

Firefox security status

A major security flaw in various third-party extensions has given Firefox a bit of a black eye even though the browser is not vulnerable. A number of other issues in the browser itself caused a security release which kept Firefox in the news. Unfortunately, after the release, even more vulnerabilities were reported. One would have to guess that it has not been the best week or so for the Firefox security team.

A large number of extensions - including toolbars for Google, Yahoo, Facebook and others - are susceptible to a man-in-the-middle attack that allows arbitrary code execution within the browser. The vulnerability exploits the update mechanism built into the extensions by providing malicious code as an update. An attacker that can control the DNS answers received by a victim can redirect the update queries from the extensions to a server under the attacker's control. The code provided gets installed, silently in many cases; it will then run as part of the browser with all of the capabilities of an extension.

Situations where one may not be able to trust the DNS answers received are far more common than people realize. Using a public or unencrypted wireless network is probably the most common vulnerable situation, but home routers that have been subverted either through a vulnerability or because the owner never changed the default password can also leave an opening for an attack. Because the extensions typically check for updates frequently, there are lots of opportunities to provide them with bad code.

There are any number of nasty things that a browser extension can do: keystroke logging, email reading, spamming, bank transfers, subscribing to, etc. This is truly a situation that one wants to avoid. Vendors of these extensions have in many cases (with Google being specifically called out in the vulnerability announcement) bypassed the default Firefox prompt that would at least alert users that new code was being installed. Users running those extensions have no defense and need to delete them from the browser while awaiting a fix from the vendor.

The open source extensions that are available at are not vulnerable because of the use of SSL to prevent an attacker's host masquerading as the update server. The SSL certificate presented by the attacker's server will not pass muster with the browser so the malicious update will not be installed. This is the fix that the vulnerable extensions will have to implement. It is not particularly technically difficult, more of a logistics headache to roll out new code to millions of users. It may also require some infrastructure improvements to be able to support encrypted connections for that many users.
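One practical check a defender can run against the problem described above is to look at what update channel each installed extension declares. The following is an added example, not code from the LWN article or from Mozilla: it parses the install.rdf manifest that ships inside an extension's .xpi, reads the em:updateURL element, and flags any extension whose updates are fetched over plain HTTP, since that is the channel an attacker controlling DNS can redirect. The manifests, extension ids and hostnames are constructed samples; an extension with no updateURL is assumed to be checked against addons.mozilla.org, which the article notes uses SSL.

```python
"""Audit Firefox install.rdf manifests for update channels that can be hijacked.

Added example (not code from the LWN article or from Mozilla): for each manifest
it reads em:updateURL and flags any that is not fetched over HTTPS, which is the
weakness the article describes.  Manifests, ids and hosts are constructed samples.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

EM_NS = "http://www.mozilla.org/2004/em-rdf#"

# Constructed sample manifests keyed by a hypothetical .xpi file name.
SAMPLE_MANIFESTS = {
    "toolbar.xpi": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>toolbar@example.invalid</em:id>
    <em:name>Example Toolbar</em:name>
    <em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>
  </Description>
</RDF>""",
    "secure.xpi": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>secure@example.invalid</em:id>
    <em:name>Example Secure Add-on</em:name>
    <em:updateURL>https://updates.example.invalid/update.rdf</em:updateURL>
  </Description>
</RDF>""",
    "amo.xpi": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>amo@example.invalid</em:id>
    <em:name>Example AMO-hosted Add-on</em:name>
  </Description>
</RDF>""",
}


def parse_manifest(xml_text):
    """Return the id, name and updateURL (None if absent) from an install.rdf."""
    root = ET.fromstring(xml_text)

    def first(tag):
        el = root.find(".//{%s}%s" % (EM_NS, tag))
        return el.text.strip() if el is not None and el.text else None

    return {"id": first("id"), "name": first("name"), "update_url": first("updateURL")}


def classify_update_url(url):
    """'amo-default' when no updateURL is set (assumed: the check then goes to
    addons.mozilla.org, which the article notes is served over SSL),
    'https' when the URL uses TLS, otherwise 'insecure'."""
    if url is None:
        return "amo-default"
    if urlsplit(url).scheme.lower() == "https":
        return "https"
    return "insecure"


def audit(manifests):
    """Return (file, id, update_url) for every manifest whose update channel
    an attacker controlling DNS answers could redirect."""
    findings = []
    for filename, xml_text in manifests.items():
        info = parse_manifest(xml_text)
        if classify_update_url(info["update_url"]) == "insecure":
            findings.append((filename, info["id"], info["update_url"]))
    return sorted(findings)


if __name__ == "__main__":
    for filename, ext_id, url in audit(SAMPLE_MANIFESTS):
        print("%s: %s updates over plain HTTP from %s" % (filename, ext_id, url))
```

Running it on a profile's extensions directory means unzipping each .xpi and feeding install.rdf to audit(); an extension that appears in the output is one to remove until the vendor moves its update check to HTTPS, as the article recommends.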

Millions of users at risk for all manner of browser mayhem may make the fixes in the most recent security update pale by comparison but there are some serious issues there as well. The most important fix, rated as critical by Mozilla, fixes potentially exploitable crashes in the layout and Javascript engines. There is also a flaw that allows cross-site scripting using the addEventListener Javascript call which Mozilla rates as having a high impact.

A few days after the release, Michal Zalewski was up to his usual tricks by reporting two vulnerabilities in Firefox, one that he rates as a major vulnerability, the other as medium. In both cases, various Javascript tricks can be used to make the browser behave badly which is yet another reason to look into the NoScript extension.

Thor Larholm also had some bad news for the Firefox team shortly after the release when he reported that a patch that went into the release only partially fixed the problem for Windows platforms while doing nothing to prevent the problem for Linux and other UNIX versions. The directory traversal vulnerability allows any local files accessible to the browser user with the name known by the attacker to be read via the resource:// URL handler. The information in the file could then be transmitted to any site visited. We can probably expect an update from the Firefox team for this particular problem relatively soon.
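The containment check that a resource:// style handler needs, written as an added example that is not Mozilla's code and not the patch the article discusses: it maps the path part of a request onto a fixed root directory and refuses anything that would resolve outside it. It deliberately handles both separator styles and percent-encoding, since the article notes that the shipped fix covered Windows only partially and Linux not at all. RESOURCE_ROOT and the request strings are constructed for illustration.

```python
"""Containment check for a resource://-style URL handler.

Added example (not Mozilla's code): maps the path part of a request onto a fixed
root directory and refuses any request that would read outside it, covering the
encodings that a fix limited to one platform's separator tends to miss.
RESOURCE_ROOT and the request strings are constructed for illustration.
"""
import posixpath
from urllib.parse import unquote

RESOURCE_ROOT = "/opt/browser/res"  # hypothetical resource directory


class TraversalError(ValueError):
    """Raised when a request would resolve outside the resource root."""


def resolve_resource_path(root, requested):
    """Return the absolute file path for `requested`, or raise TraversalError."""
    # Decode percent-escapes exactly once, so %2e%2e is judged as '..'
    # (decoding twice would reopen the hole for double-encoded input).
    path = unquote(requested)
    # A NUL byte would truncate the path in a C string; never let it through.
    if "\x00" in path:
        raise TraversalError("NUL byte in request")
    # Treat backslash as a separator as well: Windows does, and a check that
    # only understands '/' misses '..\..\' sequences.
    path = path.replace("\\", "/")
    # Drop leading slashes so the request is always relative to root, then
    # collapse '.' and '..' components.  Any '..' that survives normalization
    # is one that climbs above root.
    rel = posixpath.normpath(path.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        raise TraversalError("request escapes resource root: %r" % requested)
    full = root if rel == "." else posixpath.join(root, rel)
    # Belt and braces: the joined path must still have root as its prefix.
    if posixpath.commonpath([root, full]) != root:
        raise TraversalError("request escapes resource root: %r" % requested)
    # On a real filesystem a realpath() comparison would be the further layer
    # guarding against symlinks inside root; omitted here to stay offline.
    return full


def is_safe_request(root, requested):
    """True if the request stays inside root, False if it would traverse out."""
    try:
        resolve_resource_path(root, requested)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    for req in ("skin/classic.css", "skin/../classic.css",
                "../../../etc/passwd", "..\\..\\..\\etc\\passwd",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        verdict = "ok  " if is_safe_request(RESOURCE_ROOT, req) else "DENY"
        print(verdict, req)
```

The order of the steps matters: decode, then unify separators, then normalize, then check. Normalizing before decoding is the kind of ordering that lets an encoded `..` through, and checking only one separator style is how a fix ends up working on one platform and not another.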


Brief items

Google: Web Server Software and Malware

Google has published the results of some research on web servers and malware. "It is very interesting to see that in China and South Korea, a malicious server is much more likely to be running IIS than Apache. We suspect that the causes for IIS featuring more prominently in these countries could be due to a combination of factors: first, automatic updates have not been enabled due to software piracy, and second, some security patches are not available for pirated copies of Microsoft operating systems. For instance the patch for a commonly seen ADODB.Stream exploit is not available to pirated copies of Windows operating systems." So the problem may not be that the software is inherently less secure, but that its proprietary licensing cuts off many deployments from security updates.


New vulnerabilities

clamav: denial of service

Package(s): clamav    CVE #(s): CVE-2007-2650
Created: June 5, 2007    Updated: July 20, 2007
Description: A vulnerability in the OLE2 parser in ClamAV was found that could allow a remote attacker to cause a denial of service via resource consumption with a carefully crafted OLE2 file.
Fedora FEDORA-2007-1154 clamav 2007-07-19
Debian DSA-1320-1 clamav 2007-06-23
Gentoo 200706-05 clamav 2007-06-15
Trustix TSLSA-2007-0020 clamav 2007-06-08
SuSE SUSE-SA:2007:033 clamav 2007-06-06
Mandriva MDKSA-2007:115 clamav 2007-06-04


file: integer overflow

Package(s): file    CVE #(s): CVE-2007-2799
Created: June 1, 2007    Updated: October 19, 2007
Description: Colin Percival from FreeBSD reported that the previous fix for the file_printf() buffer overflow introduced a new integer overflow. A remote attacker could entice a user to run the file program on an overly large file (more than 1Gb) that would trigger an integer overflow on 32-bit systems, possibly leading to the execution of arbitrary code with the rights of the user running file.
Gentoo 200710-19 sleuthkit 2007-10-18
Debian DSA-1343-2 file 2007-09-25
Debian DSA-1343-1 file 2007-07-31
SuSE SUSE-SA:2007:040 file 2007-07-04
Fedora FEDORA-2007-0836 file 2007-07-03
Fedora FEDORA-2007-538 file 2007-06-11
Fedora FEDORA-2007-541 file 2007-06-11
Ubuntu USN-439-2 file 2007-06-11
Mandriva MDKSA-2007:114 file 2007-06-05
Gentoo 200705-25 file 2007-05-31


firefox: multiple vulnerabilities

Package(s): firefox mozilla seamonkey thunderbird    CVE #(s): CVE-2007-1362 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2870 CVE-2007-2871
Created: June 4, 2007    Updated: August 29, 2007
Description: Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user's privileges. (CVE-2007-2867, CVE-2007-2868)

A flaw was discovered in the form autocomplete feature. By tricking a user into opening a malicious web page, an attacker could cause a persistent denial of service. (CVE-2007-2869)

Nicolas Derouet discovered flaws in cookie handling. By tricking a user into opening a malicious web page, an attacker could force the browser to consume large quantities of disk or memory while processing long cookie paths. (CVE-2007-1362)

A flaw was discovered in the same-origin policy handling of the addEventListener JavaScript method. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-2870) Chris Thomas discovered a flaw in XUL popups. A malicious web site could exploit this to spoof or obscure portions of the browser UI, such as the location bar. (CVE-2007-2871)

Ubuntu USN-469-2 thunderbird 2007-08-29
SuSE SUSE-SA:2007:036 firefox, thunderbird, seamonkey 2007-06-27
Mandriva MDKSA-2007:131 mozilla-thunderbird 2007-06-20
Gentoo 200706-06 mozilla-firefox 2007-06-19
Foresight FLEA-2007-0027-1 thunderbird 2007-06-20
Fedora FEDORA-2007-0544 thunderbird 2007-06-18
Mandriva MDKSA-2007:126-1 mozilla-firefox 2007-06-16
Mandriva MDKSA-2007:126 mozilla-firefox 2007-06-15
Slackware SSA:2007-165-01 thunderbird 2007-06-15
Debian DSA-1308-1 iceweasel 2007-06-14
Mandriva MDKSA-2007:120 mozilla-firefox 2007-06-12
Mandriva MDKSA-2007:119 mozilla-thunderbird 2007-06-12
Debian DSA-1305-1 icedove 2007-06-13
Debian DSA-1306-1 xulrunner 2007-06-12
Debian DSA-1300-1 iceape 2007-06-07
Ubuntu USN-469-1 mozilla-thunderbird 2007-06-05
Slackware SSA:2007-152-02 mozilla 2007-06-04
Ubuntu USN-468-1 firefox 2007-06-01


jasper: denial of service

Package(s): jasper    CVE #(s): CVE-2007-2721
Created: June 1, 2007    Updated: April 19, 2010
Description: The jpc_qcx_getcompparms function in jpc/jpc_cs.c could allow remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files.
Debian DSA-2036-1 jasper 2010-04-17
Mandriva MDVSA-2009:142-1 jasper 2009-12-03
Mandriva MDVSA-2009:164 jasper 2009-07-28
Mandriva MDVSA-2009:142 jasper 2009-06-26
CentOS CESA-2009:0012 netpbm 2009-02-11
Red Hat RHSA-2009:0012-01 netpbm 2009-02-11
Mandriva MDKSA-2007:209 netpbm 2007-11-05
Mandriva MDKSA-2007:208 ghostscript 2007-11-05
Ubuntu USN-501-2 ghostscript, gs-gpl 2007-10-22
Ubuntu USN-501-1 jasper 2007-08-20
Mandriva MDKSA-2007:129 jasper 2007-06-19
Fedora FEDORA-2007-0001 jasper 2007-06-01


lha: temporary file vulnerability

Package(s): lha    CVE #(s): CVE-2007-2030
Created: June 6, 2007    Updated: June 6, 2007
Description: The lha utility creates temporary files in an insecure manner, enabling symlink race attacks.
Mandriva MDKSA-2007:117 lha 2007-06-05


libexif: integer overflow

Package(s): libexif    CVE #(s): CVE-2007-2645
Created: June 1, 2007    Updated: February 11, 2008
Description: Integer overflow in the exif_data_load_data_entry function in exif-data.c in libexif before 0.6.14 allows user-assisted remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted EXIF data, involving the (1) doff or (2) s variable.
Debian DSA-1487-1 libexif 2008-02-08
Slackware SSA:2007-164-01 libexif 2007-06-14
Fedora FEDORA-2007-0414 libexif 2007-06-13
Fedora FEDORA-2007-548 libexif 2007-06-11
Ubuntu USN-471-1 libexif 2007-06-11
Mandriva MDKSA-2007:118 libexif 2007-06-08
Gentoo 200706-01 libexif 2007-06-05
rPath rPSA-2007-0115-1 libexif 2007-06-04
Foresight FLEA-2007-0024-1 libexif 2007-06-04
Fedora FEDORA-2007-0001 libexif 2007-06-01


php: multiple vulnerabilities

Package(s): php    CVE #(s): CVE-2007-2872 CVE-2007-2756
Created: June 1, 2007    Updated: January 29, 2008
Description: According to the vendor's release announcement, multiple security enhancements and fixes were included in version 5.2.3 of the PHP programming language.
SuSE SUSE-SA:2008:004 php4, php5 2008-01-29
Ubuntu USN-549-2 php5 2007-12-03
Red Hat RHSA-2007:0891-01 PHP 2007-10-25
Ubuntu USN-549-1 php5 2007-11-29
Red Hat RHSA-2007:0888-01 PHP 2007-10-23
Gentoo 200710-02 php 2007-10-07
Red Hat RHSA-2007:0889-01 PHP 2007-09-26
Fedora FEDORA-2007-709 php 2007-09-24
Mandriva MDKSA-2007:187 php 2007-09-21
Red Hat RHSA-2007:0890-02 PHP 2007-09-20
Fedora FEDORA-2007-2215 php 2007-09-18
rPath rPSA-2007-0188-1 php5 2007-09-17
Slackware SSA:2007-255-03 php 2007-09-13
rPath rPSA-2007-0117-1 gd 2007-06-07
Slackware SSA:2007-152-01 php5 2007-06-04
OpenPKG OpenPKG-SA-2007.020 php 2007-06-01
Arch Linux ASA-201701-1 libwmf 2017-01-01


php-pear: directory traversal

Package(s): php-pear    CVE #(s): CVE-2007-2519
Created: June 5, 2007    Updated: June 6, 2007
Description: Directory traversal vulnerability in the installer in PEAR 1.0 through 1.5.3 allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in the (1) install-as attribute in the file element in package.xml 1.0 or the (2) as attribute in the install element in package.xml 2.0. NOTE: it could be argued that this does not cross privilege boundaries in typical installations, since the code being installed could perform the same actions.
SUSE SUSE-SU-2013:1351-1 PHP5 2013-08-16
Mandriva MDKSA-2007:110 php-pear 2007-06-04


Sun JDK/JRE: multiple vulnerabilities

Package(s): Sun JDK/JRE    CVE #(s): CVE-2007-2435 CVE-2007-2788 CVE-2007-2789
Created: June 1, 2007    Updated: April 18, 2008
Description: An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files.
Gentoo 200804-20 sun-jre, sun-jdk 2008-04-17
Red Hat RHSA-2007:1086-01 java-1.4.2-bea 2007-12-12
Red Hat RHSA-2007:0817-01 java-1.4.2-ibm 2007-08-06
SuSE SUSE-SA:2007:045 Java 2007-07-18
Gentoo 200706-08 emul-linux-x86-java 2007-06-26
Gentoo 200705-23 Sun JDK/JRE 2007-05-31


wpa_supplicant: buffer overflow

Package(s): wpa_supplicant networkmanager    CVE #(s):
Created: June 5, 2007    Updated: June 6, 2007
Description: A buffer overflow flaw was found in the debugging code of Fedora's version of wpa_supplicant. This can be triggered by those using NetworkManager. It is recommended that users of wpa_supplicant or NetworkManager update to this package (and the accompanying NetworkManager packages) which removes the affected debug code.
Fedora FEDORA-2007-0186 NetworkManager 2007-06-04
Fedora FEDORA-2007-0185 wpa_supplicant 2007-06-04


Page editor: Jonathan Corbet

Copyright © 2007, Eklektix, Inc.