Tópico do Firefox

[Jorge-Vieira]

Mozilla Blocks Flash In Firefox To Protect Users Against Recent Zero-Day Vulnerabilities (Update: Flash Updated, Ban Lifted)

Yesterday, Facebook's new Chief Security Officer (CSO), Alex Stamos, called on Adobe to kill Flash once and for all, to end the stream of critical vulnerabilities that have plagued the software over its entire lifetime. The message came after a couple of more zero-day vulnerabilities were found in the Hacking Team data leak. Recognizing how serious these vulnerabilities are, Mozilla's Head of Firefox Support, Mark Schmidt, announced that "all versions of Flash are blocked by default in Firefox as of now."
He also made it clear that the block is only temporarily until Adobe patches the vulnerabilities over the next few days. The change shouldn't give most users problems, as many video sites on the Web right now are powered by HTML5 technology. This includes major ones such as YouTube and Facebook.
There are a few places, such as restaurant websites for example, where Flash might still be used, so the content there won't load. If you need to visit such sites you can still enable Flash manually in Firefox with a single click on the "Activate Adobe Flash" message, which will appear on the blocked content. Therefore, the inconvenience caused to users should be minimal, while the company is also ensuring the maximum security for its users over the next few days until Adobe pushes out the appropriate updates.
Although the block is temporary, we may finally see browser vendors begin a more aggressive campaign for killing Flash sooner rather than later. Google recently announced that the next version of Chrome will block auto-playing Flash ads by default, and that was before the latest Flash zero-days were found in the Hacking Team data leak.
After Steve Jobs' permanent ban of Flash on the iOS platform, and then Adobe's surrender in making Flash work well on the Android platform, everyone knew that Flash is going to eventually die. It was always just a matter of how quickly that will happen.
Many would have expected Flash to be gone from the Web by now, but it managed to survive longer because HTML5 couldn't fully replace it for many years. Now, HTML5 is much more mature, and the days of Windows XP and obsolete Internet Explorer versions are over, which makes it much easier for developers to begin completely replacing Flash with HTML5 as their web development tool of choice.
Update, 7/15/15, 2:30pm PT: Mozilla posted an update on Twitter lifting the ban on Flash, re-enabling it by default, noting that Flash has been updated and the current security risks abated.

Noticia:
http://www.tomshardware.com/news/moz...fox,29583.html


Acabaou o ban ao Flash, mas espero que a Mozilla retire rapidamente o suporte ao Flash, pois para já é das unicas coisas negativas que se pode apontar ao browser.

[Dape_1904]

Boa tarde,

O problema em retirar o suporte ao Flash é que ainda muitos sites arcaicos (tempo do IE6) usam e abusam do Flash. E o maior aliado do Flash hoje em dia chama-se mesmo Facebook. Todas as aplicações no Facebook relativas a jogos e companhia ilimitada são em Flash e aquilo é um cancro da internet. Felizmente cada vez mais gente usa o Facebook através de aplicações móveis e nessas não há aplicações e jogos e etc, portanto não há flash. Mas no site, isso sim, é um cancro do camandro. E visto que o Facebook fatura bem com o site através das publicidades nas apps, não me parece que se vão desfazer disso tão cedo.

Cumprimentos.

[Jorge-Vieira]

Mozilla Issues Urgent Patch To Protect Firefox Users From Ukrainian Data Vampires

If you’re a Firefox user, you should update your browser immediately. Mozilla was informed earlier this week by an astute Firefox user that a Russian news site was was using malicious advertisements to take advantage of an exploit in the browser when installed on Windows and Linux machines.
The exploit takes advantage of a vulnerability in the PDF viewer that is built into the Firefox browser. That also means that the mobile version of Firefox, which doesn’t include the PDF viewer, is not affected. Mac users were also spared from this particular exploit, but Mozilla still suggests that they upgrade Firefox to combat against future mutations of the exploit.

But for affected versions of Firefox, malicious parties were able to sniff out “sensitive files” on your computer and upload them to a Ukrainian sever. Mozilla describes the modus operandi of the exploit, stating:

On Windows the exploit looked for subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts.

