FoxyTunes

Do you listen to Music while surfing the Web?
Now you can control your favorite media player without ever leaving the browser and more...

Supports WinAmp, iTunes, Yahoo Music Engine, Pandora, foobar2000, Windows Media Player, Xbox Media Center, Musicmatch, Quintessential, J. River, jetAudio, XMPlay, MediaMonkey, Media Player Classic, Sonique, wxMusik, Real Player, XMMS, Noatun, Juk, Amarok, Music Player Daemon, Rhythmbox and many other players.

Just click on the orange note and select your player.

CNET Editor's Rating: 5/5 stars
PC Magazine: Top 15 Firefox Extensions
PC World: Top Download Picks

Works with:

	Firefox	1.5 - 2.0.0.*	ALL
	Mozilla	1.6 - 1.8	ALL
	SeaMonkey	1.0 - 1.0	ALL
	Thunderbird	1.5 - 3.0a1	ALL

Install Now

Version 2.2, released on Jan 2, 2007.

Developer Comments

We'd like to thank the thousands of users who sent us their suggestions, comments, translations, skins and letting us know just how much they love FoxyTunes.

Many issues reported here can be easily solved by either looking at the FoxyTunes FAQ (http://foxytunes.com/firefox/faq.html) or by directly contacting us (http://foxytunes.com/feedback.html). If you contact us instead of just reporting your problem here, we will do our best to resolve it.

Keep on rocking!
-Alex and the FoxyTeam

*************************************************************
* FoxyTunes 2.0:
* New: Web searches, "FoxyTunes Mini" desktop widget, album covers and more!
*************************************************************

Firefox 2.0.0.1 Phishing Protection bypass

+ Subject:
Firefox 2.0.0.1 Phishing Protection bypass

+ Version:
Firefox 2.0.0.1 [ Linux | Windows ]

+ Discovered by:
Kanedaaa: http://kaneda.bohater.net

+ Phishing Protection Description:
Phishing Protection takes Firefoxs security to a new level, helping to safeguard your financial information and protect you from identity theft. When you encounter a Web site that is a suspected forgery (known as a phishing site) Firefox will warn you and offer to take you to a search page so you can find the real Web site you were looking for.

+ Bypass Description:
It is possible to bypass Phishing Protection by add some characters to URL address. URL will be still valid and will work properly but we are not aware of Phishing warning.

When we add "/" char at the end of domain in URL field - for Phishing Protection it will be another site than original and Phishing Protection Test will fail. Example: When my URL is on Phishing List: http://kaneda.bohater.net/phish.html - warning will be displayed

http://kaneda.bohater.net//phish.html - warning will NOT be displayed

Of course we can add more "/".

Like live shows [Firefox HexEncoding Anti-Phishing bypass URL: http://sla.ckers.org/forum/read.php?13,2253 ] Phishers can use this technique in near future to abusive actions.

Timeline:
2007.01.09 bug discovered
2007.01.19 "/" bug sended to http://bugzilla.mozilla.org [Bug 367538]
2007.01.19 answer from Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=367538
2007.02.06 posted to Bugtraq

Original Advisory: http://kaneda.bohater.net/security/20070111-firefox_2.0.0.1_bypass_phishing_protection.php

Firefox 2.0 vs. Internet Explorer 7

Web browsers are among the most commonly used software. Recently, both Internet Explorer 7 (IE7) and Firefox 2.0 trumpeted new or improved security features during their well-publicized launch campaigns. While these features are primarily aimed to attract the business user, they also are directed toward the everyday user who has started to take Internet security more seriously. But what are these new features and do they make using the Web any safer?

Internet Explorer 7 and Firefox 2.0 enhancements
Both Internet Explorer 7 and Firefox 2.0 filter and analyze the Web address, the page content and the structure of a page. And, though both make use of blacklists, only Internet Explorer 7 offers this as a default setting. Firefox 2.0 makes up for this by offering the choice of two blacklists, one of which happens to be a live database maintained by Google. Also impressive is the speed with which all lists are updated.

