Security Watch

Firefox an Upstart for IE?

Plus: Cybersecurity czar quits; drama in the ATL; semper Facebook.

• By Jabulani Leffall
• 08/04/2009

Security pros and some users are starting to take notice and opining that Mozilla is much more responsive to its security issues than Redmond has been with IE. On Monday, it patched Firefox 3.5 and Firefox 3.0 to stave off six bugs, which include two disclosed last week at the Black Hat conference and a third revealed with Monday's announcement.

The open source collective Mozilla said that Firefox 3.0.13 will drop off the support list in January 2010 but that this latest rollout fixes three holes, while Firefox 3.5.2 fixes four. There is also patch overlap.

This comes after Friday's announcement that Firefox had reached its one-billionth download of its browser.

The praise for Mozilla's responsiveness started in mid-July, when it said it fixed a critical flaw in the TraceMonkey JavaScript engine's just-in-time compiler for Firefox 3.5.1. The patch, Mozilla said, staves off a scenario where an attacker could run arbitrary code and install malware.

The announcement came at least two weeks before Microsoft finally released its off-cycle patch for issues related to Internet Explorer from an ancillary perspective vis-à-vis Visual Studio.

Cyber Official Quits
Obama's acting cybersecurity czar Melissa Hathaway just quit her job, according to reports this week.

Randy Abrams, technical director for security firm ESET, said that the difficulty filling the now vacant position has been ongoing and is "not limited to an administration or political camp."

"The fundamental problem is that the person who holds the job is expected to please too many masters. Still, this is a position that needs to be filled and one must measure success by improvement," Abrams wrote in an e-mail note referencing other comments made on ESET's blog. "Different factions in the government are to blame for the list of people who have left the role of cyber security advisor, which is fundamentally what the new position still is."

There's Still Drama in the ATL
No, not Atlanta but Microsoft's Active Template Library. Adobe Systems announced that it would during selected months have Patch Tuesday releases, to coincide with Microsoft's patch rollout. And now it's apparent that Windows plays a vital role in the third-party software firm's security strategy. Such was the sentiment with a security advisory released late Thursday.

In the advisory, Adobe said it would patch 12 bugs, three of which, the company implied, were caused by vulnerabilities in Windows products. Regarding one of the fixes, the advisory said, "The update for Adobe Flash Player resolves the vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory this past Tuesday."

Semper Facebook -- Not
There won't be any U.S. Marines Twittering or Facebooking or any other social-network-action-verbing because of recent security problems on both sites, the U.S. Marine Corps said this week. The U.S. Marine Corps has banned use of those social media Web sites from its networks, effective immediately.

These internet sites in general are a proven haven for malicious actors and content and are particularly high risk due to information exposure, user generated content and targeting by adversaries," wrote the Marine High command in its official statement.

The ban will last for a year. What this says about the apparent danger of the sites is pretty important. There's no word on how friends and followers of these brave men and women in uniform will be affected or if some will sneak some tweets under assumed names.