

Firefox security add-ons

January 21, 2009

This article was contributed by Bruce Byfield

From a security perspective, Firefox add-ons are a nightmare. If you read the legal notice, even on the official download site, Mozilla neither reviews add-ons nor assumes any responsibility for the consequences of using them. Yet any add-on could open unexpected vulnerabilities — at times because of the unexpected consequences of using several in combination — and they provide a new door to your system for crackers. As if to mitigate such concerns, the last year has seen a steady trickle of security-focused add-ons — and more are on the way. Some of these extensions control how you browse individual web pages, and others alter how Firefox uses passwords, cookies, and scripts, but, if you choose carefully, you should have no trouble finding several that can greatly improve your security while browsing.

Different security for different sites

One of the simplest security-oriented extensions is PrefSwitch. All PrefSwitch does is add a series of icons to the status bar at the bottom of the browsing window for changing existing Firefox preferences, such as the ones for handling JavaScript, frames, and images. Yet, by making these controls accessible, instead of buried several layers down in Edit -> Preferences, PrefSwitch makes it easier for you to change preferences for each web page. You will still want to add continually visited sites to the exceptions defined in Preferences, but, for on-the-fly browsing, PrefSwitch is more convenient.

By contrast, SecureBrowse takes a more organized approach, offering three sets of preferences for security and privacy that you can assign to each site. The add-on includes a pre-defined set of "Sensitive Sites" — mostly banks and popular sites such as Flickr and Slashdot — that you can edit and extend as you choose.

Still another approach is used by Karma Blocker, which rates the sites you visit according to how they access Mozilla's chrome files (so you can see if anything non-standard is happening) and the resources they use from other sites (the apparent assumption being that a malicious script is likely to be hidden on another site, and that the more off-site resources are used, the more likely cracker activity is). If a site is rated above a certain karma — the default is 100 — then Karma Blocker prevents access to it unless you specifically add the site to the extension's white list. To help you evaluate the automatic rating, you can monitor what Karma Blocker reports and decide for yourself whether a given use is harmless. The monitoring is especially useful because, as you soon discover, many modern sites use off-site resources for harmless reasons — for instance, to link to a graphic on Flickr. One drawback is that Karma Blocker's configuration is a plain text file, which might intimidate less experienced users.

Passwords and cookies

If you are concerned about password security, an extension to start with is Master Password Timeout. Its sole purpose is to add a control that should have been in default Firefox long ago: an expiry time in seconds for the master password — set in Edit -> Preferences -> Security — which protects access to the site passwords stored by Firefox.

For more detailed control of passwords, you can install Password Hasher. Password Hasher replaces your password on sites with a master key and a hash; you enter the hash to prevent your keystrokes from being monitored. It also obscures passwords as you enter them to prevent anyone who is physically present from learning any details about them, such as the number of characters. It also enforces a minimum size and contents for passwords, and, like the Master Password Timeout extension, limits the time that the master password remains in effect once entered.

Cookies are reasonably well handled by Firefox, though you will find a number of add-ons to make control easier. By using Cookie Watcher, you can view and edit cookies in more detail than when you click the Show Cookies button on the Privacy tab in Edit -> Preferences. By contrast, Extended Cookie Manager and Cookie Context take a different approach, adding pop-up controls directly on each web page.

However, none of the extensions for handling standard cookies is much good against the new generation of Super Cookies, such as the Local Shared Objects deposited on your system by Flash or click-pings (scripts that record when you select certain items on a web page, allowing your activities to be detected and logged). Both Local Shared Objects and click-pings are frequently used for reasons no more malicious than any cookie, but the point is that such items are generally stored outside Mozilla's usual cookie folders, and are therefore not removed when you remove cookies using Edit -> Preferences -> Privacy -> Cookies. Fortunately, you can remove Super Cookies with Better Privacy, which provides an insightful and rather alarming glimpse of what can creep into your home directory without your knowledge.

Script controls

Other extensions change how Firefox works with scripts. Controle de Scripts, for instance, specifically targets JavaScript, a language that is praised and discouraged in almost equal measure. The default Firefox preferences give you half a dozen options for specifying what you will allow JavaScript to do to your browser window, but Controle de Scripts allows you to control another half-dozen basic JavaScript actions, as well as the behavior of pop-up windows and the maximum time that a script is allowed to run. You can also set your own limitations, provided you are familiar enough with JavaScript to know what you might want to prevent.

But by far the most comprehensive extension for controlling scripts is NoScript. NoScript is a detailed set of controls for Java, Flash, and Silverlight, as well as frame and iframe tags (both of which could potentially be used to embed a malicious script), and HTTPS-carried content. All these settings, as well as a whitelist, can be set globally from Tools -> Add-ons -> NoScript -> Preferences, or for individual sites from the icon in the lower right of the status bar at the bottom of the Firefox window.

