Lacisoft's » security

New TYPO3 Security Guide

lacisoft — Tue, 06 Dec 2011 11:23:25 +0000

The TYPO3 community released an new TYPO3 Security Guide! This is the most comprehensive security guide on TYPO3 ever released and its a must read for anyone working with TYPO3. And to quote something from the announcement which caught my attention:

Security is not a state that you can reach and stop worrying about. It is an ongoing process of constant improvement

So its not enough to read this guide and forget it. It must be in your mind all the time.

Back in business

lacisoft — Thu, 08 Apr 2010 15:59:45 +0000

I didn’t post on this blog since the middle of february. You may wonder why is that.

First of all i had lots and lots of work. One would ask : What global crisis ? I didn’t experienced it yet. I hope not to do that in the future.

Second: i was on vacation in March. We went to Austria (Zell am See – Kaprun) and had some real quality time on the ski slopes of these wonderful austrian ski resorts. I will certainly go back there everytime i will have an occasion!

I hope now i will be able to post regularly because things happen. Just now has been announced that TYPO3 will receive tomorrow a critical security patch. So as they say: “all hands to battle stations“. Tomorrow we upgrade and patch TYPO3 installations.

Critical security issue in Typo3 core – all versions

lacisoft — Tue, 10 Feb 2009 12:27:05 +0000

A very serious security issue has been discovered in Typo3 core, all versions including 4.2.5 are affected. According to some this is the most critical security breach in Typo3 ever discovered. The vulnerability allows attackers to “download the contents of any file on the server, i.e. typo3conf/localconf.php, which holds both install tool password alongside database username and password“.

There is a fix, Typo3 version 4.2.6. which is available as of today. And there are also other solutions and patches, read carefully the security bulletin and fix your Typo3 installation if you care for your files, passwords and other data on your webserver.

Upgrade your browser!

lacisoft — Thu, 05 Feb 2009 07:05:29 +0000

Often i found myself wondering about why people use some antique and insecure software. For example Internet Explorer 6. This browser was launched back in 2001 and many many people still use it. Now when Internet Explorer 8 is about to be launched. In fact if you look in the statistics of any high trafic website you can see that Internet Explorer 6 is the most used browser. After that comes other variants of Internet Explorer or Firefox.

Also there is a high number of people still using Firefox 2. If in IE6 case we can understand to some point that people found it difficult to upgrade, in Firefox’s case we cannot. Because Firefox has built in updating mechanisms which deliver users a new version right as it is available. I must assume that people deliberately opt not to upgrade. And i cannot understand why!

Why is wrong to use old and in most cases unsupported software ?

1. Because these software products (IE6 and/or Firefox 2) have some serious security vulnerabilities which are very much known to hackers. If you wondering why you are full of viruses and trojans, why your personal information is being stolen, you can blame those old and insecure browser you are using.

2. Because some of the sites you’re visiting won’t display properly in them. Many of the newer sites were designed for modern browsers and probably use features that you’re browser isn’t capable to understand.

3. Because older browser in some cases tend to use more computing resources (memory and processor). For example Firefox 3 has been optimized to consume less memory then Firefox 2.

4. Because it lacks many features that could increase your browsing experience. Modern browsers have tabbed browsing, included phishing filter, private navigation and much more.

Yeah but i heard one must pay for Internet Explorer 7 ?

Wrong!

At first people had to validate their Windows to be able to install Internet Explorer 7, but later Microsoft realized that doing this will just help hackers to exploit Internet Explorer’s vulnerabilities. So they removed the need for validation. You can check out news about this here, here and here.

You can just download and install Internet Explorer 7 even if you have a pirated Windows. In fact if you turn on your Automatic Updates feature you will be upgraded for free and you also receive some security patches in order to secure your computer.

Why you shouldn’t disable Automatic Updates

Microsoft Windows has a built in feature called Automatic Updates. What this does ? When certain bugs or security vulnerabilities are discovered in Windows or other Microsoft products like Internet Explorer, Microsoft issues a patch to fix these problems. With Automatic Updates enabled these fixes are downloaded to your computer and applied to your operating system and affected programs.

So what is your problem with Firefox 2, i have been told its safe!

It was safe a year ago. Now it isn’t. The Mozilla foundation stopped supporting Firefox 2. You can read about this here. It states clearly:

“Please note: If you’re still using Firefox 2.0.0.x, this version is no longer supported and contains known security vulnerabilities. Please upgrade to Firefox 3 by downloading Firefox 3.0.6 from getfirefox.com.”

Ok, you convinced me. What options i have ?

If you like Internet Explorer you can stick to it. Just upgrade to a newer version like Internet Explorer 7 or Internet Explorer 8.

Download Internet Explorer

If you like Firefox you should use the latest version and if not you should still use some variant of Firefox 3.

Download Firefox 3

You can try some other browsers like:

Google Chrome

Opera

Safari

No matter which of these you use, upgrade to the latest version if you want a safer web and a better browsing experience.

Google’s browser security handbook

lacisoft — Thu, 11 Dec 2008 17:12:46 +0000

I’ve received today a link to this Browser security handbook written by Michal Zalewski from Google. It is an excellent document worth reading by every webdeveloper. The author does a very thorough comparation of security features of modern browsers, so this document can be handy to check it up when you design/develop a web application and you need to have a clear picture of the security considerations you need to take into account.