Both browsers' development groups have upped the ante regarding user warnings, especially warnings applicable to providing personal information. Internet Explorer 7 now uses color-coded warnings in the URL bar based on whether a site is trusted and Firefox's dialog box to warn of cross-domain scripting. Internet Explorer 7 has also enhanced their default settings: the Medium setting has been raised to Medium-high, and the Low setting has been removed altogether. Unfortunately, the much-anticipated Internet Explorer 7 Protected Mode, which stops Web sites from changing a computer's critical files or settings, will work only in Windows Vista! Nonetheless, these improvements take steps to enhance the user experience as each browser now offers enough information to enable users to make intelligent decisions about the safety of a Web site.

Both Web browsers tackle downloads with a barrage of warnings. It seems that Microsoft really learned from past problems caused by ActiveX. Now, a download dialog box only appears when you click a direct link to a download. This prevents pop ups from prompting you to download a file. In addition, if there's a need to install a software program, the prompt will only appear once. Microsoft has also reworked ActiveX prompts; they now appear in the Info bar where they don't interfere with navigation and can be ignored. And, although drive-by ActiveX installs are now impossible, users still need to change their habits. While Internet Explorer has provided publisher program information for some time, simply doing so hasn't deterred people from installing malicious programs.

Alternatively, Firefox allows Web pages to trigger a download dialog box that users must deal with. Firefox also has its own add-on model, and there are concerns about the ease with which they can be installed.

Firefox 2.0 vs. Internet Explorer 7: End-user appeal
However, Firefox 2.0 will likely appeal more to the technically knowledgeable user and its options and dialog boxes reflect that. It offers more customization, such as allowing users to choose which warning messages they receive, and which cookies they can view and remove. On the other hand, if Internet Explorer 7 considers its browser settings to be unsafe, the "Fix Settings for Me" option can help the less technically savvy surfer.

Presently, Firefox has a better reputation for security than Internet Explorer, but Internet Explorer 7 definitely reflects Microsoft's increased focus on security. Regardless, in order to consume Firefox's loyal user base, Microsoft has to show that it can match Firefox's fast response when new security issues arise.

About the Author:
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity.com's Messaging Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.

Michael Cobb
12.14.2006

Firefox Popup Blocker Allows Reading Arbitrary Local Files

There is an interesting vulnerability in the default behavior of Firefox built-in popup blocker. This vulnerability, coupled with an additional trick, allows the attacker to read arbitrary user-accessible files on the system, and thus steal some fairly sensitive information.

Credit: The information has been provided by Michal Zalewski.

Vulnerable Systems:
* Firefox version 1.5.0.9

For security reasons, Firefox does not allow Internet-originating websites to access the file:// namespace. When the user chooses to manually allow a blocked popup however, normal URL permission checks are bypassed. The attacker may fool the browser to parse a chosen HTML document stored on the local filesystem, and because Firefox security manager treats all file:/// URLs as having "same origin", such a document could read other local files at its discretion with the use of XMLHttpRequest, and relay that information to a remote server.

Now, to make the attack effective, the attacker would need to plant a predictably named file with exploit code on the target system. This sounds hard, but isn't: Firefox sometimes creates outright deterministic temporary filenames in system-wide temporary directory when opening files with external applications; even if we ignore this possibility (since it requires the user to take an additional step that may be difficult to justify), "random" temporary files are created using a flawed algorithm in nsExternalAppHandler::SetUpTempFile and other locations.

The problem here is that stdlib linear congruential PRNG (srand/rand) is seeded immediately prior to file creation with current time in seconds (actually, microseconds, but divided by 1e6); rand() is then used in direct succession to produce an "unpredictable" file name. Normally, were the PRNG seeded once on program start and then subsequently invoked, results would be deterministic, but difficult to blindly predict in the real world; but here, the job is much easier: we know when the download start, we know what the seed would be, and how many subsequent calls to it are made - we know the output.

In a different setting, there would be a level of uncertainty caused by the fact that system clocks tend to drift or have imprecise settings (although today, most Windows systems either synchronize with Windows Time, or domain time services, so this is less of a factor). Still, there's a yet another nail to the coffin: on first call, Javascript Math.random() is seeded using the same call in the same manner, PR_Now() * 1e-6. The seed, and hence a time very close to the moment of file creation, can be trivially computed by analyzing Math.random() output. But wait, why bother at all - Javascript can be used to directly read system clock with a 1-second resolution.

