The user-agent string contains information such as the name of the browser, its version number, and information about the various technologies it uses. So, when a person visits a website, the browser’s user-agent is sent along with the web page request. This allows the resource to check the visitor’s software version and change their response depending on the features supported by the browser.

For example, the current user-agent of Mozilla Firefox version 97 looks like this: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0. And the user-agent for Google Chrome 98 is: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36.

Bleeping Computer says that back in August 2021, Mozilla engineers began an experiment to find out if the three-digit user-agent “Firefox/100” would cause problems when working with sites. Google developers soon conducted a similar experiment for Chrome 100. As a result, the experts found a small number of sites that did not work correctly with the new user-agent.

Since then, Mozilla has been monitoring version 100 bugs and has already found issues on HBO Go, Bethesda, Yahoo, Slack, and resources created with the Duda builder. Most of these bugs are limited to “browser not supported” messages, as well as user interface issues that can affect different parts of sites.

If problems with sites do arise and are too numerous, and Mozilla or Google cannot fix it before the release of new versions, developers have backup plans. In particular, Firefox has a mechanism that allows to “freeze” the user-agent to “Firefox/99” or inject CSS into a problem site. Similarly, Chrome can “freeze” the version displayed by the user-agent at 99 and list the actual browser version on a different part of the string.

Mozilla asks site administrators to check in advance whether their resources accept the user-agent Firefox 100 and Chrome 100 normally. To do this, in Firefox admin needs to open the Firefox Nightly settings menu, find “Firefox 100”, and then activate the “Firefox 100 User-Agent String” flag . This will change the Firefox user-agent string to Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0.

In Chrome, go to chrome://flags/#force-major-version-to-100, enable the setting, and the user-agent string will change to Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4758.102 Safari/537.36.

If problems are found, then bug reports should be submitted to webcompat.com so that the developers have time to fix them.

Let me remind you that we also reported that Chrome 90 gets a new security feature to protect against attacks on Windows 10.

And, you may be interested in the information that Mozilla Downsizing Affects Security Professionals.

The post Firefox 100 and Chrome 100 may have user-agent issues appeared first on Gridinsoft Blog.

On average, companies took 52 days to fix bugs, while three years ago they needed an average of 80 days. Thus, almost all vendors fixed the vulnerabilities within the industry standard of 90 days.

According to statistics collected for 2019-2021 and based on 376 zero-day vulnerabilities discovered by Google Project Zero experts, 26% of the problems related to Microsoft products, 23% to Apple and 16% to Google. That is, the three software giants accounted for 65% of all detected problems, and, according to experts, this well reflects the complexity and volume of their software products, which inevitably have “white spots” that even numerous security engineers miss.

Overall, the report named Linux, Mozilla, and Google as the best in terms of timely release of patches, while Oracle, Microsoft, and Samsung were named as the worst.

Recall, by the way, that we wrote that 0-day vulnerability remained unpatched for 2 years due to Microsoft bug bounty issues.

In the highly competitive field of mobile OS, iOS and Android go hand in hand: the former has an average bug fix time of 70 days, while the latter has 72 days.

In the browser category, Chrome outperforms all competitors with an average bug fix period of 29.9 days, while Firefox comes in second with 37.8 days. Apple, in third place, took twice as long to fix bugs in WebKit, taking an average of 72.7 days.

Google Project Zero experts explain:

You might also be interested in reading what Google says that a quarter of all 0-day vulnerabilities are new variations of old problems.

READ ALSO: Zero Day Attacks – How To Prevent Them? What does a zero day attack mean? Or is there a way to avoid this danger?

The post Google analysts noticed that software vendors began to fix Zero-day vulnerabilities faster appeared first on Gridinsoft Blog.

For example, Thunderbird users recently realized that when they open a program, they can view emails encrypted by OpenPGP without entering their master passwords. Such messages in Thunderbird should only be viewable after authentication.

The vulnerability has been identified as CVE-2021-29956 and has a low severity level. The bug affected the mail client of all versions between 78.8.1 and 78.10.1. It allowed a local attacker to see imported OpenPGP keys stored on users’ devices without encryption. Thus, an attacker could view and copy someone else’s keys and then impersonate the sender of the protected emails.

Thunderbird maintainer Kai Engert admits that this was his personal mistake due to lack of testing. The fact is that a few months ago, the key processes were rewritten in order to improve their security.

