Tuesday, April 12, 2011

Firefox 4 Improves Speed and Security

from WatchGuard Security Center by Corey Nachreiner


For any Firefox fans out there, Mozilla has released version 4, which you can download now. Firefox 4 contains a number of improvements, but the most relevant to this blog are its security updates.

One of Firefox 4's new features is called Content Security Policy (CSP). This feature helps to prevent Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) attacks. In the past, extensions like NoScript could try to prevent XSS attacks by just preventing one site (or domain) from injecting script into another site (or domain). However, this basic XSS detection often results in false positives, as some developers actually design sites to work that way. Mozilla’s new CSP feature takes a more active approach. Web servers share special headers telling the browser what sort of content or scripts to expect. Mozilla won’t process any content that the server didn’t specify, thus potentially avoiding injected scripts. That said, for all this to work the web sites we visit need to start supporting CSP headers.
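To make the mechanism concrete, here is an added example (not code from the post or from Mozilla) that models the browser-side decision CSP asks for: parse the policy header a server sends, then decide, for each script the page tries to run, whether the policy lists its source. Firefox 4 shipped the pre-standard `X-Content-Security-Policy` header; the example uses the later standardized `Content-Security-Policy` name and `default-src`/`script-src` syntax. The header value, page URL and script list are constructed sample data, and the evaluator deliberately models only the subset of source expressions shown (no wildcards, nonces or hashes).

```python
"""Toy evaluator for the script-src part of a Content-Security-Policy header.

Added example: it shows why an injected inline <script> (the usual XSS
payload) and a script from an unlisted host are refused while the page's
own scripts and a listed CDN are allowed. Not a full CSP implementation.
"""
from urllib.parse import urlsplit

# Constructed example response headers, as a CSP-supporting server would send them.
EXAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.net",
}


def parse_csp(header_value):
    """Parse "name src src; name src" into {directive-name: [source, ...]}."""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _origin(url):
    """scheme://host[:port] of a URL, lower-cased, for 'self' comparisons."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def script_allowed(policy, page_url, script_src=None):
    """Return True if a script may run under the policy.

    script_src=None means an inline <script> block, which CSP refuses unless
    the policy explicitly lists 'unsafe-inline'. Otherwise script_src is the
    script's URL. script-src falls back to default-src when absent.
    """
    sources = policy.get("script-src", policy.get("default-src", []))
    if script_src is None:
        return "'unsafe-inline'" in sources
    target = _origin(script_src)
    for src in sources:
        if src == "*":                      # any host, but never inline
            return True
        if src == "'self'":
            if target == _origin(page_url):
                return True
            continue
        if src.startswith("'"):             # other keywords not modeled
            continue
        # host-source: with a scheme compare the whole origin, otherwise only the host.
        if "://" in src:
            if target == src.lower():
                return True
        elif urlsplit(script_src).netloc.lower() == src.lower():
            return True
    return False


def audit_page(headers, page_url, scripts):
    """Map each (label, script_src) pair to the allow/deny decision."""
    policy = parse_csp(headers["Content-Security-Policy"])
    return {label: script_allowed(policy, page_url, src) for label, src in scripts}


if __name__ == "__main__":
    # Constructed page: its own script, a listed CDN, an injected inline block,
    # and a script from a host the policy never mentioned.
    page = "https://www.example.com/account"
    scripts = [
        ("own app.js", "https://www.example.com/static/app.js"),
        ("listed cdn", "https://cdn.example.net/lib.js"),
        ("injected inline", None),
        ("unlisted host", "https://third-party.example/x.js"),
    ]
    for label, allowed in audit_page(EXAMPLE_HEADERS, page, scripts).items():
        print(f"{label:16} -> {'allowed' if allowed else 'blocked'}")
```

The fallback from `script-src` to `default-src` is the detail worth noticing: a site that only sends `default-src 'self'` still gets script restrictions, which is why a short policy is a reasonable first step for a site that wants to start supporting CSP.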

Another new feature is Firefox’s support of the Strict-Transport-Security header. When you go to sites like gmail.com, you really want to visit the HTTPS version of the site. However, if you don’t bother typing the full URL into your browser, you may accidentally visit the normal HTTP site first, before being redirected to the HTTPS version. This little transition could provide attackers with what they need to mount a Man-in-the-Middle (MitM) attack. The Strict-Transport-Security header — which Firefox 4 supports — allows a web site to specify that it will only allow HTTPS connections, thus preventing the scenario mentioned above.
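The following added example (not from the post or from Mozilla) models the browser-side HSTS cache that closes the gap described above: once a site has been seen over HTTPS with a `Strict-Transport-Security` header, later plain-HTTP navigations to that host are rewritten to HTTPS before any request leaves the browser, so there is no unencrypted first hop for an attacker to intercept. The `HstsStore` class, the injectable clock and the host names are constructed for the example; the header over plain HTTP is ignored, `max-age=0` clears the entry, `includeSubDomains` is honoured and entries expire, which are the parts of the behaviour a defender most wants right.

```python
"""Toy model of a browser's HSTS (Strict-Transport-Security) cache.

Added example. It records HSTS state only from HTTPS responses (an HTTP
response cannot be trusted to set it), tracks max-age expiry and
includeSubDomains, and upgrades http:// URLs for known hosts to https://.
"""
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._hosts = {}           # host -> (expires_at, include_subdomains)

    def record(self, response_url, headers):
        """Learn HSTS state from a response. Returns True if the header was honoured."""
        value = headers.get("Strict-Transport-Security")
        parts = urlsplit(response_url)
        if value is None or parts.scheme != "https" or not parts.hostname:
            return False           # header over plain HTTP is ignored by design
        max_age, include_sub = None, False
        for token in value.split(";"):
            name, _, arg = token.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(arg.strip().strip('"'))
                except ValueError:
                    return False   # malformed directive: ignore the whole header
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False           # max-age is required
        host = parts.hostname.lower()
        if max_age == 0:
            self._hosts.pop(host, None)   # max-age=0 tells the browser to forget
            return True
        self._hosts[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent domain flagged includeSubDomains, is current."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= now:
                continue           # expired entry no longer applies
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser should actually fetch."""
        p = urlsplit(url)
        if p.scheme == "http" and p.hostname and self.is_known(p.hostname):
            # Default port 80 is dropped so the https default applies; other
            # explicit ports are kept as written (port remapping not modeled).
            netloc = p.netloc if p.port not in (None, 80) else p.hostname
            return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    # Constructed first visit over HTTPS carrying the header.
    store.record("https://mail.example.com/",
                 {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    for url in ("http://mail.example.com/inbox", "http://sub.mail.example.com/",
                "http://example.com/"):
        print(f"{url:32} -> {store.rewrite(url)}")
```

The important caveat this model makes visible: the very first visit still happens before the header has been seen, so HSTS protects return visits, not the initial one.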

Firefox 4 contains many other old and new security features which you can read about on Mozilla’s site, or in this SANS ISC handlers diary post.

Besides the security improvements I mentioned above, Firefox 4 is also a lot faster. Browsers like Chrome and Safari have done a lot to make the browsing experience much faster, mostly by improving JavaScript rendering. Firefox 4 includes similar improvements, making it three times faster than Firefox 3.x, and on par with the fastest browsers on the market.

If you use Firefox, I highly recommend you download version 4 for its security and performance improvements. Don’t forget to also grab the latest version of NoScript, which I never browse without. – Corey Nachreiner, CISSP (@SecAdept on Twitter)

Prepare for a Record Breaking Microsoft Patch Day Tomorrow

from WatchGuard Security Center by Corey Nachreiner

I don’t know about you, but I really don’t like hearing “record breaking” and “Microsoft Patch Day” in the same sentence. Unfortunately, April’s Black Tuesday will be just that — a record breaking patch day.

According to their Advanced Notification page, Microsoft plans to release an unprecedented 17 Security Bulletins tomorrow. The bulletins will fix security flaws in Windows, Office, and Internet Explorer (IE), as well as issues in some of Microsoft’s Server and Developer software. Microsoft rates more than half the bulletins (nine) as Critical, which typically means attackers can leverage them to execute code on your computer, and gain control of it.

The quicker you can apply Microsoft’s patches the better. Attackers often take advantage of the “vulnerability window,” which is the period of time between when an attacker learns about a vulnerability and when you patch that vulnerability. Often, attackers and security researchers will reverse engineer Microsoft’s patches to learn more about the underlying vulnerabilities they fix. In fact, it’s not uncommon for exploit code to surface shortly after patch day. For this reason, I recommend you prepare your staff for a deluge of patches tomorrow, and try your best to test and apply them quickly, despite their great number.

I’ll know more about these bulletins tomorrow, and will publish alerts about them here. — Corey Nachreiner, CISSP