Security
Blocking popups in Firefox
One of the most compelling features of Firefox, for many users, is its built-in pop-up blocking. However, the advertising networks and webmasters looking to inflict pop-up ads on users weren't content to allow Firefox users (or anyone else, for that matter) to browse in peace. It's not surprising that, as Firefox gains in popularity, the Mozilla team would be faced with an "arms race" with advertisers determined to spawn pop-ups on all visitors to sponsored sites.
This writer has recently noticed that some sites had begun spawning pop-ups, despite the fact that Firefox's preferences had been configured to block them. After so long without having to cope with pop-ups, it was doubly annoying to see the nuisance starting all over again.
For the most part, before Firefox and other pop-up blockers appeared on the scene, pop-ups and pop-unders were spawned by JavaScript as soon as a site loaded. The Firefox pop-up blocking settings were very successful in blocking almost all pop-up ads. The notable exception, at least for this user, was the New York Times website, which was one of the first sites to find a workaround for Firefox's pop-up blocking.
JavaScript, however, is not the only method that can be used to spawn pop-ups. Notably, Flash, Java and other plugins are capable of spawning pop-ups and bypassing the restrictions used to stop pop-ups spawned by JavaScript. To start blocking pop-ups on sites that take advantage of features in Flash or Java to spawn pop-ups, users can install the Pop-ups Must Die! extension.
Alternately, users can get the same effect by manually fine-tuning
Firefox's settings. The first change, adding
"privacy.popups.disable_from_plugins" is described here.
The extension also changes the value of
"dom.popup_allowed_events" to block all allowed pop-up
events. This can be done by entering "about:config" in the Firefox address
bar, and finding "dom.popup_allowed_events," and removing all
of the options. These are the only two changes made by the extension.
The changes seem to have been very effective -- perhaps a little too
effective. Several users have complained that the extension blocks
requested pop-ups as well. This is true, but Firefox still allows users to
whitelist sites after a pop-up has been blocked by the new settings. This
writer considers it a small price to pay to avoid unrequested pop-ups. For
those who would rather deal with the occasional unrequested pop-up, one may
change "privacy.popups.disable_from_plugins" to "1" to allow
pop-ups to be opened when a link is clicked. This will limit the number of
windows opened by a link, so nefarious webmasters cannot open an unlimited
number of windows.
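To check an existing profile against the two settings discussed above, the following added example (not part of the original article or of the extension) parses user_pref(...) lines as found in a prefs.js or user.js file and reports which pop-up paths remain open. The sample preference text is constructed, and the meanings of values 0 and 2 for the plugin preference are assumptions taken from Mozilla's preference documentation rather than from this article.

```javascript
// Added example: audit Firefox preference text for the two pop-up settings.
// Assumption (not from the article): for privacy.popups.disable_from_plugins,
// 0 means "no restriction" and 2 or higher means "block plugin pop-ups".

// Parse user_pref("name", value); lines into a Map. Escaped quotes inside
// string values are not handled; the prefs of interest never contain them.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;/gm;
  for (const m of text.matchAll(re)) {
    const raw = m[2];
    if (/^".*"$/.test(raw)) prefs.set(m[1], raw.slice(1, -1));
    else if (raw === "true" || raw === "false") prefs.set(m[1], raw === "true");
    else prefs.set(m[1], Number(raw));
  }
  return prefs;
}

// Return one finding per pop-up path that is still open; empty means hardened.
function auditPopupPrefs(prefs) {
  const findings = [];
  const plugins = prefs.get("privacy.popups.disable_from_plugins");
  if (plugins === undefined || plugins === 0) {
    findings.push("plugins: pop-ups opened by Flash/Java are not restricted");
  } else if (plugins === 1) {
    findings.push("plugins: pop-ups allowed on click, window count limited");
  }
  const events = prefs.get("dom.popup_allowed_events");
  if (events === undefined) {
    findings.push("events: pref not set, the browser default list applies");
  } else if (String(events).trim() !== "") {
    const list = String(events).trim().split(/\s+/).join(", ");
    findings.push("events: these events may still open pop-ups: " + list);
  }
  return findings;
}

// Constructed sample profiles (not taken from a real installation).
const LOOSE_PREFS = `
user_pref("privacy.popups.disable_from_plugins", 1);
user_pref("dom.popup_allowed_events", "click dblclick submit");
`;
const HARDENED_PREFS = `
user_pref("privacy.popups.disable_from_plugins", 2);
user_pref("dom.popup_allowed_events", "");
`;

console.log(auditPopupPrefs(parsePrefs(LOOSE_PREFS)));
console.log(auditPopupPrefs(parsePrefs(HARDENED_PREFS)));
```

An empty result means both settings match the hardened state described above; sites whose pop-ups are wanted can still be whitelisted in Firefox afterwards.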
Determined webmasters, however, can find ways to inflict advertising on
users in other ways. Consider this site, which was pointed out in the discussion
about the "Pop-ups Must Die!" extension. Rather than spawning a pop-up, it
creates a frame within the window that blocks the content of the site until
the frame "window" is closed. Without disabling frames, which would cause a
great deal of problems for sites that use them legitimately, it's difficult
to imagine how one could avoid this kind of "pop-up." (Note, disabling
frames by changing the value of "browser.frames.enabled" to
false appears to break Firefox entirely.)
Ultimately, the best solution may not rest with Firefox. Users who are offended by pop-ups, and other intrusive advertising, have an infallible weapon at their disposal -- stop visiting sites that insist on using pop-ups. While it would require a great number of users to be effective, even the most persistent webmasters and advertisers would have to reconsider their methods if they have no audience for their ads.
New vulnerabilities
Dnsmasq: poisoning and DoS
| Package(s): | dnsmasq | CVE #(s): | |
| Created: | April 4, 2005 | Updated: | July 21, 2005 |
| Description: | Dnsmasq does not properly detect that DNS replies received do not correspond to any DNS query that was sent. Rob Holland of the Gentoo Linux Security Audit team also discovered two off-by-one buffer overflows that could crash DHCP lease files parsing. |
gaim: buffer overflow, DoS
| Package(s): | gaim | CVE #(s): | CAN-2005-0965 CAN-2005-0966 |
| Created: | April 5, 2005 | Updated: | May 15, 2005 |
| Description: | Jean-Yves Lefort discovered a buffer overflow in the gaim_markup_strip_html() function. This caused Gaim to crash when receiving certain malformed HTML messages. (CAN-2005-0965) Jean-Yves Lefort also noticed that many functions that handle IRC commands do not escape received HTML metacharacters; this allowed remote attackers to cause a Denial of Service by injecting arbitrary HTML code into the conversation window, popping up arbitrarily many empty dialog boxes, or even causing Gaim to crash. (CAN-2005-0966) |
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2005-0400 CAN-2005-0749 CAN-2005-0750 CAN-2005-0815 CAN-2005-0839 |
| Created: | April 1, 2005 | Updated: | July 1, 2005 |
| Description: | More kernel vulnerabilities have been discovered including: |
limewire: input validation errors
| Package(s): | limewire | CVE #(s): | CAN-2005-0788 CAN-2005-0789 |
| Created: | March 31, 2005 | Updated: | April 6, 2005 |
| Description: | LimeWire, a Java-based peer-to-peer client that works with the Gnutella file-sharing protocol, has two input validation errors that can allow a remote attacker to read arbitrary files with the permissions that LimeWire is running under. |
remstats: tempfile, missing input sanitizing
| Package(s): | remstats | CVE #(s): | CAN-2005-0387 CAN-2005-0388 |
| Created: | April 4, 2005 | Updated: | April 6, 2005 |
| Description: | Jens Steube discovered several vulnerabilities in remstats, the remote statistics system. When processing uptime data on the unix-server a temporary file is opened in an insecure fashion which could be used for a symlink attack to create or overwrite arbitrary files with the permissions of the remstats user. (CAN-2005-0387) The remoteping service can be exploited to execute arbitrary commands due to missing input sanitizing. (CAN-2005-0388) |
php4: denial of service vulnerabilities
| Package(s): | php4 | CVE #(s): | CAN-2005-0524 CAN-2005-0525 |
| Created: | April 5, 2005 | Updated: | May 26, 2005 |
| Description: | Two DoS vulnerabilities exist in PHP versions 4.2.2, 4.3.9, 4.3.10 and 5.0.3. One in the php_handle_iff function in image.c allows remote attackers to cause a denial of service (infinite loop) via a -8 size value. The php_next_marker function in image.c allows remote attackers to cause a denial of service (infinite loop) via a JPEG image with an invalid marker value, which causes a negative length value to be passed to php_stream_seek. This latter vulnerability also exists in PHP 3. |
sharutils: insecure temporary files
| Package(s): | sharutils | CVE #(s): | |
| Created: | April 4, 2005 | Updated: | April 14, 2005 |
| Description: | Joey Hess discovered that "unshar" created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program. |
sylpheed: buffer overflow on message
| Package(s): | sylpheed sylpheed-claws | CVE #(s): | |
| Created: | April 4, 2005 | Updated: | April 6, 2005 |
| Description: | Sylpheed and Sylpheed-claws fail to properly handle messages containing attachments with MIME-encoded filenames. |
wu-ftpd: missing input sanitizing
| Package(s): | wu-ftpd | CVE #(s): | CAN-2005-0256 |
| Created: | April 4, 2005 | Updated: | April 6, 2005 |
| Description: | The wu_fnmatch function in wu_fnmatch.c for wu-ftpd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir command. |
Page editor: Jonathan Corbet
