"Microsoft has introduced a release client version of its latest browser, Internet Explorer 8 (IE8), and the new iteration of the application includes several security improvements, including a noteworthy attempt to address the emerging problem of clickjacking attacks. For those who don't recall, clickjacking is a relatively new technique -- first detailed...

Safari RSS Reader Vulnerability

In 2006 I gave a talk at blackhat on the risks of RSS vulnerabilities. It appears Safari has a flaw in its RSS reader as outlined by Brian Mastenbrook. "The original version of this page contained a simple workaround for this issue which I believed would protect users against this problem. I...

HTTPS-only mode added to Chrome Browser

Google has added a HTTPS browsing feature to chrome. From the changelog "A new HTTPS-only browsing mode. Add --force-https to your Google Chrome shortcut, and it will only load HTTPS sites. Sites with SSL certificate errors will not load. " Release Notes 2.0.156.1 https://dev.chromium.org/getting-involved/dev-channel/release-notes/releasenotes201561 Very cool.

Thunderbird 2.0.0.19 Released With Security Fixes

MFSA 2008-60 - Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19) MFSA 2008-61 Information stealing via loadBindingDocument MFSA 2008-64 XMLHttpRequest 302 response disclosure MFSA 2008-65 Cross-domain data theft via script redirect error message| MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters MFSA 2008-67 Escaped null characters ignored by CSS parser...

Thousands of legitimate sites SQL injected to serve IE exploit

"Once again confirming the trend of having more legitimate sites serving exploits and malware than purely malicious ones, Chinese hackers have been keeping themselves busy during the last couple of days, launching massive SQL injection attacks affecting over 100,000 web sites. The SQL injection attacks serving the just patched Internet Explorer XML...

Firefox Halting 2.x security patching/support, urges users to upgrade to 3.0 or get pwned

"Mozilla has told Firefox users that it will no longer be updating version 2 of the browser and they should upgrade to version 3 right away. The warning came alongside a security update patching ten problems, four of them critical. The critical problems involve cross-site scripting. That’s a serious concern as it...

Microsoft issues emergency patch for IE

"Microsoft will push out an emergency security patch for Internet Explorer on Wednesday, addressing a critical security hole currently being exploited in the wild. Redmond issued advanced notice for tomorrow's fix, describing the out-of-cycle patch as protection from "remote code execution." Unscheduled updates are pretty rare for Microsoft, stressing the potentially serious...

FireFox 3.0.5 fixes three critical security flaws

"Mozilla has rushed out updates to plug a few critical holes in versions 2 and 3 of its popular open source Firefox browser. Firefox 3.0.5 fixes three critical security flaws in the browser, while 2.0.0.19 stitches four critical vulns. Mozilla said that XSS vulnerabilities in SessionStore, XSS and so-called JavaScript “privilege escalation”...

Opera releases update for 'extremely severe' vulns

"Opera pushed out an update to its popular web browser on Tuesday that fixes vulnerabilities it described as "extremely severe". The update fixes seven security bugs, some of which were previously known. Version 9.63 of the browser addresses separate code injection risks stemming from flaws in HTML parsing and text inputing, respectively....

Google Chrome Receives Lowest Password Security Score

"Google's new web browser may be fast and slim, but the password management features it offers are full of bugs. Chapin Information Services (CIS) reported critical vulnerabilities in this software during its beta period, all of which were unfixed at release time. Among the problems are three in particular that, when combined,...

Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities

Rafel Ivgi has published an extensive list of IE8 XSS filter evasions. "Aspect9 has discovered several vulnerabilities in Microsoft Windows Internet Explorer 8.0 Beta 2. This new version of Microsoft's famous browser includes new security improvements such as a Cross Site Scripting(XSS) filter. This version also includes a new object that safely...

Google publishes Browser Security Handbook

Michal Zalewski from google has published an an extremely in depth guide describing the various behavioral differences between the major browsers. "I am happy to announce the availability of our "Browser Security Handbook" - a comprehensive, 60-page document meant to provide web application developers and information security researchers with a one-stop reference...

Inside Safari 3.2’s anti-phishing features

An article over at macworld discusses the anti phishing features in the new safari. "The release of Safari 3.2 on November 13 displayed Apple’s penchant for cryptic release notes, as the company describes all three versions as featuring “protection from fraudulent phishing Web sites.” Let's decode that for you: Safari 3.2 offers...

Firefox 3.0.4 Released to address multiple security flaws

A handful of security vulnerabilities have been fixed in the latest version of firefox. Fixed in Firefox 3.0.4 MFSA 2008-58 Parsing error in E4X default namespace MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation MFSA 2008-55 Crash and remote code execution in nsFrameManager MFSA 2008-54...

Firefox 3.0.2 released to address multiple security flaws

Firefox 3.0.2 has been released which addresses the following security flaws. MFSA 2008-44 resource: traversal vulnerabilities MFSA 2008-43 BOM characters stripped from JavaScript before execution MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17) MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution MFSA 2008-40 Forced mouse drag Read more at : https://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.2

Mozilla security chief: Apple should open up

"Mozilla's security chief said Apple should disclose more information about the steps it takes to protect customers from malware and other computer-born threats. At a security conference on Monday, Window Snyder said open communication about recently reported vulnerabilities and ongoing processes for locking down products is a core responsibility of security departments...

