Security
Mail filtering in Thunderbird 1.5
Your editor recently had a chance to try out the second beta Thunderbird 1.5 release. There are a number of nice additions in this release of Mozilla's mail client - and a few not-so-nice subtractions, in the form of broken extensions. This article will concentrate on a couple of security-related features.
Thunderbird has had spam filtering for some time. Your editor has never given it a full test, however. Happily, an ideal resource exists for this purpose: your editor's 4000-spam-per-day mail stream. A quick config file tweak directed a copy of this stream, unfiltered, into Thunderbird to see how it would react.
The Bayesian filter built into Thunderbird turns out to be a quick learner. After 100 messages or so, it was busily marking most messages itself. The speed with which it learns tempts the user to turn on automatic spam-canning of marked mail early in the process; it is such a delight to see that stuff simply disappear. Training a SpamAssassin filter takes quite a bit longer.
Unfortunately, the Thunderbird filter appears to learn too quickly, with the result that false positives become a problem. As long as Thunderbird is not configured to automatically refile spam, the false positives can be corrected with, one assumes, an appropriate tweaking of the filter. Once spams have been diverted, however, there appears to be no way to tell Thunderbird that it made a mistake. So new Thunderbird users would be well advised to look over its spam classification decisions for some time before empowering it to refile mail automatically.
SpamAssassin's more conservative approach may well turn out to be better for people who cannot afford to lose mail. Happily, Thunderbird 1.5 includes an option which causes it to defer to SpamAssassin on filtering. Thus, the system administrator can use SpamAssassin to add headers to mail, and individual users can have Thunderbird act on those headers if desired.
A truly new feature in 1.5 is phishing detection. A few simple rules have been added to detect phishy links; essentially, a message will be flagged if a URL contains a numeric IP address or the link text contains an address which fails to match the link destination. In these cases, clicking on a suspect link will result in a dialog explaining the situation and asking if the user wishes to proceed. Thunderbird will also mark such messages with a line saying "Mail/News thinks this message might be an email scam."
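The two heuristics described above (a numeric IP address as the link host, and link text that looks like a URL but points at a different host) are simple enough to show end to end. The following is an added example written for this article, not Thunderbird's own code; the HTML mail body is constructed, and the extra step of ignoring a leading "www." when comparing hosts is this example's simplification.

```python
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lowercased hostname of a URL (scheme optional), or None if it has none."""
    if "://" not in url:
        url = "http://" + url          # bare "www.example.com/login" in link text
    return (urlparse(url).hostname or "").lower() or None

def is_numeric_host(host):
    """True if the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_links(html):
    """Return one reason string per link that trips either heuristic."""
    p = LinkCollector()
    p.feed(html)
    canon = lambda h: h[4:] if h.startswith("www.") else h   # simplification
    reasons = []
    for href, text in p.links:
        dest = host_of(href)
        if dest is None:
            continue
        if is_numeric_host(dest):
            reasons.append(f"numeric IP in link destination: {href}")
        elif re.match(r"^(https?://|www\.)", text, re.I):
            shown = host_of(text)       # link text that itself looks like a URL
            if shown and canon(shown) != canon(dest):
                reasons.append(f"link text shows {shown} but destination is {dest}")
    return reasons

# Constructed sample: one numeric-IP link, one mismatched link, one honest link.
SAMPLE = """<p>Dear customer, verify at <a href="http://192.0.2.10/login">Secure Login</a>
or <a href="http://paypal.example.net/x">http://www.paypal.com/</a>.
<a href="https://www.paypal.com/help">Help center</a></p>"""
```

Running `suspicious_links(SAMPLE)` flags the first two links and passes the third; the third link shows why the rule misses phishes whose anchor text is a plain phrase rather than a URL.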
This capability is a step in the right direction, but it has some obvious shortcomings. It failed to detect a number of random phishes found in your editor's mailbox. The "this might be junk" message also overrides the phishing warning; arguably the scam warning should take priority. The real risk, though, is that users might think that, if Thunderbird does not flag a message, it must be legitimate. Remember, these are people who fall for phishing scams in the first place.
The best way to avoid that possibility would be to improve the detection of phishing messages. One wonders if the bayesian filter could be trained to this purpose as well as detecting spam. There is also ample opportunity for cooperation with anti-phishing groups which maintain lists of known phishing sites - though one would have to be careful to preserve a user's privacy when checking links.
Quibbles aside, Thunderbird 1.5 is a step in the right direction toward a more secure email environment. More work clearly remains to be done - but that is likely to always be the case. Meanwhile, tools which help to reduce the spam and phishing problems can only be a good thing.
New vulnerabilities
graphviz: insecure temporary file
| Package(s): | graphviz | CVE #(s): | CAN-2005-2965 |
| Created: | October 10, 2005 | Updated: | October 21, 2005 |
| Description: | Javier Fernández-Sanguino Peña discovered insecure temporary file creation in graphviz, a rich set of graph drawing tools, that can be exploited to overwrite arbitrary files by a local attacker. | | |
kernel: multiple vulnerabilities
| Package(s): | linux-source-2.6.10, linux-source-2.6.8.1 | CVE #(s): | CAN-2005-3053 CAN-2005-3106 CAN-2005-3107 CAN-2005-3108 CAN-2005-3109 CAN-2005-3110 |
| Created: | October 10, 2005 | Updated: | October 27, 2005 |
| Description: | A Denial of Service vulnerability was discovered in the sys_set_mempolicy() function. By calling the function with a negative first argument, a local attacker could cause a kernel crash. (CAN-2005-3053) | | |
| | A race condition was discovered in the handling of shared memory mappings with CLONE_VM. A local attacker could exploit this to cause a deadlock (Denial of Service) by triggering a core dump while waiting for a thread which had just performed an exec() system call. (CAN-2005-3106) | | |
| | A race condition was found in the handling of traced processes. When one thread was tracing another thread that shared the same memory map, a local attacker could trigger a deadlock (Denial of Service) by forcing a core dump when the traced thread was in the TASK_TRACED state. (CAN-2005-3107) | | |
| | A vulnerability has been found in the "ioremap" module. By performing certain IO mapping operations, a local attacker could either read memory pages he does not normally have access to (information leak) or cause a kernel crash (Denial of Service). This only affects the amd64 platform. (CAN-2005-3108) | | |
| | The HFS and HFS+ file system drivers did not properly verify that the file system being mounted really was HFS/HFS+. On machines which allow users to mount arbitrary removable devices as HFS or HFS+ with an /etc/fstab entry, this could be exploited to trigger a kernel crash. (CAN-2005-3109) | | |
| | Steve Herrel discovered a race condition in the "ebtables" netfilter module. A remote attacker could exploit this by sending specially crafted packets that caused a value to be modified after it had been read but before it had been locked. This eventually led to a kernel crash. This only affects multiprocessor (SMP) machines. (CAN-2005-3110) | | |
koffice: KWord RTF import buffer overflow
| Package(s): | koffice | CVE #(s): | CAN-2005-2971 |
| Created: | October 12, 2005 | Updated: | November 7, 2005 |
| Description: | The KOffice RTF import module suffers from a buffer overflow vulnerability which could be exploited via a malicious RTF file. See the KDE advisory for details. | | |
libuser: denial of service
| Package(s): | libuser | CVE #(s): | CAN-2004-2392 |
| Created: | October 11, 2005 | Updated: | October 12, 2005 |
| Description: | Several denial of service bugs were discovered in libuser. Under certain conditions it is possible for an application linked against libuser to crash or operate irregularly. | | |
mason: open firewall vulnerability
| Package(s): | mason | CVE #(s): | CAN-2005-3118 |
| Created: | October 6, 2005 | Updated: | October 10, 2005 |
| Description: | The mason firewall-creating utility fails to install its init script, leaving the machine without a firewall after the next reboot. | | |
mozilla: symlink attack
| Package(s): | mozilla | CVE #(s): | CAN-2005-2353 |
| Created: | October 7, 2005 | Updated: | October 10, 2005 |
| Description: | The run-mozilla.sh script, with debugging enabled, would allow local users to create or overwrite arbitrary files via a symlink attack on temporary files. | | |
openssl: protocol rollback
| Package(s): | openssl | CVE #(s): | CAN-2005-2969 |
| Created: | October 12, 2005 | Updated: | December 19, 2005 |
| Description: | OpenSSL prior to version 0.9.7h or 0.9.8a contains a vulnerability which could enable an attacker to force the use of the older, less secure SSL 2.0 protocol. See this advisory for details or this analysis for even more details. | | |
ruby: bypass object flags
| Package(s): | ruby1.8 | CVE #(s): | CAN-2005-2337 |
| Created: | October 10, 2005 | Updated: | October 21, 2005 |
| Description: | The object-oriented scripting language Ruby supports safely executing untrusted code with two mechanisms: safe levels and a taint flag on objects. Dr. Yutaka Oiwa discovered a vulnerability that allows Ruby methods to bypass these mechanisms. In systems which use this feature, this could be exploited to execute Ruby code beyond the restrictions specified by each safe level. | | |
squirrelmail: cross-site scripting
| Package(s): | squirrelmail | CVE #(s): | CAN-2005-3128 |
| Created: | October 12, 2005 | Updated: | October 12, 2005 |
| Description: | Yet another cross-site scripting vulnerability has been found in squirrelmail; this one affects the "Address Add" plugin. | | |
up-imapproxy: format string vulnerabilities
| Package(s): | up-imapproxy | CVE #(s): | CAN-2005-2661 |
| Created: | October 10, 2005 | Updated: | March 7, 2006 |
| Description: | up-imapproxy contains two format string vulnerabilities which could be exploited to execute arbitrary code. | | |
uw-imap: buffer overflow
| Package(s): | uw-imap | CVE #(s): | CAN-2005-2933 |
| Created: | October 11, 2005 | Updated: | April 10, 2006 |
| Description: | "infamous41md" discovered a buffer overflow in uw-imap, the University of Washington's IMAP server, that allows attackers to execute arbitrary code. | | |
weex: format string vulnerability
| Package(s): | weex | CVE #(s): | CAN-2005-3150 |
| Created: | October 10, 2005 | Updated: | October 10, 2005 |
| Description: | Ulf Härnhammar from the Debian Security Audit Project discovered a format string vulnerability in the Log_Flush function in Weex 2.6.1.5, 2.6.1, and possibly other versions. This could be exploited to execute arbitrary code on the client's machine. | | |
xine-lib: arbitrary code execution
| Package(s): | xine-lib | CVE #(s): | CAN-2005-2967 |
| Created: | October 10, 2005 | Updated: | October 12, 2005 |
| Description: | Ulf Härnhammar discovered a format string vulnerability in the CDDB module's cache file handling in the Xine library, which is used by packages such as xine-ui, totem-xine, and gxine. By tricking a user into playing a particular audio CD which has a specially-crafted CDDB entry, a remote attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user running the application. Since CDDB servers usually allow anybody to add and modify information, this exploit does not even require a particular CDDB server to be selected. | | |
xloadimage: buffer overflows
| Package(s): | xloadimage | CVE #(s): | CAN-2005-3178 |
| Created: | October 10, 2005 | Updated: | May 15, 2006 |
| Description: | Three buffer overflows were discovered in xloadimage when handling the image title name. A malicious user can construct a NIFF file that, when viewed and processed (with either zoom, reduce or rotate) by xloadimage, will cause the program to overwrite the return address and execute arbitrary code. | | |
Page editor: Jonathan Corbet