IBM sees influx in zero-day exploits

IBM’s X-Force security team has released a mid-year report (PDF) stating that the number of zero-day exploits is growing at an alarming rate. For those of you unfamiliar with the term, a zero-day exploit is a program that is created and implemented within 24 hours of the disclosure of a security flaw. These exploits usually affect users before they even know the vulnerability exists and long before a patch is made available. The researchers also found that many of these exploits were targeted at browser plug-ins, which most users rely on daily.

[Kris Lamb], X-Force operations manager, blames the problem on the lack of a unified process for disclosing vulnerabilities. He also claims that the long-held practice of publishing example code for vulnerabilities should be frowned upon.

[via Liquidmatrix]

Javascript Vi

Few would dispute that Vi was a great text editor in its day, but no one has done anything to bring it back until now. A company called Internet Connection has developed JSVI, a clone of Vi written in JavaScript that runs inside editable text areas on virtually any browser with JavaScript support.

It functions identically to Vi, offering ed/ex command support, vi keys, Unicode awareness, and a number of other features available in Vi. You can see a demo of JSVI here. If you prefer to run vi on your own page, download this JavaScript file. JSVI is open source, and we certainly agree with [Jason Striegel] that it would make a fitting addition to any Unix blog or forum.

emacs sucks.

[via Hackzine]

Firefox 3 vulnerability

TippingPoint’s Zero Day Initiative reported a critical vulnerability affecting Firefox 3.0 yesterday. It affects the 2.0 versions as well. Details are unreleased, and Mozilla is already working on a fix. Whatever the exploit is, it does require the user to visit a malicious site or click a link to execute. It came in 5 hours after the FF3 release, but since it affects previous versions, we wonder if the researcher was just sitting on it to be first. The Zero Day Initiative pays researchers for the exploits they submit.

Mozilla’s first public release

In honor of Firefox 3.0 download day, has posted the full Code Rush documentary. It spans March ’98 to April ’99, covering the Mozilla team’s first source code release and the eventual AOL acquisition of Netscape. Embedded above is a short clip of [Jamie Zawinski] pushing the code live at 10AM on March 31, 1998. The hour-long documentary is well worth watching.

If you’re unsure about moving from FF2 to 3, MultiFireFox still works perfectly fine with the new release.

xB Browser for anonymous browsing

Download Squad highlighted the xB Browser today. It’s a product offered by XeroBank and is the successor to the TorPark project. The browser anonymizes your browsing using the Tor network and doesn’t remember passwords, sites visited, or any other personal information. Scripts and plugins are disallowed by default, since they could be used to identify you. Remember that Tor just anonymizes; you’re still at the mercy of the exit nodes when it comes to security.

That’s just the free version though. Subscribers to XeroBank have access to an anonymous mail server and VPN service. If you’re a subscriber, your browser session is tunneled through XeroBank’s pool of servers and not the Tor network. We think they should have maintained a separate product name, since this distinction isn’t clear outside of the FAQ.

Speed testing the latest web browsers

With the imminent release of Firefox 3 and Opera 9.5 being finalized this week, Lifehacker decided it was a good time to run the browsers head to head to see which was the fastest and least resource intensive. The testing system was a 2GHz 2GB Vista machine. The timing system used wasn’t directly hooked to the browser, so tests were repeated multiple times to improve accuracy. The cold start winner was Opera, but most browsers opened in about a second if they had been run recently. Safari did well loading content in multiple tabs at the same time, probably due to its short render times for JavaScript and CSS. The final test was memory usage; we’re sure many people will be happy to know that Firefox 3 RC3 only used 66% of the RAM required by the other three browsers.

Using multiple browsers for security

[Rich] over at Securosis takes us through some of his browser paranoia exercises. He uses different browser profiles for different types of web activity. Tasks are split up by their potential risk, which protects against CSRF attacks among other things. Everyday browsing with low-risk passwords is done in one profile. RSS reading with no passwords is done in another. He runs his personal blog in a browser dedicated just to that.

For high-risk research, he uses virtual machines to further reduce the chance of any nasty code getting through. Very high-risk sites are browsed through a non-persistent, read-only Linux virtual machine. While these techniques are less effective if the entire OS is compromised, they still provide a few additional layers of security.

Fellow browser paranoia sufferers may want to consider Firefox plug-ins like NoScript and memory protection from DieHard.
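One way to put the per-task profile split into practice, as an added example that is not from the Securosis post or from Hackaday: a POSIX shell function that writes a user.js into a separate Firefox profile directory for each risk tier. The tier names and which prefs go in each tier are this example's own assumptions; each profile is then run side by side with `firefox -no-remote -profile <dir>`.

```shell
#!/bin/sh
# Added example, not from the Securosis post: one Firefox profile directory
# per risk tier, each with its own user.js. Tier names and the choice of
# prefs per tier are this example's assumptions; the prefs themselves are
# standard Firefox about:config keys.
set -e

# make_profile NAME TIER BASEDIR
# Writes BASEDIR/NAME/user.js for the given tier and prints its path.
# Launch that profile alongside the others with:
#   firefox -no-remote -profile BASEDIR/NAME
make_profile() {
    case "$2" in
        low|medium|high) ;;
        *) echo "make_profile: unknown tier '$2'" >&2; return 1 ;;
    esac
    mkdir -p "$3/$1"
    {
        echo "// profile '$1', risk tier '$2' (generated)"
        if [ "$2" != low ]; then
            # only the everyday profile may keep its (low-risk) passwords
            echo 'user_pref("signon.rememberSignons", false);'
        fi
        case "$2" in
            low)
                # everyday browsing: block third-party cookies, keep the rest
                echo 'user_pref("network.cookie.cookieBehavior", 1);'
                ;;
            medium)
                # feed reading and the like: cookies live only for the session
                echo 'user_pref("network.cookie.lifetimePolicy", 2);'
                ;;
            high)
                # risky research: no script, no cookies, nothing persisted
                echo 'user_pref("javascript.enabled", false);'
                echo 'user_pref("network.cookie.cookieBehavior", 2);'
                echo 'user_pref("browser.privatebrowsing.autostart", true);'
                ;;
        esac
    } > "$3/$1/user.js"
    echo "$3/$1/user.js"
}

# Example layout mirroring the post's split (constructed names):
# make_profile everyday low    "$HOME/.ff-profiles"
# make_profile feeds    medium "$HOME/.ff-profiles"
# make_profile research high   "$HOME/.ff-profiles"
```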