Previously, the process for handling newly imported OpenPGP keys in Thunderbird looked like this:

• import of the secret key into a temporary memory area;
• unlocking the key using the password entered by the user;
• copying the key to permanent storage;
• protection of the key using the automatic OpenPGP password in Thunderbird;
• saving a new list of secret keys to disk.

But, according to Engert, after making changes to the code, the following happened (steps 3 and 4 were reversed):

• import of the secret key into a temporary memory area;
• unlocking the key using the password entered by the user;
• protection of the key using the automatic OpenPGP password in Thunderbird;
• copying the key to permanent storage;
• saving a new list of secret keys to disk.

In fact, when the key was copied to persistent storage, the protection was not copied along with it due to a bug in the RNP library that Thunderbird and Mozilla Firefox use to protect OpenPGP keys.

In Thunderbird version 78.10.2, the bug has been fixed, and now the mail client will check for unprotected keys in secring.gpg. If such keys are found, they will be converted to protected ones.

Let me remind you that I also wrote that Hackers used Firefox extension to hack Gmail.

The post Mozilla Thunderbird email client stored OpenPGP keys in clear text appeared first on Gridinsoft Blog.

Thus, users will no longer be able to upload files via FTP, as well as view the contents of FTP links and folders in the browser.

The refuse from FTP had to be postponed due to the coronavirus pandemic, and so did the Google developers, who even managed to disable FTP in their browser, but then temporarily turned on support for the protocol back.

Google developers have been talking about ditching FTP since 2014, as very few browser users (0.1-0.2%) use the protocol. In 2018, the company first announced plans to officially move away from FTP, and Google engineers began implementing those plans last summer.

As such, it was planned that FTP support would be disabled by default with the release of Chrome 81, and after the release of version 82, all traces of the protocol would be permanently removed from the code.

But the fact is that many government agencies, including the National Institutes of Health, are still actively using FTP, and the developers decided not to create additional problems for them during the crisis.

Now Mozilla engineers have returned to the issue of dropping FTP support by default. In Firefox 88, released today, protocol support was disabled by default, and now Firefox, when faced with an FTP link, tries to pass it to an external application.

In the next release (Firefox 90), the developers are going to permanently remove all code related to the FTP implementation from the browser. Firefox for Android will also be affected by these changes. That is, in the end, users will need a separate client to work with FTP.

The post Mozilla Drops FTP Support Permanently with Firefox 88 Release appeared first on Gridinsoft Blog.

Let me remind you that these attempts began back in 2015, when the government first announced the introduction of a “national security certificate”.

It was supposed that users would be obliged to download and install a government certificate on all devices through which all protected traffic, including from foreign websites, would pass. Moreover, it was assumed that not only all HTTPS traffic but also other TLS connections will be decrypted.

In 2015, the attempt was unsuccessful, but in 2019, the country’s government returned to this idea once again. So, last summer, local operators began to send out warnings to their subscribers about the need to install a security certificate, allegedly designed to protect against cyberattacks and help fight illegal content.

Then the browser makers responded by blocking the certificate, and the Kazakh government soon announced the “end of the exercise.”

In early December 2020, the authorities of Kazakhstan again announced cyber exercises and ordered the residents of Nur-Sultan and tourists to install a special security certificate on their devices. The authorities also forced local Internet providers to block users’ access to foreign sites if the certificate was not installed.

Censored Planet soon reported that the certificate was working against dozens of web services, mostly owned by Google, Facebook and Twitter. Censored Planet lists the following affected sites:

• google.com
• youtube.com
• facebook.com
• vk.com
• instagram.com
• twitter.com
• Mail.ru
• allo.google.com
• android.com
• cdninstagram.com
• dns.google.com
• docs.google.com
• encrypted.google.com
• goo.gl
• mail.google.com
• messages.android.com
• messenger.com
• news.google.com
• ok.ru
• picasa.google.com
• plus.google.com
• sites.google.com
• tamtam.chat
• translate.google.com
• video.google.com
• vk.me
• www.youtube.com
• www.messenger.com
• www.google.com
• www.facebook.com
• www.instagram.com
• groups.google.com
• Hangouts.google.com

According to Censored Planet, the percentage of hosts in Kazakhstan that were intercepted increased from 7% to 11.5% this year.

However, this time browser developers responded with a blocking. So, starting from December 18, 2020, users of Safari, Edge, Chrome and Firefox, on whose devices is installed MITM certificate, will see warnings about a security violation and information that the certificate cannot be trusted.

In a blog post, the Mozilla developers remind that back in 2019 they concluded that “this act undermines the security of users and the Internet, and also directly contradicts Principle 4 of the Mozilla Manifesto, which states: “The safety and privacy of people on the Internet is fundamental and should not be considered optional”.

