By Jake Edge
November 5, 2008
A company's response to security vulnerabilities is always interesting to watch. Google has the reputation of being fairly cavalier regarding flaws reported in its code; the first security vulnerability reported for the Android mobile phone software appears to follow that pattern. Unfortunately for users of Android phones, though, Google's attitude and relatively slow response might some day lead to an "in the wild" exploit targeting the phones.
The flaw was first reported to Google on October 20 by Independent Security Evaluators (ISE), but was not patched for the G1 phone—the only shipping Android phone—until November 3. Details on the vulnerability are thin, but it affects the web browser and is caused by Google shipping an out-of-date component. Presumably a library or content handler was shipped with a known security flaw that could lead to code execution as the user ID that runs the browser.
It should be noted that compromising the browser does not affect the rest of the phone due to Android's security architecture. Unlike the iPhone, separate applications are run as different users, so that phone functionality is isolated from the browser, instant messaging, and other tools. An iPhone compromise in any application can lead to the attacker being able to make phone calls and get access to private data associated with any application; clearly Google made a better choice than Apple.
One interesting recent development, though, is the availability of an application that provides a root-owned telnet daemon. With that running, a simple telnet gets full access to the phone's filesystem. From there, jailbreaking—circumventing the restrictions placed by a carrier on applications—as well as unlocking the phone from a specific carrier are possible. While it is easy to see how that might be useful for the owner of an Android phone, even though it opens the phone to rather intrusive attacks, it probably is not what T-Mobile (and other carriers down the road) had in mind.
Google's first response to the vulnerability report was to whine that Charlie Miller, who discovered the flaw, was not being "responsible" by talking about it before a fix was ready. Miller did not disclose details, but did report the existence of—along with some general information about—the flaw. Google's previous reputation regarding vulnerability reporting, as well as how it treated Miller, undoubtedly played a role in his decision.
Perhaps the most galling thing is that the flaw was in a free software component that had been updated prior to the Android release to, at least in part, close that hole. It would seem that the Android team was not paying attention to security flaws reported in the free software components that make up the phone software stack. Hopefully, this particular occurrence will serve as a wake-up call on that front.
Given that the fix was already known, it is a bit puzzling that it would take two weeks for updates to become available. It was the first update made for Android phones in the field, but one hopes the bugs in that process were worked out long ago. Overall, Google's response leaves rather a lot to be desired.
If Google wants security researchers to be more "responsible" in their disclosure, it would be well served by looking at its own behavior. Taking too much time to patch a vulnerability—especially one with a known and presumably already tested fix—is not the way to show the security community that it takes such bugs seriously. Whining about disclosure rarely, if ever, goes anywhere; working in a partnership with folks who find security flaws is much more likely to bear fruit.
New vulnerabilities
apache tomcat: restriction bypass
| Package(s): | tomcat5, apache-jakarta-tomcat-connectors |
| CVE #(s): | CVE-2008-3271 |
| Created: | October 31, 2008 |
| Updated: | November 5, 2008 |
| Description: |
From the CVE entry: Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another request but in a different thread, leading to an instance-variable overwrite associated with a "synchronization problem" and lack of thread safety, and related to RemoteFilterValve, RemoteAddrValve, and RemoteHostValve.
dovecot: negative rights in ACL plugin
| Package(s): | dovecot |
| CVE #(s): | CVE-2008-4577 |
| Created: | October 30, 2008 |
| Updated: | September 28, 2009 |
| Description: |
dovecot has a restriction bypass vulnerability. From the vulnerability database entry:
The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
enscript: stack overflows
| Package(s): | enscript |
| CVE #(s): | CVE-2008-3863, CVE-2008-4306 |
| Created: | November 4, 2008 |
| Updated: | December 16, 2008 |
| Description: |
From the Ubuntu alert:
Ulf Härnhammar discovered multiple stack overflows in enscript's handling of special escape arguments. If a user or automated system were tricked into processing a malicious file with the "-e" option enabled, a remote attacker could execute arbitrary code or cause enscript to crash, possibly leading to a denial of service.
graphviz: stack-based buffer overflow
| Package(s): | graphviz |
| CVE #(s): | CVE-2008-4555 |
| Created: | October 31, 2008 |
| Updated: | December 7, 2009 |
| Description: |
From the CVE entry: Stack-based buffer overflow in the push_subg function in parser.y (lib/graph/parser.c) in Graphviz 2.20.2, and possibly earlier versions, allows user-assisted remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a DOT file with a large number of Agraph_t elements.
kernel: buffer overflow
| Package(s): | kernel |
| CVE #(s): | CVE-2008-3496 |
| Created: | November 3, 2008 |
| Updated: | November 5, 2008 |
| Description: |
From the Mandriva advisory:
Buffer overflow in format descriptor parsing in the uvc_parse_format function in drivers/media/video/uvc/uvc_driver.c in uvcvideo in the video4linux (V4L) implementation in the Linux kernel before 2.6.26.1 has unknown impact and attack vectors. (CVE-2008-3496)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-5755 |
| Created: | November 4, 2008 |
| Updated: | November 5, 2008 |
| Description: |
From the Red Hat alert:
A flaw was found in the Linux kernel when running on AMD64 systems. During a context switch, EFLAGS were being neither saved nor restored. This could allow a local unprivileged user to cause a denial of service.
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2008-3527 |
| Created: | November 4, 2008 |
| Updated: | December 16, 2008 |
| Description: |
From the Red Hat alert:
Tavis Ormandy reported missing boundary checks in the Virtual Dynamic Shared Objects (vDSO) implementation. This could allow a local unprivileged user to cause a denial of service or escalate privileges.
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2007-5907 |
| Created: | November 4, 2008 |
| Updated: | November 5, 2008 |
| Description: |
From the Red Hat alert:
The Xen implementation did not prevent applications running in a para-virtualized guest from modifying CR4 TSC. This could cause a local denial of service.
libgadu: denial of service
| Package(s): | libgadu |
| CVE #(s): | CVE-2008-4776 |
| Created: | October 31, 2008 |
| Updated: | December 21, 2010 |
| Description: |
From the CVE entry: libgadu before 1.8.2 allows remote servers to cause a denial of service (crash) via a contact description with a large length, which triggers a buffer over-read.
libtirpc: denial of service
| Package(s): | libtirpc |
| CVE #(s): | CVE-2008-4619 |
| Created: | October 30, 2008 |
| Updated: | November 5, 2008 |
| Description: |
libtirpc performs incorrect handling of negative rights in the ACL plugin. From the Red Hat Bug description:
The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
ndiswrapper: buffer overflow
| Package(s): | ndiswrapper |
| CVE #(s): | CVE-2008-4395 |
| Created: | November 5, 2008 |
| Updated: | March 3, 2009 |
| Description: |
The out-of-tree ndiswrapper kernel module does not properly handle long ESSIDs, enabling remote code-execution attacks.
net-snmp: denial of service
| Package(s): | net-snmp |
| CVE #(s): | CVE-2008-4309 |
| Created: | November 3, 2008 |
| Updated: | July 20, 2009 |
| Description: |
From the Red Hat advisory:
A denial-of-service flaw was found in the way Net-SNMP processes SNMP GETBULK requests. A remote attacker who issued a specially-crafted request could cause the snmpd server to crash. (CVE-2008-4309)
nfs-client: access restriction bypass
| Package(s): | nfs-client |
| CVE #(s): | CVE-2008-4552 |
| Created: | October 30, 2008 |
| Updated: | September 16, 2009 |
| Description: |
nfs-client has an access restriction bypass vulnerability. From the rPath alert:
Previous versions of the nfs-utils package contain a bug that causes NIS netgroup restrictions to be ignored by TCP Wrappers, which may allow remote attackers to bypass intended access restrictions.
openoffice.org: multiple vulnerabilities
| Package(s): | openoffice.org |
| CVE #(s): | CVE-2008-2237, CVE-2008-2238 |
| Created: | October 30, 2008 |
| Updated: | January 13, 2009 |
| Description: |
openoffice.org has two file parser vulnerabilities. From the Debian alert:
CVE-2008-2237: The SureRun Security team discovered a bug in the WMF file parser that can be triggered by manipulated WMF files and can lead to heap overflows and arbitrary code execution.
CVE-2008-2238: An anonymous researcher working with iDefense discovered a bug in the EMF file parser that can be triggered by manipulated EMF files and can lead to heap overflows and arbitrary code execution.
opera: multiple vulnerabilities
| Package(s): | opera |
| CVE #(s): | CVE-2008-4195, CVE-2008-4196, CVE-2008-4197, CVE-2008-4198, CVE-2008-4199, CVE-2008-4200, CVE-2008-4292, CVE-2008-4694, CVE-2008-4695, CVE-2008-4696, CVE-2008-4697, CVE-2008-4698, CVE-2008-4794, CVE-2008-4795 |
| Created: | November 4, 2008 |
| Updated: | November 5, 2008 |
| Description: |
The Opera browser has multiple vulnerabilities. From the Gentoo alert:
Opera does not restrict the ability of a framed web page to change the address associated with a different frame (CVE-2008-4195).
Chris Weber (Casaba Security) discovered a cross-site scripting vulnerability (CVE-2008-4196).
Michael A. Puls II discovered that Opera can produce argument strings that contain uninitialized memory, when processing custom shortcut and menu commands (CVE-2008-4197).
Lars Kleinschmidt discovered that Opera, when rendering an HTTP page that has loaded an HTTPS page into a frame, displays a padlock icon and offers a security information dialog reporting a secure connection (CVE-2008-4198).
Opera does not prevent use of links from web pages to feed source files on the local disk (CVE-2008-4199).
Opera does not ensure that the address field of a news feed represents the feed's actual URL (CVE-2008-4200).
Opera does not check the CRL override upon encountering a certificate that lacks a CRL (CVE-2008-4292).
Chris (Matasano Security) reported that Opera may crash if it is redirected by a malicious page to a specially crafted address (CVE-2008-4694).
Nate McFeters reported that Opera runs Java applets in the context of the local machine, if that applet has been cached and a page can predict the cache path for that applet and load it from the cache (CVE-2008-4695).
Roberto Suggi Liverani (Security-Assessment.com) reported that Opera's History Search results do not escape certain constructs correctly, allowing for the injection of scripts into the page (CVE-2008-4696).
David Bloom reported that Opera's Fast Forward feature incorrectly executes scripts from a page held in a frame in the outermost page instead of the page where the JavaScript URL was located (CVE-2008-4697).
David Bloom reported that Opera does not block some scripts when previewing a news feed (CVE-2008-4698).
Opera does not correctly sanitize content when certain parameters are passed to Opera's History Search, allowing scripts to be injected into the History Search results page (CVE-2008-4794).
Opera's links panel incorrectly causes scripts from a page held in a frame to be executed in the outermost page instead of the page where the URL was located (CVE-2008-4795).
phpMyAdmin: cross-site scripting
| Package(s): | phpMyAdmin |
| CVE #(s): | CVE-2008-4775 |
| Created: | October 31, 2008 |
| Updated: | March 19, 2009 |
| Description: |
From the CVE entry: Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin 3.0.0, and possibly other versions including 2.11.9.2 and 3.0.1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the db parameter, a different vector than CVE-2006-6942 and CVE-2007-5977.
samba: denial of service
| Package(s): | samba |
| CVE #(s): | |
| Created: | November 5, 2008 |
| Updated: | November 5, 2008 |
| Description: |
From the rPath advisory:
Previous versions of the samba package contain a race condition which may lead to a crash of the winbindd daemon (Denial of Service).
Page editor: Jonathan Corbet