The most interesting part about this whole exploit is that it leaves no trace of its existence on your machine, so you would never know if you were the victim of these data vampires. As a result, Mozilla is asking users to “change any passwords and keys found in the above-mentioned files if you use the associated programs.”
Interestingly enough, Mozilla also says that Firefox users with adblocking software installed were likely protected from the exploit. Regardless of whether you’re a Mac user or use adblocking software, you should still upgrade to Firefox 39.0.3 to be fully protected in the future.
Mozilla was in the news last week when its CEO blasted Microsoft for taking it upon itself to seemingly make Edge the default browser in Windows 10 when upgrading, and making it slightly more difficult to revert back to the previously default browser. Unfortunately for Mozilla, most people were unsympathetic to its outrage and Microsoft of course didn’t issue a response (not that we expected them to).

Noticia:
http://hothardware.com/news/mozilla-...-data-vampires

[Jorge-Vieira]

EFF Finally Launches Privacy Browser Extension

The Electronic Frontier Foundation, after over a year of development, has released Privacy Badger 1.0 for Firefox and Chrome.

The Electronic Frontier Foundation (EFF) today released Privacy Badger 1.0, a browser extension that blocks some of the sneakiest trackers that try to spy on your Web browsing habits. The new Privacy Badger 1.0 includes blocking of certain kinds of super-cookies and browser fingerprinting—the latest ways that some parts of the online tracking industry try to follow Internet users from site to site.

Noticia:
http://www.hardocp.com/news/2015/08/...wser_extension

[Jorge-Vieira]

Sensitive Files On Mozilla Firefox May Be Vulnerable

Security researcher, Cody crews, reported and showed that a policy had been violated during the built-in process of Firefox PDF Viewer due to which sensitive files can easily be read and stolen by hackers, at least it made it more viable than ever before. It was publicly revealed on a Russian news website which explained the vulnerability of a local file system. In android this PDF viewer is not so vulnerable because there are certain versions of browsers which do not have PDF viewer installed in them. The users of Firefox were urged to update to Firefox 39.0.3, however Firefox Enterprise users can patch to 38.1.1.
Update as soon as possible!

“The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the ‘same origin policy’) and Firefox’s PDF Viewer,” wrote Mozilla security lead Daniel Veditz in a blog post.
“The vulnerability does not enable the execution of arbitrary code, but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.”

The internet users who use ad-blocking software are safe from this exploit but it depends on the particular software they use for filters. It will not exploit the Mac users but according to Veditz another payload could apply the same susceptibility.

“The exploit leaves no trace it has been run on the local machine,” said Veditz. “If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs.”

This specific malware is planned to find S3 Browser, Apache Subversion, and Filezilla configuration files; website configuration files for eight popular FTP clients; and .purple and Psi+ Jabber account information on Windows systems.Whereas on Linux, the exploit steals configuration files such as /etc/passwd; .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys; shell scripts; configuration files for Filezilla, Remmina, and Psi+; and text files which cover the sequence “access” and “pass.” The taken information is uploaded to a server located in Ukraine.

Mozilla was forced to release update to Firefox 39 due to the number of vulnerabilities they were facing. According to Mozilla these bugs could not be easily bugged by the users. The company explains that this is one astonishing malware which is designed for targeting files related to developers which are considered to be served for news websites and it is expected to be deployed on various other websites as well.

Noticia:
http://wccftech.com/sensitive-files-...#ixzz3iK9FbQX6

[Jorge-Vieira]

