Hackers focus efforts on Firefox, Safari

The Internet Explorer team should be proud of themselves this week:

Many people are switching from Internet Explorer to alternative browsers such as Firefox and Safari. Though that might make them feel more secure, the shift has also opened new doors for bad guys.

Case in point: We have no IE bugs to report this month, but both Firefox and Safari have been hit hard.

However, if you’re feeling ten feet tall and bulletproof because you’re using FireFox, you might want to reexamine that idea and make sure you get the auto-updates installed:

In a somewhat dubious recognition of Firefox’s growing popularity, hackers have focused their attention on it, leading to a rash of newly discovered holes. The folks at Mozilla recently released two Firefox updates in less than six weeks, fixing a total of five critical security vulnerabilities. All five can be exploited by planting a poisoned JavaScript file in a Web site and waiting for you to stumble across it.

The scary thing here is that you don’t have to do anything to engage this exploit, and JavaScript is all but invisible to any user not really looking for it.

Likewise, Apple cultivates the image of security to every fanboy’s peril:

Safari 3.1 patches 13 holes affecting Mac OS X, Windows XP, and Windows Vista.

Think you’re safe because you don’t have Safari? You may have it without realizing it. Apple now distributes its browser with iTunes updates. Forget to uncheck a box in one of these updates, and it’s there.

The Safari holes could allow an attacker to trick you into thinking that a fake site is really your bank site, or to take over your PC via a poisoned page.

Remember it was Safari that led to the hacking of a MacBook Air in a recent contest.  Add in the insult of sneaking Safari onto machines via iTunes updates and Safari in most corporate environments would be defined as malicious.  The distribution policy has recently been changed to be more clear about what is being installed, but some damage has been done, and you still have to refuse the automatic installation.

There is a reason corporate IT departments prefer software we can control via Group Policy, and why we have policies against anyone installing anything.