Let me remind you that for iOS was discovered a special exploit, with the help of which China traced the Uyghurs.

The post Apple, Google, Microsoft and Mozilla block MitM certificate of the Kazakhstan government appeared first on Gridinsoft Blog.

Let me remind you that Firefox Send was launched in March 2019. The service was a private file hosting service that allowed Firefox users to share files.

“All files uploaded and transferred via Firefox Send were encrypted, and users could set the age for which files were stored on the server, and also set the number of downloads allowed before the expiration date”, – said the developers.

Although Mozilla engineers planned Firefox Send, caring for privacy and security of other users, since the end of 2019, the service has become very popular not with ordinary people, but with malware developers. In most cases, hackers exploited the service in a very simple way: they downloaded malware payloads in Firefox Send, where the file is saved in encrypted form, and then inserted links to this file, for example, in phishing emails.

While Mozilla initially said the Send shutdown was temporary, though it changed a few weeks later when the organization cut more than 250 employees and announced that it would generally reorient the business to commercial products. As a result, most of the employees who were supposed to rework Send were fired, and the rest focused on developing commercial products, including Mozilla VPN, Firefox Monitor and Firefox Private Network.

“For the same reasons, the Firefox Notes service, which was a tool for saving and synchronizing encrypted notes, will be closed”, – writes ZDNet.

Notes was available for syncing across Firefox browsers, as a standalone Android app and as a browser extension.

The developers have announced that they will be phasing out the Notes Android app and sync service at the end of October 2020. The browser add-on (talking about existing installations) will continue to work for now, and the ability to export all notes will be active, but Mozilla will no longer support it, and will not allow new installations.

The post Mozilla completely stops development of Firefox Send and Firefox Notes appeared first on Gridinsoft Blog.

Mozilla head and Mozilla Foundation CEO Mitchell Baker said the organization is forced to rethink its plans and adapt to the new realities that have changed greatly after COVID-19, and in various ways to strengthen its financial position.

Given that Mozilla had approximately 1,000 employees, and the organization had already laid off 70 employees earlier this year, Mozilla lost a third of its workforce in 2020.

“In the near future, Mozilla will rethink its business model and focus on financially viable products”, – said Mitchell Baker.

It should be noted that previously about 90% of all Mozilla’s revenue came from a deal with Google (Google is turned off in Firefox as a default search engine), but this contract ends at the end of this year, and it has not been renewed. Because of this, many experts have expressed concerns about what will happen to Mozilla after 2021.

However, this week the ZDNet, citing its own anonymous sources in the industry, assured that the contract with Google is likely to be extended until 2023.

Mozilla indirectly confirmed this information, informing reporters that the organization intends to continue cooperation with Google and even expand it.

Nevertheless, let us return to the topic of staff reduction. Although Mitchell Baker did not disclose in her statement which specialists would be fired, SecirutyWeek writes that at least two cybersecurity specialists were laid off.

One of them is Sarah Huffman, who has served as an information security risk manager for two and a half years, and the second is Michal Purzynski, an information security expert from the threat management team.

Purzinski, who has been working at Mozilla for more than eight years, says on Twitter that he is not the only employee that was laid off: the entire threat management team was disbanded. In his opinion, in this way, Mozilla has completely lost opportunity to detect and respond to incidents.

The publication notes that now some members of the cybersecurity community argue that this decision by Mozilla can be interpreted as a disregard for security, although others believe that the Mozilla leadership is doing the right thing.

Mozilla representatives commented on the situation and said that the security restructuring in the organization should have a positive effect and in that future, it will only improve security of Mozilla itself and its users.

“During the restructuring, some positions were indeed abolished, but the teams responsible for the security of the Firefox browser and Firefox services were not affected”, — explaine the company.

According to ZDNet, programmers working on Mozilla’s experimental Servo engine, developers overseeing the Mozilla Developer Network, and the Firefox developer tools team also fell under the cuts.

Let me remind you that earlier Mozilla suspended Firefox Send service due to abuse and malware and because of the COVID-19 pandemic, the company returned support for the unsafe FTP protocol to Firefox.

The post Mozilla Downsizing Affects Security Professionals appeared first on Gridinsoft Blog.

Firefox Send was launched in March 2019. The service is a private file hosting service and allows Firefox users to share files. All files downloaded and transferred via Firefox Send are stored in encrypted form, and users can set the retention period for files on the server, as well as set the permissible number of downloads before this “expiration date” expires. The service was available to all users at send.firefox.com.

