Category off-topic

  • I received a payment over $2,500 from Google today. Now the conspiracy theorists among you can go off and rant in all forums that Adblock Plus is sponsored by Google and can no longer be trusted. For those of you who are still with me: the money came though Google’s Vulnerability Reward Program. Recently Google extended the scope of the program to web applications. I took up the challenge and sure enough, in a few hours I found four vulnerabilities in various corners of google.com.

    Posted , Author

  • Apparently, I am not the only one who noticed that the Flash installation experience has turned from bad to worse. Paul O’Shannessy uses pretty strong language to describe the procedure but I think it is justified. Until recently you could ignore all the bells and whistles and still download the executable which would then install Flash (and only Flash, regardless of the pre-checked crap that you might have forgotten to uncheck). Now you have to install the Adobe DLM extension (never mind that plug-in installation doesn’t usually require a browser restart) and there doesn’t seem to be a way to avoid it. Still wonder why so many people want to see Flash obsoleted by HTML5?

    Posted , Author

  • Only two days ago I wrote how browser plugins are the biggest security risk today. And yesterday I experienced first-hand how one would get outdated and insecure plugins installed. I installed Lexware Steuer 2009 (for the German readers: yes, that’s the one you get at Aldi and that always gets good marks in software tests). And then Secunia PSI went berserk warning me about various security threats on my computer. Turned out, this application installed without even telling me: Java Runtime Environment 1.6.0 Update 2 (released July 2007, current version is 1.6.0 Update 18), Flash Player ActiveX 9.0.124.0 (released April 2008, current version is 10.0.42.34), MSXML 4.0 SP2 (released June 2003, current version is 4.0 SP3).

    Posted , Author

  • Brian Krebs came across one of those websites throwing a battery of exploits at users and took a close look at its administration page. It lists seven exploits, the two most successful ones being for Adobe Reader and Java, followed by two Internet Explorer exploits. At the far end of the list two Firefox exploits can be found as well. From what I understand, only one Adobe Reader vulnerability was unpatched at that time, all other vulnerabilities have been fixed already. For example, the Java exploit targets a security hole that was closed in December 2008, the exploited Firefox vulnerabilities have been closed in Firefox 1.0.5 and 1.5.0.5 respectively.

    Posted , Author

  • Recently I found an application that I wrote more than 10 years ago — atomic orbital viewer. Back then I got interested in the pictures of atomic orbitals you get presented in chemistry class, found the special-case formulas for electron distribution and generalized them. And then I wrote an application to visualize these orbitals. Since I didn’t have access to 3D hardware or even literature on 3D graphics I ended up reinventing everything — yes, I used to have that kind of time back then. What came out was a Turbo Pascal (DOS) application where I’ve written almost everything myself, including low-level mouse handling and GUI library.

    Posted , Author

  • A while ago there was an announcement that the company Xenocode was providing virtualized versions of applications, particularly browsers. While what they provide isn’t real sandboxes (the applications that you run there can still write files to the disk, e.g. if you download something from the web) it is still an easy way of running browsers without having to install them — Xenocode makes sure that from application’s point of view everything that should be there after installation is there. In particular, you can run Internet Explorer 6 and Internet Explorer 7 on the same machine at the same time — no need for complicated registry hacks. Of course, this should only be used for testing websites that are safe, you won’t get security updates for these Internet Explorer instances.

    Posted , Author

  • Since everybody is talking about Firefox 3.5 demos these days I though that I would dig up one that I created myself in November. It allows selecting areas of complex shape on an image — e.g. countries on a map. This idea didn’t end up being used for anything but somebody else might find it useful.

    Ten years ago I already had to solve this problem. How do you present the user with a map and let him choose a country? Back then I ended up using Win32 API and two bitmaps — one to display to the user and a second invisible bitmap to let the application translate clicks into actual countries by checking the color corresponding to the click position. The visible bitmap was static meaning that it wasn’t possible to show the selected country on the map. But that wasn’t necessary anyway back then. And now I had to solve the same problem, this time for the Mozilla platform.

    Posted , Author

  • I came across a Venkman “feature” that was so unexpected that I even filed a JavaScript engine bug on it. Only after Gijs Kruitbosch asked me to test with a clean profile I realized that the JavaScript performance issue I was seeing wasn’t inherent to Firefox but rather something the Venkman extension was responsible for. That’s right, Venkman is degrading JavaScript performance just by being installed, even if you don’t use it. I had Venkman installed “just in case” and this was a big surprise to me.

    Posted , Author

  • Pretty much every Flash movie on the web today uses Flash Player’s global storage feature to store data on your disk, similar to regular browser cookies. What makes this feature so problematic is the lack of proper control mechanisms. For example, for browser cookies I selected “Keep until I close Firefox” which makes sure that cookies can be set (no site functionality is broken) but won’t survive too long. But this setting won’t apply to Flash data. Same goes for the Private Browsing mode in Firefox 3.1, it has absolutely no effect on Flash. Note also that Flash data is the same for all browsers and all profiles.

    Posted , Author

  • Since Haploid solved my previous puzzle way too fast, here is another one: what is that page really trying to load? And why is it that NoScript and Adblock Plus disagree so much on that — none of the dozen domains NoScript is showing show up in Adblock Plus and the one request showing up in Adblock Plus doesn’t show in NoScript.

    Posted , Author

← Older Newer →