hackademix.net

Although all the source code of Firefox is public and can be scrutinized during development at any time, a Tipping Point Security Advisory has been announced right in the middle of the Firefox 3 download day.
A unlucky coincidence, of course: only a conspiracy theorist could suspect that the timing had been chosen in order to maximize the hype effect for the Zero Day Initiative.

However Mozilla developers are working around the clock, and there’s already a patch being privately tested. All the information publicly available so far is that this vulnerability allows a malicious web page to trigger the execution of arbitrary code on the client side, and affects Firefox 2, 3 and likely all the products based on the same rendering engines. Technical details and exploitation proof of concepts are being kept private by Tipping Point as well until the patch is shipped, therefore Mozilla users should be relatively safe: after all we can be 99.99% sure every browser out there is vulnerable to something; we just hope that the bad guys don’t know the details yet.

I can add that, even in this case, NoScript users are the safest.

References:

• about:robots
• Gort! Klaatu barada nikto!

What is Database Connectivity for JavaScript?

IBM® Database Connectivity for JavaScript™ is middleware that enables Web clients to directly access server-side relational data without compromising enterprise security.

“Directly access” without compromising “enterprise security”, yeah…

On the client, IBM Database Connectivity for JavaScript consists of a JavaScript API and library that can be used by Web applications without special browser plug-ins. On the server, the IBM Database Connectivity for JavaScript gateway, written in PHP, is an adaptor layer that mediates between IBM Database Connectivity for JavaScript and relational databases and provides functions such as operation forwarding and security. Web 2.0 applications can thus use IBM Database Connectivity for JavaScript to access relational data as a first-class construct instead of through ad hoc protocols.

Before you start wondering (like I did) what “operation forwarding” and “security” mean in this context, I’ll tell you since I bothered to read the source code: it’s just a thin layer with a JDBC-like API which allows JavaScript code to compose and submit SQL statements from the client side!
Security, if any, needs to be enforced at the database level, and access credentials are sent from the client side as well.

IBM Database Connectivity for JavaScript supports the trend for Web applications to be dynamically composed in a Web browser — so-called “Web 2.0″ applications — instead of being completely composed on the server (”Web 1.0″).

First “enterprise”, now “Web 2.0″…

IBM Database Connectivity for JavaScript is specifically geared toward enabling the potential Web 2.0 benefits of increased application responsiveness and the ability to flexibly combine information from various sources on the client. Web 2.0 access to server-side data, however, is currently characterized by Representational State Transfer (REST)-like APIs, which are typically application specific.

Bah, those old-fashioned resource mappings which (try to) expose only the data subsets relevant to the application front-end…
But now we can unleash the full power of SQL: free queries to all our databases for everyone in the fantastic world of Web 2.0!

ODBC is powerful — allowing any SQL statement to be executed — and simple, in the sense that developers are required to understand only a few abstractions. IBM Database Connectivity for JavaScript can be thought of as an “ODBC for Web clients,” enabling Web developers to benefit from a general-purpose API for accessing relational data.

Great work IBM! Now please convince some of your many banking customers to deploy this fantastic technology on their Internet-facing web servers, and we’ll be happy to “benefit from a general purpose API for accessing relational data” directly from Firebug, thanks!

Looks like I’m helping Obama’s campaign in an unexpected way :)

Update

Let’s help Google doing its part too: John McCain, John McCain, John McCain, John McCain, John McCain, John McCain, John McCain, John McCain, John McCain…

If you’re a FlashBlock user, you may feel outraged by being brutally rickrolled this way, but you need to know that it could happen at any moment.

No special trick, just a Youtube movie embedding through a plain <object> HTML element. Examine the source code if you don’t believe it:

<object width="300" height="242" data="http://youtube.com/v/A3_n0B1EaOY"> </object>

Not a big deal, really, if you consider FlashBlock a “noise reducer”: it does a great job, in facts, working almost always.

A bit more worrisome, though, if you used to believe FlashBlock could improve your security against Flash vulnerabilities. Your next surprise video star may be way more malicious than Trojan.SWF.Astley…

To be fair, you would be in good company:

• Slashdot, whose “flashblock” tag is attached to all the most recent Flash security horror stories
• US-CERT (United States Computer Emergency Readiness Team)
• F-Secure, the antivirus company
• Dancho Danchev, renowned security expert and Zero Day ZDNet blogger

If they just looked at FlashBlock’s FAQ, they would have found that the word “security” is never mentioned: a testament both to the good faith of the developers, who honestly advertise FlashBlock as an excellent annoyance blocker rather than a security enhancement, and to the superficiality of some advices.

Dancho is especially inexcusable, since he’s the only one forgetting to mention NoScript, which features similar flash-blocking capabilities but, being developed with security as its main focus, is immune from this and other possible circumventions and, more important, would regard even the most exotic unblockable edge case as a serious bug to be fixed as soon as possible.

Oops, I couldn’t block my own rant :)