By Jake Edge
May 26, 2010
A new type of phishing vulnerability, which relies on users' expectations
that browser tabs don't change once loaded, was recently reported
by Aza Raskin, Mozilla's creative lead for Firefox. Dubbed "tabnabbing"
(also tabjacking and tabnapping among others), the vulnerability is one
that could potentially even catch those who are generally
security-conscious because it exploits a common trend: having many open
tabs and scanning for the "favicon" and title for a web page of interest.
If an attacker can cause a tab to appear to be Gmail, for example,
they may well be able to trick users into entering their credentials.
The individual techniques tabnabbing relies on are not particularly new, but Raskin has
combined them into a plausible attack. The basic idea is that
a user navigates to an attacker-controlled site—or a site vulnerable
to some form of cross-site scripting—and then switches away from that
tab. The page has some code that detects when it loses focus and hasn't
been used in a while. When it detects that, it switches the title,
favicon, and contents of the page to something else entirely.
That "something else entirely" will be a phishing site—one
that looks and acts exactly like a real site, but captures credentials,
credit card numbers, or other sensitive information instead. Users are
likely to choose that tab if they are looking for an open tab corresponding
to the spoofed site. As Raskin puts it: "As the user scans their
many open tabs, the favicon and title act as a strong visual cue—memory is
malleable and moldable and the user will most likely simply think they left
a Gmail tab open." The user is likely to just log in without
thinking twice about it, and once that happens, the attacker's code can
send the credentials off to their site and redirect the browser tab to the
real Gmail.
One thing tabnabbing can't do is to spoof the browser address bar, so
alert users may notice that their Gmail tab has a dodgy, non-Gmail address
associated with it. But how many users actually look after switching to a
tab that they half-expect to be open anyway? While spoofing valid
addresses directly may not be possible, using
Unicode domain names may be a way for the address to look legitimate,
as Raskin notes.
Combining tabnabbing with the CSS browser history
leak could produce a list of sensitive sites the user has
visited—exactly those which might be phished successfully. It is a
fairly insidious attack and one that works in all major browsers. Those
who use the NoScript Firefox extension
are not vulnerable to the standard attack, but they aren't completely
invulnerable either.
Brian Krebs wrote
about Raskin's report on his blog and noted that NoScript stopped
tabnabbing. But in an update, he pointed to Aviv Raff's proof-of-concept
that uses:
    <META HTTP-EQUIV="refresh" ...>
to change the contents of a tab after a timeout expires. That newly loaded
page can have a different favicon and title, which replicates much of the
standard attack.
NoScript author Giorgio Maone comments
on Krebs's blog that he is considering adding functionality to NoScript to
prevent tabs from refreshing themselves to locations other than the current
one. He also notes that Firefox has an option:
"Advanced/[General/]Accessibility/Warn me when web sites try to redirect or
reload the page" that can be enabled to combat this behavior.
For the future, Raskin points to Firefox
Account Manager as a way to help protect users against this kind of
attack. It will take a more active role in protecting users from logging
into lookalike sites.
It is instructive to try out the demos, both at Raskin's and Raff's sites.
Neither does anything actively harmful, but both give a good idea of
how a phishing attack using the technique might work. Even the most wary
might be caught by this one.
Brief items
TSA Officer: A beloved name from the blogosphere.
Me: And I always thought that I slipped through these lines anonymously.
TSA Officer: Don't worry. No one will notice. This isn't the sort of job
that rewards competence, you know.
-- Bruce Schneier
Typically, adware authors install their software on as many machines as
possible. But Typhoid adware comes from another person's computer and
convinces other laptops to communicate with it and not the legitimate
access point. Then the Typhoid adware automatically inserts advertisements
in videos and web pages on the other computers. Meanwhile, the carrier sips
her latté in peace — she sees no advertisements and doesn't
know she is infected — just like symptomless Typhoid Mary.
-- ScienceDaily
New vulnerabilities
barnowl: arbitrary code execution
| Package(s): | barnowl |
| CVE #(s): | CVE-2010-0793 |
| Created: | May 24, 2010 |
| Updated: | May 26, 2010 |
| Description: | From the Debian advisory: It has been discovered that barnowl, a curses-based tty Jabber, IRC, AIM and Zephyr client, is prone to a buffer overflow via its "CC:" handling, which could lead to the execution of arbitrary code. |
| Alerts: | |
cacti: SQL injection and cross-site scripting
dovecot: denial of service
| Package(s): | dovecot |
| CVE #(s): | CVE-2010-0745 |
| Created: | May 21, 2010 |
| Updated: | May 26, 2010 |
| Description: | From the Mandriva advisory: Unspecified vulnerability in Dovecot 1.2.x before 1.2.11 allows remote attackers to cause a denial of service (CPU consumption) via long headers in an e-mail message. |
| Alerts: | |
ghostscript: arbitrary code execution
| Package(s): | ghostscript |
| CVE #(s): | CVE-2010-1869 |
| Created: | May 20, 2010 |
| Updated: | August 30, 2010 |
| Description: | From the Mandriva advisory: Stack-based buffer overflow in the parser function in GhostScript 8.70 and 8.64 allows context-dependent attackers to execute arbitrary code via a crafted PostScript file (CVE-2010-1869). |
| Alerts: | |
glibc: integer overflow
