Twitter Correcting Follower and Following Counts

If you noticed a significant drop in your Twitter followers, you are not alone. Twitter announced that it pushed out an update to fix the follower and following counts, which have been inconsistent for some time. Your follower and following counts should now be consistent with the corresponding numbers on the followers and following pages. Twitter also purged a lot of spam accounts, which may also cause a drop in your followers.

Twitter wrote:

For some time, the follower and following counts we display have been incorrect for some folks. We’re soon to push a change that will address this issue. This means that the count you see in your sidebar should match what you see on your follower and following pages.

However, a consequence of this change is that follower counts will drop for some people. In particular, those with large followings may see significant changes as we correct for spam accounts and data inconsistencies. No legitimate followings should be affected—we’re just cleaning up artifacts in the system.

100,000 Google Wave Invites To Go Out September 30

Google Wave was announced at Google I/O 2009 in May in San Francisco. All developers attending Google I/O were given access to a developer sandbox for Google Wave, and everyone left out had been campaigning for an account. Today, at the Google Wave API Hackathon in Mountain View, Google announced that 100,000 Wave invites will be sent out on September 30th.

The new invites will not be for the developer sandbox but for wave.google.com. It is also assumed that all developers with a sandbox account will also receive an invite. The Wave team will be focusing on the optimization, stability and usability of Google Wave until the first official rollout on September 30.

WordPress 2.8.2 Fixes XSS Vulnerability

WordPress 2.8.2 was released on Monday, July 20, and patches a known XSS vulnerability. The URLs of commenters (comment authors) were not fully sanitized before being displayed in the admin area, which could be exploited to redirect from the admin area to another site. It is recommended to download and upgrade to version 2.8.2, or to use the automatic upgrade function of WordPress under Tools > Upgrade in the admin area.
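The class of bug described above, as an added example in plain PHP: an unsanitized comment-author URL rendered into a link next to a hardened version that allowlists the scheme and escapes for the attribute context. This is not WordPress's patch or core code; the function names are hypothetical and the sample inputs are constructed.

```php
<?php
// Added example; not WordPress core code. All function names are hypothetical.

// Unsafe pattern: the commenter controls $rawUrl, so a quote character or a
// non-http scheme ends up live in the admin page markup.
function render_author_link_unsafe(string $name, string $rawUrl): string
{
    return '<a href="' . $rawUrl . '">' . $name . '</a>';
}

// Returns the URL if it is a plain http(s) URL with a host, otherwise ''.
function safe_comment_author_url(string $raw): string
{
    // Browsers ignore tabs/newlines inside a URL, so strip them before the scheme check.
    $url = preg_replace('/[\x00-\x1f\x7f]+/', '', trim($raw));
    if ($url === null || $url === '') {
        return '';
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return '';
    }
    $scheme = strtolower($parts['scheme']);
    return in_array($scheme, ['http', 'https'], true) ? $url : '';
}

// Hardened rendering: allowlist the scheme, then escape for the attribute context.
function render_author_link(string $name, string $rawUrl): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $name = htmlspecialchars($name, $flags, 'UTF-8');
    $url = safe_comment_author_url($rawUrl);
    if ($url === '') {
        return $name; // show the name without a link rather than an unsafe link
    }
    return '<a href="' . htmlspecialchars($url, $flags, 'UTF-8')
        . '" rel="nofollow noopener">' . $name . '</a>';
}

// Constructed sample inputs (not taken from any real report).
$samples = [
    'http://example.com/blog',
    "java\tscript:alert(1)",
    'http://example.com/" onmouseover="x',
    'data:text/html,hello',
];
foreach ($samples as $s) {
    echo render_author_link('Alice', $s), PHP_EOL;
}
```

The third sample passes the scheme check, which is why the attribute escaping step is still required after validation.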

JIT Fixed in Firefox 3.5.1, New Vulnerability Exposed

Firefox 3.5.1 was released on Friday, July 17, and included a patch for the Just-in-time (JIT) JavaScript compiler exploit. However, a new stack-based buffer overflow vulnerability has been exposed with sample exploit code. An attacker can cause a buffer overflow and execute arbitrary code by sending a very long Unicode string to the document.write JavaScript method.

Currently, there is no patch for this vulnerability. The NoScript add-on will not help against this exploit, because the vulnerability may still be exploited if an untrusted site is loaded through XSS or through a compromised white-listed site.

Mozilla has acknowledged the vulnerability, but claims that it cannot be exploited. Mike Shaver wrote the following on the Mozilla Security Blog:

“In the last few days, there have been several reports of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is not, and we have seen no example of exploitability.”

Critical JavaScript Vulnerability Surfaces in Firefox 3.5

Firefox 3.5 boasts screaming-fast JavaScript performance, almost twice as fast as Firefox 3. Firefox 3.5 attributes its dramatically better JavaScript performance to the TraceMonkey Just-in-time (JIT) JavaScript compiler. However, a serious remote buffer overflow security exploit was discovered last week in Firefox 3.5’s JIT JavaScript compiler, which enables the execution of malicious code.

An attacker can trick a victim into viewing a webpage containing the exploit code, thereby infecting the victim’s machine. Fortunately, the JIT JavaScript compiler can be disabled. Type about:config in the location bar and jit in the filter on the config page. Double-click javascript.options.jit.content to set the value to false, which disables JIT. You can also disable JIT by running Firefox in Safe Mode. You will see a drastic decrease in JavaScript performance with JIT disabled, but you can enable it again once this exploit is patched by setting javascript.options.jit.content to true.

Disable JIT in Firefox 3.5


The security exploit has already been patched in the 3.6 nightly build of July 14, available here. The patch will be part of the 3.5.x release, which was initially scheduled for the end of July but has been moved up.