Showing posts with label Internet Explorer. Show all posts

Wednesday, June 20, 2012

Enable Do Not Track Feature In Web Browsers

How do you enable the “Do Not Track” feature in the web browser you are using?


You may not be aware that the modern web browser you are using is tracking your every single detail, and that data might not be put to good use. Good or bad, I’m not sure, but how would it feel if someone followed your every single click, every web page you surf, and every detail you enter somewhere? What that could mean, even I’m not sure.


But there are some features and settings that can put a stop to all these activities: a simple setting that a user has to tweak in order to enable the Do Not Track feature. Most modern web browsers support the “Do Not Track” feature; you just have to enable it for it to work.


Let’s start with Google Chrome.


Unfortunately, there’s no built-in setting with which you can enable the Do Not Track feature in Google Chrome, but there are many Google Chrome extensions you can use to add a “Do Not Track” feature to it. So, simply use this Google Chrome extension to avoid any kind of web tracking. Just make sure you are using the latest Google Chrome web browser, at least version 17. Add it, enable it, and you are free from spying.


Enable Do Not Track Feature In Mozilla Firefox



We don’t need any add-on to enable the Do Not Track feature in Mozilla Firefox. Just follow this quick tweak in the Mozilla Firefox privacy settings and you are done. That’s the beauty of it.
  • Click on the Firefox button.
  • Move over to Options.
  • Under the Privacy tab, check the box that says “Tell websites I do not want to be tracked”. OK, and there you are, a free bird.

Enable Do Not Track Feature In Internet Explorer

To add that feature in Internet Explorer, visit this Do Not Track Test Page, and under the heading that says “To express your preference not to be tracked in IE9”, click on that link. Make sure you are clicking that using Internet Explorer 9.

Friday, January 14, 2011

Google Sandboxes Flash Player

Chrome's 'dev' build for Windows now blocks Flash attack code from infecting PCs

Google has introduced a sandboxed version of Adobe’s Flash Player in order to protect users from Flash-based attacks. According to tech news site Computer World, Google has been working with Adobe to move Flash Player into the sandbox that comes with Google’s Chrome web browser. Users, especially those with PCs running Windows XP, have been facing a number of security threats through holes found in Adobe’s Flash Player. The move is set to help protect them from potential attacks exploiting those vulnerabilities by containing the platform in a sandbox and not on the system.

The Windows version of the Chrome web browser with the sandboxed Flash Player is already available for developers, with the public version in the works as well. Peleus Uhley, Adobe’s platform security strategist, said in a statement: "The interfaces to open-source browsers are completely different from, say, Internet Explorer, and we had to restructure Flash Player to put it in a sandbox."

Thursday, August 12, 2010

Internet Explorer 9 to launch to public on 15 September

IE9 will run on Windows XP


Microsoft yesterday updated its bare-bones preview of Microsoft Internet Explorer 9 (IE9) for the last time, saying that the next release would be a beta build.

Although Microsoft hasn't named a release date for IE9's beta, the six-to-eight week stretch between each Platform Preview may provide a clue: If the company sticks to the same gap between the fourth preview and the beta, the latter should show on or after September 15 - confirming previous messages from Microsoft.


In IE9 Platform Preview 4, Microsoft has integrated its new JavaScript engine into the browser, finished its work on hardware acceleration and boosted performance in several areas, including the Acid3 test, said the IE team's leader.

"The IE9 platform is nearly complete," said Dean Hachamovitch, general manager of IE, in a detailed post on the browser's blog Wednesday.



Unlike production versions, the IE9 preview can run alongside other editions, such as IE7 on Vista or IE8 on Windows 7. However, neither the Platform Preview nor the final version of IE9 will run on Windows XP, a sticking point with some users of that nine-year-old operating system.


Refer here for details.

Tuesday, August 10, 2010

Inside Mozilla's Firefox 4 Security

Content Security Policy (CSP) system will help to mitigate clickjacking

Open source browser vendor Mozilla is readying an ambitious new release of its Firefox Web browser. The third beta of Firefox 4, set to debut sometime this month, is expected to include more stability, features and performance improvements over earlier versions.

Among the areas that Mozilla is focusing on with Firefox 4 are a number of new security features that it says will make the browser even more secure than earlier versions. The new Firefox 4 browser development comes as rival Microsoft pushes its Internet Explorer 9 platform forward and Google continues to accelerate its Chrome browser development.

One of the new security features in Firefox 4 is the Content Security Policy (CSP) effort.

"Content security policy is focused on Cross Site Scripting (XSS) mitigation so it prevents injected scripts from actually running," Brandon Sterne, security program manager at Mozilla, told InternetNews.com. "The site gets to declare a policy that the Firefox browser will then apply to the page and then any content that hasn't been blessed by the site won't be loaded or executed."

Refer here to read more details.
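
The policy model Sterne describes, as an added example (not Mozilla's code and not part of the original post): a simplified Python evaluator that decides whether a resource loads under a site-declared policy. It assumes the standardised `Content-Security-Policy` directive syntax; the page URL, hosts and policy string are constructed, and ports, paths, nonces and hashes in source expressions are not modelled.

```python
from urllib.parse import urlsplit

def parse_policy(header_value):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.lower().split()
        if tokens:
            # A repeated directive is ignored: the first occurrence wins.
            policy.setdefault(tokens[0], tokens[1:])
    return policy

def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme, (u.hostname or "").lower(), port)

def source_matches(expr, url, page_url):
    """Simplified match of one source expression against a resource URL."""
    scheme, host, _ = origin(url)
    page_scheme = origin(page_url)[0]
    if expr == "'self'":
        return origin(url) == origin(page_url)
    if expr.startswith("'"):      # 'none', 'unsafe-inline', nonces, hashes
        return False
    if expr == "*":
        return scheme in ("http", "https")
    if expr.endswith(":"):        # scheme source such as "https:"
        return scheme == expr[:-1]
    want_scheme, _, rest = expr.rpartition("://")
    want_host = rest.split("/", 1)[0].split(":", 1)[0]
    if want_scheme:
        scheme_ok = scheme == want_scheme or (want_scheme == "http" and scheme == "https")
    else:                         # schemeless host: page scheme, or an upgrade to https
        scheme_ok = scheme in (page_scheme, "https")
    if want_host.startswith("*."):
        return scheme_ok and host.endswith(want_host[1:])
    return scheme_ok and host == want_host

def allows(policy, kind, page_url, url=None, inline=False):
    """True if a resource of `kind` ('script', 'img', 'style', ...) may load."""
    sources = policy.get(kind + "-src", policy.get("default-src"))
    if sources is None:
        return True               # no directive governs this resource type
    if inline:
        # Injected inline script only runs if the site opted in explicitly.
        return "'unsafe-inline'" in sources
    return any(source_matches(s, url, page_url) for s in sources)

# Constructed page and policy, for illustration only.
PAGE = "https://shop.example/cart"
HEADER = "default-src 'self'; script-src 'self' https://cdn.example; img-src *"

def demo():
    p = parse_policy(HEADER)
    return {
        "own script": allows(p, "script", PAGE, "https://shop.example/app.js"),
        "cdn script": allows(p, "script", PAGE, "https://cdn.example/lib.js"),
        "injected inline script": allows(p, "script", PAGE, inline=True),
        "third-party script": allows(p, "script", PAGE, "https://evil.example/x.js"),
        "any image": allows(p, "img", PAGE, "http://images.example/a.png"),
        "third-party stylesheet": allows(p, "style", PAGE, "https://evil.example/s.css"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24} {'load' if ok else 'BLOCK'}")
```

The stylesheet case shows the fallback: with no `style-src` directive, `default-src 'self'` decides, so a resource type the site forgot to list is still restricted to its own origin.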

Tuesday, June 1, 2010

Web browser keeps track of which web addresses you have visited

History of Social Network Use Reveals Your Identity

Web browsing history can be used to identify individuals in a membership group on a social networking site, according to researchers at the Vienna University of Technology. The researchers built a Web site to read the Web addresses visited by people who use Xing, a business-oriented social network based in Hamburg, Germany.

They collected data on 6,500 groups containing 1.8 million users, and analyzed the overlap between the lists of names of group members that were publicly available. The researchers estimate that 42 percent of Xing users could be uniquely identified by the membership groups they visited. Xing has begun to add random numbers to mask addresses, but the response might not be enough to foil a similar snooping site, says Stanford University computer scientist Arvind Narayanan.

The next round of Firefox, Chrome, and Safari browsers could have fixes to prevent browsing history from being relayed to Web site owners.


Please refer here to read an interesting research.

Saturday, March 13, 2010

Attack Unmasks User Behind the Browser

Researchers develop proof-of-concept that exploits social networking patterns to 'deanonymize' online users

Vienna University of Technology researchers have developed the "deanonymization" attack as a way to reveal the identity of Internet users based on their interactions in social networks. The attack uses social networking groups as well as traditional browser history-stealing tactics to single out specific users.

The researchers focused on Germany's Xing business social network and Facebook and matched stolen browsing histories with social network group members to identify users. "It is the combination of history stealing and group information that is novel," says Vienna University post-doctoral researcher Gilbert Wondracek. Criminals could use the deanonymization method for targeted attacks, which only requires that the victim visit a malicious Web site that contains the attack code.

There is no fix for the attack, but users can turn off their browsing history or use a private-browsing mode to minimize the risk.

Refer here for more details.

Sunday, November 15, 2009

Firefox Tops Vulnerability List

New study places Firefox at the top of vulnerability list for the first half of 2009

Application security vendor Cenzic today released its application security trends report for the first half of 2009. In it, Cenzic claims that Mozilla's Firefox browser led the field of Web browsers in terms of total vulnerabilities.

According to Cenzic, Firefox accounted for 44 percent of all browser vulnerabilities reported in the first half of 2009. In contrast, Apple's Safari had 35 percent of all reported browser vulnerabilities, Microsoft's Internet Explorer was third at 15 percent and Opera had just a six percent share.

The 2009 figures stand in contrast to Cenzic's Q3/Q4 2008 report, where IE accounted for 43 percent of all reported Web browser vulnerabilities and Firefox followed closely at 39 percent.

Refer here to read more details.

Thursday, October 1, 2009

Control malicious apps with DEP in IE

DEP helps block malware in Internet Explorer

Internet Explorer 8 includes a security feature that shuts down misbehaving applications before they can harm your system. This capability, known as Data Execution Prevention (DEP), runs by default when IE 8 is installed on XP SP3 and Vista SP1 or later, but it may not always be clear to you why DEP has put the brakes on one of your PC's applications.

DEP is the best reason I know for updating to Internet Explorer 8 and Vista SP1. For many years, Microsoft has included DEP — which is also called No-Execute (NX) — only in parts of Windows. For example, DEP is available in IE 7 but is off by default to avoid conflicts with old, incompatible programs. DEP is now a key part of Vista and Internet Explorer 8. When I try to install older software on newer machines, I must configure Data Execution Prevention to allow the software installer to run with DEP disabled.

To open the Data Execution Prevention dialog in XP, open Control Panel, choose System, and then select the Advanced tab. Click the Settings button in the Performance section and select the Data Execution Prevention tab. In Vista, choose Performance Information and Tools, click Advanced Tools in the left pane, select Adjust the appearance and performance of Windows, and click the Data Execution Prevention tab.

For instance, when I install QuickBooks 2007 on Windows Server 2008, I have to exclude under the DEP tab the QuickBooks updating tool in order to install it on the server. Keep in mind that the only reason I'm doing so is because I trust Intuit, the publisher of QuickBooks. If I didn't change the settings, DEP would prevent me from installing an older version of this software on the newer system.
If I didn't already trust the vendor, I'd look for valid reasons why DEP was blocking the installation before I took the step of changing any DEP settings. In most instances, good, up-to-date software shouldn't need to be excluded from DEP.

Since IE 7, Microsoft has used DEP to help thwart online attacks in the browser itself. What the company didn't do until IE 8, though, was to enable DEP by default. Prior to IE 8, DEP was disabled by default for compatibility reasons, as documented on the IE blog. Many older IE add-ons were built using earlier versions of the Active Template Libraries (ATL). They aren't compatible with DEP, therefore, and crash when IE loads them.

When DEP is enabled and combined with Address Space Layout Randomization (ASLR), IE's ability to protect against Web-based attacks improves considerably. In a nutshell, ASLR is designed to make it harder for automatic attacks to occur. You can read more about ASLR in the MSDN blog.

Specifically, ASLR helps prevent exploits both in IE and in any add-ons that are loaded. Even with the new security protections in IE 7 and 8, the browser is still targeted more often by malware authors than other browsers. This has caused security pundits to state, as Wired's Brian X. Chen does on the Gadget Lab blog, that Apple's new Snow Leopard operating system is "less secure than Windows, but safer."

(If you use Snow Leopard, I encourage you to update your system to OS X version 10.6.1. This includes a patch for the insecure Adobe Flash Player that Snow Leopard shipped with, as documented in an Apple security update.)

There are many protections built into Internet Explorer 8 that may be considered just another annoying browser crash when seen in action.

Wednesday, September 23, 2009

New Web-based attacks target Windows Media holes

Browsing without new patch could be hazardous

Three separate browser vulnerabilities make you susceptible to drive-by exploits from otherwise-trustworthy Web sites. These threats affect you even if you never use Windows Media Player or Internet Explorer, so you should definitely apply this week's Windows patches. This month's security patches for Windows are a reminder that even the sites we trust can be sources of malware infections.

Microsoft security bulletin MS09-047 (973812) patches a hole that allows infected, downloaded media files to gain complete control of your system. More and more sites — even popular ones such as Facebook — have unknowingly hosted malicious banner ads, which is one way these media files can infect you.

Microsoft's Security Research & Defense blog predicts that this vulnerability will likely be targeted by such exploits within the next 30 days. Vista and Windows 7 have some protection against these attacks, but you should download and install MS09-047 immediately to stymie them completely, especially if you use XP. If, for some reason, you can't install this patch, remember that even sites you think of as trustworthy might serve a malicious banner ad from a third-party ad host.

The safest course of action is for you to apply this patch and use a browser other than IE, such as Firefox, Chrome, or Opera.

Wednesday, July 8, 2009

Microsoft issues rare security warning

Hackers are launching attacks against an unpatched vulnerability in the Microsoft Video ActiveX Control

Microsoft has released an out-of-band, emergency security advisory and is also investigating attacks targeting a vulnerability in the Microsoft Video ActiveX Control that could allow a hacker to gain complete control of a system. This news is already making headlines in the information security world.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention. At this stage, no security patch has been made available by Microsoft.

In this security advisory, Microsoft workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Prevent Microsoft Video ActiveX Control from running in Internet Explorer - See Microsoft Knowledge Base Article 972890 for information on how to implement this workaround automatically.

Popular IT news website eWeek has already confirmed that:

"Hackers are launching attacks against an unpatched vulnerability in the Microsoft Video ActiveX Control that could allow an attacker to take full control over the system. When using Internet Explorer, code execution is remote and requires no user interaction, Microsoft says."

Please refer here to read the news on eWeek and refer here to read the article on ComputerWorld, which claims Microsoft may have known about the critical IE bug for months.

The unpatched vulnerability in the Video ActiveX control that Microsoft has warned about was reported to the company in 2008, but one of the security researchers who found it refused to criticize Microsoft's response to the threat.

The bug was uncovered by researchers Alex Wheeler and Ryan Smith, who at the time both worked at IBM's ISS-X-Force. A Microsoft spokesperson said the company first learned of the vulnerability in 2008 and immediately began an investigation.

Wednesday, June 3, 2009

Criminals are looking for ways to turn browser vulnerabilities into money.

Security vs. Usability

Usability and security have long been at odds with each other in software design. The web browser is no exception to that rule. When browsing the Web or downloading files the user constantly needs to make choices about whether to trust a site or the content accessed from that site. Browser approaches to this have evolved over time - for example, browsers used to give a slight warning if you accessed a site with an invalid HTTPS certificate; now most browsers block sites with invalid certificates and make the user figure out how to unblock them.

Similar approaches are taken with file downloads. Internet Explorer tends to ask the user several times before opening a downloaded file, especially if the file is not signed. Prompting the user for actions that are legitimate most of the time often creates user fatigue, which makes the user careless in walking the tightrope between software with a "reasonable but not excessive" security posture and a package that is either too open for safety or too closed to be useful. Most browsers today have evolved from the "make the user make the choice" model to the "block and require explicit override action" model.

In some cases the security of the browser has had a major impact on Web site design and usability. Browsers present a clear target for identity theft malware, since a lot of personal information flows through the browser at one time or another. This type of malware uses various techniques to steal users' credentials. One of these techniques is form grabbing - basically hooking the browser's internal code for sending form data to capture login information before it is encrypted by the SSL layer.

Another technique is to log keyboard strokes to steal credentials when the user is typing information into a browser. These techniques have spawned various attempts by Web site designers to provide more advanced authentication with a hardware token and use of various click-based keyboards to avoid key loggers.

Another usability feature of the Web browser that has been attacked by malware is the auto-complete functionality. Auto-complete saves the form information in a safe location and presents the user with options for what he typed before into a similar form. Several families of malware, such as the Goldun/Trojan Hearse, used this technique very effectively. The malware cracked the encrypted auto-complete data from the browser and sent it back to the central server location without even having to wait for the user to log in to the site.

Given all the vulnerabilities out there and the willingness of attackers to exploit them, you might think that users would be clamoring for more security from their browsers. And some of them do, as long as it doesn't prevent any of their desired features from working.

There are a number of documents available that list steps one can take to lock down a Web browser. For example, one of those steps often is something like "Disable JavaScript." But few people actually ever do that - at least not permanently, because using a browser with JavaScript turned off is annoying, and in many cases prevents you from visiting sites you have legitimate reasons to visit.

"Attack and defense strategies are evolving, as the use and threat models. As always, anybody can break into anything if they have sufficient skills, motivation and opportunity. The job of browser developers, network administrators, and browser users is to modulate those three quantities to minimize the number of successful attacks."

Friday, December 12, 2008

IE7 exploit is already in circulation

There’s a Zero-Day Exploit for Internet Explorer Out There

There are several reports of exploits circulating in the wild targeting a 0-day vulnerability in Microsoft Internet Explorer 7. These exploits are being used to install malware on Windows systems when unsuspecting users visit websites that have been compromised to host the exploit code.


This vulnerability was first made public in Chinese language discussion forums on or about December 7th, 2008 by a group calling itself the Knownsec team.

Microsoft Security Bulletin MS08-073 (Cumulative Security Update for Internet Explorer, KB958215) released on December 9th, 2008 as part of Microsoft's normally scheduled December security updates does not contain a fix for this vulnerability.

Initial reports by other security vendors mentioned a malformed XML tag as the possible cause of the vulnerability; however, from a deeper analysis it seems that the problem affects the XML parsing engine of IE7 and the library MSHTML.DLL. The vulnerability depends on how certain elements of HTML pages are terminated and therefore could potentially affect not only XML, but also other objects handled by the browser. This means that attackers may start using different attack vectors in the future to exploit this vulnerability, but at the moment it seems that this recent exploit, which has been publicly released on several Chinese forums, only uses the XML elements and tags.

Because of the nature of this attack, it does not depend on any specific ActiveX control, so this time I can’t tell you to disable or set the KillBit for a specific CLSID. However, the attack still requires some JavaScript in order to use heap-spray techniques to achieve reliable code execution; so, blocking JavaScript for un-trusted websites could help to somewhat mitigate the risk.

At the moment, many attacks are traced back to Chinese domains and websites, which are used by the exploit to install and download additional malicious code components. The downloaded malicious code is a variety of Downloader, Infostealer, and W32.SillyDC variants. We also recommend blocking the following hosts at network boundaries:

• wwwwyyyyy.cn
• sllwrnm5.cn
• baikec.cn
• oiuytr.net
• laoyang4.cn
• cc4y7.cn
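
One way to check whether any client has already contacted the hosts listed above, as an added example that is not part of the original post: a Python scan of web-proxy log lines that matches each requested host and its parent domains against that list. The five-field log format, the client addresses and every sample line are constructed for illustration.

```python
from urllib.parse import urlsplit

# The six hosts listed in the post above.
BLOCKED = frozenset({
    "wwwwyyyyy.cn", "sllwrnm5.cn", "baikec.cn",
    "oiuytr.net", "laoyang4.cn", "cc4y7.cn",
})

def host_of(target):
    """Extract a normalised hostname from a URL or a CONNECT 'host:port' target."""
    if "://" not in target:
        target = "//" + target            # lets urlsplit parse a bare authority
    try:
        host = urlsplit(target).hostname  # already lower-cased, port removed
    except ValueError:
        return None
    return host.rstrip(".") if host else None  # drop a trailing root dot

def blocked_parent(host):
    """Return the listed domain that `host` equals or is a subdomain of, else None."""
    labels = host.split(".")
    # Compare whole labels only, so 'notbaikec.cn' does not match 'baikec.cn'.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED:
            return candidate
    return None

def find_hits(log_text):
    """Return (line number, client, requested host, matched domain) per hit."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 5:              # assumed: time client method target status
            continue
        _, client, _, target, _ = fields
        host = host_of(target)
        match = blocked_parent(host) if host else None
        if match:
            hits.append((line_no, client, host, match))
    return hits

# Constructed sample log, for illustration only.
SAMPLE_LOG = """\
2008-12-12T09:14:02Z 10.0.0.21 GET http://www.example.org/index.html 200
2008-12-12T09:14:05Z 10.0.0.21 GET http://BAIKEC.cn/ 200
2008-12-12T09:15:40Z 10.0.0.37 CONNECT cc4y7.cn:443 200
2008-12-12T09:16:11Z 10.0.0.37 GET http://notbaikec.cn/a 200
2008-12-12T09:17:00Z 10.0.0.52 GET http://dl.oiuytr.net./x 200
2008-12-12T09:17:30Z 10.0.0.52 GET http://oiuytr.net.example.org/x 200
malformed line
"""

if __name__ == "__main__":
    for line_no, client, host, match in find_hits(SAMPLE_LOG):
        print(f"line {line_no}: {client} requested {host} (listed: {match})")
```

Matching on whole labels catches subdomains, mixed case and trailing-dot forms of a listed host while leaving look-alike names that merely contain one of the strings unflagged.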

My advice for Windows users is as follows:

• Update your AV and IPS software with the latest signatures
• Run Internet Explorer with limited privileges
• Enable DEP protection for browsers
• Disable JavaScript in Internet Explorer
• Avoid following links to un-trusted sites

Monday, December 8, 2008

IE8 Beta 2 users still have to use Compatibility View a lot

Microsoft Plans Compatibility View Fix For Internet Explorer 8

One of the major changes in Internet Explorer 8 is that it adheres much more strictly to web standards than past IE releases. That's a welcome and sensible move, but it has resulted in many sites not rendering well, since they have been built to work with the slightly skewed design principles of earlier IE releases. The second beta of IE8 handled this with a 'Compatibility View' button, but Microsoft's internal research suggested that this wasn't quite enough, as a post on its IEBlog explains:

"We saw from the telemetry data that IE8 Beta 2 users still have to use Compatibility View a lot. Looking at our instrumentation, there were high-volume sites like facebook.com, myspace.com, bbc.co.uk, and cnn.com with pages that weren't working for end-users with IE's new standards compliant default. We could also see from our instrumentation that not all IE8 visitors to those sites were clicking the Compatibility View button. So, large groups of people were having a less than great experience because they weren't aware of the manual steps required to make certain sites work."
Microsoft's latest solution is to allow users to opt-in to an automatically updated list of popular sites that need compatibility view and have those sites rendered using the older IE7 approach without requiring manual intervention. That feature will be added to the next beta of IE8, due early in 2009 (there's a similar feature already in Opera). This seems like a pretty good interim solution to me; share your take in the comments.

Refer here for more details on Compatibility View Improvements to come in IE8.