Security
Android's first vulnerability
A company's response to security vulnerabilities is always interesting to watch. Google has the reputation of being fairly cavalier regarding flaws reported in its code; the first security vulnerability reported for the Android mobile phone software appears to follow that pattern. Unfortunately for users of Android phones, though, Google's attitude and relatively slow response might some day lead to an "in the wild" exploit targeting the phones.
The flaw was first reported to Google on October 20 by Independent Security Evaluators (ISE), but was not patched for the G1 phone—the only shipping Android phone—until November 3. Details on the vulnerability are thin, but it affects the web browser and is caused by Google shipping an out-of-date component. Presumably a library or content handler was shipped with a known security flaw that could lead to code execution as the user id which runs the browser.
It should be noted that compromising the browser does not affect the rest of the phone due to Android's security architecture. Unlike the iPhone, separate applications are run as different users, so that phone functionality is isolated from the browser, instant messaging, and other tools. An iPhone compromise in any application can lead to the attacker being able to make phone calls and get access to private data associated with any application; clearly Google made a better choice than Apple.
One interesting recent development, though, is the availability of an application that provides a root-owned telnet daemon. With that running, a simple telnet session gets full access to the phone's filesystem. From there, jailbreaking—circumventing the restrictions placed by a carrier on applications—as well as unlocking the phone from a specific carrier are possible. While it is easy to see how that might be useful to the owner of an Android phone (even though it opens the phone to rather intrusive attacks), it probably is not what T-Mobile (and other carriers down the road) had in mind.
Google's first response to the vulnerability report was to whine that Charlie Miller, who discovered the flaw, was not being "responsible" by talking about it before a fix was ready. Miller did not disclose details, but did report the existence of—along with some general information about—the flaw. Google's previous reputation regarding vulnerability reporting, as well as how it treated Miller, undoubtedly played a role in his decision.
Perhaps the most galling thing is that the flaw was in a free software component that had been updated prior to the Android release to, at least in part, close that hole. It would seem that the Android team was not paying attention to security flaws reported in the free software components that make up the phone software stack. Hopefully, this particular occurrence will serve as a wake-up call on that front.
Given that the fix was already known, it is a bit puzzling that it would take two weeks for updates to become available. It was the first update made for Android phones in the field, but one hopes the bugs in that process were worked out long ago. Overall, Google's response leaves rather a lot to be desired.
If Google wants security researchers to be more "responsible" in their disclosure, it would be well served by looking at its own behavior. Taking too much time to patch a vulnerability—especially one with a known and presumably already tested fix—is not the way to show the security community that it takes such bugs seriously. Whining about disclosure rarely, if ever, goes anywhere; working in a partnership with folks who find security flaws is much more likely to bear fruit.
New vulnerabilities
apache tomcat: restriction bypass
Package(s): tomcat5, apache-jakarta-tomcat-connectors
CVE #(s): CVE-2008-3271
Created: October 31, 2008
Updated: November 5, 2008
Description: From the CVE entry: Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another request but in a different thread, leading to an instance-variable overwrite associated with a "synchronization problem" and lack of thread safety, and related to RemoteFilterValve, RemoteAddrValve, and RemoteHostValve.
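The CVE text describes the general shape of the Tomcat bug: a valve that serves every worker thread keeps per-request state in an instance field, so a second request processed at the same time can overwrite that field between the moment it is set and the moment it is checked. The following is an added illustration written for this page, not Tomcat's code: a toy address-restriction valve in Python with the flawed shared-field design next to a version that keeps request state local, and a two-thread harness that forces the losing interleaving with events so the result is deterministic. The allow pattern and the two client addresses are constructed sample values.

```python
import re
import threading


class SharedStateAddrValve:
    """Flawed design (constructed model, not Tomcat's code): the address of the
    request currently being checked lives in an instance field, and a single
    valve instance serves every worker thread, so the field is shared."""

    def __init__(self, allow_patterns):
        self.allow = [re.compile(p) for p in allow_patterns]
        self.current_addr = None  # shared across threads: the defect

    def record(self, remote_addr):
        # Step 1 of handling a request: stash the client address in the field.
        self.current_addr = remote_addr

    def decide(self):
        # Step 2: check whatever address is in the field right now, which may
        # already belong to a different request running on another thread.
        return any(p.fullmatch(self.current_addr) for p in self.allow)


class LocalStateAddrValve:
    """Hardened design: per-request data stays in a local variable, so the
    shared instance only holds the immutable compiled allow list."""

    def __init__(self, allow_patterns):
        self.allow = [re.compile(p) for p in allow_patterns]

    def is_allowed(self, remote_addr):
        return any(p.fullmatch(remote_addr) for p in self.allow)


def race_shared_valve(allow_patterns, addr_a, addr_b):
    """Run two requests on two threads through one SharedStateAddrValve and force
    the interleaving record(A), record(B), decide(A), decide(B) with events.
    Returns (decision_for_A, decision_for_B)."""
    valve = SharedStateAddrValve(allow_patterns)
    a_recorded = threading.Event()
    b_recorded = threading.Event()
    result = {}

    def worker_a():
        valve.record(addr_a)
        a_recorded.set()
        b_recorded.wait()  # thread B overwrites current_addr in the meantime
        result["a"] = valve.decide()

    def worker_b():
        a_recorded.wait()
        valve.record(addr_b)
        b_recorded.set()
        result["b"] = valve.decide()

    threads = [threading.Thread(target=worker_a), threading.Thread(target=worker_b)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return result["a"], result["b"]


def check_local_valve(allow_patterns, addr_a, addr_b):
    """The same two addresses through the hardened valve: with no shared mutable
    state the decisions cannot be mixed up, whatever the thread interleaving."""
    valve = LocalStateAddrValve(allow_patterns)
    return valve.is_allowed(addr_a), valve.is_allowed(addr_b)


if __name__ == "__main__":
    allow = [r"10\.0\.0\.\d+"]                        # only 10.0.0.x is allowed
    untrusted, trusted = "203.0.113.7", "10.0.0.5"   # constructed sample addresses
    print("shared field:", race_shared_valve(allow, untrusted, trusted))  # (True, True)
    print("local state: ", check_local_valve(allow, untrusted, trusted))  # (False, True)
```

With the shared field, the untrusted request A is admitted because request B's address was sitting in the field when A's check ran; the local-state valve returns the right answer for both. The same fix applies to any filter that is instantiated once and run on a thread pool: anything that varies per request must not live on the shared object.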
dovecot: negative rights in ACL plugin
Package(s): dovecot
CVE #(s): CVE-2008-4577
Created: October 30, 2008
Updated: September 28, 2009
Description: dovecot has a restriction bypass vulnerability. From the vulnerability database entry: The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
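The entry's one sentence hides a whole class of ACL bug: an entry meant to take rights away is instead evaluated as one that grants them. The following is an added example written for this page, not Dovecot's code. It models a simplified ACL file format (an identifier such as `user=alice`, `group=staff` or `anyone`, followed by single-letter rights; a leading `-` on the identifier marks a negative entry) and computes a user's effective rights two ways: the flawed way, which merges every matching entry's rights regardless of sign, and the correct way, which subtracts negative entries after positive ones have been collected. The ACL text and user names are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    identifier: str       # "user=<name>", "group=<name>" or "anyone"
    rights: frozenset     # single-letter rights, e.g. {"l", "r", "w"}
    negative: bool        # True when the entry was written with a leading "-"


def parse_acl(text):
    """Parse the simplified ACL format (constructed for this example):
    one entry per line, '<identifier> <rights>', '-' prefix = negative entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ident, _, rights = line.partition(" ")
        negative = ident.startswith("-")
        entries.append(AclEntry(ident.lstrip("-"), frozenset(rights.strip()), negative))
    return entries


def matches(identifier, user, groups):
    """Does an entry's identifier apply to this user?"""
    if identifier == "anyone":
        return True
    kind, _, name = identifier.partition("=")
    if kind == "user":
        return name == user
    if kind == "group":
        return name in groups
    return False


def effective_rights_flawed(entries, user, groups):
    """The defect the advisory describes: the sign of an entry is ignored, so a
    negative entry adds rights exactly like a positive one."""
    rights = set()
    for e in entries:
        if matches(e.identifier, user, groups):
            rights |= e.rights
    return frozenset(rights)


def effective_rights(entries, user, groups):
    """Correct evaluation: collect granted and revoked rights separately, then
    remove everything a matching negative entry names."""
    granted, revoked = set(), set()
    for e in entries:
        if matches(e.identifier, user, groups):
            (revoked if e.negative else granted).update(e.rights)
    return frozenset(granted - revoked)


# Constructed sample ACL: staff may list, read and write; mallory (a staff
# member) must not write; eve has only a negative entry and no positive one.
SAMPLE_ACL = """
group=staff lrw
-user=mallory w
-user=eve lr
"""


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for user, groups in (("mallory", {"staff"}), ("eve", set()), ("bob", set())):
        print(user,
              "flawed:", sorted(effective_rights_flawed(acl, user, groups)),
              "correct:", sorted(effective_rights(acl, user, groups)))
```

The `eve` case is the interesting one: she has no positive entry at all, yet the flawed evaluator hands her the very rights the negative entry was written to withhold. A useful regression test for any ACL implementation is exactly this shape: a principal whose only matching entries are negative must end up with nothing.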
enscript: stack overflows
Package(s): enscript
CVE #(s): CVE-2008-3863, CVE-2008-4306
Created: November 4, 2008
Updated: December 16, 2008
Description: From the Ubuntu alert: Ulf Härnhammar discovered multiple stack overflows in enscript's handling of special escape arguments. If a user or automated system were tricked into processing a malicious file with the "-e" option enabled, a remote attacker could execute arbitrary code or cause enscript to crash, possibly leading to a denial of service.
graphviz: stack-based buffer overflow
Package(s): graphviz
CVE #(s): CVE-2008-4555
Created: October 31, 2008
Updated: December 7, 2009
Description: From the CVE entry: Stack-based buffer overflow in the push_subg function in parser.y (lib/graph/parser.c) in Graphviz 2.20.2, and possibly earlier versions, allows user-assisted remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a DOT file with a large number of Agraph_t elements.
kernel: buffer overflow
Package(s): kernel
CVE #(s): CVE-2008-3496
Created: November 3, 2008
Updated: November 5, 2008
Description: From the Mandriva advisory: Buffer overflow in format descriptor parsing in the uvc_parse_format function in drivers/media/video/uvc/uvc_driver.c in uvcvideo in the video4linux (V4L) implementation in the Linux kernel before 2.6.26.1 has unknown impact and attack vectors. (CVE-2008-3496)
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2006-5755
Created: November 4, 2008
Updated: November 5, 2008
Description: From the Red Hat alert: A flaw was found in the Linux kernel when running on AMD64 systems. During a context switch, EFLAGS were being neither saved nor restored. This could allow a local unprivileged user to cause a denial of service.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2008-3527
Created: November 4, 2008
Updated: December 16, 2008
Description: From the Red Hat alert: Tavis Ormandy reported missing boundary checks in the Virtual Dynamic Shared Objects (vDSO) implementation. This could allow a local unprivileged user to cause a denial of service or escalate privileges.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2007-5907
Created: November 4, 2008
Updated: November 5, 2008
Description: From the Red Hat alert: The Xen implementation did not prevent applications running in a para-virtualized guest from modifying CR4 TSC. This could cause a local denial of service.
libgadu: denial of service
Package(s): libgadu
CVE #(s): CVE-2008-4776
Created: October 31, 2008
Updated: December 21, 2010
Description: From the CVE entry: libgadu before 1.8.2 allows remote servers to cause a denial of service (crash) via a contact description with a large length, which triggers a buffer over-read.
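The libgadu entry is a textbook length-field bug: a server-supplied length is trusted and the parser reads that many bytes whether or not they exist in the buffer. The following is an added example written for this page, not libgadu's code, and it uses a constructed record layout (a little-endian 32-bit user number, a one-byte description length, then the description bytes) rather than the real Gadu-Gadu wire format. It shows a parser that validates the declared length against the bytes actually remaining, and a helper that reports how far past the end a trusting parser would read on the same input. The sample messages are constructed.

```python
import struct


class TruncatedMessage(ValueError):
    """Raised when a length field claims more bytes than the buffer holds."""


# Constructed record layout for this example (not libgadu's wire format):
# uint32 little-endian user number, uint8 description length, description bytes.
HEADER = struct.Struct("<IB")


def parse_contact_entry(buf):
    """Parse one record from the start of buf, checking the declared description
    length against the bytes actually present. Returns (uin, description, rest)."""
    if len(buf) < HEADER.size:
        raise TruncatedMessage("record header incomplete")
    uin, desc_len = HEADER.unpack_from(buf, 0)
    end = HEADER.size + desc_len
    if end > len(buf):
        raise TruncatedMessage(
            f"description claims {desc_len} bytes but only {len(buf) - HEADER.size} remain")
    return uin, bytes(buf[HEADER.size:end]), buf[end:]


def parse_contact_list(buf):
    """Parse consecutive records until the buffer is consumed."""
    entries = []
    while buf:
        uin, desc, buf = parse_contact_entry(buf)
        entries.append((uin, desc))
    return entries


def accepts(buf):
    """True when the whole buffer parses as well-formed records."""
    try:
        parse_contact_list(buf)
        return True
    except TruncatedMessage:
        return False


def unchecked_overread(buf):
    """How many bytes a parser that simply trusts desc_len would read past the
    end of buf (0 when the record fits). Python slicing would silently truncate;
    a C implementation reads memory beyond the buffer, which is the crash the
    CVE entry describes."""
    _, desc_len = HEADER.unpack_from(buf, 0)
    return max(0, HEADER.size + desc_len - len(buf))


def build_entry(uin, description):
    """Serialise one record (used only to construct the sample inputs)."""
    return HEADER.pack(uin, len(description)) + description


# Constructed sample messages: a well-formed two-entry list, and a record whose
# length byte (255) is far larger than the three bytes that actually follow it.
WELL_FORMED = build_entry(1234, b"hi") + build_entry(5678, b"there")
OVERSIZED = HEADER.pack(9999, 255) + b"abc"


if __name__ == "__main__":
    print(parse_contact_list(WELL_FORMED))   # [(1234, b'hi'), (5678, b'there')]
    print(unchecked_overread(OVERSIZED))     # 252
    try:
        parse_contact_list(OVERSIZED)
    except TruncatedMessage as e:
        print("rejected:", e)
```

The check `end > len(buf)` is the whole fix; everything else is bookkeeping. When auditing a parser for this class of bug, look for every place a length read from the message is used as a slice bound, a memcpy size or a loop limit, and confirm it is compared against the remaining input before use.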
libtirpc: denial of service
Package(s): libtirpc
CVE #(s): CVE-2008-4619
Created: October 30, 2008
Updated: November 5, 2008
Description: libtirpc performs incorrect handling of negative rights in the ACL plugin. From the Red Hat Bug description: The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
ndiswrapper: buffer overflow
Package(s): ndiswrapper
CVE #(s): CVE-2008-4395
Created: November 5, 2008
Updated: March 3, 2009
Description: The out-of-tree ndiswrapper kernel module does not properly handle long ESSIDs, enabling remote code-execution attacks.
net-snmp: denial of service
Package(s): net-snmp
CVE #(s): CVE-2008-4309
Created: November 3, 2008
Updated: July 20, 2009
Description: From the Red Hat advisory: A denial-of-service flaw was found in the way Net-SNMP processes SNMP GETBULK requests. A remote attacker who issued a specially-crafted request could cause the snmpd server to crash. (CVE-2008-4309)
nfs-client: access restriction bypass
Package(s): nfs-client
CVE #(s): CVE-2008-4552
Created: October 30, 2008
Updated: September 16, 2009
Description: nfs-client has an access restriction bypass vulnerability. From the rPath alert: Previous versions of the nfs-utils package contain a bug that causes NIS netgroup restrictions to be ignored by TCP Wrappers, which may allow remote attackers to bypass intended access restrictions.
openoffice.org: multiple vulnerabilities
Package(s): openoffice.org
CVE #(s): CVE-2008-2237, CVE-2008-2238
Created: October 30, 2008
Updated: January 13, 2009
Description: openoffice.org has two file parser vulnerabilities. From the Debian alert: CVE-2008-2237: The SureRun Security team discovered a bug in the WMF file parser that can be triggered by manipulated WMF files and can lead to heap overflows and arbitrary code execution. CVE-2008-2238: An anonymous researcher working with iDefense discovered a bug in the EMF file parser that can be triggered by manipulated EMF files and can lead to heap overflows and arbitrary code execution.
opera: multiple vulnerabilities
Package(s): opera
CVE #(s): CVE-2008-4195, CVE-2008-4196, CVE-2008-4197, CVE-2008-4198, CVE-2008-4199, CVE-2008-4200, CVE-2008-4292, CVE-2008-4694, CVE-2008-4695, CVE-2008-4696, CVE-2008-4697, CVE-2008-4698, CVE-2008-4794, CVE-2008-4795
Created: November 4, 2008
Updated: November 5, 2008
Description: The Opera browser has multiple vulnerabilities. From the Gentoo alert: Opera does not restrict the ability of a framed web page to change the address associated with a different frame (CVE-2008-4195). Chris Weber (Casaba Security) discovered a cross-site scripting vulnerability (CVE-2008-4196). Michael A. Puls II discovered that Opera can produce argument strings that contain uninitialized memory when processing custom shortcut and menu commands (CVE-2008-4197). Lars Kleinschmidt discovered that Opera, when rendering an HTTP page that has loaded an HTTPS page into a frame, displays a padlock icon and offers a security information dialog reporting a secure connection (CVE-2008-4198). Opera does not prevent use of links from web pages to feed source files on the local disk (CVE-2008-4199). Opera does not ensure that the address field of a news feed represents the feed's actual URL (CVE-2008-4200). Opera does not check the CRL override upon encountering a certificate that lacks a CRL (CVE-2008-4292). Chris (Matasano Security) reported that Opera may crash if it is redirected by a malicious page to a specially crafted address (CVE-2008-4694). Nate McFeters reported that Opera runs Java applets in the context of the local machine if that applet has been cached and a page can predict the cache path for that applet and load it from the cache (CVE-2008-4695). Roberto Suggi Liverani (Security-Assessment.com) reported that Opera's History Search results do not escape certain constructs correctly, allowing for the injection of scripts into the page (CVE-2008-4696). David Bloom reported that Opera's Fast Forward feature incorrectly executes scripts from a page held in a frame in the outermost page instead of the page in which the JavaScript URL was located (CVE-2008-4697). David Bloom reported that Opera does not block some scripts when previewing a news feed (CVE-2008-4698). Opera does not correctly sanitize content when certain parameters are passed to Opera's History Search, allowing scripts to be injected into the History Search results page (CVE-2008-4794). Opera's links panel incorrectly causes scripts from a page held in a frame to be executed in the outermost page instead of the page where the URL was located (CVE-2008-4795).
phpMyAdmin: cross-site scripting
Package(s): phpMyAdmin
CVE #(s): CVE-2008-4775
Created: October 31, 2008
Updated: March 19, 2009
Description: From the CVE entry: Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin 3.0.0, and possibly other versions including 2.11.9.2 and 3.0.1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the db parameter, a different vector than CVE-2006-6942 and CVE-2007-5977.
samba: denial of service
Package(s): samba
CVE #(s): (none listed)
Created: November 5, 2008
Updated: November 5, 2008
Description: From the rPath advisory: Previous versions of the samba package contain a race condition which may lead to a crash of the winbindd daemon (Denial of Service).
Page editor: Jonathan Corbet