As you might expect from the name, NoScript begins with the sound security practice of forbidding scripts on every site except for those entered by default on the whitelist. That means that you need patience to bring NoScript to a state with which you can live, especially since the white list is all or nothing — either you allow all types of scripts to be run on a site, or none. Still, the Preferences tab in Tools -> Add-ons links to clear and comprehensive help, and the end results will be peace of mind if you persist.

These are just the most useful security extensions I've encountered. If you check under Privacy and Security on the Add-on site, you can find dozens more. You might especially want to note some of the extensions currently marked as experimental, such as Content Security Policy, Policy Manager, Magic Password Generator and Startup Master. These extensions are not quite ready for you to rely on them, but together they suggest that even more security options will soon be available for Firefox users.


Security reports

Enterprise Linux 5.2 to 5.3 risk report (Red Hat Magazine)

Red Hat's Mark Cox has put out another risk report looking at the vulnerabilities fixed from RHEL 5.2 until today's release of RHEL 5.3. In the report, he looks at the number of vulnerabilities as well as the time it took to fix them. "In fact, for Red Hat Enterprise Linux 5 since release and to date, every critical vulnerability has had an update to address it available from the Red Hat Network either the same day or the next calendar day after the issue was public."


New vulnerabilities

amarok: integer overflows

Package(s): amarok   CVE #(s): CVE-2009-0135 CVE-2009-0136
Created: January 16, 2009   Updated: December 9, 2009
Description: From the Debian advisory: Tobias Klein discovered that integer overflows in the code the Amarok media player uses to parse Audible files may lead to the execution of arbitrary code.
Mandriva MDVSA-2009:030-1 amarok 2009-12-08
Gentoo 200903-34 amarok 2009-03-20
Ubuntu USN-739-1 amarok 2009-03-17
Mandriva MDVSA-2009:030 amarok 2008-01-26
SuSE SUSE-SR:2009:003 boinc-client, xrdp, phpMyAdmin, libnasl, moodle, net-snmp, audiofile, xterm, amarok, libpng, sudo, avahi 2009-02-02
Fedora FEDORA-2009-0715 amarok 2009-01-21
Debian DSA-1706-1 amarok 2009-01-15


bind: load problem

Package(s): bind   CVE #(s): (none)
Created: January 16, 2009   Updated: January 21, 2009
Description: From the Slackware advisory: Updated bind packages are available for Slackware 10.2 and 11.0 to address a load problem. It was reported that the initial build of these updates complained that the Linux capability module was not present and would refuse to load. It was determined that the packages were compiled on 10.2 and 11.0 systems running 2.6 kernels, and although the installed kernel headers are from 2.4.x, the build picked up on this, resulting in packages that would only run under 2.4 kernels.
Slackware SSA:2009-015-01 bind 2009-01-16


drupal: multiple vulnerabilities

Package(s): drupal   CVE #(s): (none)
Created: January 19, 2009   Updated: January 21, 2009

From the drupal advisory:

Access Bypass: The Content Translation module for Drupal 6.x enables users to make a translation of an existing item of content (a node). In that process the existing node's content is copied into the new node's submission form. The module contains a flaw that allows a user with the 'translate content' permission to potentially bypass normal viewing access restrictions, for example allowing the user to see the content of unpublished nodes even if they do not have permission to view unpublished nodes.

Validation Bypass: When user profile pictures are enabled, the default user profile validation function will be bypassed, possibly allowing invalid user names or e-mail addresses to be submitted.

Hardening against SQL injection: A parameter passed into the node access API was not properly escaped or validated before being used in SQL queries. While there is no direct risk of SQL injection from Drupal core, it's possible that this could have presented a risk in combination with a contributed module. Additional validation has been added to eliminate this risk.

Fedora FEDORA-2009-0653 drupal 2009-01-16
Fedora FEDORA-2009-0678 drupal 2009-01-16


ffmpeg: several vulnerabilities

Package(s): ffmpeg   CVE #(s): CVE-2008-4866 CVE-2008-4867
Created: January 16, 2009   Updated: April 29, 2009
Description: From the Mandriva advisory: Several vulnerabilities have been discovered in ffmpeg, related to the execution of DTS generation code (CVE-2008-4866) and incorrect handling of DCA_MAX_FRAME_SIZE value (CVE-2008-4867).
Debian DSA-1782-1 mplayer 2009-04-29
Gentoo 200903-33 ffmpeg 2009-03-19
Ubuntu USN-734-1 ffmpeg, ffmpeg-debian 2009-03-16
Mandriva MDVSA-2009:015 ffmpeg 2008-01-15


git: shell command execution

Package(s): git-core   CVE #(s): CVE-2008-5516
Created: January 20, 2009   Updated: March 9, 2009
Description: From the Debian advisory: It was discovered that gitweb, the web interface for the Git version control system, contained several vulnerabilities: Remote attackers could use crafted requests to execute shell commands on the web server, using the snapshot generation and pickaxe search functionality. See also CVE-2008-5517.
Gentoo 200903-15 git 2009-03-09
Slackware SSA:2009-051-02 git 2009-02-23
Ubuntu USN-723-1 git-core 2009-02-18
Debian DSA-1708-1 git-core 2009-01-19


