Security

Security implications for user interface changes?

By Jake Edge
November 28, 2012

Free software users are not generally known for their quiet acceptance of user interface changes. Many changes to the UI of desktop environments or popular applications lead to long and loud threads from users—with some percentage of those users claiming they will move to an alternative rather than "put up" with the change. But what happens if the alternative is to stick with an earlier, unsupported version of the application? That's the question that came up in a short, but interesting, thread on the Mozilla security mailing list.

Plans for Firefox to remove the "tabs on bottom" feature have so incensed a vocal subset of users (see this bug report or this lengthy thread on the mozilla.dev.apps.firefox group) that they don't plan to upgrade the browser once this change is implemented. For many releases now, Firefox has had its tabs below the controls and "awesome bar", which is the behavior called "tabs on bottom". More recent versions have had a "Tabs on top" toggle in the toolbar configuration, which moves the tabs to just below the menu (and above the controls and awesome bar). The toggle is slated for removal, with tabs on top becoming the default. The old behavior will still be available by setting browser.tabs.onTop to false in about:config, but users are concerned that will eventually disappear as well.

The ferocity of the arguments against moving the tabs (and removing the toggle) led Zack Weinberg to suggest keeping the toggle and feature:

Obviously, refusing to upgrade Firefox opens up these users to serious security risks. I would like to suggest that we put that toggle back in, and commit to preserving tabs-on-bottom mode for the foreseeable future, *just because* it will encourage this upset minority of users to continue upgrading. Remember that the actual size of the upset minority here is probably at least 100x larger than the number of people who have gone to the trouble of complaining about it in the newsgroups and/or the bug report.

Web browsers, by their nature, need frequent updates. Because browsers face the often hostile internet and can provide a portal to users' documents, photos, passwords, and so forth, it is critically important for users to keep up with browser updates. Anything that gets in the way of that process is (and should be) worrisome. That is the main reason that Chrome and Firefox have moved to automatic updates, for example.

But there is a tradeoff to be made here. Mozilla's VP of Firefox Engineering Johnathan Nightingale argues that, over the years, too much attention has been paid to the most vocal user contingent. There is code that is "in desperate need of clean up", he said, so Firefox developers cannot necessarily afford to heed the negative feedback:

[...] but on balance I believe we bias far too much towards letting vocal, conservative complaint chill the evolution of our products.

Every community has conservative elements. They are helpful; they remind us who we are when we forget. But conservative forces prevent change (by definition!) and we have important aspects of our code that need changing.

Weinberg is not convinced that cleaning up the code base overrides the security issue, however. He is concerned that the "tabs on bottom" issue is really just the straw that broke the camel's back for some segment of users. Even a small percentage of the Firefox install base can make for a rather large problem:

But with my security hat on, even a small minority of our users is still tens or hundreds of thousands of people, and if their computers are 0wned because they refused security updates because they didn't like our UI changes, that potentially has cascading fallout upon a much larger population (as the 0wned machines become malware sources themselves). That's not something I think is justifiable by code cleanliness concerns on our end.

Drawing a clear line is difficult, though. If any change to the UI can be seen as a "security problem" because users might decide not to upgrade, it will be difficult for Firefox to make any changes. Users have to take some responsibility for their choices. As Curtis Koenig put it:

While it is concerning when users choose to resist change in hazardous manners we cannot and should not halt forward movement due to the real or perceived threat that some portion of the user base will make ill-conceived choices. This would allow anyone to hold up anything with the cry of "I won't update" and then we get nowhere.

Users will make poor choices at times, and it is certainly possible that some change will drive some of them to make those choices. Is there a "moral responsibility", as Weinberg claimed, for Firefox (and, by implication, other applications, desktops, etc.) to continue to deliver a user experience that its users have become accustomed to? Are UI changes always potential security problems? There are obviously some kinds of UI changes that are security flaws, but simply changing the way the user interacts with the program likely doesn't really reach that level.

Neither Koenig nor Nightingale sees the "tabs on bottom" change as a security issue. There may be design or development issues that need to be resolved—though Nightingale seems confident that those have largely been dealt with—but moving some UI elements around is not cause for a security red flag. In fact, Nightingale called the security concern "a red herring (or a slippery slope, take your pick)".

There is only so much that a project can do to protect its users. Part of the problem in this particular case is that the other "major" free alternative, Chrome/Chromium, also has its tabs at the top. One guesses that the uproar would be a good deal more subdued if there were an "easy" alternative that behaved the way the "vocal conservatives" want. There may be good reasons to consider leaving the "tabs on bottom" feature alone; security isn't really one of them. But it is always good to see projects thinking about and debating where these lines are.

Brief items

Security quotes of the week

New York City say they found shredded police documents mixed in with confetti at the Macy's Thanksgiving Day Parade.

The documents contained confidential information, including detectives' Social Security numbers, bank information and unveiled undercover officers' identities, WPIX-TV, New York, reported.

-- UPI

Letting the Internet be rewired by bureaucrats would be like handing a Stradivarius to a gorilla.
-- L. Gordon Crovitz in The Wall Street Journal

Backdoor inserted into Piwik

The Piwik web server analytics package was given an undesirable feature — a backdoor — as the result of a compromise of the piwik.org server. "You would be at risk only if you installed or updated to Piwik 1.9.2 on Nov 26th from 15:43 UTC to 23:59 UTC. If you are not using 1.9.2, or if you have updated to 1.9.2 earlier than Nov 26th 15:40 UTC or from Nov 27th, you should be safe." The announcement has details on the backdoor and how to detect it.

New vulnerabilities

awstats: unspecified vulnerability

Package(s): awstats    CVE #(s): CVE-2012-4547
Created: November 28, 2012    Updated: November 28, 2012
Description: From the CVE entry:

Unspecified vulnerability in awredir.pl in AWStats before 7.1 has unknown impact and attack vectors.

Alerts:
Fedora FEDORA-2012-18423 2012-11-28

bugzilla: multiple vulnerabilities

Package(s): bugzilla    CVE #(s):
Created: November 26, 2012    Updated: November 28, 2012
Description: From the Fedora advisory:

Update to 4.0.9

  • Confidential product and component names can be disclosed to unauthorized users if they are used to control the visibility of a custom field.
  • When calling the 'User.get' WebService method with a 'groups' argument, it is possible to check if the given group names exist or not.
  • Due to incorrectly filtered field values in tabular reports, it is possible to inject code which can lead to XSS.
  • When trying to mark an attachment in a bug you cannot see as obsolete, the description of the attachment is disclosed in the error message.
  • A vulnerability in swfstore.swf from YUI2 can lead to XSS.
Alerts:
Fedora FEDORA-2012-18210 2012-11-24
Fedora FEDORA-2012-18224 2012-11-24

firefox: multiple vulnerabilities

Package(s): firefox    CVE #(s): CVE-2012-5843 CVE-2012-5836 CVE-2012-4203 CVE-2012-4204 CVE-2012-4205 CVE-2012-4208 CVE-2012-4212 CVE-2012-4213 CVE-2012-4217 CVE-2012-4218 CVE-2012-5838
Created: November 22, 2012    Updated: January 8, 2013
Description: From the Ubuntu advisory:

Gary Kwong, Jesse Ruderman, Christian Holler, Bob Clary, Kyle Huey, Ed Morley, Chris Lord, Boris Zbarsky, Julian Seward, Bill McCloskey, and Andrew McCreight discovered multiple memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-5842, CVE-2012-5843)

Jonathan Stephens discovered that combining vectors involving the setting of Cascading Style Sheets (CSS) properties in conjunction with SVG text could cause Firefox to crash. If a user were tricked into opening a malicious web page, an attacker could cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking the program. (CVE-2012-5836)

It was discovered that if a javascript: URL is selected from the list of Firefox "new tab" page, the script will inherit the privileges of the privileged "new tab" page. This allows for the execution of locally installed programs if a user can be convinced to save a bookmark of a malicious javascript: URL. (CVE-2012-4203)

Scott Bell discovered a memory corruption issue in the JavaScript engine. If a user were tricked into opening a malicious website, an attacker could exploit this to execute arbitrary JavaScript code within the context of another website or arbitrary code as the user invoking the program. (CVE-2012-4204)

Gabor Krizsanits discovered that XMLHttpRequest objects created within sandboxes have the system principal instead of the sandbox principal. This can lead to cross-site request forgery (CSRF) or information theft via an add-on running untrusted code in a sandbox. (CVE-2012-4205)

Peter Van der Beken discovered that the XrayWrapper implementation in Firefox does not consider the compartment during property filtering. An attacker could use this to bypass intended chrome-only restrictions on reading DOM object properties via a crafted web site. (CVE-2012-4208)

Abhishek Arya discovered multiple use-after-free and buffer overflow issues in Firefox. If a user were tricked into opening a malicious page, an attacker could exploit these to execute arbitrary code as the user invoking the program. (CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-5829, CVE-2012-5839, CVE-2012-5840, CVE-2012-4212, CVE-2012-4213, CVE-2012-4217, CVE-2012-4218)

Several memory corruption flaws were discovered in Firefox. If a user were tricked into opening a malicious page, an attacker could exploit these to execute arbitrary code as the user invoking the program. (CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5838)

Alerts:
Ubuntu USN-1638-1 2012-11-21
Ubuntu USN-1636-1 2012-11-21
Ubuntu USN-1638-2 2012-11-21
openSUSE openSUSE-SU-2012:1583-1 2012-11-28
openSUSE openSUSE-SU-2012:1584-1 2012-11-28
openSUSE openSUSE-SU-2012:1585-1 2012-11-28
openSUSE openSUSE-SU-2012:1586-1 2012-11-28
SUSE SUSE-SU-2012:1592-1 2012-11-29
Ubuntu USN-1638-3 2012-12-03
Fedora FEDORA-2012-18952 2012-12-04
Fedora FEDORA-2012-18931 2012-12-04
Ubuntu USN-1430-5 2012-11-29
Mageia MGASA-2012-0353 2012-12-07
Fedora FEDORA-2012-18661 2012-12-19
Gentoo 201301-01 2013-01-07
openSUSE openSUSE-SU-2013:0175-1 2013-01-23

hyper-v: denial of service

Package(s): Hyper-V    CVE #(s): CVE-2012-2669
Created: November 22, 2012    Updated: November 28, 2012
Description: From the openSUSE advisory:

The source code without this patch caused hv_kvp_daemon to exit when it processed a spoofed Netlink packet which has been sent from an untrusted local user. Now Netlink messages with a non-zero nl_pid source address are ignored and a warning is printed into the syslog. This fixes the previous change from CVE-2012-2669.
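The check the advisory describes, as an added example that is not the hv_kvp_daemon code: a datagram read from a NETLINK socket is trusted only when the sender address reports nl_pid 0 (the kernel); anything else came from a user-space process and is dropped. The length checks and the kvp_verdict_for() helper are constructed for the demonstration; the block assumes Linux's <linux/netlink.h>.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* Outcome of validating one datagram read from a NETLINK socket. */
enum kvp_verdict { KVP_ACCEPT = 0, KVP_REJECT_SOURCE, KVP_REJECT_LENGTH };

/* Validate a netlink datagram before the daemon acts on it.
 *   src     - sender address as filled in by recvfrom()/recvmsg()
 *   buf/len - the bytes received
 * Messages originating in the kernel carry nl_pid == 0.  Any other nl_pid
 * means a user-space process sent the datagram (any local user can open a
 * NETLINK socket), so it is ignored instead of trusted; this is the check
 * the advisory describes.  The length checks are an extra sanity check on
 * the header and are not part of the fix itself. */
enum kvp_verdict kvp_check_datagram(const struct sockaddr_nl *src,
                                    const void *buf, size_t len)
{
    const struct nlmsghdr *nlh = buf;

    if (src->nl_family != AF_NETLINK || src->nl_pid != 0)
        return KVP_REJECT_SOURCE;   /* spoofed sender: warn in syslog, drop */
    if (len < NLMSG_HDRLEN)
        return KVP_REJECT_LENGTH;   /* too short to hold a header at all */
    if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > len)
        return KVP_REJECT_LENGTH;   /* header claims more/less than arrived */
    return KVP_ACCEPT;
}

/* Constructed helper for the demo and tests: fabricate a sender address
 * and a datagram whose header carries the given nlmsg_len, then validate
 * it as if received_len bytes had arrived. */
enum kvp_verdict kvp_verdict_for(unsigned int sender_pid,
                                 unsigned int nlmsg_len_field,
                                 size_t received_len)
{
    struct sockaddr_nl src;
    union { struct nlmsghdr hdr; unsigned char raw[256]; } dgram;

    memset(&src, 0, sizeof src);
    src.nl_family = AF_NETLINK;
    src.nl_pid = sender_pid;            /* 0 == kernel, else a user process */

    memset(&dgram, 0, sizeof dgram);
    dgram.hdr.nlmsg_len = nlmsg_len_field;
    if (received_len > sizeof dgram)
        received_len = sizeof dgram;
    return kvp_check_datagram(&src, &dgram, received_len);
}
```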

Alerts:
openSUSE openSUSE-SU-2012:1526-1 2012-11-22
Ubuntu USN-1719-1 2013-02-12
Ubuntu USN-1720-1 2013-02-12
Ubuntu USN-1726-1 2013-02-14

insight: remote denial of service

Package(s): insight    CVE #(s): CVE-2012-3509
Created: November 26, 2012    Updated: November 28, 2012
Description: From the CVE entry:

Multiple integer overflows in the (1) _objalloc_alloc function in objalloc.c and (2) objalloc_alloc macro in include/objalloc.h in GNU libiberty, as used by binutils 2.22, allow remote attackers to cause a denial of service (crash) via vectors related to the "addition of CHUNK_HEADER_SIZE to the length," which triggers a heap-based buffer overflow.
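The arithmetic behind this class of bug, as an added example that is not libiberty's code: the unchecked form adds a header size to a caller-supplied length and wraps for large values, so malloc() hands back a tiny block that is then overrun; the checked form refuses lengths that would wrap. CHUNK_HEADER_SIZE is a constructed stand-in for the real chunk bookkeeping size, and the chunk_alloc()/chunk_free() pair is a simplified allocator written for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the allocator's per-chunk header size. */
#define CHUNK_HEADER_SIZE (2 * sizeof(void *))

/* Vulnerable shape: the header size is added to an attacker-influenced
 * length with no overflow check.  For len close to SIZE_MAX the sum wraps
 * to a small number, malloc() succeeds with a small block, and the caller
 * then copies len bytes into it: a heap-based buffer overflow. */
size_t unchecked_chunk_bytes(size_t len)
{
    return CHUNK_HEADER_SIZE + len;
}

/* Hardened shape: refuse any length for which the addition would wrap.
 * Returns 1 and stores the total in *out, or 0 if len is out of range. */
int checked_chunk_bytes(size_t len, size_t *out)
{
    if (len > SIZE_MAX - CHUNK_HEADER_SIZE)
        return 0;
    *out = CHUNK_HEADER_SIZE + len;
    return 1;
}

/* Allocate room for a len-byte object using the checked arithmetic.
 * Returns a pointer to the usable area, or NULL if len is out of range
 * or malloc() fails. */
void *chunk_alloc(size_t len)
{
    size_t total;
    unsigned char *chunk;

    if (!checked_chunk_bytes(len, &total))
        return NULL;
    chunk = malloc(total);
    if (chunk == NULL)
        return NULL;
    memset(chunk, 0, CHUNK_HEADER_SIZE);   /* header bookkeeping placeholder */
    return chunk + CHUNK_HEADER_SIZE;
}

/* Release a block obtained from chunk_alloc(). */
void chunk_free(void *p)
{
    if (p != NULL)
        free((unsigned char *)p - CHUNK_HEADER_SIZE);
}
```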

Alerts:
Fedora FEDORA-2012-18311 2012-11-24
Fedora FEDORA-2012-18300 2012-11-24

kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2012-4461
Created: November 22, 2012    Updated: November 28, 2012
Description: From the Red Hat Bugzilla entry:

A flaw has been found in the way the Linux kernel's KVM subsystem handled the vcpu->arch.cr4 X86_CR4_OSXSAVE bit set upon guest enter. On hosts without the XSAVE feature an unprivileged local user could use this flaw to crash the system.

Alerts:
Fedora FEDORA-2012-18684 2012-11-22
Fedora FEDORA-2012-18691 2012-11-28
Ubuntu USN-1688-1 2013-01-15
Ubuntu USN-1689-1 2013-01-15
Mageia MGASA-2013-0010 2013-01-18
Mageia MGASA-2013-0009 2013-01-18
Mageia MGASA-2013-0011 2013-01-18
Mageia MGASA-2013-0012 2013-01-18
Ubuntu USN-1696-1 2013-01-17
Ubuntu USN-1699-1 2013-01-17
Ubuntu USN-1704-1 2013-01-22
Mageia MGASA-2013-0016 2013-01-24
Ubuntu USN-1699-2 2013-02-01
Ubuntu USN-1696-2 2013-02-01
Ubuntu USN-1704-2 2013-02-01
Red Hat RHSA-2013:0223-01 2013-02-05
CentOS CESA-2013:0223 2013-02-06
Oracle ELSA-2013-0223 2013-02-06
Scientific Linux SL-kern-20130206 2013-02-06
Oracle ELSA-2013-2503 2013-02-07
Oracle ELSA-2013-2507 2013-02-28

libsocialweb: untrusted connection to flickr

Package(s): libsocialweb    CVE #(s): CVE-2012-4511
Created: November 23, 2012    Updated: November 28, 2012
Description: From the Fedora advisory:

The libsocialweb library is prone to a security vulnerability that allows attackers to perform man-in-the-middle attacks.

Remote attackers can exploit this issue to gain access to sensitive information or modify the integrity of user accounts. Other attacks are also possible.

Alerts:
Fedora FEDORA-2012-17746 2012-11-23
Fedora FEDORA-2012-17749 2012-11-23

libssh: code execution

Package(s): libssh    CVE #(s): CVE-2012-4559 CVE-2012-4560 CVE-2012-4561 CVE-2012-4562
Created: November 27, 2012    Updated: December 6, 2012
Description: From the Ubuntu advisory:

Xi Wang and Florian Weimer discovered that libssh incorrectly handled memory. A remote attacker could use this to cause libssh to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2012-4559, CVE-2012-4560, CVE-2012-4561, CVE-2012-4562)

Alerts:
Ubuntu USN-1640-1 2012-11-26
Fedora FEDORA-2012-18677 2012-11-29
Mandriva MDVSA-2012:175 2012-11-29
Mageia MGASA-2012-0344 2012-11-29
Debian DSA-2577-1 2012-12-01
Fedora FEDORA-2012-18687 2012-12-06
openSUSE openSUSE-SU-2012:1620-1 2012-12-07
openSUSE openSUSE-SU-2012:1622-1 2012-12-07
Slackware SSA:2012-341-02 2012-12-06
openSUSE openSUSE-SU-2013:0130-1 2013-01-23

libssh2: multiple integer overflows

Package(s): libssh2    CVE #(s): CVE-2012-4562
Created: November 22, 2012    Updated: November 29, 2012
Description: From the SUSE advisory:

This update of libssh fixes multiple integer overflows. CVE-2012-4562 has been assigned to this issue.

Alerts:
SUSE SUSE-SU-2012:1520-1 2012-11-21
openSUSE openSUSE-SU-2012:1620-1 2012-12-07
openSUSE openSUSE-SU-2012:1622-1 2012-12-07
Slackware SSA:2012-341-02 2012-12-06

libvoikko: denial of service

Package(s): libvoikko    CVE #(s):
Created: November 26, 2012    Updated: November 28, 2012
Description: From the Mageia advisory:

Version 3.2.1 fixes the handling of embedded null characters in input strings entered through the Python interface. The bug could be used to cause denial of service conditions and possibly other problems. Users of these interfaces are recommended to upgrade to this release. Applications that use the native C++ library directly (this includes all well known desktop applications) are not affected by this bug and no changes to the native library have been made in this release.

Alerts:
Mageia MGASA-2012-0340 2012-11-23

lighttpd: denial of service

Package(s): lighttpd    CVE #(s): CVE-2012-5533
Created: November 23, 2012    Updated: November 30, 2012
Description: From the Novell advisory:

Specially-crafted HTTP header can cause a Denial of Service (infinite loop) in lighttpd.

Alerts:
openSUSE openSUSE-SU-2012:1532-1 2012-11-23
Mageia MGASA-2012-0345 2012-11-29

mantis: multiple vulnerabilities

Package(s): mantis    CVE #(s): CVE-2012-5522 CVE-2012-5523
Created: November 26, 2012    Updated: November 28, 2012
Description: From the CVE entries:

MantisBT before 1.2.12 does not use an expected default value during decisions about whether a user may modify the status of a bug, which allows remote authenticated users to bypass intended access restrictions and make status changes by leveraging a blank value for a per-status setting. (CVE-2012-5522)

core/email_api.php in MantisBT before 1.2.12 does not properly manage the sending of e-mail notifications about restricted bugs, which might allow remote authenticated users to obtain sensitive information by adding a note to a bug before losing permission to view that bug. (CVE-2012-5523)

Alerts:
Fedora FEDORA-2012-18294 2012-11-24
Fedora FEDORA-2012-18299 2012-11-24

moodle: unintended Dropbox access

Package(s): moodle    CVE #(s): CVE-2012-5471
Created: November 28, 2012    Updated: November 28, 2012
Description: From the CVE entry:

The Dropbox Repository File Picker in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to access the Dropbox of a different user by leveraging an unattended workstation after a logout.

Alerts:
Fedora FEDORA-2012-18525 2012-11-28
Fedora FEDORA-2012-18570 2012-11-28

pcp: insecure temporary file use

Package(s): pcp    CVE #(s): CVE-2012-5530
Created: November 23, 2012    Updated: November 28, 2012
Description: From the Fedora advisory:

A security flaw was found in the way Performance Co-Pilot (PCP), a framework and services to support system-level performance monitoring and performance management, performed management of its temporary files used by various services from the suite. A local attacker could use this flaw to conduct symbolic link attacks (alter or remove different system files, accessible with the privileges of the user running the PCP suite, than it was originally intended).

Alerts:
Fedora FEDORA-2012-18654 2012-11-23
Fedora FEDORA-2012-18686 2012-11-23
SUSE SUSE-SU-2013:0190-1 2013-01-23

perl-CGI: header injection

Package(s): perl-CGI    CVE #(s): CVE-2012-5526
Created: November 28, 2012    Updated: December 19, 2012
Description: From the CVE entry:

CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm.
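One way to close the gap the CVE describes, as an added example written in C rather than Perl and not CGI.pm's own code: a CR or LF inside a header value ends the current line and lets the value start a header of its own, so the value is percent-encoded before it is emitted, a header name containing CR/LF is refused, and count_crlf() gives a defender a simple check that a finished header still holds exactly one line terminator. The cookie name, value and buffer sizes in the test are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if a header field contains no CR or LF, the two bytes that can
 * end the current header line and start an attacker-chosen one; else 0. */
int header_field_is_clean(const char *s)
{
    return strpbrk(s, "\r\n") == NULL;
}

/* Write "Set-Cookie: name=value\r\n" into out (capacity cap).  CR and LF in
 * the value are percent-encoded (%0D, %0A) so they can no longer split the
 * header; a name containing CR/LF is rejected outright.  Returns the number
 * of bytes written, or -1 on a bad name or insufficient space. */
int format_set_cookie(char *out, size_t cap, const char *name, const char *value)
{
    int written;
    size_t n;
    const char *p;

    if (!header_field_is_clean(name))
        return -1;
    written = snprintf(out, cap, "Set-Cookie: %s=", name);
    if (written < 0 || (size_t)written >= cap)
        return -1;
    n = (size_t)written;
    for (p = value; *p != '\0'; p++) {
        if (*p == '\r' || *p == '\n') {
            if (cap - n <= 3)              /* three bytes plus the NUL */
                return -1;
            snprintf(out + n, cap - n, "%%%02X", (unsigned char)*p);
            n += 3;
        } else {
            if (cap - n <= 1)
                return -1;
            out[n++] = *p;
        }
    }
    if (cap - n <= 2)                      /* room for CRLF plus the NUL */
        return -1;
    out[n++] = '\r';
    out[n++] = '\n';
    out[n] = '\0';
    return (int)n;
}

/* Count CRLF sequences in a formatted header: one correctly formed header
 * has exactly one (its terminator).  A value smuggled through unescaped
 * raises the count, which is the condition to alert on. */
int count_crlf(const char *s)
{
    int count = 0;
    for (; (s = strstr(s, "\r\n")) != NULL; s += 2)
        count++;
    return count;
}
```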

Alerts:
Fedora FEDORA-2012-18318 2012-11-28
Mageia MGASA-2012-0346 2012-11-29
Ubuntu USN-1643-1 2012-11-29
Debian DSA-2586-1 2012-12-11
Debian DSA-2587-1 2012-12-11
Mandriva MDVSA-2012:180 2012-12-17
Fedora FEDORA-2012-18330 2012-12-18
Fedora FEDORA-2012-19282 2012-12-13
SUSE SUSE-SU-2013:0441-1 2013-03-13
SUSE SUSE-SU-2013:0442-1 2013-03-13
openSUSE openSUSE-SU-2013:0497-1 2013-03-20
openSUSE openSUSE-SU-2013:0502-1 2013-03-20
Red Hat RHSA-2013:0685-01 2013-03-26
CentOS CESA-2013:0685 2013-03-26
Oracle ELSA-2013-0685 2013-03-26
Oracle ELSA-2013-0685 2013-03-27
Scientific Linux SL-perl-20130327 2013-03-27

rssh: command execution

Package(s): rssh    CVE #(s): CVE-2012-2251 CVE-2012-2252
Created: November 28, 2012    Updated: November 28, 2012
Description: From the Debian advisory:

James Clawson discovered that rssh, a restricted shell for OpenSSH to be used with scp/sftp, rdist and cvs, was not correctly filtering command line options. This could be used to force the execution of a remote script and thus allow arbitrary command execution.

Alerts:
Debian DSA-2578-1 2012-11-28
Fedora FEDORA-2012-20109 2012-12-19

tomcat: multiple vulnerabilities

Package(s): tomcat6    CVE #(s): CVE-2012-2733 CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 CVE-2012-3439
Created: November 22, 2012    Updated: January 10, 2013
Description: From the Ubuntu advisory:

It was discovered that the Apache Tomcat HTTP NIO connector incorrectly handled header data. A remote attacker could cause a denial of service by sending requests with a large amount of header data. (CVE-2012-2733)

It was discovered that Apache Tomcat incorrectly handled DIGEST authentication. A remote attacker could possibly use these flaws to perform a replay attack and bypass authentication. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)

Alerts:
Ubuntu USN-1637-1 2012-11-21
Fedora FEDORA-2012-20151 2012-12-19
openSUSE openSUSE-SU-2012:1701-1 2012-12-27
openSUSE openSUSE-SU-2012:1700-1 2012-12-27
Mandriva MDVSA-2013:004 2013-01-10
Mageia MGASA-2013-0015 2013-01-18
openSUSE openSUSE-SU-2013:0147-1 2013-01-23
Red Hat RHSA-2013:0623-01 2013-03-11
CentOS CESA-2013:0623 2013-03-12
Oracle ELSA-2013-0623 2013-03-11
Scientific Linux SL-tomc-20130312 2013-03-12
Red Hat RHSA-2013:0640-01 2013-03-12
CentOS CESA-2013:0640 2013-03-12
Oracle ELSA-2013-0640 2013-03-13
Scientific Linux SL-tomc-20130312 2013-03-12

unity-firefox-extension: code execution

Package(s): unity-firefox-extension    CVE #(s): CVE-2012-0960
Created: November 22, 2012    Updated: November 28, 2012
Description: From the Ubuntu advisory:

It was discovered that unity-firefox-extension incorrectly handled certain callbacks. A remote attacker could use this issue to cause unity-firefox-extension to crash, resulting in a denial of service, or possibly execute arbitrary code.

Alerts:
Ubuntu USN-1639-1 2012-11-22

vlc: denial of service

Package(s): vlc    CVE #(s): CVE-2012-5470
Created: November 22, 2012    Updated: November 28, 2012
Description: From the Mageia advisory:

libpng_plugin in VideoLAN VLC media player 2.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted PNG file (CVE-2012-5470).

Alerts:
Mageia MGASA-2012-0333 2012-11-21

weechat: shell injection

Package(s): weechat    CVE #(s): CVE-2012-5534
Created: November 28, 2012    Updated: December 3, 2012
Description: From the openSUSE advisory:

added weechat-fix-hook_process-shell-injection.patch which fixes a shell injection vulnerability in the hook_process function (bnc#790217, CVE-2012-5534)

Alerts:
openSUSE openSUSE-SU-2012:1580-1 2012-11-28
Fedora FEDORA-2012-18575 2012-11-29
Fedora FEDORA-2012-18526 2012-11-29
Mageia MGASA-2012-0347 2012-11-30
Fedora FEDORA-2012-19533 2012-12-11
Fedora FEDORA-2012-19538 2012-12-11
Debian DSA-2598-1 2013-01-05
openSUSE openSUSE-SU-2013:0150-1 2013-01-23

Page editor: Jake Edge

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds