Voting machine integrity through transparency
By Jake Edge March 26, 2008
It is hard to believe that governments would spend money on voting equipment that they are not allowed to test, but that is exactly what multiple counties in New Jersey appear to have done. They are certainly not alone; many other places are likely to have the same restrictions on "their" voting machines. This raises the question: where are the free software voting systems?
Union County wanted to ask Ed Felten to look at the voting machines it purchased from Sequoia Voting Systems because of several anomalies—less charitably known as miscounts—observed when using them in the primary elections. Once Sequoia got wind of the plan, they emailed Felten a nastygram because he might engage in "non-compliant analysis" of the machines in violation of the Sequoia license. It seems quite likely that is exactly what Felten and the county clerk had in mind, as a third-party analysis is the only sensible way to evaluate voting machines.
Other jurisdictions have done better of late, with Felten's Freedom to Tinker weblog noting that California has denied certification for two voting machines from Election Systems & Software (ES&S). California Secretary of State Debra Bowen has been at the forefront of trying to ensure that voting machines work correctly. LWN's home state of Colorado also decertified a number of voting machines, but, like the earlier California study, it was done after those machines were purchased. As in California, it seems likely that Colorado will be using those machines in November.
Things are getting a little better, perhaps, but no one has, as yet, tried to take on the four major voting machine makers with a system that is built with security in mind. There is no reason that the source code for a voting machine could not be made available for study. The voting machine vendors claim all sorts of proprietary secret sauce in their code, but that isn't the real reason they hide it. Covering up their shoddy code is much more likely.
Every independent review of voting machines has found numerous, fundamental security flaws that should make anyone with an interest in the integrity of the election process cringe. Many of those analyses were done without the source code, so there is little doubt that even uglier problems would have been found in the code itself. It just cannot be that difficult to produce something vastly more secure than what is made available today.
One could speculate about the motives of these companies, but it is more fruitful to look instead at what could be built, mostly with off-the-shelf software. The place to start is by hiring a few good security-minded developers while lining up an independent review team. One might guess that Felten and his associates would be a good place to start.
A stripped-down Linux system could very easily be the basis for a voting machine, but other free software choices would serve just as well. Some user interface code for touchscreens and alternative input methods for those with disabilities would need to be written. Some kind of printing output device would need to be made a part of the system so that voter-verifiable audit trails—better yet, ballots that can be put into a locked box—can be created.
Source code availability does not, in and of itself, ensure vote security. That code needs to be reviewed by as many experts as can be found. In addition, there needs to be some mechanism to show that the source code being reviewed is the same as that being run.
For that reason, the system itself might be built around some kind of Trusted Platform Module (TPM) chip so that interested parties can verify that the published code is the same as that running on the system. If the system runs Linux, it might use the integrity management patches for that. Most importantly, the outside interfaces (network, USB, PCMCIA, etc.) to the device would either not be present or be very tightly controlled. Any kind of removable vote recording memory would need adequate cryptographic safeguards to eliminate tampering between vote taking and vote tabulating machines.
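The two mechanisms that paragraph relies on, modelled as an added example (this is not code from the article or from any real voting system): replaying a TPM-style measurement log against published build digests, and sealing the vote records on removable media with a keyed hash chain so that the tabulating machine can detect tampering. It assumes SHA-256 for the measurement chain and an HMAC key shared between the voting and tabulating machines; every component, key and vote in it is constructed sample data.

```python
# Added example, not code from the LWN article. Part 1 replays a TPM-style
# measurement log (PCR extend chain) to confirm that the code that booted
# matches the published build. Part 2 seals vote records written to removable
# media with a keyed hash chain so that modification, reordering, deletion or
# truncation between the voting machine and the tabulator is detected. All
# names, keys and votes are constructed sample data.
import hashlib
import hmac
import json

PCR_INIT = b"\x00" * 32  # a fresh PCR starts as all zero bits


def pcr_extend(pcr, digest):
    """TPM extend operation: PCR_new = SHA-256(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def published_digests(components):
    """Digest table the election authority publishes next to the reviewed source."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in components}


def measure_boot(components):
    """Simulate the boot path measuring each component before handing it control.

    `components` is a list of (name, bytes). Returns the final PCR value and the
    event log [(name, hex digest)] that an outside verifier replays."""
    pcr, log = PCR_INIT, []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        log.append((name, digest.hex()))
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def verify_attestation(reported_pcr, event_log, published):
    """Check a machine's event log against the published build digests.

    Every logged component must match its published digest, nothing published
    may be missing from the log, and replaying the log must reproduce the PCR
    the machine reported (a real TPM would sign that value with its own key)."""
    pcr, seen = PCR_INIT, set()
    for name, digest_hex in event_log:
        if published.get(name) != digest_hex:
            return False, f"{name} does not match the published build"
        seen.add(name)
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    missing = sorted(set(published) - seen)
    if missing:
        return False, f"components never measured: {missing}"
    if not hmac.compare_digest(pcr, reported_pcr):
        return False, "event log does not reproduce the reported PCR"
    return True, "running code matches the published code"


def seal_votes(key, votes):
    """Write vote records for removable media as an HMAC chain.

    Each tag covers the previous tag, so a record cannot be altered, moved or
    removed without breaking every later tag; a closing record carrying the
    count makes truncation from the end detectable too. The key is assumed to
    be shared between the voting and tabulating machines."""
    prev, sealed = PCR_INIT, []
    for seq, vote in enumerate(votes):
        body = json.dumps({"seq": seq, "vote": vote}, sort_keys=True).encode()
        tag = hmac.new(key, prev + body, hashlib.sha256).digest()
        sealed.append({"seq": seq, "vote": vote, "tag": tag.hex()})
        prev = tag
    closing = json.dumps({"close": len(votes)}, sort_keys=True).encode()
    tag = hmac.new(key, prev + closing, hashlib.sha256).digest()
    sealed.append({"close": len(votes), "tag": tag.hex()})
    return sealed


def verify_votes(key, sealed):
    """Tabulator-side check of a sealed vote file: (True, votes) or (False, why)."""
    prev, votes = PCR_INIT, []
    for entry in sealed:
        payload = {k: v for k, v in entry.items() if k != "tag"}
        body = json.dumps(payload, sort_keys=True).encode()
        expected = hmac.new(key, prev + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(entry["tag"])):
            return False, f"bad tag on record {payload}"
        if "close" in payload:
            if payload["close"] != len(votes):
                return False, "closing count disagrees with records present"
            return True, votes
        if payload["seq"] != len(votes):
            return False, f"sequence gap before record {payload['seq']}"
        votes.append(payload["vote"])
        prev = expected
    return False, "no closing record: vote file is truncated"
```

The closing record is what makes the chain a tamper-evident file rather than just a set of signed entries: without it, dropping the last few records would go unnoticed.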
Instead of an emphasis on PR, schmoozing, and bamboozling non-technical folks, the focus of a free software voting system would be on transparency. The number one goal would be to give everyone, from the least technical voter to the Bruce Schneiers of the world, confidence in the machines and the process. It is hard to fathom how anyone could want anything less.
The last updated vulnerabilities section
It would seem that the majority of the readers of this page are willing to part with the updated vulnerabilities section. Based on the comments we got over the last two weeks, we decided to remove it in future editions. So, this is the last week you will find one on the security page. You can always visit http://lwn.net/Vulnerabilities/ to get a look at the most recent vulnerabilities in our database.
New vulnerabilities
asterisk: multiple vulnerabilities
Package(s): asterisk
CVE #(s): CVE-2007-6430, CVE-2008-1332, CVE-2008-1333
Created: March 20, 2008
Updated: April 25, 2008
Description: From the Debian alert:
CVE-2007-6430: Tilghman Lesher discovered that database-based registrations are insufficiently validated. This only affects setups which are configured to run without a password and only host-based authentication.
CVE-2008-1332: Jason Parker discovered that insufficient validation of From: headers inside the SIP channel driver may lead to authentication bypass and the potential external initiation of calls.
asterisk: multiple vulnerabilities
Package(s): asterisk
CVE #(s): CVE-2008-1289, CVE-2008-1390
Created: March 24, 2008
Updated: March 26, 2008
Description: From the Red Hat bugzilla:
CVE-2008-1289: Two buffer overflows exist in the RTP payload handling code of Asterisk. Both overflows can be caused by an INVITE or any other SIP packet with SDP. The request may need to be authenticated depending on configuration of the Asterisk installation.
The first overflow is caused by sending a payload number that surpasses the programmed maximum payload number of 256. This causes an invalid memory write outside of the buffer. While this does not allow the attacker to write arbitrary data it does allow the attacker to write a 0 to other memory locations.
The second overflow is caused by sending more than 32 RTP payloads. This causes a buffer on the stack to overflow allowing the attacker to write values between 0 and 256 (the maximum payload number) to memory locations after the buffer.
CVE-2008-1390: Due to the way that manager IDs are calculated, this 32-bit integer is likely to have a much larger than average number of 1s, which greatly reduces the number of guesses an attacker would have to make to successfully predict the manager ID, which is used across multiple HTTP queries to hold manager state.
bzip2: denial of service
Package(s): bzip2
CVE #(s): CVE-2008-1372
Created: March 24, 2008
Updated: April 9, 2008
Description: From the CVE entry:
bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite.
Firefox: multiple vulnerabilities
JBoss: inject and execute arbitrary commands
Package(s): JBoss
CVE #(s): CVE-2007-6306, CVE-2007-6433
Created: March 25, 2008
Updated: March 26, 2008
Description:
The JFreeChart component was vulnerable to multiple cross-site scripting (XSS) vulnerabilities. An attacker could misuse the image map feature to inject arbitrary web script or HTML via several attributes of the chart area. The setOrder method in the org.jboss.seam.framework.Query class did not properly validate user-supplied parameters. This vulnerability allowed remote attackers to inject and execute arbitrary EJBQL commands via the order parameter.
krb5: memory use after free
Package(s): krb5
CVE #(s): CVE-2007-5901
Created: March 24, 2008
Updated: March 26, 2008
Description: From the CVE entry:
Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. NOTE: this might be the result of a typo in the source code.
libsilc: buffer overflow
Package(s): libsilc
CVE #(s):
Created: March 24, 2008
Updated: March 26, 2008
Description: From the Red Hat bugzilla:
SILC Toolkit contains a possible buffer overflow from PKCS#1 message decoding in versions earlier than 1.1.7. A specially crafted digital signature can be used to crash the program.
namazu: cross-site scripting
Package(s): namazu
CVE #(s): CVE-2008-1468
Created: March 26, 2008
Updated: March 26, 2008
Description:
The sanitizing of input to namazu does not work properly with certain encodings, allowing HTML directives and script code to be injected into content.
openssh: hijacking of forwarded X connections
Package(s): openssh
CVE #(s): CVE-2008-1483
Created: March 25, 2008
Updated: April 11, 2008
Description:
OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
ruby: directory traversal
Package(s): ruby
CVE #(s): CVE-2008-1145
Created: March 25, 2008
Updated: March 26, 2008
Description:
Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.
serendipity: insufficient input sanitizing
Package(s): serendipity
CVE #(s): CVE-2007-6205, CVE-2008-0124
Created: March 25, 2008
Updated: March 26, 2008
Description:
Serendipity, a weblog manager, did not properly sanitize input to several scripts, which allowed for cross-site scripting.
ssl-cert: certificate disclosure
Package(s): ssl-cert
CVE #(s): CVE-2008-1383
Created: March 20, 2008
Updated: March 26, 2008
Description: From the Gentoo alert:
Robin Johnson reported that the docert() function provided by ssl-cert.eclass can be called by source building stages of an ebuild, such as src_compile() or src_install(), which will result in the generated SSL keys being included inside binary packages (binpkgs).
A local attacker could recover the SSL keys from publicly readable binary packages when "emerge" is called with the "--buildpkg (-b)" or "--buildpkgonly (-B)" option. Remote attackers can recover these keys if the packages are served to a network.
viewvc: multiple vulnerabilities
Package(s): viewvc
CVE #(s): CVE-2008-1290, CVE-2008-1291, CVE-2008-1292
Created: March 20, 2008
Updated: March 26, 2008
Description: From the Gentoo alert:
Multiple unspecified errors were reportedly fixed by the ViewVC development team.
A remote attacker could send a specially crafted URL to the server to list CVS or SVN commits on "all-forbidden" files, access hidden CVSROOT folders, and view restricted content via the revision view, the log history, or the diff view.
xine-lib: arbitrary code execution
Package(s): xine-lib
CVE #(s): CVE-2008-0073
Created: March 24, 2008
Updated: April 23, 2008
Description: From the Red Hat bugzilla:
Secunia Research has discovered a vulnerability in xine-lib, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error within the "sdpplin_parse()" function in input/libreal/sdpplin.c. This can be exploited to overwrite arbitrary memory regions via an overly large "streamid" SDP parameter included in a malicious RTSP stream.
Successful exploitation allows execution of arbitrary code.
xwine: several vulnerabilities
Package(s): xwine
CVE #(s): CVE-2008-0930, CVE-2008-0931
Created: March 21, 2008
Updated: March 26, 2008
Description:
The xwine command makes unsafe use of local temporary files when printing. This could allow the removal of arbitrary files belonging to users who invoke the program. The xwine command changes the permissions of the global WINE configuration file such that it is world-writable. This could allow local users to edit it such that arbitrary commands could be executed whenever any local user executed a program under WINE.
Updated vulnerabilities
cairo: integer overflow
Package(s): Cairo
CVE #(s): CVE-2007-5503
Created: November 29, 2007
Updated: April 10, 2008
Description:
Cairo has an integer overflow vulnerability in the PNG image processing code. If a user processes a specially crafted PNG image with an application that is linked against cairo, arbitrary code can be executed with the user's privileges.
MySQL: privilege escalation
Package(s): MySQL
CVE #(s): CVE-2007-3781, CVE-2007-5969
Created: December 11, 2007
Updated: April 7, 2008
Description:
MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)
MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781)
SDL_image: buffer overflows
Package(s): SDL_image
CVE #(s): CVE-2007-6697, CVE-2008-0544
Created: February 8, 2008
Updated: March 27, 2008
Description: From the Mandriva advisory:
The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain a boundary error that could be triggered to cause a static buffer overflow and a heap-based buffer overflow. If a user using an application linked against the SDL_image library were to open a carefully crafted GIF or IFF ILBM file, the application could crash or possibly allow for the execution of arbitrary code.
Sun JDK/JRE: multiple vulnerabilities
Package(s): Sun JDK/JRE
CVE #(s): CVE-2007-2435, CVE-2007-2788, CVE-2007-2789
Created: June 1, 2007
Updated: April 18, 2008
Description:
An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files.
Xorg: multiple vulnerabilities
apache: cross-site scripting
Package(s): apache
CVE #(s): CVE-2006-3918
Created: August 9, 2006
Updated: April 4, 2008
Description: From the Red Hat advisory:
"A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
apache: several vulnerabilities
Package(s): apache
CVE #(s): CVE-2007-5000, CVE-2007-6388, CVE-2008-0005
Created: January 15, 2008
Updated: April 4, 2008
Description:
A flaw was found in the mod_imap module. On sites where mod_imap was enabled and an imagemap file was publicly available, a cross-site scripting attack was possible. (CVE-2007-5000)
A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly available, a cross-site scripting attack was possible. (CVE-2007-6388)
A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was enabled and a forward proxy was configured, a cross-site scripting attack was possible against Web browsers which did not correctly derive the response character set following the rules in RFC 2616. (CVE-2008-0005)
asterisk: possible SQL injection
Package(s): asterisk
CVE #(s): CVE-2007-6170
Created: December 3, 2007
Updated: April 15, 2008
Description:
Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit, performs insufficient sanitizing of call-related data, which may lead to SQL injection.
audacity: insecure tmpfile handling
Package(s): audacity
CVE #(s): CVE-2007-6061
Created: March 3, 2008
Updated: March 21, 2008
Description: From the Gentoo advisory:
Viktor Griph reported that the "AudacityApp::OnInit()" method in file src/AudacityApp.cpp does not handle temporary files properly.
A local attacker could exploit this vulnerability to conduct symlink attacks to delete arbitrary files and directories with the privileges of the user running Audacity.
backup-manager: password disclosure
Package(s): backup-manager
CVE #(s): CVE-2007-4656
Created: March 17, 2008
Updated: March 19, 2008
Description: From the Debian advisory:
Micha Lenk discovered that backup-manager, a command-line backup tool, sends the password as a command line argument when calling an FTP client, which may allow a local attacker to read this password (which provides access to all backed-up files) from the process listing.
cacti: multiple vulnerabilities
Package(s): cacti
CVE #(s): CVE-2008-0783, CVE-2008-0784, CVE-2008-0785, CVE-2008-0786
Created: February 28, 2008
Updated: May 6, 2008
Description: From the Mandriva alert:
A number of vulnerabilities were found in the Cacti program, including XSS vulnerabilities, SQL injection vulnerabilities, CRLF injection vulnerabilities, and information disclosure vulnerabilities.
clamav: arbitrary code execution
Package(s): clamav
CVE #(s): CVE-2008-0318
Created: February 13, 2008
Updated: April 18, 2008
Description: From the CVE:
Integer overflow in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow.
clamav: arbitrary file overwrite
Package(s): clamav
CVE #(s): CVE-2007-6595
Created: February 18, 2008
Updated: April 24, 2008
Description: From the CVE entry:
ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files in the cli_gentempfd function in libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is enabled.
clamav: heap corruption
Package(s): clamav
CVE #(s): CVE-2008-0728
Created: February 22, 2008
Updated: April 18, 2008
Description: From the CVE entry:
libclamav/mew.c in libclamav in ClamAV before 0.92.1 has unknown impact and attack vectors that trigger "heap corruption."
cups: heap overflow
Package(s): cups
CVE #(s): CVE-2008-0047
Created: March 19, 2008
Updated: April 9, 2008
Description:
The cups package suffers from a heap overflow vulnerability in the cgiCompileSearch() function. This vulnerability could be exploited remotely if the print server shares printers over the network.
cups: denial of service
Package(s): cups
CVE #(s): CVE-2008-0882
Created: February 22, 2008
Updated: April 3, 2008
Description: From the Red Hat advisory:
A flaw was found in the way CUPS handles the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to crash.
cups: multiple vulnerabilities
debian-goodies: privilege escalation
Package(s): debian-goodies
CVE #(s): CVE-2007-3912
Created: October 5, 2007
Updated: March 24, 2008
Description:
Thomas de Grenier de Latour discovered that the checkrestart program included in debian-goodies did not correctly handle shell meta-characters. A local attacker could exploit this to gain the privileges of the user running checkrestart.
dovecot: multiple vulnerabilities
Package(s): dovecot
CVE #(s): CVE-2008-1199, CVE-2008-1218
Created: March 13, 2008
Updated: March 27, 2008
Description: From the Fedora alert:
CVE-2008-1199: If Dovecot was configured with mail_extra_groups = mail, users having shell access to the IMAP server could use this flaw to read, modify or delete mails of other users stored in inbox files in /var/mail. The /var/mail directory is mail-group writable and user inbox files are by default created by useradd with permission 660, <user>:mail. No mail_extra_groups is set by default, hence the default Fedora configuration was not affected by this problem. If your configuration sets mail_extra_groups, see the new options mail_privileged_group and mail_access_groups introduced in Dovecot 1.0.11. (mail_extra_groups is still accepted, but is deprecated now.)
CVE-2008-1218: On Dovecot versions 1.0.11 and newer, it was possible to gain password-less login via passwords with tab characters, which were not filtered properly. Dovecot versions in Fedora were not affected by this unauthorized login flaw, but only by a related minor memory leak in the dovecot-auth worker process.
emacs: buffer overflow
Package(s): emacs
CVE #(s): CVE-2007-6109
Created: December 10, 2007
Updated: May 6, 2008
Description: From the National Vulnerability Database:
Buffer overflow in emacs allows attackers to have an unknown impact, as demonstrated via a vector involving the command line.
exiftags: multiple vulnerabilities
Package(s): exiftags
CVE #(s): CVE-2007-6354, CVE-2007-6355, CVE-2007-6356
Created: December 31, 2007
Updated: April 1, 2008
Description: From the Gentoo advisory:
Meder Kydyraliev (Google Security) discovered that Exif metadata is not properly sanitized before being processed, resulting in illegal memory access in the postprop() and other functions (CVE-2007-6354). He also discovered integer overflow vulnerabilities in the parsetag() and other functions (CVE-2007-6355) and an infinite recursion in the readifds() function caused by recursive IFD references (CVE-2007-6356).
firebird: multiple vulnerabilities
Package(s): firebird
CVE #(s): CVE-2008-0387, CVE-2008-0467
Created: March 3, 2008
Updated: March 27, 2008
Description: From the Gentoo advisory:
Firebird does not properly handle certain types of XDR requests, resulting in an integer overflow (CVE-2008-0387). Furthermore, it is vulnerable to a buffer overflow when processing usernames (CVE-2008-0467).
A remote attacker could send specially crafted XDR requests or an overly long username to the vulnerable server, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application.
firebird: buffer overflow
Package(s): firebird
CVE #(s): CVE-2007-3181
Created: July 2, 2007
Updated: March 27, 2008
Description:
The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user.
firefox: multiple vulnerabilities
Package(s): firefox
CVE #(s): CVE-2008-0414, CVE-2008-0416, CVE-2008-0420, CVE-2008-0594
Created: February 8, 2008
Updated: March 26, 2008
Description: From the Ubuntu advisory:
Flaws were discovered in the file upload form control. A malicious website could force arbitrary files from the user's computer to be uploaded without consent. (CVE-2008-0414)
Various flaws were discovered in character encoding handling. If a user were tricked into opening a malicious web page, an attacker could perform cross-site scripting attacks. (CVE-2008-0416)
Flaws were discovered in the BMP decoder. By tricking a user into opening a specially crafted BMP file, an attacker could obtain sensitive information. (CVE-2008-0420)
Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery warning dialog wasn't displayed under certain circumstances. A malicious website could exploit this to conduct phishing attacks against the user. (CVE-2008-0594)
firefox: multiple vulnerabilities
Package(s): firefox seamonkey thunderbird
CVE #(s): CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0417, CVE-2008-0418, CVE-2008-0419, CVE-2008-0591, CVE-2008-0592, CVE-2008-0593
Created: February 8, 2008
Updated: April 2, 2008
Description: From the Red Hat advisory:
Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419)
Several flaws were found in the way Firefox displayed malformed web content. A webpage containing specially-crafted content could trick a user into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593)
A flaw was found in the way Firefox stored password data. If a user saves login information for a malicious website, it could be possible to corrupt the password database, preventing the user from properly accessing saved password data. (CVE-2008-0417)
A flaw was found in the way Firefox handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious website to steal sensitive session data. Note: this flaw does not affect a default installation of Firefox. (CVE-2008-0418)
A flaw was found in the way Firefox saves certain text files. If a website offers a file of type "plain/text", rather than "text/plain", Firefox will not show future "text/plain" content to the user in the browser, forcing them to save those files locally to view the content. (CVE-2008-0592)
firefox, thunderbird, seamonkey: multiple vulnerabilities
Package(s): firefox, thunderbird, seamonkey
CVE #(s): CVE-2007-3738, CVE-2007-3656, CVE-2007-3670, CVE-2007-3285, CVE-2007-3737, CVE-2007-3089, CVE-2007-3736, CVE-2007-3734, CVE-2007-3735
Created: July 18, 2007
Updated: April 25, 2008
Description:
shutdown and moz_bug_r_a4 reported two separate ways to modify an XPCNativeWrapper such that subsequent access by the browser would result in executing user-supplied code. (CVE-2007-3738)
Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents. It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656)
Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. (CVE-2007-3670)
Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system, potentially leading to unsafe actions such as running a program. This is only accessible locally. (CVE-2007-3285)
An attacker can use an element outside of a document to call an event handler, allowing content to run arbitrary code with chrome privileges. (CVE-2007-3737)
Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading. (CVE-2007-3089)
Mozilla contributor moz_bug_r_a4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site. (CVE-2007-3736)
As part of the Firefox 2.0.0.5 update releases, Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735)