Dr. Bill | The Computer Curmudgeon

Lookout! Check to see if your favorites are in the sites!

Firefox Add-on Armageddon arrives: How to see if you are going to be hit

ZDNet – By: Chris Duckett – “Firefox 57 is set to bring the biggest shake-up that Mozilla’s browser ecosystem has seen in quite some time, and the simple reason is that a huge number of extensions and add-ons are set to stop working.

Appearing on November 14, Firefox Quantum brings together a number of long-running programs to speed up the browser — including using its C++ alternative language Rust and multi-process functionality — but it comes at the cost of Firefox’s best feature, its extensibility.

This is far from a surprise, with the switch from XUL to WebExtensions first signalled in mid-2015, but it is a hard break with the past.

Many popular extensions have already been ported to the new framework, but due to extra restrictions imposed by WebExtensions, some existing add-ons are simply unable to do what they once did.

For those still using Firefox 56 and earlier who would like to know what they are going to lose when they upgrade to 57, you are able to see what will disappear thanks to the Add-on Compatibility Reporter.

Sometimes your favourite add-ons are not long for this world.

After installing the add-on, head over to the about:addons page in your browser, and any extensions with a bright yellow Legacy label are sitting on death row.

Ironically, the Add-on Compatibility Reporter is among the extensions that will stop working when Firefox is updated to Quantum.

How to deal with add-ons that will not work is something each user will need to investigate, but Mozilla has said most users should not be impacted by the shift to Quantum.

For users who absolutely have to keep using a XUL-based extension, it is possible that using a fork of Firefox dubbed Pale Moon could work, or switching to Firefox’s extended support release will get another 11 months on Firefox 52, or sitting on Firefox 56 for as long as is needed.

For everyone else, enjoy a much faster browser.”

You will have coal in your stocking if you are waiting for a free version of Prime!

Amazon denies that it’s developing a freemium version of Prime Video, despite reports

The Verge – By: Dani Deahl – “Update November 14th, 11:06AM ET: This article was updated to include a statement from Amazon denying the claims.

Amazon is reportedly working on a free, ad-supported version of its Prime video streaming service, according to sources that spoke with AdAge. Currently, Prime members pay $99 to access a variety of video streaming content, which is usually ad-free.

This alternate version described by AdAge would be available to non-Prime members and would be supported by the advertisers. AdAge says Amazon may also share audience information and ad revenue in order to bolster its initial efforts with the project. One unnamed executive told AdAge that ‘Amazon is talking about giving content creators their own channels, and sharing ad revenue in exchange for a set number of hours of content each week.’

People have been migrating away from traditional TV and toward subscription-based services like Netflix, in part because these platforms offer ad-free experiences. This version of ad-supported streaming will certainly be attractive to advertisers and content creators, but the question is whether consumers will bite on watching shows interrupted with commercial breaks, even if they’re free.

A ‘freemium model’ could be beneficial to Amazon as movies and TV shows are one of the main reasons people sign up for Prime accounts. So sure, a free version is a good deal, but freemium could drive people to upgrade to a Prime account to access ad-free streaming, along with all the other benefits Prime offers, like free two-day shipping on eligible purchases.

According to AdAge, the free, ad-supported version will feature a lot of back catalog from Amazon, including children’s programming as well as lifestyle shows that revolve around topics like cooking and travel.

Despite all the details, however, an Amazon spokesperson told The Verge: ‘We have no plans to create a free, ad-supported version of Prime Video.'”

Will YOU consider switching back?

Firefox Quantum arrives with faster browser engine, major visual overhaul, and Google as default search engine

VentureBeat – By: Emil Protalinski – “Mozilla today launched Firefox 57, branded Firefox Quantum, for Windows, Mac, Linux, Android, and iOS. The new version, which Mozilla calls ‘by far the biggest update since Firefox 1.0 in 2004,’ brings massive performance improvements and a visual redesign.

The Quantum name signals that Firefox 57 is a huge release that incorporates the company’s next-generation browser engine (Project Quantum). The goal is to make Firefox the fastest and smoothest browser for PCs and mobile devices — the company has previously promised that users can expect ‘some big jumps in capability and performance’ through the end of the year. Indeed, three of the four past releases (Firefox 53, Firefox 54, and Firefox 55) included Quantum improvements. But those were just the tip of the iceberg.