Mozilla Updates Firefox For Windows 10 As Edge Browser Looms

Even if Mozilla isn't happy about some of the changes in Windows 10, the company still needs to work to optimize its software for the new OS. Mozilla updated the Firefox web browser with a tweaked interface and safety features, making the browser more secure and easier to use.
The key focus of these updates was to give Firefox a more streamlined feel, and to overcome the search issues in Windows 10 that Mozilla previously complained about. Although Cortana is designed to work only with Bing, Mozilla stated that, after installing its browser, all Windows 10 web search functions, including those done with Cortana, will be carried out via your default search engine in Firefox.
Currently, Mozilla uses Yahoo as the default search provider on its Firefox browser, and as such, after installing Firefox, Cortana will also carry searches out in the Yahoo search engine. However, this can easily be changed inside of Firefox's settings if you desire to do so.
Although it wasn't the primary focus of this update, Mozilla also instituted some security features related to its browser add-ons. Add-ons allow users to customize the functionality and design of the web browser to suit their needs, but virtually anyone can create them. As a result, someone could use these add-ons for malicious purposes without Mozilla knowing.
To guard against this, Mozilla pushed out a series of guidelines that add-on developers must follow to ensure security. All current add-ons will continue to work during this transitional period, but a warning will be displayed on uncertified add-ons. Mozilla stated that future releases of the Firefox browser will disable these add-ons in the future, though.
Clearly, the recent Windows 10 release and the new Edge browser from Microsoft have destabilized the balance of power in the web browser market, at least in terms of perception. These feature updates and improved security policies may help Mozilla stave off Microsoft's Edge browser.

Noticia:
http://www.tomshardware.com/news/moz...ate,29819.html


Cá está a resposta da Mozila ao Edge e ás tretas da MS com a Cortana e o Bing, arruma-os para canto e espera-se uma guerra nos proximos tempos.
O que me parece é o Edge não vai ter a vida facilitada, tanto a Google como a Mozila continuam a evoluir os seus browsers com mais e melhores funcionalidades e quem os usa terá certamente motivos mais que suficientes para os continuar a utilizar.
O Edge será um novo IE, só o tempo o dirá, mas os anos de paragem da MS com o IE por teimosia sua em querer dominar a Internet e incluir um browser num SO que nem dá para actualizar refletem-se agora, reage tarde e quando reage já os outros estão à frente.

[Jorge-Vieira]

Mozilla Expands Firefox Private Browsing Tools To Thwart Online Tracking

If you're keen on not wanting your movements tracked online, Mozilla may have just saved you the need for installing extensions to prevent it. Well, as long as you don't mind using the Developer Edition of Firefox, that is.
Mozilla for quite some time has offered robust protection tools, such as Private Browsing mode, where remnants of what you do online are not saved anywhere on your computer (unless, of course, you specifically save content from them), but it's never prohibited tracking. Given that recent concerns have heightened the desire for that, many have turned to third-party extensions. With this move built-in, though, all someone has to do is use Private Browsing if they do not wish to be tracked.

One thing that's important to note is that this feature only works when you are using the browser's Private Browsing. Those who want to use their browser more normally may still wish to opt for third-party plugins, although something tells me that given Mozilla's clear determination to have Firefox excel over the others from a privacy standpoint, we could see a toggle option for it in the future.
If you want to give this non-tracking feature a go, you can snag the Firefox Developer Edition here. Don't worry: you can install it alongside your regular Firefox.

News of Firefox's Private Browsing mode enhancements comes just days after Mozilla released Firefox 40, which has been designed specifically for the Windows 10 operating system. Firefox 40 also includes a sneaky little trick which is meant to stab Microsoft in the back after a perceived slight in default browser settings when upgrading to Windows 10.

Noticia:
http://hothardware.com/news/mozilla-...nline-tracking

[webtiger]

infelizmente o firefox não se arrasta no win10,a fazer scroll parece que fica a pensar o que fazer a seguir e sim já esta atualizado.

[Lima21]

hum, ja usei no windows 7 e maravilha ,mas para o uso que estou a dar ao pc ,parece-me ideal o chrome.

