Google threatened to withdraw from the Chinese market following the “sophisticated and targeted” attacks, which it said originated in China. Hackers used a flaw in Microsoft’s Internet Explorer (IE) browser to target the Gmail accounts of Chinese human rights activists.

Following Google’s revelations, the French and German governments advised their citizens to switch to a different browser until the hole had been closed. Microsoft reacted by quickly updating the browser, nearly three weeks ahead of its regular security update. However, Google has now said it is going to phase out support for the browser “starting with Google Docs and Google Sites”.

It said that as a result, some “key functionality” of the applications would not work when used with IE6. Google Docs is the firm’s answer to products such as Microsoft Office, whilst Google Sites allows people to create web pages.

Google’s Rajen Sheth wrote in an official blog post:

“The web has evolved in the last ten years, from simple text pages to rich, interactive applications including video and voice. Unfortunately, very old browsers cannot run many of these new features effectively.”

Threat downplayed

Around 20% of web users still use the nine-year old browser, including many UK government departments. But many developers want to see the browser phased out as soon as possible. The online campaign ie6nomore, supported by more than 70 web firms, says that because the browser does not support modern web standards it restricts what developers can do and is “holding the web back”.

Microsoft has said that it will support the browser until 2014. Microsoft has released a fix for Internet Explorer and recommended that customers install the update as soon as possible or update to the latest version of the web browser for “improved security”. Microsoft normally issues patches monthly but the high-profile nature of the attacks led it to act more quickly.

Market share

The UK government played down the threat and said there was “no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure”.

However, Microsoft took the unusual step of patching the hole nearly three weeks ahead of its regular security update. The new patch is available via the Microsoft Update site and will also be fed out to those who have their machines set to update automatically. All versions of Internet Explorer will receive the update.

Microsoft has admitted that it has known about the vulnerability “since early September” 2009 and had planned to patch it in February. The bad publicity has allowed rivals such as Firefox to gain market share.

According to web analytics company StatCounter, Firefox is now a close second to Internet Explorer (IE) in Europe, with 40% of the market compared to Microsoft’s 45% share. In some markets, including Germany and Austria, Firefox has overtaken IE, the firm said. Mozilla, the foundation behind Firefox, has just released the latest version (3.6) of the open-source browser.

Built through Mozilla’s global, open source development process, Firefox 3.5 is said to be more than two times faster than Firefox 3 and ten times faster than Firefox 2 on complex websites thanks to a new TraceMonkey JavaScript engine. The new version arrives roughly one year after the release of Firefox 3.0, which was also billed as “two to three times faster” than its predecessor.

Firefox 3.5 has undergone “extensive under-the-hood work to support new technologies” that will allow Web developers to create the next generation of Web content, Mozilla says. It also packs a handful of user-oriented features such as:

Open Video and Audio: Supports playback of video and audio content from within the browser, without the need for plugins. Web developers can use these technologies to design pages that interact with video content in new and interesting ways, offering richer interactive experiences beyond controlling playback and volume.

Privacy Controls: Like the “Private Browsing” feature of Apple’s Safari web browser, an identically-named addition to Firefox 3.5 similarly prevents the browser from storing anything related to a browser session once it’s been activated.

Unique to Firefox 3.5, however, is a new Forget this Site feature that removes every trace of a site from a user’s browser. Users who want to remove all private data or activity from the past few hours can also use a Clear Recent History function, which is another Firefox-only feature that offers users more control “over what stays and what goes.”

Location Aware Browsing: Location Aware Browsing is an optional feature that, when enabled, lets websites tap into a user’s location information to find nearby points of interest and return additional, data-like maps of their particular area.

Firefox is currently the world’s second-leading browser with a 22.5% share of the global web browser market. It trails only Microsoft’s Internet Explorer, which maintains 65.5% of the market. Apple’s Safari is distant third with just under 8.5% market share.

Version 3.0.11 squashes a javascript chrome privilege escalation bug, which Mozilla said allows attackers to execute malware on the computers of end users. Exploits would work by manipulating chrome privileged objects, such as a browser sidebar.

Mozilla said some of same bugs have been fixed in version 2.0.0.22 of Thunderbird, but at time of writing, the most current version of the email application was 2.0.0.21. We wouldn’t be surprised if an update was released soon.

As usual, the update will be pushed directly to Firefox users and requires only a simple restart of the browser to be installed.

The two “high-risk” flaws involve same-origin violation security bugs. The other six moderate or low risk flaws are detailed in Mozilla’s release notes here.

Firefox 3.0.9 also addresses a number of stability issues, including a problem where a corrupt local database might cause Firefox to “lose” its stored cookies. Another flaw that means in-line images might not be displayed when using webmail accounts was also plugged. User systems are to be automatically updated to version 3.0.9 within 48 hours. The release can also be downloaded manually beforehand. Firefox version 2.0 is no longer supported.

The update to Firefox version 3.0.9 comes days before the expected delivery of an “almost ready” fourth beta of the next version of its browser, Firefox 3.5.

Maximum PC explains the differences between the browsers, future and present, so that you can make a more informed decision about the primary tool you use to browse the web. From the rendering engines used to the features that set the different browsers apart, this is a comprehensive, blow-by-blow battle between Safari 3, Internet Explorer 7, Firefox 3, Opera 9.6, Google Chrome, Firefox 3.1, IE 8, Safari 4, and Opera 10.

Google has acknowledged the flaw and is working towards a patch for Chrome versions 1.0.154.43 and earlier when running within Windows XP SP2 systems, according to SecNiche security researcher Aditya K Sood. The flaw was reported on 27 January and has since posted a proof of concept on the Bugtraq vulnerability-disclosure forum.

“Attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page,” Sood said within the disclosure.

Google’s security researchers had not found any attacks in the wild that exploited the specific vulnerability, said Google’s spokesperson.

Clickjacking is a relatively new type of browser attack. The attack broadly fits within the category of cross-site scripting forgery, where an attacker uses maliciously crafted HTML or JavaScript code to force a victim’s web browser to send an HTTP request to a website of their choosing.

Internet Explorer 8 (release candidate 1 and beta 2 versions) and Opera 9.63 (the latest version) are not exposed to the flaw. But, like Chrome, Firefox 3.0.5 is exposed.

Microsoft’s market share in the browser dropped below 70% for the first time in eight years, while Mozilla broke the 20% barrier for the first time in its history. It’s too early to tell for sure, but if Net Applications’ numbers are correct, then Microsoft’s Internet Explorer will end 2008 with a historic market share loss in a software segment Microsoft believes is key to its business.

When you log into Gmail using Internet Explorer, you’ll see a “Get faster Gmail” link in the set of links across the top of the page. If you follow the link in IE7, you’ll find yourself at this page (pictured above), which claims that Gmail runs an average of twice as fast on Firefox 3 or Chrome than it does IE.

Strangely enough, that same link in IE6 takes you to this page, which recommends upgrading to IE7—so you’re in for a bit of a rollercoaster if you follow their suggestions. We practically never open up IE unless we have to around here, so we certainly can’t say from experience that IE runs Gmail that much more slowly, so if you’ve got more experience switching between browsers with Gmail, share your experience in the comments.

Firefox 3.0.5 is available at http://getfirefox.com/

For a list of changes and more information, please review the Firefox 3.0.5 Release Notes and the Firefox 2.0.0.19 Release Notes.

Mozilla is not planning any further security & stability updates for Firefox 2, and recommends that you upgrade to Firefox 3 as soon as possible. It’s free, and your settings and bookmarks will be preserved.