Firefox 57 for the desktop is available for download now on Firefox.com, and all existing users should be able to upgrade to it automatically. The Android version is trickling out slowly on Google Play, and the iOS version (which is usually updated separately from the other platforms) should eventually arrive on Apple’s App Store.

Mozilla doesn’t break out the exact numbers for Firefox, though the company does say that ‘half a billion people around the world’ use the browser. In other words, it’s a major platform that web developers target — even in a world increasingly dominated by mobile apps.

Speed

Mozilla says that Firefox Quantum will feel speedier when you browse your favorite websites, thanks to faster page loading, smoother scrolling, and a more responsive user interface. The company noted three ways Firefox now bests the competition:

Firefox Quantum is 2X as fast as Firefox was 6 months ago, according to the (still-in-development) Speedometer 2.0 benchmark
Firefox Quantum is oftentimes perceivably faster than Chrome in a side-by-side comparison
Firefox Quantum often uses less memory than Chrome (~30 percent less using a Windows 10 PC)
While Firefox has historically run mostly on just one CPU core, Firefox Quantum finally takes advantage of multiple CPU cores on desktop and mobile. Firefox Quantum features a faster CSS engine written in Rust that runs quickly, in parallel across multiple CPU cores, instead of running in one slower sequence on a single core. ‘No other browser can do this,’ Mozilla claims.

Firefox Quantum prioritizes the tab you’re actively using — that tab downloads and runs before other tabs you have open in the background — and includes a new CSS engine called Stylo, which takes better advantage of multiple CPU cores that are optimized for low power consumption. Mozilla has also fixed hundreds of issues related to Firefox speed in the past several months, which adds to the feeling of a faster browser.

You can check out Mozilla’s tests here and the technical background here.

New features

Performance aside, Firefox Quantum includes a visual refresh, called Photon, that ‘feels fast, fluid, and at home with modern operating systems.’ Photon takes advantage of today’s High DPI displays and other hardware across Windows 10, macOS High Sierra, Android Oreo, and iOS 11.

‘We call this initiative Photon, and its goal is to modernize and unify anything that we call Firefox, while taking advantage of the speedy new engine,’ the team explained. ‘You guessed it: The Photon UI itself is incredibly fast and smooth. To create Photon, our user research team studied how people browsed the web. We looked at real-world hardware to make Firefox look great on any display, and we made sure that Firefox looks and works like Firefox, regardless of the device you’re using. Our designers created a system that scales to more than just current hardware but lets us expand in the future.’

Photon on a Windows PC with a touch display, for example, adjusts the menu size based on whether you click with a mouse or touch with a finger. You can expect square tabs, a dark color scheme, smooth animations, and a restructuring of menus. There’s also a Library feature that provides quick access to bookmarks, Pocket, history, downloads, synced tabs, and screenshots.

Speaking of Pocket, Firefox Quantum integrates the read-it-later app, which Mozilla acquired in February, even further. When you open a new tab, you’ll see currently trending web pages recommended by Pocket users, in addition to your top sites. Firefox Quantum lets you save to Pocket right from the address bar. If you have the Pocket app for Android or iOS, you’ll also get offline access to your saved stories.

In Canada, Hong Kong, Taiwan, and the U.S., Firefox will use Google as its default search provider. Back in November 2014, Mozilla swapped the default from Google to Yahoo for these countries. Firefox default search providers in other regions are Yandex in Russia, Turkey, Belarus, and Kazakhstan; Baidu in China; and Google in the rest of the world. Firefox still lets you swap between search providers — Mozilla says Firefox offers more than 60 search providers pre-installed across more than 90 languages, which is more than any other browser.

Here’s the full Firefox 57 for desktop changelog:

A completely new browsing engine, designed to take full advantage of the processing power in modern devices
A redesigned interface with a clean, modern appearance, consistent visual elements, and optimizations for touch screens
A unified address and search bar. New installs will see this unified bar. Learn how to add the stand-alone search bar to the toolbar
A revamped new tab page that includes top visited sites, recently visited pages, and recommendations from Pocket (in the US, Canada, and Germany)
An updated product tour to orient new and returning Firefox users
AMD VP9 hardware video decoder support for improved video playback with lower power consumption
An expanded section in preferences to manage all website permissions
Various security fixes
Firefox now exclusively supports extensions built using the WebExtension API, and unsupported legacy extensions will no longer work. Learn more about our efforts to improve the performance and security of extensions
The browser’s autoscroll feature, as well as scrolling by keyboard input and touch-dragging of scrollbars, now use asynchronous scrolling. These scrolling methods are now similar to other input methods like mousewheel, and provide a smoother scrolling experience
The content process now has a stricter security sandbox that blocks filesystem reading and writing on Linux, similar to the protections for Windows and macOS that shipped in Firefox 56
Middle mouse paste in the content area no longer navigates to URLs by default on Unix systems
Removed the toolbar Share button. If you relied on this feature, you can install the Share Backported extension instead.
Some older versions of the ATOK IME, including ATOK 2006, 2008, 2009 and 2010, can cause crashes and are therefore disabled on the Windows 64-bit version of Firefox Quantum. To fix those incompatibility issues, please use a newer version of ATOK or one of other IMEs.
The default font for Japanese text is now Meiryo
Complete visual refresh of both the Light and Dark DevTools themes, matching the new visual style of Firefox Quantum
The Inspector shows the values of CSS variables on hover
Completely new and re-designed Console panel. Joining the Debugger and the Network Monitor, the Console has been rewritten using modern web technologies such as React and Redux. It now also allows to inspect objects in context.
If you’re a web developer, more details are available for you here: Firefox Quantum 57 for developers.

Here’s the full Firefox 57 for Android changelog:

Performance improvements for faster page loading and stability
Updated interface, including a revamped new tab page that includes top visited sites, recently visited pages, and recommendations from Pocket (in the US, Canada and Germany)
Video decoding is shut down when the tab playing the media is sent to the background. Video resumes when the tab is brought to the foreground. Audio will not be affected.
Added an option to enable tracking protection outside of private browsing
Automatically enable private mode on compatible keyboards during private browsing
Long URLs in the URL bar are now scrollable
Added Wolof (wo) locale
Various security fixes
Firefox for Android now exclusively supports extensions built using the WebExtension API, and unsupported legacy extensions will no longer work. Learn how we made extensions faster and more secure
Allow Android Apps to launch a customized web browser
Mozilla releases new Firefox versions every six to eight weeks, and Firefox 58 is currently slated for late January.”

The new Windows 10 Fall Update is on the way! Maybe you should not be “cutting edge” and install it immediately! It might be worth waiting to let things shake out.

Windows 10 Fall Creators Update: New features to try, but don’t rush to install it

ZDNet – By: Ed Bott – “After a little more than two years, Microsoft has finally settled into a rhythm with its new, fast-paced development cadence for Windows 10.

What Microsoft’s marketers are calling the Fall Creators Update (officially version 1709) begins arriving on desktop PCs today via Windows Update and will soon be available for download at all the usual places.

The final build number for this release is 16299.

This is the fourth feature update to Windows 10 in a little over two years. And that pace will continue, with new feature updates (essentially full upgrades) due on a predictable twice-yearly cadence going forward.

As with previous feature updates, there are no last-minute surprises in this update. It’s been developed in the open, with dozens of preview releases to members of the Windows Insider Program. For those who haven’t been paying close attention, though, this article should get you up to speed quickly.

More importantly, it means you have to decide whether to allow the upgrade to happen on Microsoft’s schedule or to take charge of the upgrade timing yourself. IT pros responsible for managing a fleet of Windows 10 PCs can use group policy settings to temporarily delay the Fall Creators Update for up to 18 months; individual Windows 10 users have simpler options in the user interface. In either case, it’s crucial to act now.

In Microsoft’s arcane language, today’s release goes to the Semi-Annual Channel for deployment to targeted consumer devices; it will be declared ready for broad deployment to business PCs after several months of cumulative updates and feedback. (Those “targeted” and “broad deployment” milestones replace the previous Current Branch and Current Branch for Business concepts.)

For most business PCs, the correct option is to defer upgrades for at least a few months, while testing the new release on a limited number of pilot devices to identify compatibility issues with existing applications and hardware.

WHAT’S NEW
The new and changed features in this release encompass a wide array of user scenarios, including a healthy assortment aimed at IT pros and developers.

One of the most important benefits of the twice-annual feature update schedule is that it allows Windows developers to incrementally improve features that previously would have languished for years between major releases. In this feature update, for example, you’ll find the following small but meaningful usability tweaks:

Every Wi-Fi connection now has a prominent option to configure whether it’s part of a public or private network, as shown here. In previous versions, that option was difficult to locate.

Setting a wireless network connection as public or private is easier in this release.

Similarly, the venerable Task Manager has several small improvements, including options that allow you to track GPU activity on a per-application basis and more convenient grouping of related processes. This release also incorporates changes designed to improve the experience of running Windows on high-DPI displays; built-in utilities like Registry Editor and Snipping Tool are no longer blurry when moving between multiple displays running at different scaling factors..

The Power Throttling feature makes its debut in this release, offering a simple slider-based option that lets you tune Windows 10 for better battery life or better performance.

The built-in Windows 10 apps also include major improvements in this release. I’ll have a more detailed look at them in a follow-up post.

THE USER EXPERIENCE
After a few gyrations in the first year, the basic design of the Windows 10 Start experience has remained consistent. This build is the first to incorporate elements of Microsoft’s new Fluent Design, which adds subtle performance and usability improvements, including easier resizing and smoother transitions.

Action Center, which hosts notifications on the right side of the screen, also gets Fluent Design features (most noticeable when you have transparency turned on) and is redesigned to make it easier to deal with notifications.

Cortana’s settings, which used to be available only from within the Cortana app, are now integrated into Settings. And in a cool design change, Cortana now displays answers in a flyout from the Start menu. That also includes results from web searches (powered by Bing only), which means you don’t have to open a browser to do a search.

Cortana now makes full use of the space to the right of Start.

These advanced controls for peer-based updates are new in version 1709.

Windows Update has also evolved significantly in the two years since Windows 10’s initial release. When new updates are available, you’ll see an interactive toast notification that doesn’t interrupt whatever you’re doing now. In addition, the Windows Update display now offers detailed information about the status of individual updates, so you don’t have to wonder whether anything’s happening in the background.

The Delivery Optimization feature, which uses peer-to-peer networking to improve download performance of updates for Windows and Store apps, gets a much-needed set of advanced options that allow you to fine-tune the amount of bandwidth it’s allowed to use and also limit the total uploads on a monthly basis.

One of my favorite classic Windows features, Volume Mixer, has finally been updated to include Universal Windows Platform (UWP) apps, including Microsoft Edge and Groove Music. This option, accessible by right-clicking the speaker icon in the taskbar, lets you set the volume of each app independently without affecting the overall system volume.

UWP apps finally work with the Volume Mixer feature.

Another minor but welcome change is the addition of GPU performance information in Task Manager for systems with a discrete GPU.

The My People feature, which lets you pin icons for frequent correspondents to the taskbar, looks like a gimmick at first but in my experience has become incredibly useful. If you connect mail, calendar, and messaging accounts, it can show appointments, email messages, Skype conversations, and contact details in a scrolling window that’s available with a single click.

SETTINGS IMPROVEMENTS
The migration of Windows knobs and levers from Control Panel to the modern Settings app continues with this update. Here are a few noteworthy changes:

Settings > System > About has been reorganized and streamlined. Previously, the information displayed here was in a single long, scrolling list. The new arrangement organizes the information into three blocks, covering system health, device information, and Windows details.

Remote Desktop settings, which were scattered in several locations in earlier versions, now get a single home: Settings > System > Remote Desktop.

Remote Desktop options are now available in Windows 10 Settings.

The incredibly useful Magnifier tool, which eases eyestrain by allowing you to zoom in on text and objects, also gets its own top-level category in Settings > Ease Of Use.

SECURITY
The long list of improvements to the security architecture of Windows 10 starts with a momentous change. The horribly insecure SMBv1 protocol is being removed from clean installs of Windows 10. (The SMBv1 components will continue to be included on upgrades where they are already installed.)

Home and Professional editions have the SMBv1 server component uninstalled but keep the client software; Enterprise and Education editions have all SMBv1 components uninstalled.

As a side effect of that change, the legacy Computer Browser service is also being removed.

The Windows Defender Security Center, which was introduced in an earlier feature update, has two major additions. The first is Exploit Protection, which offers many of the mitigations that were previously part of the separate Enhanced Mitigation Experience Toolkit (EMET).

Most of the settings previously found in EMET are now here.

The Fall Creators Update also debuts an anti-ransomware feature called Controlled Folder Access, which is also available through the Windows Defender Security Center, under Virus & Threat Protection Settings. When this feature is enabled, only approved apps can access Windows system files and data folders. (You can customize the list of data folders and whitelist specific apps, using the instructions in this online documentation: Protect important folders with Controlled folder access.)

Finally, there’s Windows Defender Application Guard, a security feature that uses Hyper-V virtualization to create sandboxed browser sessions using Microsoft Edge. For now, this feature is available only in Windows 10 Enterprise edition.

HYPER-V
One of the single most useful features in the Professional and Enterprise editions of Windows 10 is Hyper-V. This extremely robust virtualization platform gets more than its share of attention in this release.

A new Virtual Machine Gallery should make it easier for task-focused users to create useful virtual machines without having to wade through a long series of technical settings. Currently, this gallery includes a preconfigured development environment running an evaluation version of Windows 10 Enterprise.

This one-click option to create a virtual machine is new in version 1709.

After you create a virtual machine, you can export it more easily as well, by clicking the new Share button and compressing its pieces into a .vmcz file that can be imported on another Hyper-V capable PC.

In a change of default settings, checkpoints are now on, allowing you to roll back any VM even if you forgot to create a checkpoint manually.

A new advanced feature worth noting is the addition of virtual battery support in Hyper-V. When this feature is enabled on a VM running on a battery-powered device, you can see your physical machine’s battery state inside a VM.

SMARTER STORAGE
It took much longer than it should have, but the OneDrive Files on Demand feature is now built into Windows. The settings take some getting used to (I’ll publish a tutorial later) but the results are worth it, with a much better way to work with large amounts of cloud storage on devices with minimal local storage.

fall-creators-update-onedrive-files-on-demand.jpg
Click the OneDrive icon to see whether File On Demand is enabled.

For those who use either the consumer version of OneDrive or the Office 365 OneDrive for Business feature, this is probably the single most important new feature in Windows 10.

Another unheralded feature in Windows 10 also gets some improvements in the Fall Creators Update. Storage Sense, which is designed to manage storage intelligently, has a new design and a few new settings.

You can now delete previous versions of Windows directly from Storage Sense instead of having to go to the legacy Disk Cleanup Manager utility.

In addition, you can now opt to automatically delete files that have been in your Downloads folder for 30 days without changes. This and other options are available in Settings > System > Storage > Change how we free up space.

EDGE’S INCREMENTAL EVOLUTION
Microsoft Edge, the default browser in Windows 10, is still unlikely to win over most Chrome users, but it’s steadily improving.

WINDOWS 10

With Surface Book 2, Microsoft shows off its vision of the PC’s future
New features galore, but don’t rush to install it
Five promised features that are missing (TechRepublic)
How Microsoft is thinking differently about hardware and software
How to download Fall Creators Update right now (CNET)
Setup and configuration tips: Don’t settle for default settings
Surface Book 2: Specs, pricing, availability
The biggest change in this update is a vastly improved interface for managing saved Favorites. You can now rename Favorites, edit their URLs, and work with folders directly without having to switch to a special editing mode. (The Edge design team must have been reading the comments on the Creators Update installment in this series.)

The ability to pin sites to the Windows taskbar, previously available in Windows 8, is back, but the implementation is frustratingly incomplete and will disappoint anyone who previously relied on this feature.

Microsoft is also determined to turn Edge into something more than just a web browser, as it’s beefed up PDF reading capabilities and added annotations form filling for PDF files. In addition, you can now add notes and annotations for digital books that you read in Edge.

ALTERNATIVE INPUT METHODS
One of the major selling points of Windows 10 devices (led by Microsoft’s own Surface line) is support for input from sources other than traditional keyboards and pointing devices.

Windows 10 already had some of the best handwriting input tools available on any platform, and this update adds some noteworthy improvements that are worth experimenting with if your PC includes a pen. In addition, Microsoft has improved the design of the touch keyboard to make it easier to use.

But the real news, and probably the single most important feature of this update, is the ability to enter emoji directly into a text box.

OK, I was kidding about this being the most important feature, but it certainly makes using Windows more fun. Press Windows key + period (or semicolon) to pop up an emoji box like the one shown here. Although it’s not immediately obvious, you can also begin typing a word to search for a particular emoji based on that term.

This pop-up emoji picker is available with a press of Windows key semicolon.

For those who’ve been part of the Windows Insider Program and have been following these builds, what are you looking forward to most?

PREVIOUS AND RELATED COVERAGE
Microsoft turns Windows 10 Fall Creators Update focus to ‘stabilization’ as of Build 16273

Microsoft’s latest Windows 10 Fall Creators Update Update test build, No. 16273, is almost entirely about bug fixes, as it closes in on ‘release to the world’ (RTW).

Here’s what you need to know before you repair, reinstall, or upgrade Windows 10, including details about activation and product keys.

Two years after its splashy debut, Windows 10 is now running on more than 500 million PCs worldwide. Was the upgrade worth it? Here’s my report card.

The Creators Update is heading to pretty much every PC, and many mobiles, that run Windows 10. However, the extent to which it matters depends on your priorities.”

The security issues just keep coming!

This ransomware-spreading botnet will now screengrab your desktop too

ZDNet – Danny Palmer – “Attackers behind one of the world’s most notorious botnets have added another string to their bow, allowing them to take screenshots of the desktops of victims infected with malware.

Having previously been inactive for much of the first half of the year, the Necurs botnet has recently undergone a resurgence, distributing millions of malicious emails – large swathes of which have most recently been spreading Locky ransomware.

It’s also been known to deliver the Trickbot banking trojan, indicating the attackers behind it have their fingers in many pies.

But not happy with just that, wow those behind Necurs – a zombie army of over five million hacked devices – are also attaching a downloader with the functionality to gather telemetery from infected victims.

Uncovered by researchers at Symantec, the Necurs downloader can take screengrabs of infected machines and send them back to a remote server. It also contains an error-reporting feature which sends information back to the attackers on any issues the downloader encounters when performing its activities.

This functionality suggests the attackers are actively attempting to gather operational intelligence about the performance of their campaigns in much the same way legitimate software vendors collect crash reports in order to improve their products. However, in this case, the reports are designed to help the attackers spot problems and improve the chances of the malicious payload doing its job.

‘After all, you can’t count on the victims to report back errors and issues,’ note the researchers.

See also: What is phishing? How to protect yourself from scam emails and more

Like other Necurs campaigns, these attacks begin with a phishing email – this time using the lure of a phony invoice. If this attachment is opened, it’ll download a JavaScript which will in turn download a Locky or Trickbot payload, depending on the particular campaign.

Once loaded onto the system, the downloader also runs a PowerShell script that takes a screen grab and saves it to a file named ‘generalpd.jpg’ which is saved and uploaded to a remote server for further analysis by the attackers.

The last month or so has seen Necurs more active than at any point this year, with a high focus on distributing Locky, to such an extent that it’s almost reclaimed its crown as the king of ransomware.

In order to remain as protected as possible against threats distributed by the Necurs botnet, Symantec recommends security software, operating systems and other applications are always kept up to date and to be extremely suspicious of unsolicited emails – especially if they contain links or attachments.”

Man! I use Securi on my sites too! Ack!

This bug let a researcher bypass GoDaddy’s site security tool

ZDNet – By: Zack Whittaker – “A widely used security tool owned by web hosting provider GoDaddy, designed to prevent websites from being hacked, was easily bypassed, putting websites at risk of data theft.

The company’s website application firewall (WAF), provided by Sucuri and acquired by GoDaddy earlier this year, protects websites against a range of attacks by adding an extra layer of security to a website to protect against cross-site scripting and SQL injection techniques.

But a security researcher told ZDNet that the firewall would let through some commands, allowing him to gain access to vulnerable databases behind the scenes. That, he said, put sites at risk of data theft.

Touseef Gul was able to bypass the firewall with a relatively simple SQL injection string, which he showed to ZDNet but we’re not publishing. SQL injection attacks can be launched from the web browser’s address bar. If the attack is successful it will display a list of database tables on the website itself. Where he was expecting to receive an ‘access denied’ message, the firewall let the command through and returned a list of tables from the target website’s database. He was also able to obtain the database’s admin account and MD5 hashed password, which nowadays is easily crackable.

What surprised the researcher, he said, was how easy the firewall was to bypass.

He gave an example of part of the code he used. He said that while the firewall would block a common command used in SQL injections, such as ‘UNION SELECT,’ a modified, encoded version of the same command — such as ‘UNION SELE%63T’ (where %63 is an encoded ‘C’) — was not blocked by the filter.

For its part, GoDaddy said it patched the bug within a day of the security researcher’s private disclosure to the company.

‘In reviewing this situation, it appears someone was able to find a vulnerable website and manipulate their requests to temporarily bypass our WAF,’ said Daniel Cid, GoDaddy’s vice-president of engineering.

‘Within less than a day, our systems were able to pick up this attempt and put a stop to it,’ he said.

Cid said the company is ‘not aware of other customers’ impacted by the bypass, but wouldn’t say how many websites were at risk of the bypass technique.

Lesley Carhart, a digital forensics and incident response specialist, explained that web application firewalls mimic the behavior of antivirus products rather than a traditional firewall.

‘In a lot of ways web attacks are way harder to firewall than traffic in and out of a network,’ said Carhart. ‘You can deny almost everything at a network firewall or host firewall.’

‘Web traffic filtering relies more on blacklisting bad stuff using signatures than whitelisting slews of unneeded ports and protocols like traditional firewalls,’ she added.

Web application firewalls block attacks on sites running web applications that are already vulnerable to attacks, like out-of-date content management systems, like WordPress or Joomla, she explained.”

‘In principle, it’s a great move to add another layer of defense to sites, but it should never be mistaken for or implied to be a replacement for secure coding,’ she said.”

This is GREAT NEWS!

Google just added these antivirus features to Chrome for Windows

ZDNet – By: Liam Tung – “Google has introduced three changes to Chrome for Windows to improve the browser’s malware detection and removal capabilities.

The company is targeting malware and malicious extensions that modify search results to redirect users to unintended pages, inject ads, and lock users on ad-filled sites.

The new security features for Chrome on Windows are an addition to existing defenses, such as Safe Browsing warnings for pages known to deliver malware.

Google is now clamping down on Chrome extensions that change user settings, such as the default search engine. The browser will automatically detect when an unauthorized change is made and offers to restore the original settings.

It has also redesigned Chrome’s Cleanup feature which offers a shortcut to restoring the browser’s default settings after an infection. It shows an alert when the browser detects unwanted software and offers a way to remove it. Chrome users have previously been able to use the standalone Chrome Cleanup Tool to remove harmful software. Google says it redesigned the alerts to make it easier to see what software will be removed.

Chrome Cleanup has also gained a malware detection engine from antivirus firm ESET, which works in tandem with Chrome’s sandbox technology.

This integration of the new ‘sandboxed engine’ doesn’t replace antivirus on Windows as it only targets and removes software that violates Google’s unwanted software policy. However the policy covers a variety of bad behaviors, from deceptive installs to spyware. It also mean that Chrome can detect and remove more unwanted software than previously.

Google estimates the new security features will help ‘tens of millions’ of Chrome users clear up security problems in the next few days.”