By Jake Edge
May 6, 2009
By now, the escalating battle
between the NoScript and Adblock Plus Firefox extensions is fairly
well-publicized. In fact, the LWN comment thread on the topic
has attracted an enormous number of comments—though many are rather
tangential to the actual issue. While the original dispute has been
settled, there are still a few issues to ponder from that incident.
For those who didn't follow the dispute, a review is probably in
order. Both NoScript and Adblock Plus are meant to assist
users in controlling the content that their browsers display. As their
names imply, NoScript is focused on blocking things like Javascript, Flash,
and the like, whereas Adblock Plus blocks advertisements. There is some
overlap between the two, of course, because much of the advertising on the
web is served via Javascript and/or contains Flash content.
NoScript's author, Giorgio Maone, uses advertising on the NoScript web
pages to help fund development of the extension, which is part of why the
frequently-updated extension opens a tab on the release notes page after an
update. This particular feature—which can be disabled fairly
easily—is quite annoying to some. Part of that annoyance may be
because of the ads on that page. In late April, Adblock Plus added the
NoScript site to its filter list so that its users would no longer see the
ads. That led to an arms race.
The NoScript and Adblock Plus developers went back and forth, with NoScript
circumventing the filters and Adblock Plus adding new filters to block the
ads. This continued until the Adblock Plus filter fundamentally broke the
NoScript site so that users could no longer even see the links to download
NoScript. This sent Maone around the bend, evidently, as his next step was
to add obfuscated code—though the extent of the obfuscation is
disputed—to NoScript that disabled the Adblock Plus filter for his site.
At that point, Adblock Plus author Wladimir Palant wrote a blistering blog
post about the dispute, which brought it to the attention of many.
Maone quickly backed down, offering a detailed and seemingly heartfelt apology.
In the meantime, though, the folks at addons.mozilla.org (AMO) noticed the
problem and are considering
changes to their policy on legitimate extension
behavior.
It should be noted that AMO did not review the NoScript changes (or,
presumably, the Adblock Plus filter changes) before the updates were made
available to users. As Maone explains, once an extension reaches a certain
level of trust, the AMO reviewers do not check updates—they are
approved automatically. It is unclear how that process works exactly, but
given the number of escalating changes both extensions were making over a
short period of time, some kind of minimal oversight might have noticed
that something was amiss.
For someone of malicious intent, as opposed to someone just exhibiting some
incredibly bad judgment, a Firefox extension makes a pretty tempting
target. Much of what goes on inside the browser involves sensitive information
which users do not wish to have exposed (passwords, browsing history,
etc.). If an extension can get to the point where it can push out
"trusted" updates, without any review, that seems rather troubling.
Some distributions—Debian at least—package Firefox extensions
for their users. Though it isn't a foolproof solution, it does add a level
of review to the code before it gets installed. It probably makes sense
for other distributions to consider doing that as well. Changing the AMO
policy is certainly a good idea, but it will hardly protect against
attackers of various sorts.
While there is nothing wrong with supporting development via advertising,
clearly Maone crossed the line. Adblock Plus users specifically want ad
blocking, so turning that functionality off, even "just" for one site, is
plain wrong. Maone seems to recognize that now and this dispute will
hopefully serve as a warning to other extension authors before they allow
their anger to get in the way of their good sense. For the rest of us,
though, it serves as a reminder that we are sometimes, perhaps even
frequently, installing software in our browsers that has had little or no
oversight.
New vulnerabilities
apache: information leak
| Package(s): | apache |
| CVE #(s): | CVE-2009-1191 |
| Created: | May 1, 2009 |
| Updated: | December 7, 2009 |
| Description: |
From the Mandriva advisory: mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request.
|
| Alerts: | |
Apport: arbitrary file removal
| Package(s): | Apport |
| CVE #(s): | CVE-2009-1295 |
| Created: | April 30, 2009 |
| Updated: | May 13, 2009 |
| Description: |
From the Ubuntu alert:
Stephane Chazelas discovered that Apport did not safely remove files from
its crash report directory. If Apport had been enabled at some point, a
local attacker could remove arbitrary files from the system.
|
| Alerts: | |
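The alert does not say which operation in Apport was unsafe, so the following is an added illustration of the bug class rather than Apport's code: a cleaner running as root over a directory that untrusted local users can write to. `naive_prune` is a hypothetical cleanup that canonicalises each entry before deleting it, so a planted symlink redirects the unlink to a file outside the directory; `safe_prune` opens the directory once and does every check and unlink relative to that descriptor, deleting only regular files. The fixture built by `demo` (file names, the "victim" file) is constructed for the example.

```python
import os
import stat
import tempfile


def naive_prune(crash_dir):
    """Hypothetical unsafe cleanup, not Apport's code: canonicalise each
    entry and delete whatever it resolves to.  A symlink planted in the
    shared crash directory redirects the unlink to any file the cleaner's
    uid (typically root) may remove."""
    for name in os.listdir(crash_dir):
        target = os.path.realpath(os.path.join(crash_dir, name))
        if os.path.isfile(target):
            os.unlink(target)


def safe_prune(crash_dir):
    """Delete only regular files that live directly in crash_dir.
    The directory is opened with O_NOFOLLOW and every entry is inspected
    with lstat and unlinked relative to that descriptor, so a symlink, a
    subdirectory, or a concurrent swap of the path cannot point the
    unlink elsewhere.  Returns (deleted, skipped) as sorted name lists."""
    deleted, skipped = [], []
    dfd = os.open(crash_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for name in os.listdir(dfd):
            st = os.lstat(name, dir_fd=dfd)     # never follows symlinks
            if stat.S_ISREG(st.st_mode):
                os.unlink(name, dir_fd=dfd)     # acts on this directory only
                deleted.append(name)
            else:
                skipped.append(name)            # symlink, subdir, fifo, ...
    finally:
        os.close(dfd)
    return sorted(deleted), sorted(skipped)


def demo(prune):
    """Constructed fixture: a crash directory holding one stale report, a
    subdirectory, and a symlink named like a report that points at a file
    outside the directory.  Runs `prune` and reports the outcome."""
    with tempfile.TemporaryDirectory() as base:
        victim = os.path.join(base, "victim.conf")
        crash = os.path.join(base, "crash")
        os.mkdir(crash)
        with open(victim, "w") as f:
            f.write("db_password=hunter2\n")
        with open(os.path.join(crash, "stale.crash"), "w") as f:
            f.write("ProblemType: Crash\n")
        os.mkdir(os.path.join(crash, "subdir"))
        os.symlink(victim, os.path.join(crash, "planted.crash"))
        prune(crash)
        return {"victim_survived": os.path.exists(victim),
                "remaining": sorted(os.listdir(crash))}


if __name__ == "__main__":
    print("naive:", demo(naive_prune))   # victim deleted
    print("safe: ", demo(safe_prune))    # victim intact
```

The descriptor-relative calls (`dir_fd=`) are what close the race: a path string is re-resolved on every call, while an open directory descriptor is pinned to the directory that was checked.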
bash-completion: incorrect metacharacter quoting
| Package(s): | bash-completion |
| CVE #(s): | |
| Created: | May 4, 2009 |
| Updated: | May 6, 2009 |
| Description: |
From the Red Hat bugzilla:
An old Debian bug report
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=259987) indicates that some
bash completions fail to properly quote or escape special characters like ' and
&. Most bash completions are escaped fine, but certain ones (such as aspell)
do not.
|
| Alerts: | |
clamav: incorrect ownership
| Package(s): | clamav |
| CVE #(s): | |
| Created: | May 5, 2009 |
| Updated: | May 6, 2009 |
| Description: |
From the Ubuntu advisory: A flaw was discovered in the clamav-milter
initscript which caused the ownership of the current working directory to
be changed to the 'clamav' user.
|
| Alerts: | |
drupal: multiple vulnerabilities
| Package(s): | drupal |
| CVE #(s): | CVE-2008-3661 |
| Created: | May 4, 2009 |
| Updated: | May 6, 2009 |
| Description: |
From the Drupal advisory:
Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute Javascript in the context of the website if site visitors are allowed to post content.
In addition, Drupal core also has a very limited information disclosure vulnerability under very specific conditions. If a user is tricked into visiting the site via a specially crafted URL and then submits a form (such as the search box) from that page, the information in their form submission may be directed to a third-party site determined by the URL and thus disclosed to the third party. The third party site may then execute a CSRF attack against the submitted form.
|
| Alerts: | |
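The UTF-7 reinterpretation in the first paragraph, as an added Python example that is neither Drupal's code nor its fix: a constructed comment that contains no literal angle brackets, passes a naive escaping filter unchanged, and becomes a script tag once a browser guesses UTF-7. `angle_bracket_escape` is a deliberately minimal filter written for this example, and `utf7_introduces_markup` is an assumed secondary check (does a UTF-7 reading of the input add markup characters that the UTF-8 reading lacks?); the unambiguous charset declaration the advisory mentions remains the primary defence.

```python
import base64


def utf7_shift(text):
    """Encode `text` as one UTF-7 shift sequence, '+<base64 of UTF-16BE>-'
    (RFC 2152).  The result is pure ASCII, so a byte-level filter that
    looks for '<' and '>' finds nothing to escape."""
    b64 = base64.b64encode(text.encode("utf-16-be")).decode("ascii")
    return "+" + b64.rstrip("=") + "-"


def angle_bracket_escape(text):
    """Hypothetical, deliberately naive output filter: only the literal
    '<' and '>' are neutralised."""
    return text.replace("<", "&lt;").replace(">", "&gt;")


def as_utf7(text):
    """The same bytes as a browser that guessed UTF-7 would read them."""
    return text.encode("ascii", "ignore").decode("utf-7", "ignore")


def utf7_introduces_markup(text, special="<>\"'&"):
    """True when re-reading `text` as UTF-7 yields an HTML-significant
    character that the UTF-8 reading does not contain, i.e. the input only
    becomes markup under a charset guess.  Assumed check for this example."""
    alt = as_utf7(text)
    return any(ch in alt and ch not in text for ch in special)


def script_payload():
    """Constructed attacker comment: '<' and '>' replaced by shift
    sequences, every other character left as a UTF-7 direct character."""
    return (utf7_shift("<") + "script" + utf7_shift(">") + "alert(1)"
            + utf7_shift("<") + "/script" + utf7_shift(">"))


if __name__ == "__main__":
    p = script_payload()
    print("stored:  ", p)                        # +ADw-script+AD4-alert(1)+ADw-/script+AD4-
    print("filtered:", angle_bracket_escape(p))  # unchanged: nothing to escape
    print("as UTF-7:", as_utf7(p))               # <script>alert(1)</script>
    print("flagged: ", utf7_introduces_markup(p))
```

The point of `utf7_shift` is that '<' (U+003C) is `00 3C` in UTF-16BE, which is `ADw` in base64, so the eight ASCII bytes `+ADw-` are a perfectly valid UTF-8 string that means `<` only to a UTF-7 decoder.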
gpdf: buffer overflows
| Package(s): | gpdf |
| CVE #(s): | CVE-2009-0195 |
| Created: | May 1, 2009 |
| Updated: | August 18, 2010 |
| Description: |
From the Red Hat advisory: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg).
|
| Alerts: | |
kernel: denial of service
| Package(s): | linux-2.6.24 |
| CVE #(s): | CVE-2008-5701 |
| Created: | May 4, 2009 |
| Updated: | May 7, 2009 |
| Description: |
From the Debian advisory:
Vlad Malov reported an issue on 64-bit MIPS systems where a local
user could cause a system crash by crafting a malicious binary
which makes o32 syscalls with a number less than 4000.
|
| Alerts: | |
kernel: multiple vulnerabilities
| Package(s): | linux-2.6.24 |
| CVE #(s): | CVE-2009-1192, CVE-2009-1242, CVE-2009-1265, CVE-2009-1337, CVE-2009-1338, CVE-2009-1439 |
| Created: | May 4, 2009 |
| Updated: | November 16, 2009 |
| Description: |
From the Debian advisory:
CVE-2009-1192:
Shaohua Li reported an issue in the AGP subsystem that may allow
local users to read sensitive kernel memory due to a leak of
uninitialized memory.
CVE-2009-1242:
Benjamin Gilbert reported a local denial of service vulnerability
in the KVM VMX implementation that allows local users to trigger
an oops.
CVE-2009-1265:
Thomas Pollet reported an overflow in the af_rose implementation
that allows remote attackers to retrieve uninitialized kernel
memory that may contain sensitive data.
CVE-2009-1337:
Oleg Nesterov discovered an issue in the exit_notify function that
allows local users to send an arbitrary signal to a process by
running a program that modifies the exit_signal field and then
uses an exec system call to launch a setuid application.
CVE-2009-1338:
Daniel Hokka Zakrisson discovered that a kill(-1) is permitted to
reach processes outside of the current process namespace.
CVE-2009-1439:
Pavan Naregundi reported an issue in the CIFS filesystem code that
allows remote users to overwrite memory via a long
nativeFileSystem field in a Tree Connect response during mount.
|
| Alerts: | |
libwmf: pointer use-after-free flaw
| Package(s): | libwmf |
| CVE #(s): | CVE-2009-1364 |
| Created: | May 1, 2009 |
| Updated: | December 3, 2009 |
| Description: |
From the Red Hat advisory: A pointer use-after-free flaw was found in the GD graphics library embedded in libwmf. An attacker could create a specially-crafted WMF file that would cause an application using libwmf to crash or, potentially, execute arbitrary code as the user running the application when opened by a victim.
|
| Alerts: | |
memcached: information leak
| Package(s): | memcached |
| CVE #(s): | CVE-2009-1255, CVE-2009-1494 |
| Created: | May 4, 2009 |
| Updated: | August 11, 2009 |
| Description: |
From the Mandriva advisory:
The process_stat function in Memcached prior to 1.2.8 discloses
memory-allocation statistics in response to a stats malloc command,
which allows remote attackers to obtain potentially sensitive
information by sending this command to the daemon's TCP port
(CVE-2009-1255, CVE-2009-1494).
|
| Alerts: | |
moin: cross-site scripting
| Package(s): | moin |
| CVE #(s): | CVE-2009-1482 |
| Created: | May 6, 2009 |
| Updated: | May 11, 2009 |
| Description: |
From the Debian advisory:
It was discovered that the AttachFile action in moin, a python clone of
WikiWiki, is prone to cross-site scripting attacks when renaming
attachments or performing other sub-actions.
|
| Alerts: | |
pam_ssh: information (user account existence) leak
| Package(s): | pam_ssh |
| CVE #(s): | CVE-2009-1273 |
| Created: | May 4, 2009 |
| Updated: | May 6, 2009 |
| Description: |
From the Red Hat bugzilla:
A security flaw was found in the pam_ssh PAM module, which provides user
authentication based on SSH keys. A remote attacker could use this flaw to
determine whether a given username belongs to the set of user accounts
existing on the system, and subsequently perform a dictionary-based
password-guessing attack.
|
| Alerts: | |
prelude-manager: database password in world-readable configuration
| Package(s): | prelude-manager |
| CVE #(s): | |
| Created: | May 4, 2009 |
| Updated: | May 6, 2009 |
| Description: |
From the Fedora advisory:
The configuration file of prelude-manager contains a database password and is
world readable. This update restricts permissions to the root account.
|
| Alerts: | |
quagga: improper assertion
| Package(s): | quagga |
| CVE #(s): | |
| Created: | May 5, 2009 |
| Updated: | May 6, 2009 |
| Description: |
From the Debian advisory: It was discovered that Quagga, an IP routing
daemon, could no longer process the Internet routing table due to broken
handling of multiple 4-byte AS numbers in an AS path. If such a prefix is
received, the BGP daemon crashes with an assert failure, leading to a
denial of service.
|
| Alerts: | |
ruby: denial of service
| Package(s): | ruby |
| CVE #(s): | |
| Created: | May 1, 2009 |
| Updated: | May 6, 2009 |
| Description: |
From the ruby advisory: There is a DoS vulnerability in the REXML library included
in the Ruby Standard Library. A so-called "XML entity explosion" attack
technique can be used for remotely bringing down (disabling) any
application which parses user-provided XML using REXML.
|
| Alerts: | |
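The "entity explosion" the advisory refers to, as an added example that is neither REXML's nor Ruby's code (it is written in Python, the language of the other examples on this page, against the standard library's expat binding): a constructed billion-laughs document of under 1 KiB whose `lol9` entity would expand to 3 GB, and a parser wrapper that costs every internal entity declaration at its fully expanded size while the DTD is still being read, so the parse is refused before a single reference is expanded into the body. The `limit` value and the entity names are choices made for this example.

```python
import re
import xml.parsers.expat as expat

ENTITY_REF = re.compile(r"&([^;\s&]+);")   # &name; inside a replacement text


class EntityExpansionError(ValueError):
    """Raised before the parser expands anything into the document body."""


class BoundedParser:
    """Wrap expat so that the DTD itself is policed: each internal entity
    declaration is costed at the size it would expand to, using the sizes
    of the entities declared before it, and the parse is aborted as soon as
    a declaration (or the accumulated character data) exceeds `limit`
    bytes.  External entities are refused outright."""

    def __init__(self, limit=1_000_000):
        self.limit = limit
        self.sizes = {}          # entity name -> fully expanded length
        self.total = 0           # character data delivered so far
        self.chunks = []
        self.parser = expat.ParserCreate()
        self.parser.EntityDeclHandler = self._entity_decl
        self.parser.CharacterDataHandler = self._chars

    def _entity_decl(self, name, is_param, value, base, system_id,
                     public_id, notation):
        if is_param:
            return
        if value is None:                      # external entity: no fetching
            raise EntityExpansionError("external entity %r refused" % name)
        size, pos = 0, 0
        for m in ENTITY_REF.finditer(value):
            size += m.start() - pos
            pos = m.end()
            # A predefined or undeclared entity counts as its literal
            # length; a declared one costs its expanded length.
            size += self.sizes.get(m.group(1), m.end() - m.start())
        size += len(value) - pos
        self.sizes[name] = size
        if size > self.limit:
            raise EntityExpansionError(
                "entity %r would expand to %d bytes (limit %d)"
                % (name, size, self.limit))

    def _chars(self, data):
        # Second line of defence: a small entity referenced many times.
        self.total += len(data)
        if self.total > self.limit:
            raise EntityExpansionError(
                "document text exceeds %d bytes" % self.limit)
        self.chunks.append(data)

    def parse(self, data):
        """Parse bytes and return the concatenated character data."""
        self.parser.Parse(data, True)
        return "".join(self.chunks)


def billion_laughs(depth=9, fanout=10):
    """Constructed entity-explosion document: lolN is `fanout` copies of
    lolN-1, so lol9 expands to 3 * 10**9 bytes from under 1 KiB of input."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else "lol%d" % (i - 1)
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&%s;" % prev) * fanout))
    doc = ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n%s\n]>\n'
           '<lolz>&lol%d;</lolz>\n' % ("\n".join(decls), depth))
    return doc.encode("ascii")


# Constructed benign document with one small internal entity.
BENIGN = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY co "Example Corp">]>'
          b'<r>Report for &co;</r>')


def try_parse(data, limit=1_000_000):
    """Return ('ok', text) or ('rejected', reason)."""
    try:
        return "ok", BoundedParser(limit).parse(data)
    except EntityExpansionError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(try_parse(BENIGN))
    print(try_parse(billion_laughs()))
```

With a 1 MB budget the bomb is rejected at the `lol6` declaration (3,000,000 bytes), before the parser has seen the document element; the exception raised inside the handler propagates out of `Parse`, so the caller never receives partial output.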
Page editor: Jake Edge