Security
By Jake Edge June 2, 2011
The Android permission system for applications ("apps" these days) is an all-or-nothing affair;
one can either grant all the permissions that the app asks for, or
deny them and not install it. While it is useful to know what permissions
are being granted, it would be even more useful for security and privacy
conscious users to be able to selectively deny certain
permissions—especially those that have no clear connection to the
proper functioning of the app. The CyanogenMod (CM) alternate Android
firmware has had this ability in its tree since mid-May, but a newer patch
that builds on that functionality has been met with resistance from a
somewhat surprising direction.
The original patch from Plamen
K. Kosseff to add
permission revoking was accepted after working out some difficulties with
apps that crashed when they didn't have the permissions they expected. In
addition, enabling permission revocation involves a setting in the
"Performance Settings" menu of CM configuration, which means that the project is
free to ignore any bug reports generated from the feature. Kosseff then
went on to post a patch for
review building on that earlier work, and allowing users to allow
certain permissions in a "spoofed" mode. The specific example he used was
to spoof the phone's International
Mobile Equipment Identity (IMEI) number, rather than allow an app
access to the real IMEI—that didn't sit well with some CM developers,
including CM founder Steve Kondik.
The choice to start by spoofing the IMEI was perhaps unfortunate, as
Kosseff has ideas for other, probably less-controversial privacy features.
For example, in the comments on the patch he describes other possible uses,
including restricting what information in the contacts list gets handed to
apps, or only showing a portion of the SD card contents to apps. Either of
those would be an obvious privacy improvement, and one that shouldn't cause
any problems for app developers.
The main objection to returning a bogus IMEI value (or the related idea of
returning a bogus SIM ID and phone number) is that app developers use that
information for data-gathering purposes. While that data gathering might
be used for malicious purposes, the clear sense from the comments on the
patch is that most app developers
are using it for demographic and usage information that is, at least
relatively, benign. Kondik and others are concerned that creating a
"hostile environment" for app developers will lead to problems for CM,
either from the app developers themselves or from larger organizations like
Google, handset makers, and cellular service providers.
But, as Kosseff asks, shouldn't the user be able to make the
decision about what information they share with apps? For IMEI and related
information, the answer from the CM developers seems to be "no". It seems
somewhat counter-intuitive that a phone distribution with the goal of
unlocking the full potential of the hardware would draw that particular
line. Others, perhaps the Guardian
project for example, are likely to take a different stance.
Part of the issue is that it is unclear what is "owed" to the app
developers for use of their code. For paid apps, the line is a little less
blurry, as one can expect that those developers aren't owed any more than
was paid. For gratis apps, things get a little more hazy. If one grants
permission to see the contact list to the latest bouncing cow game, is it
reasonable to revoke that permission, or to provide an empty list? In
addition, many gratis apps use the network permission to grab
advertisements to show within the app. That is part of the revenue model
the developer is using to fund app development, so is it fair to turn that
off? On the flip side, should the app refuse to run if it can't call home
for ads?
There aren't necessarily any easy answers to some of those questions.
Avoiding apps that request more permissions than they really need is
certainly one way around the problem, but the permissions aren't really
fine-grained enough to prevent abuse. If one grants an ebook reading app
permission to use the SD card (presumably to store any books that are being
read), does that mean it should be able to go poke around and see what
other ebook apps are being used? It will also presumably need network
permissions to grab content from various places; can it also use them to phone
home with a copy of one's reading habits?
This is yet another area where free (as in freedom) software can help.
There are certainly plenty of users who will be happy to play an
ad-supported bouncing cows game, without disabling the network out from
under it, if they are sure that the game isn't using its permissions for
ill. Likewise, there are plenty of legitimate reasons that an app might
need to access the contact list, so long as one can be sure that it isn't
sending the contents to spammers (of the voice, SMS, IM, or email kind).
For most consumers, any of these safeguards are essentially pointless. As
we have seen in the consumer PC world, users will install almost anything,
from anywhere, even overriding security warnings from the OS, if it will
get them the latest game, mouse cursor, or video content. There's not much
hope of changing that, but for the rest of us, who might just care about
the data we store on our phones, having more control over the permissions
we grant to apps will go a long way toward solving these kinds of
problems. A rich ecosystem of free software apps would go even further.
Comments (14 posted)
Brief items
'apply jipsam algorithm'. This is a crypto module that isn't in mainline
(and apparently doesn't exist outside North Korea). I bet it's good
though. No backdoor master keys or anything similar.
-- Dave Jones roots through the Red Star Linux kernel changelog
I'm talking about instances where the government is relying on secret
interpretations of what the law says without telling the public what those
interpretations are, and the reliance on secret interpretations of the law
is growing.
-- US Senator Ron Wyden in Wired on the "secret" Patriot Act
Comments (4 posted)
New vulnerabilities
bind9: denial of service
| Package(s): | bind9 |
| CVE #(s): | CVE-2011-1910 |
| Created: | May 31, 2011 |
| Updated: | November 18, 2011 |
| Alerts: | |

Description: From the Debian advisory:

It was discovered that BIND, an implementation of the DNS protocol,
does not correctly process certain large RRSIG record sets in DNSSEC
responses. The resulting assertion failure causes the name server
process to crash, making name resolution unavailable.
Comments (none posted)
chromium-browser: multiple vulnerabilities
| Package(s): | chromium-browser |
| CVE #(s): | CVE-2011-1292, CVE-2011-1293, CVE-2011-1440, CVE-2011-1444, CVE-2011-1797, CVE-2011-1799 |
| Created: | May 31, 2011 |
| Updated: | June 2, 2011 |
| Alerts: | |

Description: From the Debian advisory:

CVE-2011-1292: Use-after-free vulnerability in the frame-loader implementation in Google Chrome allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
CVE-2011-1293: Use-after-free vulnerability in the HTMLCollection implementation in Google Chrome allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
CVE-2011-1440: Use-after-free vulnerability in Google Chrome allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the ruby element and Cascading Style Sheets (CSS) token sequences.
CVE-2011-1444: Race condition in the sandbox launcher implementation in Google Chrome on Linux allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
CVE-2011-1797: Google Chrome does not properly render tables, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer."
CVE-2011-1799: Google Chrome does not properly perform casts of variables during interaction with the WebKit engine, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
Comments (none posted)
citadel: denial of service
| Package(s): | citadel |
| CVE #(s): | CVE-2011-1756 |
| Created: | June 1, 2011 |
| Updated: | June 2, 2011 |
| Alerts: | |

Description: From the Debian advisory:

Wouter Coekaerts discovered that the jabber server component of citadel,
a complete and feature-rich groupware server, is vulnerable to the so-called
"billion laughs" attack because it does not prevent entity expansion on
received data. This allows an attacker to perform denial of service
attacks against the service by sending specially crafted XML data to it.
Comments (none posted)
dovecot: denial of service, possible mailbox corruption
| Package(s): | dovecot |
| CVE #(s): | CVE-2011-1929 |
| Created: | May 26, 2011 |
| Updated: | September 23, 2011 |
| Alerts: | |

Description: From the Mandriva advisory:

lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and
2.0.x before 2.0.13 does not properly handle '\0' (NUL) characters
in header names, which allows remote attackers to cause a denial of
service (daemon crash or mailbox corruption) via a crafted e-mail
message (CVE-2011-1929).
Comments (none posted)
ejabberd: denial of service
| Package(s): | ejabberd |
| CVE #(s): | CVE-2011-1753 |
| Created: | June 1, 2011 |
| Updated: | June 30, 2011 |
| Alerts: | |

Description: From the Debian advisory:

Wouter Coekaerts discovered that ejabberd, a distributed XMPP/Jabber server
written in Erlang, is vulnerable to the so-called "billion laughs" attack
because it does not prevent entity expansion on received data.
This allows an attacker to perform denial of service attacks against the
service by sending specially crafted XML data to it.
Comments (none posted)
eucalyptus, rampart: code execution
| Package(s): | eucalyptus, rampart |
| CVE #(s): | CVE-2011-0730 |
| Created: | May 26, 2011 |
| Updated: | June 2, 2011 |
| Alerts: | |

Description: From the Ubuntu advisory:

Juraj Somorovsky, Jorg Schwenk, Meiko Jensen and Xiaofeng Lou discovered
that Eucalyptus did not properly validate SOAP requests. An unauthenticated
remote attacker could exploit this to submit arbitrary commands to the
Eucalyptus SOAP interface in the context of an authenticated user.
Comments (none posted)
gdm: uncontrolled access to local filesystem
| Package(s): | gdm |
| CVE #(s): | CVE-2011-1709 |
| Created: | June 1, 2011 |
| Updated: | June 7, 2011 |
| Alerts: | |

Description: From the Red Hat Bugzilla entry:

Henne Vogelsang discovered that, as of glib 2.28, it was possible to run the
default web browser (usually Firefox) in the GDM session, as the gdm user.
This resulted in uncontrolled access to the local file system and possibly
other resources as the gdm user. This is because glib 2.28 has changed the way
URI handlers are registered; while it used to be controlled via gconf settings,
it now is controlled via x-scheme-handler/<scheme> mime types (e.g.
x-scheme-handler/http).
Comments (none posted)
gimp: arbitrary code execution
| Package(s): | gimp |
| CVE #(s): | CVE-2011-1178 |
| Created: | May 31, 2011 |
| Updated: | September 28, 2012 |
| Alerts: | |

Description: From the Red Hat advisory:

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the GIMP's Microsoft Windows Bitmap (BMP) and Personal Computer
eXchange (PCX) image file plug-ins. An attacker could create a
specially-crafted BMP or PCX image file that, when opened, could cause the
relevant plug-in to crash or, potentially, execute arbitrary code with the
privileges of the user running the GIMP.
Comments (none posted)
gimp: arbitrary code execution
| Package(s): | gimp |
| CVE #(s): | CVE-2011-1782 |
| Created: | May 31, 2011 |
| Updated: | August 22, 2011 |
| Alerts: | |

Description: From the Mandriva advisory:

Heap-based buffer overflow in the read_channel_data function in
file-psp.c in the Paint Shop Pro (PSP) plugin in GIMP 2.6.11 allows
remote attackers to cause a denial of service (application crash)
or possibly execute arbitrary code via a PSP_COMP_RLE (aka RLE
compression) image file that begins a long run count at the end of
the image.
Comments (none posted)
jabberd14: denial of service
| Package(s): | jabberd14 |
| CVE #(s): | CVE-2011-1754 |
| Created: | June 1, 2011 |
| Updated: | June 2, 2011 |
| Alerts: | |

Description: From the Debian advisory:

Wouter Coekaerts discovered that jabberd14, an instant messaging server
using the Jabber/XMPP protocol, is vulnerable to the so-called
"billion laughs" attack because it does not prevent entity expansion on
received data. This allows an attacker to perform denial of service
attacks against the service by sending specially crafted XML data to it.
Comments (none posted)
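The three "billion laughs" entries above (citadel, ejabberd and jabberd14) share one root cause: an XML receiver that honours DTD entity declarations in data arriving from the network. As an added example, not code from any of those projects, here is a Python receiver built on the standard expat bindings that refuses the DTD machinery before any expansion can start; the stanza names and both sample documents are constructed for the demonstration.

```python
import xml.parsers.expat


class EntityExpansionRejected(Exception):
    """Raised when data from the network tries to declare a DTD or entities."""


# Constructed sample input: a benign XMPP-style stanza with no DTD at all.
BENIGN_STANZA = b'<message to="alice@example.net"><body>hello</body></message>'

# Constructed sample input: a tiny entity-nesting document of the kind the
# advisories describe (two levels only; the danger comes from deep nesting,
# which is exactly why the receiver refuses any DOCTYPE up front).
ENTITY_STANZA = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;">]>'
    b'<message><body>&b;</body></message>'
)


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML from an untrusted peer and return the element names seen.

    A DOCTYPE or any entity declaration aborts the parse before expansion can
    begin, so parsing cost stays proportional to the bytes actually received.
    """
    parser = xml.parsers.expat.ParserCreate()
    names = []

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise EntityExpansionRejected("DOCTYPE refused: %s" % doctype_name)

    def reject_entity(entity_name, is_parameter_entity, value, base,
                      system_id, public_id, notation_name):
        raise EntityExpansionRejected("entity declaration refused: %s" % entity_name)

    parser.StartDoctypeDeclHandler = reject_doctype
    # Defence in depth behind the DOCTYPE check: no declaration ever registers.
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def is_safe_to_process(data: bytes) -> bool:
    """True when the data parsed without touching any DTD machinery."""
    try:
        parse_untrusted_xml(data)
    except (EntityExpansionRejected, xml.parsers.expat.ExpatError):
        return False
    return True
```

Exceptions raised inside expat handlers propagate out of `Parse`, so the rejection happens at the first DOCTYPE byte and the entity bodies are never expanded.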
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2011-1166, CVE-2011-1763 |
| Created: | May 31, 2011 |
| Updated: | November 7, 2011 |
| Alerts: | |

Description: From the Red Hat advisory:

* Missing error checking in the way page tables were handled in the Xen
hypervisor implementation could allow a privileged guest user to cause the
host, and the guests, to lock up. (CVE-2011-1166, Moderate)
* A flaw was found in the way the Xen hypervisor implementation checked for
the upper boundary when getting a new event channel port. A privileged
guest user could use this flaw to cause a denial of service or escalate
their privileges. (CVE-2011-1763, Moderate)
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | linux, linux-ec2 |
| CVE #(s): | CVE-2011-0463, CVE-2011-1083 |
| Created: | June 1, 2011 |
| Updated: | November 5, 2012 |
| Alerts: | |

Description: From the Ubuntu advisory:

Goldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly
clear memory when writing certain file holes. A local attacker could
exploit this to read uninitialized data from the disk, leading to a loss
of privacy. (CVE-2011-0463)

Nelson Elhage discovered that the epoll subsystem did not correctly handle
certain structures. A local attacker could create malicious requests that
would consume large amounts of CPU, leading to a denial of service.
(CVE-2011-1083)
Comments (none posted)
libmodplug: stack overflow
| Package(s): | libmodplug |
| CVE #(s): | CVE-2011-1761 |
| Created: | May 31, 2011 |
| Updated: | August 25, 2011 |
| Alerts: | |

Description: From the openSUSE advisory:

Specially crafted files could cause a stack overflow in
libmodplug (CVE-2011-1761). libmodplug version 0.8.8.3
fixes the problem.
Comments (none posted)
mahara: multiple vulnerabilities
| Package(s): | mahara |
| CVE #(s): | CVE-2011-1402, CVE-2011-1403, CVE-2011-1404, CVE-2011-1405, CVE-2011-1406 |
| Created: | May 31, 2011 |
| Updated: | June 2, 2011 |
| Alerts: | |

Description: From the Debian advisory:

CVE-2011-1402: It was discovered that previous versions of Mahara did not check user credentials before adding a secret URL to a view or suspending a user.
CVE-2011-1403: Due to a misconfiguration of the Pieform package in Mahara, the cross-site request forgery protection mechanism that Mahara relies on to harden its forms was not working and was essentially disabled. This is a critical vulnerability which could allow attackers to trick other users (for example administrators) into performing malicious actions on behalf of the attacker. Most Mahara forms are vulnerable.
CVE-2011-1404: Many of the JSON structures returned by Mahara for its AJAX interactions included more information than what ought to be disclosed to the logged in user. New versions of Mahara limit this information to what is necessary for each page.
CVE-2011-1405: Previous versions of Mahara did not escape the contents of HTML emails sent to users. Depending on the filters enabled in one's mail reader, it could lead to cross-site scripting attacks.
CVE-2011-1406: It has been pointed out to us that if Mahara is configured (through its wwwroot variable) to use HTTPS, it will happily let users log in via the HTTP version of the site if the web server is configured to serve content over both protocols. The new version of Mahara will, when the wwwroot points to an HTTPS URL, automatically redirect to HTTPS if it detects that it is being run over HTTP.
Comments (none posted)
mumble: denial of service
| Package(s): | mumble |
| CVE #(s): | |
| Created: | May 26, 2011 |
| Updated: | June 7, 2011 |
| Alerts: | |

Description: From the Red Hat Bugzilla entry:

Luigi Auriemma reported a deficiency in the way Mumble server processed
malformed SQL query data. A remote, authenticated user could use this flaw
to cause a denial of service (mumble server termination) via a
specially-crafted QueryUsers Qt SQLite SQL query.
Comments (none posted)
pam: denial of service
| Package(s): | pam |
| CVE #(s): | CVE-2010-4707 |
| Created: | May 31, 2011 |
| Updated: | June 2, 2011 |
| Alerts: | |

Description: From the Ubuntu advisory:

It was discovered that the PAM pam_xauth module incorrectly verified
certain file properties. A local attacker could use this flaw to cause a
denial of service.
Comments (none posted)
perl-libwww-perl: man-in-the-middle attack
| Package(s): | perl-libwww-perl |
| CVE #(s): | CVE-2011-0633 |
| Created: | May 31, 2011 |
| Updated: | June 2, 2011 |
| Alerts: | |

Description: From the CVE entry:

The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned.
Comments (none posted)
php-zendframework: SQL injection
| Package(s): | php-ZendFramework |
| CVE #(s): | |
| Created: | May 31, 2011 |
| Updated: | June 3, 2011 |
| Alerts: | |

Description: From the Fedora advisory:

Potential SQL Injection Vector When Using PDO_MySql
Comments (none posted)
rssh: privilege escalation
| Package(s): | rssh |
| CVE #(s): | |
| Created: | May 31, 2011 |
| Updated: | June 2, 2011 |
| Alerts: | |

Description: From the rssh advisory:

John Barber reported a problem where, if the system administrator misconfigures rssh by providing too few access bits in the configuration file, the user will be given default permissions (scp) to the entire system, potentially circumventing any configured chroot. Fixing this required a behavior change: In the past, using rssh without a config file would give all users default access to use scp on an unchrooted system. In order to correct the reported bug, this feature has been eliminated, and you must now have a valid configuration file. If no config file exists, all users will be locked out.
Comments (none posted)
subversion: multiple vulnerabilities
| Package(s): | subversion |
| CVE #(s): | CVE-2011-1752, CVE-2011-1783, CVE-2011-1921 |
| Created: | June 2, 2011 |
| Updated: | September 5, 2011 |
| Alerts: | |

Description: From the Debian advisory:

CVE-2011-1752: The mod_dav_svn Apache HTTPD server module can be crashed when asked to deliver baselined WebDAV resources.
CVE-2011-1783: The mod_dav_svn Apache HTTPD server module can trigger a loop which consumes all available memory on the system.
CVE-2011-1921: The mod_dav_svn Apache HTTPD server module may leak to remote users the file contents of files configured to be unreadable by those users.
Comments (none posted)
systemtap: denial of service
| Package(s): | systemtap |
| CVE #(s): | CVE-2011-1781, CVE-2011-1769 |
| Created: | May 27, 2011 |
| Updated: | October 17, 2011 |
| Alerts: | |

Description: From the Fedora advisory:

Two divide-by-zero flaws were found in the way systemtap interpreted certain
corrupted DWARF expressions. A privileged user able to execute arbitrary
systemtap scripts could be tricked into triggering this flaw to crash the
target machine. An unprivileged user (in the stapusr group) may be able to
trigger this flaw to crash the target machine, only if unprivileged mode was
enabled by the system administrator.
Comments (none posted)
unbound: design flaw
| Package(s): | unbound |
| CVE #(s): | CVE-2009-4008 |
| Created: | May 31, 2011 |
| Updated: | June 2, 2011 |
| Alerts: | |

Description: From the Debian advisory:

It was discovered that Unbound, a caching DNS resolver, ceases to
provide answers for zones signed using DNSSEC after it has processed a
crafted query.
Comments (none posted)
unbound: denial of service
| Package(s): | unbound |
| CVE #(s): | CVE-2011-1922 |
| Created: | May 31, 2011 |
| Updated: | October 17, 2011 |
| Alerts: | |

Description: From the Fedora advisory:

Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run
as a server, but are linked into an application) are easily possible.
Denial of Service fix.
Comments (none posted)
wireshark: multiple vulnerabilities
| Package(s): | wireshark |
| CVE #(s): | |
| Created: | June 1, 2011 |
| Updated: | June 2, 2011 |
| Alerts: | |

Description: From the Mandriva advisory:

This advisory updates wireshark to the latest version (1.2.17),
fixing several security issues:
* Large/infinite loop in the DICOM dissector. (Bug 5876) Versions
affected: 1.2.0 to 1.2.16 and 1.4.0 to 1.4.6.
* Huzaifa Sidhpurwala of the Red Hat Security Response Team
discovered that a corrupted Diameter dictionary file could crash
Wireshark. Versions affected: 1.2.0 to 1.2.16 and 1.4.0 to 1.4.6.
* Huzaifa Sidhpurwala of the Red Hat Security Response Team discovered
that a corrupted snoop file could crash Wireshark. (Bug 5912) Versions
affected: 1.2.0 to 1.2.16 and 1.4.0 to 1.4.6.
* David Maciejak of Fortinet's FortiGuard Labs discovered that
malformed compressed capture data could crash Wireshark. (Bug 5908)
Versions affected: 1.2.0 to 1.2.16 and 1.4.0 to 1.4.6.
* Huzaifa Sidhpurwala of the Red Hat Security Response Team discovered
that a corrupted Visual Networks file could crash Wireshark. (Bug 5934)
Versions affected: 1.2.0 to 1.2.16 and 1.4.0 to 1.4.6.
Comments (none posted)
Page editor: Jake Edge