[Jorge-Vieira]

How Firefox Will Get Better Security By Changing Its Add-ons Model

Mozilla announced three significant changes to Firefox's add-on model, which also involve many tradeoffs that many of its users are guaranteed to dislike. However, the changes should ultimately significantly improve Firefox's security architecture and put it more in line with Chrome and Microsoft's recently released Edge browser. Electrolysis Sandboxing

"Elecrolysis" is Mozilla's project to bring a multi-process sandbox system to Firefox, similar to what Chrome has had since day one of its existence, and what Microsoft's Edge browser has now. There are some differences between the three sandbox models, though, and so far Mozilla's system still seems to be the weakest one, although it will improve later on.
Elecrolysis will initially only separate the web content into another process. This means it shouldn't consume quite as much RAM as Chrome, but at the same time it won't be as secure, either. Over time, Mozilla will work on splitting the web content into multiple processes, too.
Right now, Chrome keeps every tab and extension in a different process, which makes it much harder for malicious web code to attack other parts of the browser. Microsoft's Edge also uses "app containers" for every tab, for the same reason, and it could prove to be an even better model.
The reason Elecrolysis is not quite as strong as the others is because unlike Chrome and Edge, Firefox wasn't written from scratch to use a multi-process sandbox system. Mozilla largely has to work around existing features of Firefox to provide this system.
That's why Mozilla announced today that Elecrolysis will require its add-on system to become much more simplified. In order to do that, the company created the "WebExtensions API," which is largely compatible with Chrome's extension model.
This hits two birds with one stone, as developers won't have to rewrite their Chrome extensions to work for Firefox to a large extent. Opera has already made it possible for Chrome extensions to work in its browser, and Microsoft promised something similar for Edge.
Elecrolysis should go live in the release channel starting with Firefox 43, which should ship by the end of the year.
Extension Signing

Mozilla recently announced that it intends to require all extensions to be cryptographically signed by the company itself. The reasoning behind this is that adware providers manage to sneak through unsigned add-ons on millions of users' PCs, and Mozilla believes that its vetting process for extensions combined with cryptographic signing should greatly reduce this risk.
Mozilla has to manually verify the code of these extensions, which can take weeks or months in some cases because the current add-ons are more complex. The new WebExtensions API should help developers build cleaner extensions that are easier to read by Mozilla's employees during the vetting process. The company hopes this will reduce the vetting time to only five days per extension.
Mozilla expects to start enforcing the extension signing beginning with Firefox 42.
Deprecating The Old Add-On Model

One of Mozilla's biggest features has always been its permissive add-on model that gave add-ons power over the browser's internals. This has been great for developers coming up with new innovative features for browsers.
However, it also means that whenever Mozilla changes something more significant in Firefox's core, those add-ons will stop working because of the lack of modularity. Sometimes those add-ons will also crash the Firefox browser itself, because of their tight interconnection.
Mozilla even said that without a fundamental shift to how Firefox add-ons work, technologies such as Elecrolysis, Servo (the much faster rendering engine that's written in Rust, Mozilla's new programming language) and browser.html wouldn't be able to exist in Firefox.
Mozilla said that add-ons that use XUL, XPCOM and XBL technologies will be deprecated within 12 to 18 months, and developers should switch to using the new WebExtensions API. Most of the older add-ons should be ported easily. For those who can't work within the WebExtensions framework, Mozilla is willing to listen to suggestions and feedback from developers for how to make them compatible with the new system.
Starting Fresh

Over the next few years, Firefox should go through some painful transitions, because many things will need to stop working the way they did in order to make room for the new features and the improved security architecture (which might still not be as good as Chrome's and Edge's in the end).
However, one has to wonder whether it may have been better for Mozilla to deprecate Firefox entirely and create a brand new, highly secure, and ultra-fast browser, all written in Rust.
After many failed attempts from Microsoft to improve Internet Explorer, it decided that it's better to start fresh, and that allowed Edge to have likely the strongest security model right now, as well as high performance.
Mozilla could do the same thing instead of trying to port new technologies to an old browser core. It may even rejuvenate excitement about the company's new "modern browser" (whichever it may be), because Firefox's market share has kept declining over the past few years, even though it's been keeping up with Chrome in terms of support for new web features.

Noticia:
http://www.tomshardware.com/news/fir...ons,29902.html

[Jorge-Vieira]

Firefox has been updated, here's why Mozilla thinks you need it

We've seen some interesting emails and marketing campaigns come out of Mozilla in recent times, including it's FoxYeah! slogan - asking all users to 'invite your peeps' over to what Firefox has to offer.

image: http://imagescdn.tweaktown.com/news/...hinks-need.png

This email is a little more tame - informing users that the newest Firefox is now here and stating three simple reasons as to why Mozilla thinks that its browser is worth a look at. First up is more security, with the company stating that its download protection will prevent you gathering nasty virus'. Next up is better performance, which comes in the form of improved video playback, smoother animation and better scrolling. Lastly is "the independent choice," with Mozilla priding itself on respect for your private information.

