FoxyTunes

Do you listen to Music while surfing the Web?
Now you can control your favorite media player without ever leaving the browser and more...

Supports WinAmp, iTunes, Yahoo Music Engine, Pandora, foobar2000, Windows Media Player, Xbox Media Center, Musicmatch, Quintessential, J. River, jetAudio, XMPlay, MediaMonkey, Media Player Classic, Sonique, wxMusik, Real Player, XMMS, Noatun, Juk, Amarok, Music Player Daemon, Rhythmbox and many other players.

Just click on the orange note and select your player.

CNET Editor's Rating: 5/5 stars
PC Magazine: Top 15 Firefox Extensions
PC World: Top Download Picks

Works with:

	Firefox	1.5 - 2.0.0.*	ALL
	Mozilla	1.6 - 1.8	ALL
	SeaMonkey	1.0 - 1.0	ALL
	Thunderbird	1.5 - 3.0a1	ALL

Install Now

Version 2.2, released on Jan 2, 2007.

Developer Comments

We'd like to thank the thousands of users who sent us their suggestions, comments, translations, skins and letting us know just how much they love FoxyTunes.

Many issues reported here can be easily solved by either looking at the FoxyTunes FAQ (http://foxytunes.com/firefox/faq.html) or by directly contacting us (http://foxytunes.com/feedback.html). If you contact us instead of just reporting your problem here, we will do our best to resolve it.

Keep on rocking!
-Alex and the FoxyTeam

*************************************************************
* FoxyTunes 2.0:
* New: Web searches, "FoxyTunes Mini" desktop widget, album covers and more!
*************************************************************

Firefox 2.0.0.1 Phishing Protection bypass

+ Subject:
Firefox 2.0.0.1 Phishing Protection bypass

+ Version:
Firefox 2.0.0.1 [ Linux | Windows ]

+ Discovered by:
Kanedaaa: http://kaneda.bohater.net

+ Phishing Protection Description:
Phishing Protection takes Firefoxs security to a new level, helping to safeguard your financial information and protect you from identity theft. When you encounter a Web site that is a suspected forgery (known as a phishing site) Firefox will warn you and offer to take you to a search page so you can find the real Web site you were looking for.

+ Bypass Description:
It is possible to bypass Phishing Protection by add some characters to URL address. URL will be still valid and will work properly but we are not aware of Phishing warning.

When we add "/" char at the end of domain in URL field - for Phishing Protection it will be another site than original and Phishing Protection Test will fail. Example: When my URL is on Phishing List: http://kaneda.bohater.net/phish.html - warning will be displayed

http://kaneda.bohater.net//phish.html - warning will NOT be displayed

Of course we can add more "/".

Like live shows [Firefox HexEncoding Anti-Phishing bypass URL: http://sla.ckers.org/forum/read.php?13,2253 ] Phishers can use this technique in near future to abusive actions.

Timeline:
2007.01.09 bug discovered
2007.01.19 "/" bug sended to http://bugzilla.mozilla.org [Bug 367538]
2007.01.19 answer from Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=367538
2007.02.06 posted to Bugtraq

Original Advisory: http://kaneda.bohater.net/security/20070111-firefox_2.0.0.1_bypass_phishing_protection.php

Firefox 2.0 vs. Internet Explorer 7

Web browsers are among the most commonly used software. Recently, both Internet Explorer 7 (IE7) and Firefox 2.0 trumpeted new or improved security features during their well-publicized launch campaigns. While these features are primarily aimed to attract the business user, they also are directed toward the everyday user who has started to take Internet security more seriously. But what are these new features and do they make using the Web any safer?

Internet Explorer 7 and Firefox 2.0 enhancements
Both Internet Explorer 7 and Firefox 2.0 filter and analyze the Web address, the page content and the structure of a page. And, though both make use of blacklists, only Internet Explorer 7 offers this as a default setting. Firefox 2.0 makes up for this by offering the choice of two blacklists, one of which happens to be a live database maintained by Google. Also impressive is the speed with which all lists are updated.

Both browsers' development groups have upped the ante regarding user warnings, especially warnings applicable to providing personal information. Internet Explorer 7 now uses color-coded warnings in the URL bar based on whether a site is trusted and Firefox's dialog box to warn of cross-domain scripting. Internet Explorer 7 has also enhanced their default settings: the Medium setting has been raised to Medium-high, and the Low setting has been removed altogether. Unfortunately, the much-anticipated Internet Explorer 7 Protected Mode, which stops Web sites from changing a computer's critical files or settings, will work only in Windows Vista! Nonetheless, these improvements take steps to enhance the user experience as each browser now offers enough information to enable users to make intelligent decisions about the safety of a Web site.

Both Web browsers tackle downloads with a barrage of warnings. It seems that Microsoft really learned from past problems caused by ActiveX. Now, a download dialog box only appears when you click a direct link to a download. This prevents pop ups from prompting you to download a file. In addition, if there's a need to install a software program, the prompt will only appear once. Microsoft has also reworked ActiveX prompts; they now appear in the Info bar where they don't interfere with navigation and can be ignored. And, although drive-by ActiveX installs are now impossible, users still need to change their habits. While Internet Explorer has provided publisher program information for some time, simply doing so hasn't deterred people from installing malicious programs.

Alternatively, Firefox allows Web pages to trigger a download dialog box that users must deal with. Firefox also has its own add-on model, and there are concerns about the ease with which they can be installed.

