Firefox 3.5 RC 1 now available

Mozilla has just released Firefox 3.5 Release Candidate 1. Note that this isn’t quite the final product yet but beta testers are welcome to test it out.

Firefox 3.0.11 released late last week

Mozilla has posted Firefox 3.0.11 late last week. This version fixes 11 security vulnerabilities as mentioned in this ZDNet blog.

For those using Firefox, start updating to the latest release immediately.

eWeek Hit by Ad Hack

Emily Steel at the Wall Street Journal reports that, last February, eWeek.com had one of its ads hacked. Stephen Wellman at Ziff Davis (which owns eWeek) is reported as saying,

eWeek… displayed an ad on its homepage masquerading as a promotion for LaCoste, the shirt maker. The retailer hadn’t placed the ad — a hacker had, to direct users to a Web site where harmful programs would be downloaded to their computers

Scary stuff. Be careful what you click.

Conficker: the Inside Story

Jim Giles at New Scientist has just posted a fascinating look at the beginnings of the fight against the Conficker worm.

Despite an unprecedented collaboration against them, Conficker’s accomplished creators have been able to bluff and dodge to gain control of machines inside homes, universities, government offices and the armed forces of at least three nations, establishing a powerful and lucrative network of “zombie” computers.

Good read. Accurate, too.

No Internet Explorer in Europe?

This story’s changing rapidly.

Ina Fried at CNN reported that she had seen a memo from Microsoft saying that the versions of Windows 7 sold in Europe will not have any browser pre-installed: if you want IE8, you have to get it and install it independently (presumably from a free CD).

For starters, there’s a huge chicken-and-egg problem: how do you download a browser (much less all of the Windows Live Essentials) when you don’t have  a browser?

But of course there are many other ramifications.

The EU has jumped into the fray. International political theater – and I have to admit that MS has taken the first round. Fur is flying. Let’s see how it shakes out.

Make Way for Morro

Reuters broke the news.

Thurrott confirmed it, without actually confirming it, if you know what I mean.

Morro is imminent. The beta could hit any day now.

As you may recall, Morro is Microsoft’s free antivirus product that’s supposed to be the replacement for the ill-fated AV portion of Windows Live OneCare.

What surprises me is the stock market reaction: Microsoft is up more than 2% and the AV manufacturers are down quite a bit. The market should’ve taken Morro into account months ago, when it was first announced. Some investors were clearly asleep at the wheel.

Ten bulletins, 31 patches, a million potential problems

There’s a huge crop of patches waiting for you, covering 31 separate vulnerabilities, and I dunno-how-many different downloads.

As usual, the best overview is at the SANS Internet Storm Center.

Bottom line (tell me if you’ve heard this one before): don’t use Internet Explorer. Apparently none of the bad problems (except the ones in IE) have exploits that you need to worry about. Don’t apply any patches until the screams have subsided.

We remain at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

Oh. Don’t forget to patch Acrobat Reader, if you have it. Adobe just fixed 13 security holes in Reader. You could take advantage of the unease you’re feeling right now and install Foxit reader, which works just fine most of the time and has a significantly better track record for fixing security holes.

An interesting note: several of you have asked how Microsoft and industry pundits count the number of bugs: Gregg Keizer at ComputerWorld reports, for example, that this monster set of patches fixes 31 security holes – a record, by his estimation. Brian Krebs at the Washington Post echoes the statement. Brian credits Symantec.

All of these people are counting the number of CVEs that Microsoft claims to fix in the security bulletins. CVEs are “Common Vulnerabilities and Exposures” listed and maintained by the MITRE organization, which is an independent non-profit originally associated with MIT. Each CVE number corresponds to one or more identified security holes. While the CVE count is a better indicator of how many holes have been patched than the number of security bulletins, it frequently doesn’t differentiate between different versions of programs, and other subtleties.

MS-DEFCON 2: Lock your machines down

With June’s Black Tuesday crop of patches imminent, now’s the time to make sure all of your computers are set to “Notify but don’t download” updates. Instructions are in any of my books, or click Start | Control Panel | Security Center and take it from there.

There’s  a big crop of patches coming. I suggest you sit back and let the pioneers get the arrows in their backs.

We’re at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.