Firefox 3 on the verge of making Guinness record

Firefox 3 has been launched, and with notable impact. Downloads crossed the 10 million mark on day 2. The last download count, at the time of writing this post, was approx. 13 million.

To promote Firefox 3, Mozilla created the Download Day campaign, designed to persuade users to download Firefox 3 the same day it ships in an effort to set the Guinness World Record for the most downloaded software in 24 hours. For users who want to display pride in their effort to help set a world record, Mozilla is offering certificates. By going to http://spreadFirefox.com and clicking on the ‘Flaunt It’ tab, Firefox 3 Download Day participants can print out a personalized certificate.

Some of the features Firefox 3 offers:

  • Password Manager: Remember site passwords without ever seeing a pop-up.
  • One-Click Bookmarking: Bookmark, search and organize Web sites quickly and easily.
  • Improved Performance: View Web pages faster, using less of your computer’s memory.
  • Smart Location Bar: Find the sites you love in seconds—enter a term for instant matches that make sense.
  • Instant Web Site ID: Avoid online scams, unsafe transactions and forgeries with simple site identity.
  • Full Zoom: See any part of a Web page, up close and readable, in seconds.
  • Platform-Native Look & Feel: Browse with a Firefox that’s integrated into your computer’s operating system.

Firefox will soon enter the mobile market with Mozilla’s mobile web browser, which is under development as part of the Firefox 4 platform and code-named Fennec. The team is planning to release the first alpha version by the end of August and a viable beta by year’s end. But Fennec won’t launch until 2009 and is expected to reach another milestone on June 20 with the release of M4.

Security flaw in Firefox and IE

A security flaw has been discovered in Mozilla Foundation’s Firefox 2 and Microsoft’s Internet Explorer 7 web browsers. Hackers can use this flaw to capture the username and password of users.

Firefox’s Password Manager seems to be the source of the flaw. It automatically fills the saved username and password into another login page. A hacker can exploit this by creating a fake login page, and the browser is tricked into providing the username and password.

This can be done on sites that allow user-created pages, such as blogs and forums. This method was used on the social networking site MySpace, as reported in late October. The hacker registered a username with MySpace and used it to host a fake login page. Users who accessed MySpace using Firefox thereafter had their information compromised.

This flaw has been named the Reverse Cross Site Request (RCSR) vulnerability by Robert Chapin, who detected it. RCSR poses a greater threat than cross-site scripting (XSS) because the page is more convincing and shows no sign of external content or open redirects. RCSR succeeds in Firefox and IE because neither browser checks the destination server to which the password is being sent. Besides, since such a reversal happens at a trusted site, the browser brings up no alerts.
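The destination check the browsers skip can also be run by the site that hosts user-created pages. The following is an added example, not code from Robert Chapin or from the original post: it audits user-submitted HTML and reports every password field together with the origin its form would post to. The URLs, function names and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url):
    """Return (scheme, host, port), filling in the default port."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)

class PasswordFormAudit(HTMLParser):
    """Collects password inputs and the resolved action of their form."""
    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.findings = []
        self._action = None  # resolved action URL of the currently open form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action posts back to the hosting page.
            self._action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._action is None:
                self.findings.append(("orphan-password-field", None))
            elif origin(self._action) != origin(self.page_url):
                self.findings.append(("cross-origin-password-form", self._action))
            else:
                # Assumed policy: user content should not carry login forms.
                self.findings.append(("same-origin-password-form", self._action))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None

def audit_user_html(page_url, html):
    parser = PasswordFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample of user-submitted profile markup (not real data).
SAMPLE_PROFILE = """
<p>Welcome to my page</p>
<form action="https://collector.example/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
"""
PAGE_URL = "https://social.example/profile/123"  # hypothetical hosting page
```

A site would run `audit_user_html` at submission time and reject or strip content that produces any finding.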

Robert Chapin has provided a detailed description of the type of attack that can happen and a presentation of how it works on his site. The site also warns that firewalled local network servers and HTTP addresses that are not generally accessible are most vulnerable to these attacks as the hacker does not require direct access.

Though Firefox has been proven to be completely vulnerable to this attack, IE seems to have a better defense. IE will not automatically fill the username and password until it accurately checks the source of the login form. Hence it will be tricked only if the RCSR page appears on the same page as a legitimate login page.

A bug report regarding this flaw has been filed with Mozilla, but no fix has yet been found. Security experts have recommended that Firefox’s Password Manager be disabled and the Master Password Timeout extension be installed.

This extension locks the master security device after a specific period of inactivity. Users have also been advised to disable the “Remember password for sites” option in Firefox.

Firefox 2: Launch Day Activity

Firefox 2.0 was originally slated to debut in August, but last-minute bugs and security issues have led to a delay. Mozilla expects to issue three release candidates of Firefox 2.0 before it goes gold in October.

Firefox 2.0 RC1 is available for download. New features in Firefox 2.0 include enhancements in security, tabbed browsing, performance, and extensions. The browser update also includes built-in spell checking and an anti-phishing feature, much like Microsoft’s Internet Explorer 7. JavaScript 1.7 and improved subscribing to RSS feeds are also among the additions.

The goal of Firefox 2: Launch Day Activity is to make more people aware of the release of Firefox 2 and to emphasize that people have an alternative to other browsers.

Despite the delays, Firefox is making considerable strides competing against Microsoft’s Internet Explorer. Firefox has passed 15 percent usage in the United States, and recently topped 200 million total downloads since the browser’s 1.0 launch in November 2004. Read my post Firefox 200 Million Downloads – what it means.

Let’s help Firefox rule the internet.