One of several attack scenarios Michal could think of might look as follows:
1) Have user click on a link on a malicious page. The link would point to "evil.cgi", and have onClick handler set to function foo(). This function would acquire current system time, and use setTimeout to invoke window.open("p2.html?" + curtime,"new",""); in 100 ms. The aforementioned cgi script would return:

Content-type: text/html
Content-disposition: attachment; filename="foo.html"

2) After user clicks the link, a download prompt will appear, and a copy of evil.cgi output would be saved in - for example - C:\WINDOWS\TEMP\c3o89nr7.htm. The download prompt will be immediately hidden under the newly created p2.html window (this, by default, bypasses popup blocker. because the window is created in response to user action).

3) The page currently displayed on top, p2.html, instructs the user to accept the popup to open a movie player or whatnot; since unsolicited popups are an annoyance, not a security risk, even an educated user is likely to comply.

To create a popup warning, a script embedded on the page calls: window.open('file:///c:/windows/temp/xxxxxxx.htm','new2',''),

with a name calculated by repeating a procedure implemented in SetUpTempFile() with a seed calculated by the server based on reported system time (p2.html?time).

4) When the user opens that particular popup, attacker-supplied HTML file is loaded and executed with local file read privileges (in the aforementioned example, the contents of BOOT.ini file would be reported back to the victim).

Source: www.securiteam.com

Two security flaws discovered in Firefox

A security company has reported two new flaws in the Mozilla Firefox browser that may leave locally saved files vulnerable to outside attacks.

Both flaws were announced by SecuriTeam, a division of Beyond Security, this week. The first flaw lies in Firefox's pop-up blocker feature, according to a SecuriTeam statement on Monday. The browser typically does not allow websites to access files that are stored locally, according to the official report, but this URL permission check is superseded when a Firefox user has turned off pop-up windows manually. As a result, an attacker could use this flaw to steal locally stored files and personal information that might be stored in them.

A possible scenario for such an attack would involve the user clicking on a malicious link that would furtively plant a target file equipped with an exploit code on the computer's hard drive. Then it would display a prompt asking the user to allow a pop-up to appear in order to play a video file or download. The attacker-supplied file would then be loaded thanks to the browser flaw, which could give the attacker local file read privileges.

It appears that this flaw may only apply to older versions of Firefox, prior to the current 2.0 release, but Beyond Security was unavailable for comment on the matter.

The second flaw, announced by SecuriTeam on Wednesday, concerns Firefox's phishing protection feature. With this vulnerability, an adept phisher could fool the browser into believing that a fraudulent site is actually secure by adding particular characters into the URL of its website.

The phishing flaw does appear to apply to the current 2.0.0.1 version of Firefox.

Mozilla was unavailable for comment at the time of writing.

Release notes Firefox Alpha 3 - Known Issues

This list covers some of the known problems with Gran Paradiso Alpha 2. Please read this before reporting any new bugs, and watch for updates as new bugs are discovered.

All Systems

• The browser may consume excessive amounts of memory after prolonged browsing. In order to better handle memory issues, a new garbage collection system has been implemented. However, as the process of integrating Gecko into this system is still ongoing, there are some known leaks that result in large memory usage when the browser is used for a long period of time. A restart should resolve the problem, which will be fixed in Alpha 3.
• The Cairo graphics system has drastically changed the way all text and images are rendered from previous versions of Gecko, so occasional misrenderings of non-latin scripts and fonts may occur.
• The Phishing Protection notification bubble is hidden by the content area (see bug 341950.)

Windows

• Upscaling images can result in misrendering, causing the edges of the image to appear blurry.

Mac OS X

• The user's choice of a default font may not always be honored.
• Font decorations such as underline and strikethrough may be drawn incorrectly.
• Complex script (ex: Indic) may be misrendered.

Linux and Unix systems

• Loading any page with Chinese, Japanese or Korean text can hang the browser (see bug 357637).
• Performance on complex script (ex: Indic) may be slower than previous versions of Gecko.
• Compatibility issues have been reported when users are not running Xorg 7.0 or better.
• Users may experience problems when attempting to print complex pages.

