
Security

How to kill a web browser

Michal Zalewski recently decided to look for exploitable vulnerabilities in web browsers. So he wrote a little CGI script which generates random HTML and feeds it to the browser; a refresh tag is used so that the browser will repeatedly request new pages - until things come to a crashing halt. Mr. Zalewski reported his results on Bugtraq as "a mini-farce." It seems that most of the browsers he tested fared rather poorly.

The key word here is "most." One browser was able to absorb noisy input indefinitely without crashing; that browser was Internet Explorer.

There has been quite a bit of talk recently about Internet Explorer's security problems, and how the alternatives - both free and proprietary - are more secure. So this kind of result is somewhat embarrassing. As Mr. Zalewski put it:

It appears that the overall quality of code, and more importantly, the amount of QA, on various browsers touted as "secure", is not up to par with MSIE; the type of a test I performed requires no human interaction and involves nearly no effort. Only MSIE appears to be able to consistently handle malformed input well, suggesting this is the only program that underwent rudimentary security QA testing with a similar fuzz utility.

So what sort of HTML turned out to be problematic? A few examples have been posted - but all you smug, free-software-using folks might want to think twice before clicking on them. Use of a tool like wget is probably more appropriate. One of the examples, which, as your smug, free-software-using editor can attest, kills Firefox, is, in its entirety:

    <HTML><INPUT

The post notes that this bug is probably exploitable, and that many others certainly exist. The tester also does nothing involving either cascading style sheets or JavaScript - one suspects that those areas might, just maybe, be the source of a bug or two themselves.

The Mozilla project has been quick to capitalize on the recent bout of Internet Explorer security problems. This incident demonstrates, however, that the free software community can, at times, be a little too quick to claim better security. Testing against malformed input has been a standard quality assurance technique for decades; the fact that Mozilla, seemingly, has not done this testing is a little discouraging. Security can be a winning point for free software, but it doesn't happen automatically. If we're going to claim to have a more secure product, we should be sure we've done the homework first. Meanwhile, expect a new set of Mozilla patches sometime soon.
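A generator of the kind described above, written here as an added example (it is not Zalewski's script): each page is randomly malformed HTML (tags cut off before the closing bracket, elements never closed, oversized attribute values, stray control characters) and carries a refresh tag pointing at the next seed, so the browser under test pulls case after case by itself. The tag vocabulary, the mutation probabilities and the local port are this example's own assumptions; a seed regenerates the exact page that crashed so it can be minimised.

```python
import random
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Tag and attribute vocabulary: an assumption of this example, not Zalewski's list.
TAGS = ["html", "body", "div", "table", "tr", "td", "input", "form", "img", "a", "ul", "li"]
ATTRS = ["id", "class", "width", "height", "src", "href", "style", "type", "value", "align"]

def rand_text(rng, max_len=24):
    """Attribute values and text: markup metacharacters, control bytes, occasional huge runs."""
    if rng.random() < 0.1:
        return rng.choice('A=<"%') * rng.randint(100, 5000)
    pool = "abcXYZ019<>\"'&;=%/\\ \t\x01\x7f\xff"
    return "".join(rng.choice(pool) for _ in range(rng.randint(0, max_len)))

def rand_element(rng, depth):
    """One element; randomly truncated mid-tag, left unclosed, or nested with children."""
    tag = rng.choice(TAGS)
    attrs = " ".join(f'{rng.choice(ATTRS)}="{rand_text(rng)}"' for _ in range(rng.randint(0, 4)))
    start = f"<{tag} {attrs}".rstrip()
    roll = rng.random()
    if roll < 0.15:
        return start                      # cut off before '>', like the posted "<HTML><INPUT"
    start += ">"
    kids = "".join(rand_element(rng, depth - 1) for _ in range(rng.randint(0, 3))) if depth else ""
    if roll < 0.45:
        return start + kids               # never closed
    return f"{start}{kids}</{tag}>"

def make_fuzz_page(seed, depth=6, refresh_secs=0):
    """Page for one seed; deterministic, so a crashing case can be regenerated and minimised."""
    rng = random.Random(seed)
    body = "".join(rand_element(rng, depth) for _ in range(rng.randint(1, 8)))
    # The refresh tag makes the browser fetch the next case by itself, as in the original run.
    nxt = f'<meta http-equiv="refresh" content="{refresh_secs};url=/?seed={seed + 1}">'
    return f"<html><head>{nxt}</head><body>{body}</body></html>"

class FuzzHandler(BaseHTTPRequestHandler):
    """Serves /?seed=N; the browser under test is pointed at http://127.0.0.1:8000/?seed=0."""
    def do_GET(self):
        seed = int(parse_qs(urlparse(self.path).query).get("seed", ["0"])[0])
        page = make_fuzz_page(seed).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.end_headers()
        self.wfile.write(page)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), FuzzHandler).serve_forever()
```

Run the script, point a browser build under test at the URL in the handler's docstring, and note the last seed the server logged when the browser stops requesting pages.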

Comments (37 posted)

Brief items

Security fixes in 2.6.9

Alan Cox has sent out an announcement regarding a couple of tty-related security fixes which were included in the 2.6.9 kernel release. One of them is, conceivably, remotely exploitable, though it appears to be impossible to exploit in most cases. 2.4 and 2.2 kernels are also vulnerable; expect distributor updates shortly. Click below for the details.

Full Story (comments: none)

New vulnerabilities

apache: mod_ssl cipher negotiation problem

Package(s): apache    CVE #(s): CAN-2004-0885
Created: October 15, 2004    Updated: November 4, 2004
Description: Apache's mod_ssl module may allow content to be retrieved without proper negotiation of the requested cipher suite.
Alerts:
Conectiva CLA-2004:885 apache 2004-11-04
Mandrake MDKSA-2004:122 mod_ssl/apache2-mod_ssl 2004-11-01
Gentoo 200410-21 apache 2004-10-21
OpenPKG OpenPKG-SA-2004.044 apache (option "with_mod_ssl yes" only) 2004-10-15

Comments (none posted)

BNC: input validation flaw

Package(s): bnc    CVE #(s):
Created: October 15, 2004    Updated: October 19, 2004
Description: The BNC IRC proxying server contains an input validation flaw which can be remotely exploited for the purpose of running IRC commands.
Alerts:
Gentoo 200410-13 bnc 2004-10-15

Comments (none posted)

cvs: information disclosure

Package(s): cvs    CVE #(s): CAN-2004-0778
Created: October 20, 2004    Updated: October 20, 2004
Description: CVS (prior to version 1.1.17) contains an undocumented switch which may be used by an attacker to verify the existence of files and whether the CVS process can access them.
Alerts:
Mandrake MDKSA-2004:108 cvs 2004-10-19

Comments (none posted)

ghostscript: symlink vulnerabilities

Package(s): ghostscript    CVE #(s): CAN-2004-0967
Created: October 20, 2004    Updated: September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 ghostscript 2005-09-28
Ubuntu USN-3-1 ghostscript 2004-10-27
Gentoo 200410-18 ghostscript 2004-10-20

Comments (none posted)

libpng: integer overflows

Package(s): libpng    CVE #(s): CAN-2004-0955
Created: October 20, 2004    Updated: October 25, 2004
Description: A new set of integer overflows has been found in the libpng library; these overflows could perhaps be exploited (by way of a malicious image file) to execute arbitrary code.
Alerts:
Ubuntu USN-1-1 PNG library 2004-10-22
Debian DSA-571-1 libpng3 2004-10-20
Debian DSA-570-1 libpng 2004-10-20

Comments (1 posted)

phpMyAdmin: Vulnerability in MIME-based transformation

Package(s): phpMyAdmin    CVE #(s):
Created: October 18, 2004    Updated: October 19, 2004
Description: A defect was found in phpMyAdmin's MIME-based transformation system, when used with "external" transformations. A remote attacker could exploit this vulnerability to execute arbitrary commands on the server with the rights of the HTTP server user.
Alerts:
Gentoo 200410-14 phpmyadmin 2004-10-18

Comments (none posted)

PostgreSQL: Insecure temporary file use in make_oidjoins_check

Package(s): PostgreSQL    CVE #(s): CAN-2004-0977
Created: October 18, 2004    Updated: December 20, 2004
Description: The make_oidjoins_check script insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When make_oidjoins_check is called, this would result in file overwrite with the rights of the user running the utility, which could be the root user.
Alerts:
Red Hat RHSA-2004:489-01 rh-postgresql 2004-12-20
Mandrake MDKSA-2004:149 postgresql 2004-12-13
OpenPKG OpenPKG-SA-2004.046 postgresql 2004-10-29
Debian DSA-577-1 postgresql 2004-10-29
Ubuntu USN-6-1 postgresql 2004-10-27
Gentoo 200410-16 postgresql 2004-10-18

Comments (none posted)
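The temporary-file problem described in the PostgreSQL entry, as an added example rather than code from the make_oidjoins_check script: the first writer uses the predictable-name pattern the advisory describes, the second the usual fix (mkstemp, which creates the file atomically with O_CREAT|O_EXCL and mode 0600), and demo() replays the scenario inside a private directory created for the run. The file name and the "victim" file are constructed for the example.

```python
import os
import tempfile

PREDICTABLE = "make_oidjoins_check.tmp"   # constructed name standing in for the script's own

def write_report_insecure(contents, directory="/tmp"):
    """The pattern the advisory describes: a fixed, predictable name in a world-writable
    directory. open(..., "w") follows whatever is already at that path, so a symlink
    planted there redirects the write onto the link's target."""
    path = os.path.join(directory, PREDICTABLE)
    with open(path, "w") as f:
        f.write(contents)
    return path

def write_report_safe(contents, directory=None):
    """The fix: mkstemp asks the kernel for a fresh file with O_CREAT|O_EXCL, mode 0600 and
    an unpredictable suffix. A link or file already at the chosen name makes the open fail
    and another name is tried; nothing pre-planted is ever followed or truncated."""
    fd, path = tempfile.mkstemp(prefix="make_oidjoins_check.", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(contents)
    return path

def demo():
    """Replays the scenario inside a private directory created just for this run: a
    'victim' file stands in for the target and a symlink carries the predictable name.
    Returns the victim's contents after the safe writer and after the insecure one."""
    root = tempfile.mkdtemp()
    victim = os.path.join(root, "victim")
    with open(victim, "w") as f:
        f.write("original")
    os.symlink(victim, os.path.join(root, PREDICTABLE))
    write_report_safe("report", root)            # lands in a fresh file; victim untouched
    with open(victim) as f:
        after_safe = f.read()
    write_report_insecure("report", root)        # follows the link; victim overwritten
    with open(victim) as f:
        after_insecure = f.read()
    return after_safe, after_insecure

if __name__ == "__main__":
    print(demo())   # ('original', 'report')
```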

WordPress: HTTP response splitting and XSS vulnerabilities

Package(s): wordpress    CVE #(s):
Created: October 14, 2004    Updated: December 20, 2004
Description: WordPress is vulnerable to HTTP response splitting and cross-site scripting attacks, due to the lack of input validation in the administration panel scripts. A malicious user could inject arbitrary response data, leading to content spoofing, web cache poisoning and other cross-site scripting or HTTP response splitting attacks. This could result in compromising the victim's data or browser.
Alerts:
Gentoo 200410-12:02 wordpress 2004-10-14
Gentoo 200410-12 wordpress 2004-10-14

Comments (none posted)

Resources

October CRYPTO-GRAM newsletter

Bruce Schneier's CRYPTO-GRAM newsletter for October is out, with articles on disclosing network outage information, license plate scanners, academic freedom, and RFID passports. "Normally I am very careful before I ascribe such sinister motives to a government agency. Incompetence is the norm, and malevolence is much rarer. But this seems like a clear case of the government putting its own interests above the security and privacy of its citizens, and then lying about it."

Full Story (comments: 19)

Page editor: Jonathan Corbet


Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds