Pavlov Scope

2006 February 25

Winamp vulnerable (again)

Filed under: ITSec — Kev Frey @ 21:39:28

Winamp has more vulnerabilities. Upgrade to version 5.2 to resolve those issues.

If it doesn’t automatically prompt you to update, please visit WinAmp’s site for the latest version (at the time of this writing, 5.2) which will resolve all known exploited issues.

Exploit code has been released to take advantage of the recent flaws, mostly by spyware writers to install popups and adverts onto your machine, so prevent that by upgrading ;-)

_____________________________________________________________
KevFrey

kevfrey@gmail.com
.     .    .   .  . .. .  .   .    .     .


2006 February 12

Opera vs. Firefox vs. IE

Filed under: IT — Kev Frey @ 16:23:28

Here is a quick perspective on the “big three” browsers – Opera vs. Firefox vs. IE

Security
Firefox (especially with the NoScript and AdBlock extensions) is more secure than IE.
Opera (especially by tweaking some config settings) is more secure than IE.
IE has been shown to be the least secure of the three… by FAR.

Opera is (arguably) the fastest browser out there, which is what initially drew me to it in the first place (back in 1999). There are several speedy features built-in to Opera, but the one I use the most is its ability to easily “toggle” images off and on on demand (it is an icon on the main bar). So, I surf the web with images turned off by default which makes the pages load much, much faster. Then, if I need images to view the site properly, I simply toggle them ON on-the-fly.
Additionally, there are network-level settings that make it pull pages down faster, and you can tweak just about every setting you want to squeeze performance to the max (like cached pages, etc.).

Tabbed Browsing – Both Opera and Firefox have had tabbed browsing for years. I believe Opera was the first to support it, but that doesn’t matter for this discussion. Tabbed browsing simply refers to the ability to have multiple webpages open within a single “program window.” When you use IE and you open multiple websites, you have a string of IE windows open on your task bar. With tabbed browsing, instead of these multiple windows, you have a single Firefox or Opera window and within it, you have additional windows of websites. It is a convenience thing and sounds rudimentary, but it makes a big difference once you get used to it.
With Opera and Firefox, you can run with or without tabbed browsing… or both at the same time!
In IE7 (the upcoming version of the browser), it finally has tabbed browsing. Additionally, there are other browser “wrappers” that use IE (a popular one is Avant) as an engine and force it to support tabbed browsing, but that might be cumbersome for the standard “I just want it to work” user.

Session History – Also, unique to Opera is that you can configure it to save all the open windows (webpages) you had open at the time that you close it – so that when you open it next it opens all the same websites you had open previously, in the same order and place as where you left off – it is an awesome productivity feature that I have come to rely upon. It will even save where you were if you crash.
A cool thing in favor of Firefox is that you can Bookmark all open tabs into a new or existing Bookmark folder – all at once. This effectively allows you to come back to the same set of pages in the future, but not quite as seamless as the Opera (start from last time) feature. Opera can open all the bookmarks in a folder as well.

Searching – Opera and Firefox both have a built-in Search field for direct searching of the web (without the use of addins). Opera has a quick search for Google, Amazon, Price Comparison, Ebay, Download.com, etc. Firefox has built-in search capability for Google, Amazon, Ebay, Yahoo, Answers.com, and CreativeCommons, and also allows you to Add your own which is a really cool feature.

Customizability – Both Opera and Firefox can have their appearances changed using “skins” in Opera or “themes” with Firefox. These alter the way that buttons and windows appear. I like a really clean looking browser window (none of this fancy whiz-bang stuff for me), so I change the default Opera skin to a clean, simple view which gives me maximum viewing area for webpages.

Mouse Gestures – Opera has another unique feature to which I have become accustomed – Mouse Gestures. This interesting feature allows you to control common surfing commands using a combination of mouse buttons and flicks of the wrist. For example, to go “Back” I simply hold the right mouse button and “flick” my wrist to the left quickly. To go forward, flick to the right quickly. New Page, Flick down. Etc. You can also enable Voice commands in Opera, but I haven’t tinkered with that one yet since I talk to my computer enough as it is ;-)
A mouse gesture extension has been developed for Firefox – here.

Extras – Pop-up blockers built-in to Firefox and Opera are superior to the IE capability and by far predate its support.
Opera has a built-in spell checker for Edit boxes on the web (for things like posting to blog or feedback forms, etc.) via a right click in the field.
In Opera, the Refresh and Stop buttons are interchangeable based on state, which is a simple, but cool little feature. Additionally, you can modify the settings so that the status of the page loading is in the same field as the location/address (so that there is only one place to check for page status).
Opera’s Zoom feature is better than IE and Firefox in that it zooms proportionally all parts of the page, including images – as if you are bringing your face closer to the page.

6 of one, Half dozen of the other – Many features first introduced by Opera have been ported over to Firefox through the open source community’s use of extensions, but development of those extensions is up to the support of that community which sometimes lags behind the release schedule of Firefox in general (but they usually keep up fairly well). This means that if you prefer Firefox but would like some functionality associated “out of the box” with Opera, it is likely available in some form through a Firefox extension or method.

Downloads – Both Opera and Firefox blow the doors off of IE when using it for downloading files (like PDFs, ZIP files, MP3s, etc.). As soon as you click a download link, you are presented with a dialog box on what to do with it (like, where to save it, etc.). But, in the meantime, it is already downloading the file in the background while you decide on where you are going to save the file, etc. IE waits until you have made that choice, which adds sometimes significant waiting time for the download to finish.

Extensibility / Customization – The customization you can do to the browser is extraordinary in Opera, and extensive in Firefox. Firefox benefits in this area by being Open Source and many programmers and hackers have developed extensions to Firefox that make it even more feature rich.

Cross Platform – Both Opera and Firefox support multiple “platforms” which means they run on Windows, Linux, Mac, etc. Opera supports a huge number of platforms, including additional Unix variants (like FreeBSD and Solaris) as well as mobile phones and PDAs.

Compatibility – I use Opera as my primary browser, but it does still have some compatibility problems with sites designed specifically for IE. The problem here is that Opera was developed in strict adherence to worldwide adopted W3C (web) standards. Microsoft (with IE), doesn’t care about what the rest of the world does, and has developed competing, incompatible “standards” of its own, and often the extensions/changes that they have made make it easier for website developers on the front end when designing webpages. However, the downfall is that standards-based browsers like Opera fail to properly render some elements of those pages, making it problematic to use.
Firefox, OTOH, is also standards-based, but has made a much stronger effort to render IE-designed pages more accurately. As a result, it allows the rules to be bent better than Opera and often yields better results when viewing proprietary pages than Opera.

Choices – There are so many “that’s cool” little things in both Firefox and Opera that are hard to completely document, and I find new ones in Opera all the time. The main thing is to explore your choices and then choose one that works for you.

I use Opera – and if I run into a site that doesn’t work right, I use Firefox. If all else fails, I open up IE (which, sometimes I do have to do). Most of the time I don’t have any trouble and to be honest I am almost always running a Firefox window, an Opera window, and an IE window at the same time with different sites in each… but then again, I am a bit of a geek.

But, everyone has their own preferences and computer programs are no different. The easiest and funnest thing (especially on a snowy Sunday afternoon like this) is to download them and try em out.

http://www.opera.com/
http://www.mozilla.com/firefox/

Additionally, here are some other reviews that might be helpful:
Zhooibaal review
NewsForge review by Kris Shaffer


2006 February 11

Q: Locking down to prevent disclosure

Filed under: ITSec — Kev Frey @ 21:13:28

I am in a conundrum: From a technology perspective, how do we prevent confidential company data from being disclosed over the web?

Information leakage, in this sense, is a very difficult problem to solve with certainty. Almost everything is merely a mitigation and nothing seems to be foolproof or without a way around it. If an organization has decided to provide fairly liberal access to the Web by company employees using company computers, either internal or remote, then preventing the use of “certain” kinds of sites (such as webmail, webstorage, etc.) becomes very difficult.

For example: How to lock down the use of webmail and those free (or cheap) webstorage sites like FreeWebSpace.com, BigVault.com, xdrive.com, ibackup.com, filelodge.com, etc. etc. etc. (I’ve counted more than 20 and that is with a simple, quick Google search)?

Add to the problem, remote users. Other than installing software firewalls with according policy configurations (which is daunting in itself), how does one prevent remote PC users (i.e. users outside of the company network) from utilizing webmail and webstorage services? And, even with software firewalls, if the remote users have Admin rights on their computers, they can delete, disable, or cripple the firewall software (and arguably, need to for interop with the heterogeny of networks and configurations in hotels, hotspots, etc.).

Additionally, dropping access to each and every Internet proxy (used for anonymizing, etc.) which might be used to circumvent company site restrictions is like trying to stop lava flows with a garden hose – akin to putting each spam domain name one encounters in a blocklist individually! Hell, anyone can set up a private proxy and use that to browse the web and it would go undetected for a while before the log pattern of a single site being accessed would emerge.

Another REMOTE user problem:

Suppose one mandates that all users, including remote VPN-attached clients, use the proxy server for Web access, in order to block webmail, webstorage, anonymizer, etc. type sites and so prevent information leakage or outright unlawful and intentional disclosure.

However, this introduces a bit of a problem: Users will be required to connect to the VPN to get access to the proxy server in their web browsers. However, to connect to the VPN from most hotels/hotspots/etc., one must authenticate with the provider’s infrastructure (either to accept charges and/or to accept terms and conditions) via the same web browser. This writes out a session cookie from the provider, which then allows the PC out to the Internet (which then allows VPN, etc.).

The problem is that browsers configured to use a proxy server will not “trigger” the mechanisms generally used by hotels/hotspots/airports/etc. So, we are stuck with a chicken-and-egg problem.

I see two primary ways around this:

1) Determine the URLs / addresses used by a majority of providers, and place those into the “exceptions” list in each of these remote clients to bypass the proxy for those sites (allowing authentication with the local provider’s infrastructure to get a VPN connection, thereby allowing the rest of the Internet sites to route properly through the proxy server).

2) Put the proxy server into a publicly available (non-NAT) DMZ, so that the Proxy server’s IP address is available to both internal and Internet-based clients (this seems less secure).
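
Option 1 can be expressed as a proxy auto-config (PAC) file rather than a hand-maintained exceptions list on each client. The sketch below is an added example, not part of the original post: the proxy address and the portal host names are constructed placeholders, and `decide`, `matchesSuffix` and `isPrivateIPv4Literal` are hypothetical helper names. It goes slightly beyond the text by also letting private-address gateway pages through, and by failing closed when the proxy cannot be reached.

```javascript
// Added example: PAC logic for the "exceptions list" approach (option 1).
// Every host name and address here is a constructed placeholder.
var CORPORATE_PROXY = "PROXY proxy.corp.example:8080"; // assumed proxy address
var PORTAL_SUFFIXES = [          // assumed hotel/hotspot sign-in domains
  "login.hotspot.example",
  "portal.hotel.example"
];

// True when host equals the suffix or ends with "." + suffix, so that
// "portal.hotel.example.attacker.test" and "xportal.hotel.example"
// are NOT treated as exceptions.
function matchesSuffix(host, suffix) {
  host = host.toLowerCase().replace(/\.$/, "");
  if (host === suffix) return true;
  var tail = "." + suffix;
  return host.length > tail.length &&
         host.slice(host.length - tail.length) === tail;
}

// True for RFC 1918 IPv4 literals, which hotspot gateways commonly use
// for their sign-in page.
function isPrivateIPv4Literal(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return false;
  }
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Routing decision for one host name.
function decide(host) {
  if (isPrivateIPv4Literal(host)) return "DIRECT";
  for (var i = 0; i < PORTAL_SUFFIXES.length; i++) {
    if (matchesSuffix(host, PORTAL_SUFFIXES[i])) return "DIRECT";
  }
  // Deliberately no "; DIRECT" fallback: while the VPN is down the proxy
  // is unreachable and the request fails instead of leaving unfiltered.
  return CORPORATE_PROXY;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  return decide(host);
}
```

Because the exceptions are matched on whole domain labels, a lookalike host that merely contains a portal name still goes through the proxy.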

I ask these questions to determine what technology can be used to construct a policy enforcement system to contain intentional attempts to utilize non-company mechanisms to transfer, share, or store company information assets.

Am I missing something or is this just hard? To me, without spending gobs of money on technology and implementation, this is a question of the classic security vs. usability problem. Is there an enterprise solution for preventing PCs from sending data (preferably policy-based) either via blocking HTTP PUT commands or other methods? Please only consider IP network methods specifically – USB, CDRom, etc. should be excluded from the discussion.

2006 February 10

Windows Patches – Coming Valentine’s Day

Filed under: ITSec — Kev Frey @ 16:44:28

As a wonderful Valentine’s day gift of work for people like me, Microsoft is releasing 7 new patches (updates) to a variety of software, addressing a variety of software flaws (some severe, others not so).

Being its usual tight-lipped self, the Redmond company doesn’t reveal much about the nature of the flaws, so more information will be forthcoming.


Java – More vulnerabilities

Filed under: ITSec — FreyGuy @ 16:13:28

Sun’s Java libraries are having a rough time of it lately, but Sun is staying on top of the problems with quick fixes. Here is a link to the publicly available information from Sun on the vulnerabilities. This is written a little poorly and overly specifically, but the main thing to realize is that you probably need to update your runtime libraries accordingly. Additionally, simply having the old libraries available on your computer leaves it vulnerable, so please remove older versions of the JRE.

Most of the time, however, if you left the default install of the JRE, the scheduler will prompt you to download the new updates making this process a bit easier and less esoteric. However, you will still need to disable or remove the old versions as simply upgrading the existing versions won’t completely remove the vulnerability.

For a good rundown of how to handle this, check out Brian Krebs’s blog entry on the matter.


Be wary of IE7 preview

Filed under: ITSec — Kev Frey @ 15:58:28

IE7 beta preview is out and you can install it and work with it to check it out.

—- However, I would steer clear of it for now. —- Just check out the screen shots and beta tester reports out on the Web instead of taking the plunge yourself.

  • First and foremost, it can cause problems with some patches that come down from Microsoft which can cause you more headaches than it is worth.

  • Second, come on.. it is IE - what a great track record it has had.

  • Third, several flaws have already been found and remain to be patched – after all, it is BETA software and we cannot expect it to be free of errors yet.

  • Fourth – uninstalling it can be a bear, so for the non-technical user, I would highly recommend avoiding any tinkering for now.

  • Fifth – Browser add-ons, some virus software, some anti-spyware software, and some firewall software will interfere with IE7 beta or vice versa, causing you some weird behavior and error messages.

This is the browser that will be included by default in the next version of Windows (previously named Longhorn) – Vista. For the non-bleeding edge users out there, I suggest that you keep using what you are using for now. Besides, most of the benefits of the new IE have been in other browsers (notably Opera and Firefox) for years.

Wait and see…


Krugle – Search engine tailored to finding and sharing source code

Filed under: IT — Kev Frey @ 15:25:28

Krugle looks like it could be very useful for you code warriors out there… I wonder how long it is before Krugle is acquired by Google?


Lotus Notes Security issues

Filed under: ITSec — Kev Frey @ 15:15:28

Lotus Notes has recently had some security issues disclosed in a variety of areas. One of them is a stack overflow bug that can allow arbitrary code execution (people can run a program on your computer without you having to click on it) – one of the worst kinds of bugs. Other vulns exist that have the same effect. These kinds of programming errors often create new “vectors” of attack for spyware, spammers, and viruses to exploit. The above are client bugs.

There are also some server DoS-type bugs and other “unspecified” vulns as well, but all of the bugs are fixed by upgrading to 6.5.5 or 7.0.1 – so if you are running Notes or Domino, upgrade and be happy again.


2006 February 2

WinAmp Security Flaw found / Fixed

Filed under: ITSec,Music — Kev Frey @ 18:24:28

I am an avid user of WinAmp, as are millions of other people. But, one thing I don’t make a habit of is downloading other people’s playlists, mainly because I have too many of my own to handle. However, if you have WinAmp installed on your machine (even if you are not an avid user or don’t DL playlists) watch out for a new nasty bug in versions of WinAmp 5.12 and prior. This buffer overflow vulnerability allows maliciously coded playlists to run other programs on your machine (known as arbitrary execution) without your control. A good example might be a link to a playlist on a malicious website disguised to be a normal webpage link.

An exploit is out in the wild for this bug, making it exceedingly easy to exploit and some spyware is already using this flaw to install itself. Lately, spyware installers have been on the leading edge of exploits (over virus writers) – probably because there is money in spyware and not so much in viruses.

Since WinAmp automatically associates playlist files (naturally) to itself, you could accidentally trigger a malicious file without realizing it.

Bottom line – If you have WinAmp installed, update ASAP to 5.13 or higher: Here is a link to the WinAmp DL page

Questions or comments, please let me know.


Firefox 1.5.0.1 released

Filed under: ITSec — Kev Frey @ 15:50:28

Yesterday, Firefox released an update to bring the version up to 1.5.0.1. Some of you avid users were probably prompted already to upgrade. I suggest doing the upgrade to introduce additional stability and to install the security fixes that have been implemented in this release. Also included is improved Mac support for all you applesaucers out there…

There is an active exploit running around now that takes advantage of a security flaw in the older version, so please update if you haven’t already.

If you aren’t prompted to upgrade automatically, then you can do so manually by choosing Help-Check for Updates from the menu.

Here is a link to the geeky list of specifics.

Additionally, if you have installed some of the great Firefox extensions, you will need to update them as well.

Choose Tools-Extensions, then the Find Updates button on the bottom left of the resulting dialog box. After they are all downloaded, you will need to restart Firefox, but then you will be all up-to-date.