Troubleshooting

• Poorly designed or incompatible Add-ons can cause problems with your browser, including make it crash, slow down page display, etc. If you encounter strange problems relating to parts of the browser no longer working, the browser not starting, windows with strange or distorted appearance, degraded performance, etc, you may be suffering from trouble with your Add-ons. Restart the browser in Safe Mode. On Windows, start using the "Safe Mode" shortcut created in your Start menu or by running firefox.exe -safe-mode. On Linux, start with ./firefox -safe-mode and on Mac OS X, run:

  cd /Applications/GranParadiso.app/Contents/MacOS/
./firefox-bin -safe-mode

  When running in Safe Mode, you can disable the add-ons that are causing trouble and then restart to try again.

If you uninstall an extension that is installed with your user profile (i.e. you installed it from a web page) and then wish to install it for all user profiles using the -install-global-extension command line flag, you must restart the browser once to cleanse the profile extensions datasource of traces of that extension before installing with the switch. If you do not do this you may end up with a jammed entry in the Extensions list and will be unable to install the extension globally.

If you encounter strange problems relating to bookmarks, downloads, window placement, toolbars, history, or other settings, it is recommended that you try creating a new profile and attempting to reproduce the problem before filing bugs. Create a new profile by running Firefox with the -P command line argument, choose the "Manage Profiles" button and then choose "Create Profile...". Migrate your settings files (Bookmarks, Saved Passwords, etc) over one by one, checking each time to see if the problems resurface. If you do find a particular profile data file is causing a problem, file a bug and attach the file.

Downloading Gran Paradiso Alpha 2

Downloading Gran Paradiso Alpha 2

Mozilla.org provides Gran Paradiso for Windows, Linux, and Mac OS X in a variety of languages.

• Windows: Gran Paradiso Setup Alpha 2.exe
• Mac OS X: Gran Paradiso Alpha 2.dmg
• Linux: granparadiso-alpha2.tar.gz

For builds for other systems and languages not provided by mozilla.org, see the Contributed Builds section at the end of this document.

Source: Mozilla.org

Release notes Firefox Alpha 3 - Changes in this Development Milestone

Changes in this Development Milestone

Gecko 1.9 Alpha 2 introduces several new features which can be tested by using Gran Paradiso Alpha 2:

• Core layout code affecting the calculation of widths in tables, floats, and absolutely positioned elements has been rewritten. The code for handling incremental layout of pages (as data arrives over the network, as images load, or as dynamic changes are made) has also been changed extensively. (See the Reflow-Refactoring wiki page for more information.
• Resolved remaining issues with ACID2 test compliance.
• Support for the Web Apps 1.0 API for changing stylesheets.
• The inline-block and inline-table values of CSS 2.1's display property are now implemented.
• XML documents can now be rendered as they're downloaded instead of only after the full document has been loaded.
• Greatly improved Mac widgets support since Alpha 1.
• Improvements in the Cairo graphics layer.

Some of the changes in Gecko 1.9 Alpha 2 will affect the web and platform compatibility of Gran Paradiso Alpha 2:

• Windows 95, Windows 98, and Windows ME are not supported for Gecko 1.9.
• OS X 10.2 is no longer supported, and OS X 10.3.9 or better is required.
• The non-standard JavaScript Script object is no longer supported.
• Moving DOM nodes between documents now requires a call to importNode or adoptNode as per the DOM specification.

Gran Paradiso release notes

Gran Paradiso Alpha 2 is an early developer milestone for the next major version of Firefox that is being built on top of the next generation of Mozilla's layout engine, Gecko 1.9. Gran Paradiso Alpha 2 is being made available for testing purposes only, and is intended for web application developers and our testing community. Current users of Mozilla Firefox should not use Gran Paradiso Alpha 2.

These Release Notes cover what's new, download and installation instructions, known issues and frequently asked questions for the Gran Paradiso Alpha 2 release. Please read these notes and the bug filing instructions before reporting any bugs to Bugzilla.

Give us your feedback through this feedback form.