Alert to All Mac OS X Users: Protect Yourself from CVE-2008-5353!

Update: TidBITS writes that Apple has released a patched version of Java that fixes this issue. It is available through Software Update.

CVE-2008-5353 is a critical Java vulnerability that was discovered back in August 2008 and patched by Sun Microsystems a few months later. However, Apple has failed to release a patched version of Java, even in the latest 10.5.7 update! CVE-2008-5353 is described as follows:

Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted applets and applications to gain privileges via unknown vectors related to "deserializing calendar objects."

Since Apple failed to fix this vulnerability in the latest update to OS X (10.5.7), Landon Fuller, a programmer and former Apple Engineer, released a proof-of-concept demonstrating the exploit. The demonstration is done by launching a Java applet in your web browser and using the exploit to run the /usr/bin/say command on your Mac to "speak" some words through your speakers. This may not sound very dangerous, but this same exploit could be used to run malicious code on your Mac without your even knowing it!

So, how can I protect myself?

For now, all you can do is entirely disable Java in your browsers to ensure no Java applets are allowed to run. The good news is that chances are you probably don't depend on Java anyway (remember, Java is not JavaScript). And if you find yourself needing to run something that does require Java (the browser will alert you with a message saying the Java plugin isn't installed), you can always re-enable Java in your browser while you're using the applet, and then disable it again when you're done. Inconvenient, yes, but worth it. This is one nasty vulnerability, and with all the publicity it's been getting lately, there's bound to be more malicious code in the wild just waiting to hijack your system.

Disabling Java in Firefox

In Firefox, choose from the menu, Firefox -> Preferences. Then select the Content tab and un-check the Use Java option:

Firefox Content Preferences, Use Java option

Disabling Java in Safari

(applies to both Safari 3 and Safari 4 Beta)

In Safari, choose from the menu, Safari -> Preferences. Then select the Security tab and un-check the Enable Java option:

Safari 4 Beta Security Preferences, Enable Java option
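To tell whether an installed Java still falls inside the version ranges quoted in the CVE description above, the banner printed by `java -version` can be compared against them. The script below is an added example, not part of the original post; the function names and the sample banner are made up for illustration, and it assumes the vendor's build reports Sun's update numbering (JRE 6 as `1.6.0_NN`, 5.0 as `1.5.0_NN`) and that a patched build carries a higher update number.

```shell
#!/bin/sh
# Added example: classify a Java version string against the affected ranges
# quoted in the CVE-2008-5353 description (6u10, 5.0u16, 1.4.2_18 and earlier).

# jre_status VERSION -> prints "affected", "not-affected" or "unknown"
jre_status() {
    ver=$1
    # Split e.g. "1.5.0_16-b06-284" into family "1.5.0" and update "16".
    family=${ver%%_*}
    family=${family%%-*}
    case $ver in
        *_*) upd=${ver#*_}; upd=${upd%%[!0-9]*} ;;
        *)   upd=0 ;;          # "1.6.0" with no suffix is update 0
    esac
    # No digits after the underscore: refuse to guess.
    [ -n "$upd" ] || { echo unknown; return; }
    # Strip leading zeros so "08" is compared as decimal 8.
    while [ ${#upd} -gt 1 ] && [ "${upd#0}" != "$upd" ]; do
        upd=${upd#0}
    done
    # Highest affected update per family, taken from the CVE text.
    case $family in
        1.6.0) max=10 ;;
        1.5.0) max=16 ;;
        1.4.2) max=18 ;;
        *) echo unknown; return ;;   # family not named in the advisory
    esac
    if [ "$upd" -le "$max" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# parse_java_banner: read `java -version` output on stdin and print the
# version found between the quotes on the 'java version "..."' line.
parse_java_banner() {
    sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample banner (not captured from a real system).
SAMPLE_BANNER='java version "1.5.0_16"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_16-b06-284)'

v=$(printf '%s\n' "$SAMPLE_BANNER" | parse_java_banner)
echo "sample banner reports $v: $(jre_status "$v")"

# On a real machine (java prints its banner on stderr):
#   jre_status "$(java -version 2>&1 | parse_java_banner)"
```

An "unknown" result means the version family is not one the advisory text names, so the script makes no claim about it either way.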


Browsing the Web with only a Keyboard

The beauty and simplicity of the keyboard has always impressed me. As a kid, my Asian gaming friends taught me the importance of utilizing as much of the keyboard as possible (and the skill improvement was so great it often resulted in being accused of cheating). Many of the applications I use on a daily basis (which used to require a GUI) have been replaced by console-based, keyboard-only alternatives (in particular, instant messaging, email, IRC, and text editing). Each time I switched to a keyboard-only alternative, my productivity (and sanity) have improved immensely.

One application I thought would always require the assistance of my tailed friend was web browsing. While text-based browsers like Elinks and Lynx have made a fantastic effort, they simply don't allow for the rich browsing experience provided by a full browser like Firefox. I had come to accept that maybe the future of keeping my hands in one place was lost to the ever-growing web-based world.

And then, randomly and entirely by chance, I discovered a way to browse the web using nothing but my keyboard: Vimperator, a Firefox plugin that turns the browser into a fully keyboard-accessible interface using vim bindings. It solves the problem of needing to click links and buttons beautifully. Simply pressing the letter f while in command-mode tags all visible links with a number. Typing that number clicks the link or button (you can also just start typing part of a word in the link and then press enter).

Firefox using the Vimperator plugin

It definitely takes some getting used to, but it is much faster than using a mouse! All the browser functionality is available through the keyboard, including tab management (I use tabs a lot). To open a new tab and type a URL, just press Esc to make sure you're in command-mode and then type t google.com. To close a tab, press d (think "delete-tab"). If you decide to try Vimperator and you freak out when your menu and address bar disappear, press Esc to get into command-mode and then type :set guioptions+=mT and press Enter. The :help section is very useful for learning more.

My purist mentality has often made me wonder if I could live entirely on the command line, or if everything I currently do in a GUI could at least be done without a mouse. I think it's more the latter than the former; it's about efficiency. Even when I'm using a mouse with the GUI, I find myself constantly searching for keyboard shortcuts. The mouse just feels so alien for anything but artistic stuff (i.e., working with shapes, graphics, etc) and gaming. It feels like a crutch; like a cane for someone with a typing disability.

I've been using Vimperator for two days now and I have already made several important observations regarding my web browsing usage. Without the mouse, I don't doodle. I don't scroll up and down pages randomly looking at stuff or skipping and then rereading text, all of which waste valuable time. Instead, I'm browsing more efficiently and with more purpose. Another thing I noticed (now that my mouse usage has almost dropped in half) is that when I do reach for the mouse my hand actually feels uncomfortable.

If you're a vim user, or you enjoy the command-line, give Vimperator a shot. You may find yourself very frustrated at first but try to stick with it for a few days and see how it changes your browsing habits. You may be in for a surprise.

Firefox 3 Bug: Warn me when closing multiple tabs

When I started using the beta version of Firefox 3, I quickly discovered a bug (which remains in RC1): Even though I had enabled the "Warn me when closing multiple tabs" option (Preferences -> Tabs), Firefox did not give me any warning when I accidentally pressed Cmd+Q. It would just quit without prompting me, even if I had 15 tabs open!

In Firefox 2, enabling the "Warn me when closing multiple tabs" option would cause this prompt to appear whenever I pressed Cmd+Q:

Firefox 2 Warn on Close

I searched Bugzilla@Mozilla for an open bug regarding this problem and quickly found Bug 422040 - Quit Firefox 3 beta 4 does not give "closing multiple tabs" warning. I commented about my own experience regarding this bug and further confirmed its existence in Firefox 3 RC1.

Finally, Paul O'Shannessy explained in comment #24 how the warn on close functionality works in Firefox 3:

Do you have the start up behavior to restore tabs & windows from last time?
If so, when you quit (cmd-Q) the dialog regarding save session will not show
and Firefox will quit. Session will be restored upon starting Firefox.

This used to bug me until I thought about it more. Perhaps a dialog confirming
that you intended to quit is in store for this case, but that would be a
different bug. On the plus side, if you hit cmd-Q by accident your session
should restore.

So basically, if you want to be warned when closing multiple tabs in Firefox 3, you need to make sure your "When Firefox starts" option (Preferences -> Main) is set to "Show my home page" and not "Show my windows and tabs from last time". Setting it to the latter prevents the warning dialog when using Cmd+Q (however, you will get the warning if you try to close Firefox by pressing the X icon with your mouse).

To further confuse things, the warning dialog that comes up has a "Save and Quit" button. This button saves and restores your tabs the next time Firefox starts, which overrides your "When Firefox starts" setting of "Show my home page".

Firefox 3 Warn on Close

Talk about inconsistent behavior. Even though this bug seems to be limited to Mac OS X, I really hope it gets fixed in the final release. But if it doesn't get fixed, I'm glad it's at least possible to get the warning dialog when pressing Cmd+Q and that you can choose to "Save and Quit", even if it means making silly changes to the "When Firefox starts" option.

Workaround

One of the commenters mentioned the following workaround. I tested it with Firefox 3.5.7 on OS X 10.6.2 and it works perfectly:

  1. Install the Session Manager Plugin
  2. After restarting Firefox, go to Tools > Addons > Session Manager > Preferences
  3. Under General, set "At Shutdown" to "Ask whether to back up the current session"

Do not disable browser.cache.memory.enable!

A few weeks ago I wrote about my Firefox tweaks. One of those tweaks is to disable browser.cache.memory.enable. Here is an explanation of this option from this Computer World article:

Reduce graphics caching
When the Boolean preference browser.cache.memory.enable is enabled (the default), Firefox keeps copies of all graphical elements from the current browsing session in memory for faster rendering. You can set this to false to free up more memory, but pages in your history will reload less quickly when you revisit them.

So why is this option bad? Well, I've been working on an application for work, an FAQ Manager, and for the past few weeks I've been puzzled as to why a row of images would randomly not load.

Some would load and some wouldn't, even though they're all pointing to the same place (if one image works, they should all work!). When I tried loading the page in Internet Explorer, it worked fine. I tested it on my Firefox browser at home and at work and the same issue occurred, so I thought it couldn't be a browser issue. Then I asked my co-worker, Raf, and he told me to try it in Firefox on his computer. To my surprise, it worked!

After trying to disable a couple of different tweaks, I finally discovered it was browser.cache.memory.enable that was causing the issue. So a little advice: don't tweak that setting!

My Firefox Tweaks

Ever since I started using Firefox I've been discovering new and awesome ways it can be tweaked. It started with speeding up Firefox and has progressed into everything from where my tabs are placed to how selecting text happens (see the layout.word_select options below).

Below is a list of all the options I have added/modified using the about:config function of Firefox (simply type about:config in the address bar). I have decided to save space and time by opting out of writing descriptions for each option. I've linked each option to its respective page on MozillaZine. If you'd like a more layman explanation of each option, you can search Google or check out this article. If an option doesn't exist, create it.

Value		Preference Name
---------------------------------------------------------
0		nglayout.initialpaint.delay
1000000		content.notify.interval	
true		content.notify.ontimer
true		content.interrupt.parsing
2000000		content.max.tokenizing.time
3000000		content.switch.threshold
false		layout.word_select.eat_space_to_next_word
false		layout.word_select.stop_at_punctuation
32		network.http.max-connections
8		network.http.max-connections-per-server
8		network.http.max-persistent-connections-per-server
0		network.http.request.max-start-delay
true		network.http.pipelining
30		network.http.pipelining.maxrequests
false		browser.cache.memory.enable*
0		browser.sessionhistory.max_total_viewers
true		config.trim_on_minimize

I will add tweaks to this list as I discover them, mainly as a reference for myself. Some of the options require other options to be enabled, so if you're not going to use all of the tweaks listed here, make sure you do your research before complaining that it's not working.

*UPDATE: See my post here about browser.cache.memory.enable. The short version: don't use it!

Adblock Firefox Extension (and Blocking SourceForge.net Ads)

They finally got to me, the ads did. I was viewing my SourceForge.net account and realized just how annoying all the ads were. So I dug a little (didn't have to dig very far) and found an easy solution to block Google ads, as well as other ads, using the Adblock Firefox Extension. However, the solution explaining how to block Google text ads didn't work for blocking SourceForge.net Google ads. I had to add these additional sites to the Adblock list:

https://genweb.ostg.com/google/ads/*
https://google-ssl-2.ostg.com/pagead/*

Of course, I can't even see my own Google ads now that I'm using the extension, but it's easy enough to enable/disable. While I'm talking about ads, I might as well mention that since I added Google AdSense ads to my blog two months ago, I've made a whopping $1.29! It's not much, but it's more than I would have made if I didn't add them. 🙂 There is still an amazing amount of traffic coming in to my basement project page from people doing searches on Google for "dig out basement". My post is 10th in the search result.

Firefox Extension: Window Resizer

I found a really useful extension for Firefox: Window Resizer. If you do any kind of web development you should already be checking to make sure your content looks good in different resolutions. Nothing screams 1990's like a fixed width, "Best when viewed in 1280x1024 resolution" website. I'm rather anal when it comes to making sure my websites are as good looking on one computer as they are on another; why should I put all the time and effort into making a website look good if it only looks good on my computer?

But of course I need to set some kind of standard, so I used my StatHound visitor resolution statistics to determine what the lowest common resolution is for visitors to this blog -- it happens to be 1024x768. The Window Resizer extension is useful because it allows me to quickly resize my Firefox window to see what my website would look like in that resolution. It's a lot easier than changing the resolution on my monitor, maximizing Firefox, and then changing the resolution back to the original.

I also believe content should be readable from any web browser -- again, it's so 1990's to say "Best when viewed with Internet Explorer 6+". I actually test my websites using Firefox, Internet Explorer, Safari, and even the text-only web browser Lynx. I consider a text-only web browser to be the ultimate test for readability and that's one of the reasons why I frown upon flash-only websites, or websites that don't provide a "text version" option.

Replaced the View Source Editor for my Browsers

Up until now, on my PC, Internet Explorer and Firefox have had different "View Source" editors -- that is the editor used when you right click on a web page and click View Source. To keep things consistent, I decided to find a quick, syntax highlighting, notepad replacement which I could use to quickly view source code on both browsers.

After some quick research, I decided to go with Notepad2. I may eventually switch to gvim, as I'm an avid vi fan, however for now I'll see how things work out with Notepad2. I've already replaced my Windows Notepad with Metapad, which I think is a perfect replacement, however I wanted something with syntax highlighting for the View Source editor.

To change the editor which is used for View Source in Internet Explorer, do the following:

Start -> Run -> regedit.exe

Click OK, then open the following key:


HKEY_LOCAL_MACHINE
|- Software
|-- Microsoft
|---- Internet Explorer
|----- View Source Editor
|------- Editor Name (Default) = C:\Program Files\Notepad2\Notepad2.exe

You can change Editor Name to the path of whatever editor you want to use.

Close the registry and now Internet Explorer's View Source editor will use the editor you specified above!

To change the View Source editor in Firefox:

Type about:config in the URL box, press enter.

You should see a whole list of different options you can change. In the filter box, start typing view_source.editor.external until you see it in the list. Double click it to change the value to true.

You should also see view_source.editor.path. Double click it and enter the path to the editor of your choice.

Click OK, restart Firefox, and you're all set!

Firefox 2.0 & The Linux Backspace Key

Firefox 2.0 was released on Tuesday and if you haven't already downloaded it, I highly recommend you do. There are several new features which I believe make it worth the upgrade:

  • A huge speed increase, in both starting the browser and loading web pages
  • A very large number of bug fixes over previous versions of Firefox
  • Built-in spell checker, which automatically checks the spelling of words you type inside text boxes, including web based email clients
  • Session-save feature, which allows you to launch your browser and have it load all the web pages you were previously viewing

A number of the features which have been included with Firefox 2, such as the spell checker and session saver, were previously available as extensions for Firefox -- those two in particular were my favorite extensions and I'm happy to see them finally built-in.

The disadvantage to upgrading right now is the small number of extensions that have been updated to work with Firefox 2. About 80% of my extensions no longer work after upgrading, however the ones that are most important to me -- the session saver and spell checker -- are already built-in. If there are some extensions you are currently using that you absolutely cannot live without, then make sure they support Firefox 2 before you upgrade!

For those Linux users who have upgraded to Firefox 2, you may have noticed that your backspace key no longer works as a back button to go back one page. The Firefox developers decided to change the backspace action to scroll up one page instead of back one page, as explained here:

The backspace key was mapped to the browser “Back” function in Mozilla for consistency with Internet Explorer. However, to improve consistency with other applications running on Linux, it was decided that this mapping should be optional—and set based on which platform the browser was running on. As a compromise, this preference was created to allow the backspace key to either go back/forward, scroll up/down a page, or do nothing.

You can easily change the backspace action by using about:config (in your address bar) and then changing browser.backspace_action to 0 instead of 1. Restart Firefox, and backspace will have the same action as it did in previous versions.

There are lots of little bells and whistles in Firefox 2 and I'm still discovering them every day. Today for example, while I had about 15 tabs open, I noticed a little arrow on the right edge of Firefox next to all the tabs. Clicking that arrow brings down a list of all the tabs, with each of their titles fully visible. That is an extremely useful feature if you regularly have several tabs open (as I usually have 20+ tabs open at a time).

Great work on Firefox 2, Mozilla and Firefox developers! Don't worry, I won't send you a poisoned cake like Microsoft. 😉

Bookmark Sync and Sort

I often bookmark websites when I come across something I think I might want to come back to later. Usually I'm searching for something and I'll come across another, unrelated, page that I also find interesting. Then there are common pages, such as banking sites, credit card login pages, domain control panel login pages, and others, that I bookmark just to have a quick way to access them. As you can imagine, my bookmark list has grown quite large. I found it very inconvenient when I use one of my other computers, or my laptop, and I don't have access to all my bookmarks.

This is where Bookmark Sync and Sort comes in. It's a Firefox extension that allows you to upload your bookmarks to an FTP server, and then download the bookmarks from another computer that also has the extension installed. This way you can keep your bookmarks synced. It has lots of options, including a very useful one that allows you to merge bookmarks, so your existing bookmarks don't get overwritten. I set up a free shell account (thanks to freeshells.ch) which also includes FTP access, and I simply configured the Bookmark Sync extension to use that FTP server. Now whenever I add a bookmark, or several bookmarks, I choose "Synchronize Bookmarks" from the Bookmarks menu and the data is uploaded to the FTP server!

When I realized how many bookmarks I have, I thought it would be nice to share all those links with everyone. I'm going to set up an area where you can view my bookmarks, but first, I need to figure out a way to hide the bookmarks I don't want to make public, such as certain login pages.