Google Chrome criticised over lack of security

"Users should wait to use Google Chrome after its vulnerabilities were exposed. Randy Abrams, director of Technical Education at ESET, claimed that as vulnerable code was used users should only use Chrome when they are not viewing sensitive pages. He claimed that the oversight by Google is indicative of either a lack...

Microsoft IE8 and Google Chrome - Processes are the New Threads

"I happened to install Google Chrome (Alpha) the same day I installed Internet Explorer 8 (Beta). I noticed immediately, as I'm sure many of you have, that both browsers isolate tabs in different processes. Unix folks have known about the flexibility of forking a process forever. In Unix, fork() is just about...

Google releases Chrome Web browser

UPDATED: Yet another issue is discovered, this time a DOS. UPDATED: 3 hours later a vulnerability has been published. Google has just released an open sourced browser based on Apple's Webkit. I'm guessing it will be less than 48 hours before the first vulnerability is discovered. Since Safari uses Webkit it will...

Firefox 2.0.0.15 Addresses Multiple Security Issues

Firefox 2.0.0.15 was released addressing the following security issues. MFSA 2008-33 Crash and remote code execution in block reflow MFSA 2008-32 Remote site run as local file via Windows URL shortcut MFSA 2008-31 Peer-trusted certs can use alt names to spoof MFSA 2008-30 File location URL in directory listings not escaped properly...

Microsoft outlines extensive IE8 security improvements

Microsoft has posted a very extensive article outling the security improvements to IE8. Improvements have been made to the following area's. - Cross-Site-Scripting Defenses - Safer Mashups (HTML and JSON Sanitization) - MIME-Handling Changes (Restrict Upsniff and Sniffing Opt-Out) - Add-on Security - Protected Mode - Application Protocol Prompt - File Upload...

Securityfocus interview with Mozilla security team

"Mozilla released its latest browser, Firefox 3.0, this week. SecurityFocus contributor Federico Biancuzzi tracked down two key members of Mozilla's security team, Window Snyder and Johnathan Nightingale, to learn more about the security features included in this major release. They discussed the protection against phishing and the new malware protection, the new...

Firefox3 Released

Firefox3 has been released. This release improves memory management, speed, and has introduced a number of new security features. Download Link: https://www.firefox.com

Tools: The Browserrecon Project

"Most of todays tools for fingerprinting are focusing on server-side services. Well-known and widely-accepted implementations of such utilities are available for https web services, smtp mail server, ftp servers and even telnet daemons. Of course, many attack scenarios are focusing on server-side attacks. Client-based attacks, especially targeting web clients, are becoming more...

Browser makers focus on reducing malware and phishing

"Microsoft unveiled two security features that will debut in the next version of its browser, Internet Explorer 8: the Safety Filter, which warns users of potentially malicious Web activity, and domain highlighting, which uses bold text to highlight the real domain of any Web site. The software giant stressed that the features...

Mozilla Dismisses New Firefox Flaw Warning

"Mozilla chief evangelist Mike Shaver says the latest Firefox information leakage bug warning is exaggerated. Published reports of an information leakage vulnerability affecting fully patched versions of the open-source Firefox browser have been greatly exaggerated, according to Mozilla chief evangelist Mike Shaver. Shaver's sharp retort follows the release of an advisory by...

Netscape Assinated by AOL

It is with great sadness that I post news stating that Netscape will receive no more updates after February 1, 2008. I've been a long netscape user (since 1995). "AOL has a long history on the internet, being one of the first companies to really get people online. Throughout its lifetime, it...

WASC Script Mapping Project released

Romain Gaucher writes "The Web Application Security Consortium is pleased to announce the first results of the Script Mapping project! At this stage in the project we were able to cover most of the test cases for Internet Explorer 7, Firefox 2 and Safari 3. The results can be found on the...

Mozilla beefs up security with Firefox 3

"The Mozilla Foundation released on Monday a beta version of the group's latest open-source Firefox browser, rewriting parts of the code and enhancing security. Firefox 3 Beta 1 adds anti-malware features to the browser, using a similar mechanism as the anti-phishing feature in Firefox 2, harnessing a Google-generated blacklist of sites that...

Browser Security: I Want A Website Active Content Policy File Standard!

UPDATE Before reading on any further I want to prefix that the purpose of this post is to begin a discussion on the ways a website can communicate to a browser to instruct it of what its behavior should be on that site. The example below is a "sample implementation" and isn't...

How to Turn Your Browser Into a Weapon

"I wrote about three of my favorite Firefox extensions that help me stay safe when I'm browsing the darker areas of the Web and incoming email. Today, let's look at three other extensions: Those that can turn Firefox into a feature-filled, Web-hacking weapon. These extensions aren't required to use Firefox for hacking...

Presentation: Future of Firefox and JavaScript

An interesting presentation was posted on the future of firefox, javascript, and the web worth checking out (click through the slides). "I just finished giving a presentation at the Future of Web Apps conference, here in London. Thanks to everyone who attended - I hope I didn’t sound too sleep deprived! In...

Raising the bar: dynamic JavaScript obfuscation

"Couple of days ago one of our readers, Daniel Kluge, pointed us to a web page with some heavily obfuscated JavaScript code. The operation was typical and consisted of a compromised site that had an obfuscated iframe which pointed to the final web site serving various exploits. The obfuscation of the iframe...

Mozilla Releases JavaScript Fuzzer at Blackhat

"Mozilla has been using an open-source application security testing tool, known as a fuzzer, for JavaScript to detect and fix dozens of security bugs in Firefox, Mozilla director of ecosystem development Window Snyder said Thursday at the Black Hat USA 2007 conference in Las Vegas. The JavaScript fuzzer found 280 bugs in...

Mozilla Protocol Abuse

Larholm writes "First they came for Safari, but no one complained because it was beta. Then they came for Internet Explorer, but no one cared because that was to be expected. Finally they came for Mozilla, but there was no one left to speak out." Article Link: https://larholm.com/2007/07/25/mozilla-protocol-abuse/

Mozilla confirms own URL handling bug

"The Mozilla Foundation acknowledged over the weekend that its own Firefox browser allows links that can send malicious code to external programs, a security issue that the group had previously argued should be fixed by the browser maker. In early July, three researchers found a way to execute code in Firefox -...

Securing Firefox: How to avoid hacker attacks on Mozilla's browser

"Security problems with Microsoft's dominant Internet Explorer browser helped pave the way for Mozilla Firefox to emerge as an alternative for Web surfers. However, Firefox users should be aware that hackers can exploit software flaws and design features to launch attacks. The following configuration changes, recommended by CERT/CC, can disable various features...

New Security Features in Internet Explorer 7

"Markellos Diorinos from the IE team at Microsoft introduces the new security features in IE 7 and speaks about extended validation SSL certificates. He also covers the Certification Authority Browser Forum whose members apart from Microsoft include also the Mozilla Foundation, Opera Software and KDE." Article Link: https://www.net-security.org/article.php?id=1003

Same-Origin Policy Part 1: Why we're stuck with things like XSS and XSRF/CSRF

"The last few years have seen a constant rise in vulnerabilities like cross-site scripting (XSS), HTTP response splitting, and cross-site request forgery (XSRF or CSRF). While the vectors and exploit of each of these vulnerability classes vary, they all have one common thread. Each of these vulnerabilities exploits trust shared between a...

Hacking Web 2.0 Applications with Firefox

"AJAX and interactive web services form the backbone of “web 2.0” applications. This technological transformation brings about new challenges for security professionals. This article looks at some of the methods, tools and tricks to dissect web 2.0 applications (including Ajax) and discover security holes using Firefox and its plugins. The key learning...

IE7 Is out, and vulnerable

IE7 has finally been released but according to Secunia a vulnerability has already been published. They also provide a test that can be performed to see if you're vulnerable. Article Link: https://www.theregister.co.uk/2006/10/19/ie7_release/ Advisory Link: https://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/ Download IE7: https://www.microsoft.com/windows/ie/default.mspx

Firefox Zero-Day Code Execution Hoax?

"A public claim by hackers that Mozilla's Firefox browser is vulnerable to multiple code execution vulnerabilities may be an overblown hoax. On the heels of a ToorCon presentation where two security researchers—Mischa Spiegelmock and Andrew Wbeelsoi—warned that Firefox's implementation of JavaScript was badly flawed and could allow PC takeover attacks, Mozilla's engineers...

IE 7 plus Vista security measures stop latest IE 0day

A great article at ZDNet explaining how Vista + IE7 stopped the latest IE 0day from exploiting the machine. "The initial security warnings are hardly perfect. I've seen similar ActiveX opt-in dialog boxes for other built-in ActiveX components. How is an unsuspecting user supposed to know which one is safe and which...

Browser Fun Security Blog

"This blog will serve as a dumping ground for browser-based security research and vulnerability disclosure. To kick off this blog, we are announcing the Month of Browser Bugs (MoBB), where we will publish a new browser hack, every day, for the entire month of July. The hacks we publish are carefully chosen...

Microsoft Releases 8 Patches on Security Patch Tuesday

"Of the eight most serious fixes, two affect Internet Explorer, one for JScript within Internet Explorer, one in Windows Media Player, two in Windows, one in Word, and another in PowerPoint. The patch for Word fixes a highly-publicized zero-day exploit that has already been used in several cyber attacks. The vulnerability can...

Getting on the right side of IE 7 security

"But protecting the naïve user from the malicious attacker can mean the blameless developer loses a feature they were relying on. Vista Beta 2 secures what's just been renamed Internet Explorer 7+ by running it in a new protected mode, which restricts the changes IE can make to the registry and the...

Opera Browser has several Javascript vulnerabilities

Georgi Guninski has found that the opera browser is vulnerable to multiple Javascript holes. These holes could allow an attacker to gain further privileges. Opera Browser problems