Firefox 2.0 vs. Internet Explorer 7: End-user appeal
However, Firefox 2.0 will likely appeal more to the technically knowledgeable user and its options and dialog boxes reflect that. It offers more customization, such as allowing users to choose which warning messages they receive, and which cookies they can view and remove. On the other hand, if Internet Explorer 7 considers its browser settings to be unsafe, the "Fix Settings for Me" option can help the less technically savvy surfer.

Presently, Firefox has a better reputation for security than Internet Explorer, but Internet Explorer 7 definitely reflects Microsoft's increased focus on security. Regardless, in order to consume Firefox's loyal user base, Microsoft has to show that it can match Firefox's fast response when new security issues arise.

About the Author:
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity.com's Messaging Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.

Michael Cobb
12.14.2006

Firefox Popup Blocker Allows Reading Arbitrary Local Files

There is an interesting vulnerability in the default behavior of Firefox built-in popup blocker. This vulnerability, coupled with an additional trick, allows the attacker to read arbitrary user-accessible files on the system, and thus steal some fairly sensitive information.

Credit: The information has been provided by Michal Zalewski.

Vulnerable Systems:
* Firefox version 1.5.0.9

For security reasons, Firefox does not allow Internet-originating websites to access the file:// namespace. When the user chooses to manually allow a blocked popup however, normal URL permission checks are bypassed. The attacker may fool the browser to parse a chosen HTML document stored on the local filesystem, and because Firefox security manager treats all file:/// URLs as having "same origin", such a document could read other local files at its discretion with the use of XMLHttpRequest, and relay that information to a remote server.

Now, to make the attack effective, the attacker would need to plant a predictably named file with exploit code on the target system. This sounds hard, but isn't: Firefox sometimes creates outright deterministic temporary filenames in system-wide temporary directory when opening files with external applications; even if we ignore this possibility (since it requires the user to take an additional step that may be difficult to justify), "random" temporary files are created using a flawed algorithm in nsExternalAppHandler::SetUpTempFile and other locations.

The problem here is that stdlib linear congruential PRNG (srand/rand) is seeded immediately prior to file creation with current time in seconds (actually, microseconds, but divided by 1e6); rand() is then used in direct succession to produce an "unpredictable" file name. Normally, were the PRNG seeded once on program start and then subsequently invoked, results would be deterministic, but difficult to blindly predict in the real world; but here, the job is much easier: we know when the download start, we know what the seed would be, and how many subsequent calls to it are made - we know the output.

In a different setting, there would be a level of uncertainty caused by the fact that system clocks tend to drift or have imprecise settings (although today, most Windows systems either synchronize with Windows Time, or domain time services, so this is less of a factor). Still, there's a yet another nail to the coffin: on first call, Javascript Math.random() is seeded using the same call in the same manner, PR_Now() * 1e-6. The seed, and hence a time very close to the moment of file creation, can be trivially computed by analyzing Math.random() output. But wait, why bother at all - Javascript can be used to directly read system clock with a 1-second resolution.

One of several attack scenarios Michal could think of might look as follows:
1) Have user click on a link on a malicious page. The link would point to "evil.cgi", and have onClick handler set to function foo(). This function would acquire current system time, and use setTimeout to invoke window.open("p2.html?" + curtime,"new",""); in 100 ms. The aforementioned cgi script would return:

Content-type: text/html
Content-disposition: attachment; filename="foo.html"

2) After user clicks the link, a download prompt will appear, and a copy of evil.cgi output would be saved in - for example - C:\WINDOWS\TEMP\c3o89nr7.htm. The download prompt will be immediately hidden under the newly created p2.html window (this, by default, bypasses popup blocker. because the window is created in response to user action).

3) The page currently displayed on top, p2.html, instructs the user to accept the popup to open a movie player or whatnot; since unsolicited popups are an annoyance, not a security risk, even an educated user is likely to comply.

To create a popup warning, a script embedded on the page calls: window.open('file:///c:/windows/temp/xxxxxxx.htm','new2',''),

with a name calculated by repeating a procedure implemented in SetUpTempFile() with a seed calculated by the server based on reported system time (p2.html?time).

4) When the user opens that particular popup, attacker-supplied HTML file is loaded and executed with local file read privileges (in the aforementioned example, the contents of BOOT.ini file would be reported back to the victim).

Source: www.securiteam.com

Two security flaws discovered in Firefox

A security company has reported two new flaws in the Mozilla Firefox browser that may leave locally saved files vulnerable to outside attacks.

Both flaws were announced by SecuriTeam, a division of Beyond Security, this week. The first flaw lies in Firefox's pop-up blocker feature, according to a SecuriTeam statement on Monday. The browser typically does not allow websites to access files that are stored locally, according to the official report, but this URL permission check is superseded when a Firefox user has turned off pop-up windows manually. As a result, an attacker could use this flaw to steal locally stored files and personal information that might be stored in them.

A possible scenario for such an attack would involve the user clicking on a malicious link that would furtively plant a target file equipped with an exploit code on the computer's hard drive. Then it would display a prompt asking the user to allow a pop-up to appear in order to play a video file or download. The attacker-supplied file would then be loaded thanks to the browser flaw, which could give the attacker local file read privileges.

It appears that this flaw may only apply to older versions of Firefox, prior to the current 2.0 release, but Beyond Security was unavailable for comment on the matter.

The second flaw, announced by SecuriTeam on Wednesday, concerns Firefox's phishing protection feature. With this vulnerability, an adept phisher could fool the browser into believing that a fraudulent site is actually secure by adding particular characters into the URL of its website.

The phishing flaw does appear to apply to the current 2.0.0.1 version of Firefox.

Mozilla was unavailable for comment at the time of writing.