Security

More Firefox trouble

May 11, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

A few weeks ago, we covered a set of vulnerabilities in Firefox that were closed with the 1.0.3 release. Once again, Firefox is in the news for security issues -- this time for two security vulnerabilities that, when combined, create a situation that could allow an attacker to install software on a user's machine without any notice to the user.

What is particularly unusual about this disclosure is that it came not from the person who discovered the vulnerability, but from a third party who became privy to discussions about the vulnerability. While one might hope that the ethics of vulnerability disclosure would preclude "outing" a security vulnerability, particularly one discovered by another party, prior to the public release of a fix when it's known the vendor or project is actively working on the issue, the cat is out of the bag now.

The first vulnerability relates to "IFRAME" JavaScript URLs, which can allow an attacker to execute arbitrary JavaScript in a user's session. Alone, it could allow malicious sites to steal information from sites previously visited. The second vulnerability is in the "IconURL" parameter of "InstallTrigger.install()", which is not properly verified. This can be exploited to run JavaScript with the escalated privileges of a "Chrome script." The combination of both vulnerabilities can allow whitelisted sites, or sites masquerading as a whitelisted site, to take any action as the user, including administrative actions if the user has admin privileges. (This is one of the reasons why users should not make a habit of running as root.)

By default, the Mozilla Update websites were on the Firefox whitelist. The Mozilla Foundation has applied a server-side change to prevent attackers from using those sites. However, users who have added other sites to their whitelist may be at risk on those sites -- though an attacker would need to be able to guess what site a user has whitelisted.

We talked to Chris Hofmann, Mozilla's director of engineering, about the most recent vulnerabilities and Mozilla's security record in general. According to Hofmann, the vulnerability is cross-platform and could potentially affect users of Firefox 1.0.3 on any platform. Hofmann said that the Mozilla Foundation was not aware of any exploits in the wild, and that the premature disclosure of the vulnerability was "a pretty rare exception".

The security researchers and people who are reporting the vulnerability are pretty involved in all steps of the discovery and fixing and reporting process, and that's something different from a commercial company where researchers throw the report over the wall and hope a fix comes back from the vendor. Most of the researchers like the Mozilla system better where they can watch progress and complain if it's not proceeding at the right pace... it's very unusual to see someone report something like this without giving us a shot [to fix the problem first].

We also asked Hofmann if he thought it would be possible to catch all of these vulnerabilities at some point in the future. In short, it looks like the answer is pretty much "no," given the complexity of a Web browser and the nature of the interfaces between components where it is not completely understood how they interact.

At this time, there is not a final Firefox 1.0.4 release, but there are candidate builds available with security fixes and a fix for a DHTML regression in 1.0.3. At a minimum, users should disable software installation until 1.0.4 is available.

New vulnerabilities

apache2 buffer overflow

Package(s): apache  CVE #(s): CAN-2005-1344
Created: May 6, 2005  Updated: May 11, 2005
Description: Buffer overflow in htdigest in Apache 2.0.52 may allow attackers to execute arbitrary code via a long realm argument.
Alerts:
Ubuntu USN-120-1 apache2 2005-05-06

Ethereal: numerous vulnerabilities

Package(s): ethereal  CVE #(s): CAN-2005-1456 CAN-2005-1457 CAN-2005-1458 CAN-2005-1459 CAN-2005-1460 CAN-2005-1461 CAN-2005-1462 CAN-2005-1463 CAN-2005-1464 CAN-2005-1465 CAN-2005-1466 CAN-2005-1467 CAN-2005-1468 CAN-2005-1469 CAN-2005-1470
Created: May 6, 2005  Updated: June 7, 2005
Description: There are numerous vulnerabilities in Ethereal versions 0.8.14 to 0.10.10, according to this advisory.
Alerts:
SuSE SUSE-SR:2005:014 multi 2005-06-07
Red Hat RHSA-2005:427-01 Ethereal 2005-05-24
Mandriva MDKSA-2005:083 ethereal 2005-05-10
Gentoo 200505-03 ethereal 2005-05-06

firefox: multiple vulnerabilities

Package(s): firefox  CVE #(s): CAN-2005-1153 CAN-2005-1154 CAN-2005-1155 CAN-2005-1156 CAN-2005-1157 CAN-2005-1158 CAN-2005-1160 CAN-2005-1159
Created: May 11, 2005  Updated: May 26, 2005
Description: The Firefox browser (and Mozilla as well) suffers from several vulnerabilities which can be exploited by a remote attacker to execute arbitrary code. See this advisory for a discussion of the worst two. Upgrading to version 1.0.4 will fix the problems.
Alerts:
Ubuntu USN-134-1 mozilla-firefox 2005-05-26
Mandriva MDKSA-2005:088 mozilla 2005-05-13
Ubuntu USN-124-2 USN-124-1 fixed several 2005-05-12
Ubuntu USN-124-1 mozilla-firefox, mozilla 2005-05-11

gaim: buffer overflow

Package(s): gaim  CVE #(s): CAN-2005-1261 CAN-2005-1262
Created: May 11, 2005  Updated: May 12, 2005
Description: Gaim contains buffer overflows in its handling of URLs and MSN messages. By sending malicious messages, a remote attacker could exploit these overflows and execute arbitrary code.
Alerts:
Ubuntu USN-125-1 gaim 2005-05-12
Mandriva MDKSA-2005:086 gaim 2005-05-12
Gentoo 200505-09 gaim 2005-05-12
Red Hat RHSA-2005:429-01 gaim 2005-05-11
Red Hat RHSA-2005:432-01 gaim 2005-05-11
Fedora FEDORA-2005-369 gaim 2005-05-11

GnuTLS: Denial of Service vulnerability

Package(s): gnutls  CVE #(s): CAN-2005-1431
Created: May 9, 2005  Updated: June 1, 2005
Description: GnuTLS 1.2.3 and 1.0.25 have been released, fixing a denial of service problem.
Alerts:
Red Hat RHSA-2005:430-01 GnuTLS 2005-06-01
Ubuntu USN-126-1 gnutls11, gnutls10 2005-05-13
Mandriva MDKSA-2005:084 gnutls 2005-05-12
Fedora FEDORA-2005-362 gnutls 2005-05-05
Gentoo 200505-04 GnuTLS 2005-05-09

hteditor: multiple buffer overflows

Package(s): hteditor  CVE #(s):
Created: May 10, 2005  Updated: May 11, 2005
Description: Tavis Ormandy of the Gentoo Linux Security Team discovered an integer overflow in the ELF parser, leading to a heap-based buffer overflow. The vendor has reported that an unrelated buffer overflow has been discovered in the PE parser. Successful exploitation would require the victim to open a specially crafted file using HT, potentially permitting an attacker to execute arbitrary code.
Alerts:
Gentoo 200505-08 hteditor 2005-05-10

kernel: ELF loader core dump vulnerability

Package(s): kernel  CVE #(s): CAN-2005-1263
Created: May 11, 2005  Updated: August 25, 2005
Description: Paul Starzetz has posted an advisory for yet another kernel vulnerability. In this case, by using a specially manipulated ELF binary, a local attacker can compromise the system (via the core dump code) and obtain root access. This vulnerability affects all kernels from 2.2 through 2.6.12-rc4.
Alerts:
Red Hat RHSA-2005:529-01 kernel 2005-08-25
Red Hat RHSA-2005:420-01 kernel 2005-06-08
Red Hat RHSA-2005:472-01 kernel 2005-05-25
Fedora FEDORA-2005-392 kernel 2005-05-23
Ubuntu USN-131-1 linux-source-2.6.8.1, linux-source-2.6.10 2005-05-23
Trustix TSLSA-2005-0022 kernel, 2005-05-13

libTIFF: buffer overflow

Package(s): libtiff  CVE #(s): CAN-2005-1544
Created: May 10, 2005  Updated: February 18, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a stack-based buffer overflow in the libTIFF library when reading a TIFF image with a malformed BitsPerSample tag. Successful exploitation would require the victim to open a specially crafted TIFF image, resulting in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:042 libtiff 2006-02-17
Debian DSA-755-1 tiff 2005-07-13
Ubuntu USN-130-1 tiff 2005-05-19
Gentoo 200505-07 tiff 2005-05-10

Oops!: Remote code execution

Package(s): oops  CVE #(s): CAN-2005-1121
Created: May 6, 2005  Updated: May 20, 2005
Description: A format string flaw has been detected in the my_xlog() function of the Oops! proxy (in versions prior to 1.5.23), which is called by the auth() functions of the passwd_mysql and passwd_pgsql modules.
Alerts:
Debian DSA-726-1 oops 2005-05-20
Gentoo 200505-02 oops 2005-05-05

smail buffer overflow

Package(s): smail  CVE #(s): CAN-2005-0892
Created: May 9, 2005  Updated: May 11, 2005
Description: A buffer overflow has been discovered in Smail 3.2.0.120, an electronic mail transport system, which allows remote attackers and local users to execute arbitrary code.
Alerts:
Debian DSA-722-1 smail 2005-05-09

squid: errors in http_access configuration

Package(s): squid  CVE #(s): CAN-2005-1345
Created: May 6, 2005  Updated: May 11, 2005
Description: Squid 2.5.STABLE9 and earlier does not trigger a fatal error when it identifies missing or invalid ACLs in the http_access configuration, which could lead to less restrictive ACLs than intended by the administrator.
Alerts:
Trustix TSLSA-2005-0021 squid 2005-05-10
Debian DSA-721-1 squid 2005-05-06
Ubuntu USN-122-1 squid 2005-05-06
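
The failure mode described above can be caught before the config is loaded. The following checker is an added example, not Squid's own code: it parses a constructed squid.conf fragment and reports every http_access term that no acl line declares. It assumes every ACL name, including "all", must be declared explicitly (as in Squid 2.5) and that a rule referencing an undeclared ACL is skipped rather than fatal, which is exactly how a deny rule silently disappears.

```python
"""Flag http_access rules that reference undefined ACLs.
Constructed example, not Squid's own code. Squid 2.5.STABLE9 and earlier
skip such a rule instead of aborting, so a typo in a deny rule's ACL name
silently removes the restriction."""


def parse_squid_conf(text):
    """Return (defined_acl_names, rules); rules are (line_no, action, terms)."""
    defined = set()
    rules = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            defined.add(parts[1])
        elif parts[0] == "http_access" and len(parts) >= 2:
            # each ACL term may be negated with a leading '!'
            terms = [t.lstrip("!") for t in parts[2:]]
            rules.append((line_no, parts[1], terms))
    return defined, rules


def find_undefined_acls(text):
    """Return [(line_no, acl_name)] for every http_access term not declared.
    Assumption: no built-in ACL names (Squid 2.5 requires even 'all' to be declared)."""
    defined, rules = parse_squid_conf(text)
    return [(n, t) for n, _action, terms in rules for t in terms if t not in defined]


# Constructed squid.conf fragment: SSL_ports is referenced but never declared,
# so the CONNECT deny rule is dropped and clients may tunnel to any port.
WEAK_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.1.0/24
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

# Corrected fragment: declaring the missing ACL makes the deny rule live again.
FIXED_CONF = "acl SSL_ports port 443\n" + WEAK_CONF

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, "->", find_undefined_acls(conf) or "no undefined ACLs")
```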

Page editor: Jonathan Corbet

Copyright © 2005, Eklektix, Inc.