| Package(s): | glibc, eglibc |
| CVE #(s): | CVE-2008-1391 |
| Created: | May 26, 2010 |
| Updated: | October 28, 2010 |
| Description: | The GNU C library suffers from an integer overflow vulnerability, which, it is said, can be exploited to crash applications. |
| Alerts: | |
glibc: privilege escalation
| Package(s): | glibc, eglibc |
| CVE #(s): | CVE-2010-0296, CVE-2010-0830 |
| Created: | May 26, 2010 |
| Updated: | April 15, 2011 |
| Description: | The GNU C library suffers from two privilege escalation vulnerabilities: newline injection in the "mntent" function family, and an input validation problem related to ELF headers. |
| Alerts: | |
gnustep-base: multiple vulnerabilities
| Package(s): | gnustep-base |
| CVE #(s): | CVE-2010-1457, CVE-2010-1620 |
| Created: | May 21, 2010 |
| Updated: | May 26, 2010 |
| Description: | From the CVE entries:
Tools/gdomap.c in gdomap in GNUstep Base before 1.20.0 allows local users to read arbitrary files via a (1) -c or (2) -a option, which prints file contents in an error message. (CVE-2010-1457)
Integer overflow in the load_iface function in Tools/gdomap.c in gdomap in GNUstep Base before 1.20.0 might allow context-dependent attackers to execute arbitrary code via a (1) file or (2) socket that provides configuration data with many entries, leading to a heap-based buffer overflow. (CVE-2010-1620) |
| Alerts: | |
html2ps: directory traversal
| Package(s): | html2ps |
| CVE #(s): | |
| Created: | May 26, 2010 |
| Updated: | May 26, 2010 |
| Description: | The html2ps package suffers from a directory traversal vulnerability which could lead to arbitrary file content disclosure. |
| Alerts: | |
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2010-1162, CVE-2010-1173, CVE-2010-1187, CVE-2010-1437, CVE-2010-1446, CVE-2010-1451 |
| Created: | May 25, 2010 |
| Updated: | April 18, 2011 |
| Description: | From the Debian advisory:
CVE-2010-1162: Catalin Marinas reported an issue in the tty subsystem that allows local attackers to cause a kernel memory leak, possibly resulting in a denial of service.
CVE-2010-1173: Chris Guo from Nokia China and Jukka Taimisto and Olli Jarva from Codenomicon Ltd reported an issue in the SCTP subsystem that allows a remote attacker to cause a denial of service using a malformed init package.
CVE-2010-1187: Neil Hormon reported an issue in the TIPC subsystem. Local users can cause a denial of service by way of a NULL pointer dereference by sending datagrams through AF_TIPC before entering network mode.
CVE-2010-1437: Toshiyuki Okajima reported a race condition in the keyring subsystem. Local users can cause memory corruption via keyctl commands that access a keyring in the process of being deleted, resulting in a denial of service.
CVE-2010-1446: Wufei reported an issue with kgdb on the PowerPC architecture, allowing local users to write to kernel memory. Note: this issue does not affect binary kernels provided by Debian. The fix is provided for the benefit of users who build their own kernels from Debian source.
CVE-2010-1451: Brad Spengler reported an issue on the SPARC architecture that allows local users to execute non-executable pages. |
| Alerts: | |
kolab-horde-framework: unspecified vulnerability
| Package(s): | kolab-horde-framework |
| CVE #(s): | CVE-2009-4824 |
| Created: | May 26, 2010 |
| Updated: | May 26, 2010 |
| Description: | From the singularly unhelpful CVE entry: Unspecified vulnerability in Kolab Webclient before 1.2.0 in Kolab Server before 2.2.3 allows attackers to have an unspecified impact via vectors related to an "image upload form." |
| Alerts: | |
moin: access control bypass
| Package(s): | moin |
| CVE #(s): | CVE-2009-4762 |
| Created: | May 20, 2010 |
| Updated: | May 26, 2010 |
| Description: | From the Ubuntu advisory: It was discovered that MoinMoin incorrectly handled hierarchical access control lists. Users could bypass intended access controls under certain circumstances. |
| Alerts: | |
mysql: multiple vulnerabilities
| Package(s): | mysql |
| CVE #(s): | CVE-2010-1848, CVE-2010-1849, CVE-2010-1850 |
| Created: | May 26, 2010 |
| Updated: | November 16, 2010 |
| Description: | MySQL suffers from an authentication bypass vulnerability (CVE-2010-1848), a denial of service problem (CVE-2010-1849), and a vulnerability to code injection by an authenticated user (CVE-2010-1850). |
| Alerts: | |
openssl: information disclosure
| Package(s): | openssl |
| CVE #(s): | |
| Created: | May 24, 2010 |
| Updated: | May 26, 2010 |
| Description: | From the rPath advisory: A flaw in previous versions of OpenSSL could allow a malicious client to force a ciphersuite not supported by the server to be used for a session between the client and the server, which can result in disclosure of sensitive information. |
| Alerts: | |
postgresql: denial of service
| Package(s): | postgresql |
| CVE #(s): | CVE-2010-0733 |
| Created: | May 24, 2010 |
| Updated: | August 2, 2010 |
| Description: | From the Red Hat advisory: An integer overflow flaw was found in the way PostgreSQL used to calculate the size of the hash table for joined relations. An authenticated database user could create a specially-crafted SQL query which could cause a temporary denial of service (postgres daemon crash) or, potentially, execute arbitrary code with the privileges of the database server. |
| Alerts: | |
postgresql: privilege escalation
| Package(s): | postgresql |
| CVE #(s): | CVE-2010-1975 |
| Created: | May 21, 2010 |
| Updated: | August 2, 2010 |
| Description: | From the CVE entry: PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not properly check privileges during certain RESET ALL operations, which allows remote authenticated users to remove arbitrary parameter settings via a (1) ALTER USER or (2) ALTER DATABASE statement. |
| Alerts: | |
Page editor: Jake Edge