Lack of proper input validation leads to critical Firefox SSL flaw

Update: The flaw in Firefox has been patched. In addition, Firefox 3.5 does not have this vulnerability. See Ryan Naraine’s post on ZDNet for more details.

Due to a flaw in how one (some? all?) unnamed Certificate Authority (CA) validates the domain name when creating SSL certificates, Firefox can be tricked into accepting valid SSL certificates that were issued to other domains. At the heart of the matter is that the CA(s) are allowing certificate requests to be processed that contain a NULL character in the domain name. So if I request a certificate for hostname.domain1.comNULLdomain2.com, the CA will allow me to do it, as long as I am the owner of domain2.com. However, when Firefox examines the certificate, it will think the certificate is actually for domain1.com, because C/C++ uses NULL-terminated strings and Firefox does not escape the NULL character in the certificate’s name. So, when used in conjunction with hijacking of DNS or maybe a nefarious proxy server (or some other way of getting requests for domain1.com to end up at domain2.com), it will look like you’re going to a properly SSL-secured and authenticated site, but you’re really going to the hacker’s site.

Until this flaw is fixed, do not use Firefox to go to SSL secured sites (including the Firefox update site) from public Wi-Fi hotspots or other places that are easily hijacked. Internet Explorer does not have this issue.
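As an added illustration (not code from the post or from Firefox), here is a C sketch of the comparison described above: a certificate name carries an explicit length, a naive check converts it to a C string and silently stops at the first NULL byte, while a length-aware check rejects any embedded NULL. The name bytes are constructed from the post’s own example.

```c
#include <stdio.h>
#include <string.h>

/* A certificate subject name as it is stored: explicit length, no terminator. */
struct cert_name {
    const unsigned char *bytes;
    size_t len;
};

/* Constructed sample: the post's spoofed name, with a real NUL byte inside. */
static const unsigned char SPOOF_CN[] = "hostname.domain1.com\0domain2.com";
static const struct cert_name SPOOF = { SPOOF_CN, sizeof SPOOF_CN - 1 };

/* Constructed sample: a legitimate name for the same host. */
static const unsigned char GOOD_CN[] = "hostname.domain1.com";
static const struct cert_name GOOD = { GOOD_CN, sizeof GOOD_CN - 1 };

/* Flawed check: copy the name into a C string and strcmp().
 * Everything after the first NUL byte is dropped, so the spoofed
 * name compares equal to hostname.domain1.com. Returns 1 on match. */
int host_matches_naive(const struct cert_name *cn, const char *host)
{
    char buf[256];
    if (cn->len >= sizeof buf)
        return 0;
    memcpy(buf, cn->bytes, cn->len);
    buf[cn->len] = '\0';
    return strcmp(buf, host) == 0;
}

/* Hardened check: an embedded NUL makes the name invalid outright,
 * and the comparison uses the stored length, not strlen(). */
int host_matches_strict(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->bytes, '\0', cn->len) != NULL)
        return 0;
    if (cn->len != strlen(host))
        return 0;
    return memcmp(cn->bytes, host, cn->len) == 0;
}

int main(void)
{
    const char *host = "hostname.domain1.com";
    printf("naive : spoof=%d good=%d\n",
           host_matches_naive(&SPOOF, host), host_matches_naive(&GOOD, host));
    printf("strict: spoof=%d good=%d\n",
           host_matches_strict(&SPOOF, host), host_matches_strict(&GOOD, host));
    return 0;
}
```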

Microsoft ATL has vulnerabilities; patch immediately

A remote code execution vulnerability was found in the Microsoft Active Template Library (ATL), which is used to build ActiveX controls. If you write ActiveX controls, you need to read the security bulletin, find out if the problem affects controls you have written, and if so, take immediate steps to resolve the problem.

Pointer misusage at the heart of the ActiveX flaw

CNET blogger Lance Whitney recently wrote about the latest Internet Explorer exploit; the reason why there was an exploit is exactly why I don’t like C and C++. With one missing &, the code compiled fine and ran fine (in terms of causing errors that could be detected at runtime), but the result was code that did not function to spec. In this instance, the result is a massive ActiveX flaw (see the Visual Studio patch below) that prevents Internet Explorer from properly disabling dangerous ActiveX controls.

ASP.NET MVC 2 Preview 1 released

I can’t believe it, but the ASP.NET MVC team is already previewing version 2; it has only been a few months since people were showing off the previews for version 1. It looks like ASP.NET MVC 2 will be included in Visual Studio 2010, which means that it will be on a pretty quick development cycle.

Rx (LINQ to Events) in .NET 4

.NET 4.0 will have a radical new feature called Rx (LINQ to Events). It seems to involve an inversion of the Iterator pattern to become the Observable pattern. It looks like this is the preferred way of handling events and other asynchronous programming items in .NET 4, so it’s a good time to get a basic handle on it. Luckily, the old methods will still work and will continue to be supported. But from what I’ve read, I can definitely see a lot of benefit in Rx for many scenarios. The Mechanical Bride site features another post that describes some of the ways in which Rx is useful. I like the idea of “extension events.”

Mozilla experiments with Firefox 4 screens to give more screen space

Mozilla has put out a few screenshots of possible Firefox 4 layouts. Mozilla is looking for ways to give the page more breathing room while maintaining usability.

Coverity starts program for academic environments

Coverity’s Software Integrity Academic Program has started giving academic institutions access to static analysis tools for teaching and research. The program allows qualified teaching institutions to purchase licenses of Coverity Prevent at a very low price.

IronPython 2.6 Beta 2 released

IronPython 2.6 Beta 2 has been released. It contains a large number of bug fixes and is now feature complete to CPython 2.6.

Mono 2.4.2.3 released

Mono 2.4.2.3, a small maintenance release, is out. It looks like it just fixes a few minor bugs.

STM.NET potentially eliminates the need for locking with threading

Microsoft released STM.NET, an enhanced version of the .NET 4 Beta 1. STM.NET (Software Transactional Memory) allows the programmer to pass a block of code to a delegate which invokes the code in a thread-safe manner as a transaction that can be rolled back if needed. This removes the burden of dealing with data locks and such from the developers. It also frees developers from needing to work with systems like MSMQ.

Rails BugMash makes it easy to participate in Rails development

There is a Rails BugMash event scheduled for August 8-9. This is essentially a one-weekend blitz through open tickets to confirm the existence of bugs, discover what needs to be done to fix each bug, fix the bug if possible, and if the bug is not possible to fix, direct it to the Rails Core team. This is a great opportunity for people who might not be in a situation where they can contribute directly to the codebase to be able to help out.

Expression Web 3’s SuperPreview: Wow!

I downloaded Expression Web 3 from MSDN, and the first thing I tried was the SuperPreview feature. In a nutshell, SuperPreview allows the side-by-side comparison of a Web page in different rendering engines. I was blown away. It is incredibly useful and intuitive, and it is a must have addition to any developer toolbox. I really like the highlighting of the differences between browsers. You can select an element with your mouse in one browser window, and it will box (or lightbox) that section of screen on the other browser window to help you see how different the two browsers display the element.

You should definitely take a look at SuperPreview if you can. I’ll provide more details about the feature in my Product Spotlight post, which we’ll publish soon.

Clues about Android’s future features

Android’s dev branch has some potential new features in it. Garett Rogers provides more details in his ZDNet post.

Digg’s theory of browser compatibility

Digg recently posted an interesting item about why it has decided to drop support for IE 6 at a programmatic level. To summarize, Digg saw that, while IE 6 users constituted enough traffic to justify keeping HTML compatibility with them, the IE 6 users were such a small percentage of people using actual functionality that it was safe to drop them in terms of JavaScript and other items. For anyone struggling to maintain IE 6 compatibility, I recommend doing the same thing: take a look at actual feature usage, not just page views, to see what aspects of IE 6 you truly need to keep working around.

“Media engineers” to replace software engineers?

ZDNet blogger Tom Foremski thinks that “media engineers” will replace software engineers. His idea makes sense in an ideal world, but it doesn’t jibe with current realities.

First, while many tools make programming easier, those tools also introduce complexities. Writing software isn’t getting easier — the difficulties are just moving up the chain. Twenty years ago, programmers struggled to work with a GUI; now, that is a snap, and we struggle with different things.

Second, Foremski seems to think that inexpensive, offshore labor makes development inexpensive. I staunchly disagree. Those of us in the trenches have discovered that there are a lot of problems with offshore labor (e.g., time zones, retention rates, communications barriers, cultural differences, travel costs, oversight, and quality control) and that is before we even discuss the issues that are always present when dealing with third-party workers. In addition, offshore labor isn’t even that cheap lately; Indian developers’ pay rates have gone way, way up in the last few years.

Finally, his analysis presupposes the idea that the only goal for the majority of development work is to spread media around the Internet.

ApacheCon headed to Oakland in November

ApacheCon will be held in Oakland, CA this year from November 2 – 6. This should be a major event, as Apache is celebrating the 10th anniversary of the Apache Software Foundation.

Aleri offers resources to simplify Complex Event Processing

Aleri, makers of CEP software, is offering materials to help developers work with their products. The resources are centered around the Aleri Implementation Methodology (AIM). Aleri has a white paper available and a series of Webcasts. The Webcasts are running from July 29-August 26, 2009, so check them out now.

J.Ja

Disclosure of Justin’s industry affiliations: Justin James has a working arrangement with Microsoft to write an article for MSDN Magazine. He also has a contract with Spiceworks to write product buying guides.