“Although Mozilla engineers planned Firefox Send, thinking about the privacy and security of their users, since the end of 2019, the service has become very popular not among ordinary people, but among malware developers”, – write ZDNet reporters.

In majority of cases, hackers exploit the service in a very simple way: they download the malware payloads into Firefox Send, where the file is stored in encrypted form, and then insert links to this file, for example, in their phishing emails.

ZDNet writes that in the past few months, Firefox Send has been used to store payloads of a wide variety of campaigns, from ransomware to financially oriented malware, from bank Trojans to spyware that attacked human rights defenders. Such well-known hack groups as FIN7, REVil (Sodinokibi), Ursnif (Dreambot) and Zloader abused the service.

British information security expert Colin Hardy explains exactly what factors attract malware authors to the Firefox Send service. So, Firefox URLs are considered reliable in many organizations, that is, spam filters do not detect or block them.

“In addition, attackers do not have to invest time and money in creating and maintaining their own infrastructure if they use Mozilla servers. And Firefox Send encrypts the files, which prevents the work of security solutions, and the download links for the malware can be configured so that they expire after a certain time or number of downloads, which complicates the work of information security experts”, – said Colin Hardy.

The growing number of malicious operations associated with Firefox Send has not escaped the attention of the information security community. Because of this, over the past few months, experts have regularly complained about the lack of a mechanism for reporting abuse or the “Report about a file” button that could be used to stop malicious operations.

While preparing a publication about these problems, ZDNet reporters turned to Mozilla for a comment, wanting to know the organization’s position regarding the placement of malware, as well as the progress in developing a mechanism for reporting about violations.

Mozilla’s response surprised both journalists and information security professionals, as the organization immediately suspended the Firefox Sens service and announced that it was working to improve it.

“We will temporarily take Firefox Send offline while we improve the product. Before starting the [service] again, we will add a violation reporting mechanism to supplement the existing feedback form, and we will also require all users who want to share content using Firefox Send to log in using their Firefox account,” — said Mozilla representatives.

Currently it is unclear when Firefox Send will return online. All links to Firefox Send have stopped working, which means that all malicious campaigns that used the service are also temporarily disabled.

Let me remind you that Firefox Refuses to Support FTP Protocol.

The post Mozilla suspended Firefox Send service due to abuse and malware appeared first on Gridinsoft Blog.

Therefore, users will no longer be able to upload files via FTP, and may not be able to view the contents of FTP links and folders in a browser.

“We do this for security reasons. FTP is an insecure protocol, and there is no reason to choose it to download resources instead of HTTPS. Also, a part of the FTP code is very old, unsafe and hard to maintain and we found a lot of security bugs in it in the past», — said Michal Novotny, a software engineer at the Mozilla Corporation, the company behind the Firefox browser.

Mozilla plans to abandon FTP support with the release of Firefox 77, which is scheduled for release this June. If users want to be able to view and upload files via FTP in spite of the ban, they can temporarily manually enable protocol support through the settings on the about: config page.

However, at the beginning of 2021, Mozilla will remove all code that supports the FTP protocol from its browser. After that, returning the protocol to Firefox will fail. Let me remind you that the plans of browser developers to abandon FTP became known back in 2018.

Let me also remind you that in the “parallel universe” Microsoft fixed 0-day vulnerability in Internet Explorer.

Most likely, Mozilla came up with decision on FTP after Google made a similar decision regarding the FTP protocol in Chrome last year.

In August 2019, Google announced plans to remove access and option of viewing FTP links from Chrome.

FTP support will be disabled by default in Chrome v81 and all traces of the FTP protocol will be removed from the Chrome codebase in Chrome 82, which is scheduled for release in late spring or early summer this year. ,

However, Google was forced to suspend the release of new versions of Chrome and Chrome OS due to the coronavirus pandemic. The main reason is “adjusted work schedules”. The fact is that due to the global distribution of COVID-19, Google engineers work at home, like employees of other companies.

“Due to the adjusted work schedules, we are suspending the release of new versions of Chrome. Our main goals are to ensure their stability, security and reliable operation for all who rely on them. We will continue to give priority to the release of security updates that will be included in Chrome 80,” – the Google blog said.

When the company announced that it was removing FTP support from Chrome, Google said that only a small part of its user base had access to and use FTP channels, which was the main factor in making this decision.

The post Firefox Refuses to Support FTP Protocol appeared first on Gridinsoft Blog.