With some users being unhappy with Chrome reportedly hogging resources, have you made the change to Firefox? If so, what's your own reasoning?

Noticia:
http://www.tweaktown.com/news/47286/...eed/index.html

[Jorge-Vieira]

Mozilla Updates Firefox 40 to Patch Two Serious Flaws

Those of you using Firefox will be happy to know that Mozilla has patched up two major security flaws.

The first flaw, a use-after-free triggered when a canvas element is resized (CVE-2015-4497), has been rated critical. An attacker can exploit the vulnerability by setting up a malicious webpage that causes Firefox to crash. The weakness can potentially be exploited to execute arbitrary code with the privileges of the attacked Firefox user. The second flaw, rated high-severity, has been described as an add-on notification bypass through data URLs (CVE-2015-4498).

Noticia:
http://www.hardocp.com/news/2015/08/...s#.VeVtQpf0OTQ

[Jorge-Vieira]

Mozilla: Hackers Stole Information From Bugzilla

Mozilla says that it is updating Bugzilla’s security practices after hackers stole security-sensitive information and used it against Firefox users.

The account that the attacker broke into was shut down shortly after Mozilla discovered that it had been compromised. We believe that the attacker used information from Bugzilla to exploit the vulnerability we patched on August 6. We have no indication that any other information obtained by the attacker has been used against Firefox users. The version of Firefox released on August 27 fixed all of the vulnerabilities that the attacker learned about and could have used to harm Firefox users.

Noticia:
http://www.hardocp.com/news/2015/09/...a#.VewBvZf0OTQ

[Jorge-Vieira]

Mozilla Blog Reveals That Bug Tracker Was Hacked

When are we going to hear good news out of Mozilla? It turns out that some of the security fixes in the last Firefox update were the result of someone hacking Bugzilla.

…we are disclosing today that someone was able to steal security-sensitive information from Bugzilla. We believe they used that information to attack Firefox users. Mozilla has conducted an investigation of this unauthorized access, and we have taken several actions to address the immediate threat. We are also making improvements to Bugzilla to ensure the security of our products, our developer community, and our users.

Noticia:
http://www.hardocp.com/news/2015/09/...d#.VewB-5f0OTQ

[Jorge-Vieira]

Firefox close to having 64-bit browser for Windows

Just don’t expect it to be easy
For some reason the Mozilla Foundation are unable to get a stable version of Firefox which operates in 64-bit Windows.

It managed to get a rather nice version working in Linux and even the Mac, but bringing the Windows browser in line with the way computers have been running for the last five years seems to be beyond it.
Mozilla has told us on and off for the last five years that a 64-bit version of Windows has been coming. Then it almost dumped it before realising that was incredibly stupid and making it priority again in 2014.
Since then, Mozilla has been trying to get a stable version out without much luck. Odd really since Firefox spin-offs like Pale Moon or Waterfox have been available as 64-bit versions for years.
Now according to the outfit’s Bugzilla bug tracking website, Mozilla may finally be ready to release a stable 64-bit version of the browser for Windows.
Firefox 42 will be released November 3, 2015. Mozilla will only release the 64-bit version of Firefox 42 Stable to the official FTP directory but not to the download pages on the Mozilla website.This will make it jolly difficult for the great unwashed to find, but not impossible for developers. Mozilla said:

“We won't update the download page with Windows 64 builds for 42. We are waiting for some partner changes before making that public. However, the binaries will be available on the ftp for testing:


“The reason for this is that Mozilla is waiting for "some partner changes" for the 64-bit version of Firefox. It is unclear who these partners are and what these changes entail though.”

Apparently the 64-bit version of Firefox would ship without NPAPI plugin support.

Noticia:
http://www.fudzilla.com/news/39051-f...er-for-windows