Archive for January, 2007

Feedback not so good on IE7

Tuesday, January 9th, 2007

Marketing Pilgrim have taken a look at the feedback the blogging world has produced about IE7. Most of it has been not so good. Although when I did my IE7 review a week after release I said the browser was an improvement over IE6, I did mention that the non-standard user interface could be very off-putting to users who have automatic upgrades enabled. Although Firefox tries to make its interface comfortable for migrating IE6 users, the interface in IE7 is drastically different.

Although I was fairly positive about IE7 when I did the review, I’ve recently had to use the browser fairly frequently over the past week (work-related testing), and I do find the flaws in IE7 a lot more apparent when it’s used alongside Firefox. Therefore, if I had used IE7 alongside Firefox when I had written my review I probably would have given IE7 a lower rating. Like their Zune, IE7 just appears to have been rushed out too early.

What I think they should have done is make a user interface for the XP version of IE7 that fits in with the XP user interface standards and leave the new look for Vista. Their best bet for XP would have been to resemble the look of IE6 as much as possible, but with the addition of tabs.

Opera fails to reveal security fixes in 9.10

Sunday, January 7th, 2007

Asa Dotzler mentions the Heise Security article about Opera 9.10 which was released in December. The release notes fail to mention two fairly critical security problems that were fixed in 9.10 but were present in the previous version 9.02. The main features listed in 9.10 were the online fraud protection and some stability updates.

The main concern being raised is that, by not mentioning the security updates, Opera may lead people to skip this release if none of the new features appeal to them, whereas they would be more likely to upgrade if they knew that it fixes security issues.

This could be Opera trying to hide security problems from their users to appear more secure in their minds, or it may just be an omission: something that should have made it into the release notes but didn’t, through a breakdown in internal communication.


Opera 9 one of eWeek Labs products of 2006

Friday, January 5th, 2007

Opera 9 was chosen as one of the top products of 2006 by eWeek. It’s the only browser to receive an award from eWeek for 2006.


Google removes ‘tips’ service

Friday, January 5th, 2007

After criticism from Blake Ross and probably many others, Google has decided to remove its ‘tips’ service.

The Burning Edge

Friday, January 5th, 2007

One of the most useful resources I use for keeping track of Firefox development is The Burning Edge; it features regular updates on developments in Firefox nightly builds. Those who don’t follow Firefox development closely may not know that Mozilla releases nightly development builds that incorporate the changes of the day. These builds are not intended for general use, but for those who want to help with Firefox development or testing.


A year of IE6 bugs

Thursday, January 4th, 2007

Brian Krebs of the Washington Post has looked back over a year of IE6 vulnerabilities and come to the conclusion that a fully patched IE6 installation would have been unsafe for 284 days in the year.


Google Fixes Contact List Flaw

Tuesday, January 2nd, 2007

The flaw in Google’s webapps that affected Gmail (aka Google Mail in UK and Germany for legal reasons) appears to have been fixed by Google. The JavaScript page that used to list your contacts now returns the following empty list:

google ({
Success: false,
Errors: []
})

This means that the problem reported yesterday is no longer an issue. However, this demonstrates that security in web applications is just as important as security in the browser.

As Slashdot still hasn’t updated their article, despite numerous comments, I will stress again that this is not a Firefox issue. It is a bug in the site and therefore will show up in all browsers.

UPDATE: it seems that although that particular issue has been fixed, it’s still possible to access the contact list as an XML file; it’ll take a bit more coding for people to steal your contact list, but it may still be relatively easy. I will keep this site updated with any further news. But for the moment, follow the advice in my previous post.

UPDATE 2: it appears that the contact list being accessible via an XML file is not a security risk, as standard browser security should not allow JavaScript hosted on one site to process XML from a different domain. Therefore I was not able to create any steps to exploit this, and there appears to be nothing out there in the wild either. Therefore I’m changing the title of this article back to ‘Google Fixes Contact List Flaw’. I thought it was best to err on the side of caution until I could verify whether the problem was fixed.

Gmail Contacts List vulnerability

Monday, January 1st, 2007

There appears to be a cross site scripting vulnerability with Gmail that affects IE, Firefox and Opera. It’s to do with the way Gmail stores the contact list when you’re logged in. The website that supposedly demonstrates the vulnerability is currently down, stating ‘Causing too much trouble already… I am sorry if it causes any inconvenience to you, or make you feeling the insecure of Google.’ I will see if I can find out more about this within the next few hours.

UPDATE: I’ve checked and this vulnerability does affect all browsers on my system with JavaScript enabled. That’s because the bug is not with the browser; it’s just some badly designed coding from Google. The problem is caused by the fact that the contacts are stored as a plain JavaScript file, and this file can be included in an HTML file and manipulated. This functionality has legitimate uses - Google Analytics and AdSense both load external JavaScript files from Google’s servers, so browsers shouldn’t remove this functionality; in this instance it’s up to the application developers to consider security in their design.

Slashdot, as usual, have put up a story about this without reading the linked-to article. According to Slashdot only Firefox is affected, which is not true, as it’s a webapp issue, not a browser issue.

If you trust this site you can see an example of this vulnerability here. If you don’t trust this site then make sure you’re logged out of Gmail before visiting the page - you will see nothing in this case but selecting ‘view source’ will show you how easy accessing this data is.
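The mechanism the two Gmail posts describe (a logged-in user’s contact list served as a plain JavaScript file, which any third-party page can pull in with a script tag while the browser attaches the user’s cookies) and the design change on the application side that closes it, as an added example that is not the blog’s or Google’s code. The contact data is constructed; the `Contacts` key, the `x-csrf-token` header, the request and session object shapes, and the `)]}'` prefix used to make the body unparseable as a script are all assumptions for illustration, not details taken from the posts. The only shape borrowed from the page is the `google({ ... })` callback wrapper.

```javascript
// Added example (not the blog's or Google's code). Shows why serving a
// cookie-authenticated user's data as executable JavaScript leaks it to any
// page that includes it, and one application-side design that prevents it.
// All data below is constructed.

const CONSTRUCTED_CONTACTS = [
  { name: 'Alice Example', email: 'alice@example.com' },
  { name: 'Bob Example', email: 'bob@example.com' },
];

// Vulnerable pattern, as the post describes it: the server answers a
// cookie-authenticated request with a script that calls a callback with the
// data. A foreign page that does <script src="https://mail.example/contacts">
// gets the browser to send the victim's cookies and then runs the response
// inside that foreign page, where its own `google` function receives the data.
// (The "Contacts" key is an assumption; the google(...) wrapper is from the post.)
function buildContactsScript(contacts) {
  return 'google(' + JSON.stringify({ Success: true, Contacts: contacts }) + ')';
}

// Hardened pattern: require proof that the request came from our own page
// (a per-session token sent in a custom header, which a <script src> include
// cannot add), return plain JSON rather than a callback invocation, and frame
// it with a prefix that is a syntax error when executed as a script. The
// same-origin policy already stops a foreign page from *reading* a JSON or
// XML response it fetched, which is why non-executable framing is enough.
const JSON_PREFIX = ")]}'\n";

function buildContactsResponse(contacts, request, session) {
  // Hypothetical shapes: request = { headers: {...} }, session = { csrfToken }.
  const token = request.headers['x-csrf-token'];
  if (!token || token !== session.csrfToken) {
    return {
      status: 403,
      contentType: 'application/json',
      body: JSON_PREFIX + JSON.stringify({ Success: false, Errors: ['missing or bad token'] }),
    };
  }
  return {
    status: 200,
    contentType: 'application/json',
    body: JSON_PREFIX + JSON.stringify({ Success: true, Contacts: contacts }),
  };
}

// The legitimate same-origin client strips the prefix before parsing.
function parseContactsResponse(body) {
  if (!body.startsWith(JSON_PREFIX)) throw new Error('unexpected response framing');
  return JSON.parse(body.slice(JSON_PREFIX.length));
}

// Simulates what a browser does with a <script src> include of a response
// body: it executes the text with whatever globals the including page defines.
// Returns the data the including page's `google` callback captured, or null
// when the body cannot run as a script (SyntaxError) or never calls it.
function simulateScriptInclude(body) {
  let captured = null;
  const google = (payload) => { captured = payload; };
  try {
    new Function('google', body)(google);
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
    return null;
  }
  return captured;
}

// Stand-alone demonstration.
const session = { csrfToken: 'constructed-session-token' };
console.log('vulnerable body leaks:',
  simulateScriptInclude(buildContactsScript(CONSTRUCTED_CONTACTS)) !== null);
const hardened = buildContactsResponse(
  CONSTRUCTED_CONTACTS, { headers: { 'x-csrf-token': session.csrfToken } }, session);
console.log('hardened body leaks:', simulateScriptInclude(hardened.body) !== null);
console.log('own client still reads it:', parseContactsResponse(hardened.body).Contacts.length);
```

Run with `node`. The important property is the last two lines of output: the hardened body is useless to a script include but still readable by the application’s own client, and a request that lacks the session token gets a 403 with no contact data at all.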

Qatar repeatedly blocked from editing Wikipedia

Monday, January 1st, 2007

Qatar, the country whose airline sponsors the weather forecasts on a number of major news channels, has been repeatedly banned from editing Wikipedia.
