By Jake Edge
June 9, 2010
Browser plugins are a constant source of security vulnerabilities and,
because the browser is one of the most commonly used network applications,
those vulnerabilities tend to affect a lot of users. But users are often
oblivious to the fact that their plugins are not up-to-date. In order to
help combat that problem, Mozilla has created a Plugin Check that will test
the installed browser plugins and report on those that are out of date.
The site was originally launched
last October, but was only set up for Firefox at that time. In May,
Mozilla's director of Firefox development, Johnathan Nightingale, announced
that Plugin Check had added support for the Safari, Chrome, and Opera
browsers. There is also support for Internet Explorer, but only for the
most popular plugins, as each plugin requires custom code due to a lack of
a JavaScript plugin object in IE.
The basic idea is that the page gathers up information about the installed
plugins, including metadata like version numbers, and then checks with a
plugin directory to get the status of each. Mozilla is working with plugin
vendors to keep an updated list of plugins and versions so that it can
report outdated and, importantly, security vulnerable plugins. Mozilla
plans to incorporate this technique into Firefox 3.6, so that users will
get information on updated plugins without having to visit a special page.
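The check described above, reduced to its core logic as an added example (this is not Mozilla's Plugin Check code). A browser page would read `navigator.plugins`; here the installed list and the plugin directory are constructed samples so the comparison runs offline, and the only version taken from this page is the Flash range named in Adobe's advisory below.

```javascript
// Constructed sample of what a page might gather from navigator.plugins.
// Real plugin version strings vary by browser and vendor; a production
// checker would normalize them before comparing.
const installed = [
  { name: "Shockwave Flash", version: "10.0.45.2" },      // range from Adobe's advisory
  { name: "Example Media Plugin", version: "2.3.0" },     // placeholder plugin
  { name: "Example Archive Plugin", version: "5.1" },     // placeholder plugin
  { name: "Example PDF Viewer", version: "1.0" },         // placeholder, not in directory
];

// Constructed stand-in for the vendor-maintained plugin directory. Only the
// Flash "vulnerableUpTo" value comes from this page; the rest are placeholders.
const directory = {
  "Shockwave Flash":       { latest: "10.1", vulnerableUpTo: "10.0.45.2" },
  "Example Media Plugin":  { latest: "2.4.0", vulnerableUpTo: "2.2.9" },
  "Example Archive Plugin": { latest: "5.1", vulnerableUpTo: "5.0.3" },
};

// Compare dotted version strings component by component as numbers, so that
// "10.0.45.2" sorts before "10.1" (a plain string compare would get it wrong).
// Missing trailing components count as 0, so "10.1" equals "10.1.0.0".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Classify each installed plugin: "vulnerable" if inside the advisory range,
// "outdated" if a newer release exists, "current" otherwise, and "unknown"
// when the directory has no entry for it (the user should still be told).
function checkPlugins(plugins, dir) {
  return plugins.map(({ name, version }) => {
    const entry = dir[name];
    if (!entry) return { name, version, status: "unknown" };
    let status = "current";
    if (compareVersions(version, entry.vulnerableUpTo) <= 0) status = "vulnerable";
    else if (compareVersions(version, entry.latest) < 0) status = "outdated";
    return { name, version, status };
  });
}

for (const r of checkPlugins(installed, directory)) {
  console.log(`${r.name} ${r.version}: ${r.status}`);
}
```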
While one could easily claim that it isn't Mozilla's—or any other
browser developer's—responsibility to help ensure that these
third-party plugins are current, it is a very nice public service. As
Nightingale points out, "plugin safety is an issue for the web as a
whole". One need only consider the security track record of the
most common plugin—Adobe's Flash—to recognize that there have
been some fairly nasty, and exploitable, plugin holes over the years.
Undoubtedly there will be more in Flash, as well as other plugins, down the
road.
For Firefox users, the Plugin Check will eventually be moot. One would
hope that other browser developers would also consider adding this
feature—they
should be able to use the same plugin database that Mozilla has, as the
project is open.
Until that time, though, users need to find out about, and visit, the
Plugin Check page.
There are a variety of
Plugin Check web badges available to help inform users about the
service. In addition, the page has useful
information about plugins and why it is important to keep them updated.
That text is, as it should be, geared toward those who may not even realize
their browser has any plugins installed, or even that there is some
difference between a browser and a plugin. After all, those are the folks
who are most likely to be browsing with outdated plugins—perhaps as
many as 80%
of web users.
User education is an important part of keeping systems secure. While Linux
users have, in general, not been targeted by most of the
malware—plugin-based or not—out there, that's no good reason to
be cavalier about keeping one's software updated. In addition, most Linux
users know, perhaps live with, one or more users of other operating systems and
browsers. Regularly visiting the Plugin Check page (at least until browsers
automatically do that checking), as well as recommending it to others,
could go a long way toward reducing the threat from plugin vulnerabilities.
Comments (9 posted)
Brief items
Even more worrisome is how rapidly these threats are hitting smartphones in
comparison to the desktop: What took 15 years to evolve with the desktop
machine is happening practically overnight in mobile handsets, security
experts say. "We call this the 1999 factor: It feels like about 10 years
ago in terms of prevalence of threats. There was a tipping point between
2000 and 2002 [for PC threats] that was driven by broadband" and more
consumers going online, according to John Hering, CEO and founder of
Lookout, formerly Flexilis. "The same trends are going to hold true here
[with smartphones]."
-- Dark Reading
Comments (none posted)
Adobe has reported a vulnerability in Flash Player 10.0.45.2 (and earlier),
including the Linux version. "This vulnerability could cause a crash and
potentially allow an attacker to take control of the affected system." There
is a Flash Player 10.1 Release Candidate that does not appear to be
vulnerable.
Comments (19 posted)
New vulnerabilities
bind9: DNS cache poisoning
| Package(s): | bind9 |
| CVE #(s): | CVE-2010-0382 |
| Created: | June 7, 2010 |
| Updated: | June 16, 2010 |
| Description: | From the Debian advisory: When processing certain responses containing out-of-bailiwick data, BIND is subject to a DNS cache poisoning vulnerability, provided that DNSSEC validation is enabled and trust anchors have been installed. |
Comments (none posted)
exim: privilege escalation
| Package(s): | exim |
| CVE #(s): | CVE-2010-2023, CVE-2010-2024 |
| Created: | June 9, 2010 |
| Updated: | April 13, 2011 |
| Description: | From the CVE entries: transports/appendfile.c in Exim before 4.72, when a world-writable sticky-bit mail directory is used, does not verify the st_nlink field of mailbox files, which allows local users to cause a denial of service or possibly gain privileges by creating a hard link to another user's file. (CVE-2010-2023) transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/. (CVE-2010-2024) |
Comments (7 posted)
gnutls: denial of service
| Package(s): | gnutls12 |
| CVE #(s): | CVE-2006-7239 |
| Created: | June 4, 2010 |
| Updated: | June 10, 2010 |
| Description: | From the Ubuntu advisory: It was discovered that GnuTLS did not always properly verify the hash algorithm of X.509 certificates. If an application linked against GnuTLS processed a crafted certificate, an attacker could make GnuTLS dereference a NULL pointer and cause a DoS via application crash. |
Comments (1 posted)
java: unspecified vulnerability
| Package(s): | sun-jre-bin |
| CVE #(s): | CVE-2010-0850 |
| Created: | June 4, 2010 |
| Updated: | June 9, 2010 |
| Description: | From the CVE entry: Unspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. |
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | linux, linux-source-2.6.15 |
| CVE #(s): | CVE-2010-1148, CVE-2010-1488 |
| Created: | June 3, 2010 |
| Updated: | September 23, 2010 |
| Description: | From the Ubuntu advisory: Eugene Teo discovered that CIFS did not correctly validate arguments when creating new files. A local attacker could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges if mmap_min_addr was not set. (CVE-2010-1148) Oleg Nesterov discovered that the Out-Of-Memory handler did not correctly handle certain arrangements of processes. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-1488) |
Comments (none posted)
openoffice.org: arbitrary code execution
| Package(s): | openoffice.org |
| CVE #(s): | CVE-2010-0395 |
| Created: | June 7, 2010 |
| Updated: | June 16, 2010 |
| Description: | From the Debian advisory: It was discovered that OpenOffice.org, a full-featured office productivity suite that provides a near drop-in replacement for Microsoft(R) Office, is not properly handling python macros embedded in an office document. This allows an attacker to perform user-assisted execution of arbitrary code in certain use cases of the python macro viewer component. |
Comments (none posted)
perl: restriction bypass
| Package(s): | perl |
| CVE #(s): | CVE-2010-1168 |
| Created: | June 8, 2010 |
| Updated: | November 21, 2011 |
| Description: | From the Red Hat advisory: The Safe module did not properly restrict the code of implicitly called methods (such as DESTROY and AUTOLOAD) on implicitly blessed objects returned as a result of unsafe code evaluation. These methods could have been executed unrestricted by Safe when such objects were accessed or destroyed. A specially-crafted Perl script executed inside of a Safe compartment could use this flaw to bypass intended Safe module restrictions. |
Comments (none posted)
postgresql: arbitrary code execution
| Package(s): | postgresql-server |
| CVE #(s): | CVE-2010-1447 |
| Created: | June 4, 2010 |
| Updated: | July 5, 2011 |
| Description: | From the CVE entry: PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedures, which might allow remote attackers to execute arbitrary Perl code via a crafted script, related to the Safe module (aka Safe.pm) for Perl. |
Comments (none posted)
vlc: arbitrary code execution
| Package(s): | vlc |
| CVE #(s): | |
| Created: | June 4, 2010 |
| Updated: | June 9, 2010 |
| Description: | From the Pardus advisory: VLC media player suffers from various vulnerabilities when attempting to parse malformatted or overly long byte streams. If successful, a malicious third party could crash the player instance or perhaps execute arbitrary code within the context of VLC media player. |
Comments (none posted)
xinha: restriction bypass
| Package(s): | xinha |
| CVE #(s): | CVE-2010-1916 |
| Created: | June 9, 2010 |
| Updated: | June 17, 2010 |
| Description: | From the CVE entry: The dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 and earlier, as used in Serendipity 1.5.2 and earlier, allows remote attackers to bypass intended access restrictions and modify the configuration of arbitrary plugins via (1) crafted backend_config_secret_key_location and backend_config_hash parameters that are used in a SHA1 hash of a shared secret that can be known or externally influenced, which are not properly handled by the "Deprecated config passing" feature; or (2) crafted backend_data and backend_data[key_location] variables, which are not properly handled by the xinha_read_passed_data function. NOTE: this can be leveraged to upload and possibly execute arbitrary files via config.inc.php in the ImageManager plugin. |
Comments (none posted)
zikula: multiple vulnerabilities
| Package(s): | zikula |
| CVE #(s): | CVE-2010-1724, CVE-2010-1732 |
| Created: | June 8, 2010 |
| Updated: | June 9, 2010 |
| Description: | From the CVE entries: Multiple cross-site scripting (XSS) vulnerabilities in Zikula Application Framework 1.2.2, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) func parameter to index.php, or the (2) lang parameter to index.php, which is not properly handled by ZLanguage.php. (CVE-2010-1724) Cross-site request forgery (CSRF) vulnerability in the users module in Zikula Application Framework before 1.2.3 allows remote attackers to hijack the authentication of administrators for requests that change the administrator email address (updateemail action). (CVE-2010-1732) |
Comments (none posted)
zonecheck: cross-site scripting
| Package(s): | zonecheck |
| CVE #(s): | CVE-2010-2052, CVE-2010-2155, CVE-2009-4882 |
| Created: | June 7, 2010 |
| Updated: | June 9, 2010 |
| Description: | From the Debian advisory: It was discovered that in zonecheck, a tool to check DNS configurations, the CGI does not perform sufficient sanitation of user input; an attacker can take advantage of this and pass script code in order to perform cross-site scripting attacks. |
Comments (none posted)
Page editor: Jake Edge