kernel: buffer underflow

Package(s): kernel   CVE #(s): CVE-2008-5702
Created: January 15, 2009   Updated: June 8, 2009
Description: The kernel has a buffer underflow vulnerability. From the vulnerability database entry: Buffer underflow in the ibwdt_ioctl function in drivers/watchdog/ib700wdt.c in the Linux kernel before 2.6.28-rc1 might allow local users to have an unknown impact via a certain /dev/watchdog WDIOC_SETTIMEOUT IOCTL call.
SuSE SUSE-SA:2009:030 kernel 2009-06-08
Debian DSA-1794-1 linux-2.6 2009-05-06
Debian DSA-1787-1 linux-2.6.24 2009-05-02
SuSE SUSE-SA:2009:010 kernel 2009-02-26
Ubuntu USN-714-1 linux-source-2.6.15/22, linux 2009-01-29
Ubuntu USN-715-1 linux 2009-01-29
SuSE SUSE-SA:2009:003 kernel-debug 2009-01-20
CentOS CESA-2009:0014 kernel 2009-01-15


kernel: denial of service

Package(s): kernel-debug   CVE #(s): CVE-2008-5700
Created: January 20, 2009   Updated: May 4, 2009
Description: From the SUSE advisory: libata did not set minimum timeouts for SG_IO requests, which allows local users to cause a denial of service (Programmed I/O mode on drives) via multiple simultaneous invocations of an unspecified test program.
Debian DSA-1787-1 linux-2.6.24 2009-05-02
CentOS CESA-2009:0331 kernel 2009-04-20
CentOS CESA-2009:0326 kernel 2009-04-01
Red Hat RHSA-2009:0326-01 kernel 2009-04-01
Red Hat RHSA-2009:0331-01 kernel 2009-03-12
SuSE SUSE-SA:2009:010 kernel 2009-02-26
Red Hat RHSA-2009:0053-01 kernel 2009-02-04
Ubuntu USN-714-1 linux-source-2.6.15/22, linux 2009-01-29
SuSE SUSE-SA:2009:003 kernel-debug 2009-01-20
Ubuntu USN-715-1 linux 2009-01-29


kvm: arbitrary code execution

Package(s): kvm   CVE #(s): CVE-2007-5729
Created: January 19, 2009   Updated: January 21, 2009

From the SUSE advisory:

Virtualized guests could potentially execute code on the host by triggering a buffer overflow in the network emulation code via large ethernet frames (CVE-2007-5729)

SuSE SUSE-SR:2009:002 imlib2, valgrind, kvm, cups, lynx, xterm 2009-01-19


netatalk: command injection vulnerability

Package(s): netatalk   CVE #(s): CVE-2008-5718
Created: January 16, 2009   Updated: March 26, 2009
Description: From the Debian advisory: It was discovered that netatalk, an implementation of the AppleTalk suite, is affected by a command injection vulnerability when processing PostScript streams via papd. This could lead to the execution of arbitrary code. Please note that this only affects installations that are configured to use a pipe command in combination with wildcard symbols substituted with values of the printed job.
Fedora FEDORA-2009-3069 netatalk 2009-03-26
Fedora FEDORA-2009-3064 netatalk 2009-03-26
SuSE SUSE-SR:2009:004 apache, audacity, dovecot, libtiff-devel, libvirt, mediawiki, netatalk, novell-ipsec-tools, opensc, perl, phpPgAdmin, sbl, sblim-sfcb, squirrelmail, swfdec, tomcat5, virtualbox, websphere-as_ce, wine, xine-devel 2009-02-17
Debian DSA-1704-2 netatalk 2009-01-30
Debian DSA-1705-1 netatalk 2009-01-15


shadow: privilege escalation

Package(s): shadow   CVE #(s): CVE-2008-5394
Created: January 21, 2009   Updated: March 11, 2009

From the Debian advisory:

Paul Szabo discovered that login, the system login tool, did not correctly handle symlinks while setting up tty permissions. If a local attacker were able to gain control of the system utmp file, they could cause login to change the ownership and permissions on arbitrary files, leading to a root privilege escalation.

Gentoo 200903-24 shadow 2009-03-10
Mandriva MDVSA-2009:062 shadow-utils 2008-03-02
Debian DSA-1709-1 shadow 2009-01-21


squirrelmail: session handling flaw

Package(s): squirrelmail   CVE #(s): CVE-2009-0030
Created: January 20, 2009   Updated: February 17, 2009
Description: From the Red Hat advisory: The Red Hat SquirrelMail packages provided by the RHSA-2009:0010 advisory introduced a session handling flaw. Users who logged back into SquirrelMail without restarting their web browsers were assigned fixed session identifiers. A remote attacker could make use of that flaw to hijack user sessions.
SuSE SUSE-SR:2009:004 apache, audacity, dovecot, libtiff-devel, libvirt, mediawiki, netatalk, novell-ipsec-tools, opensc, perl, phpPgAdmin, sbl, sblim-sfcb, squirrelmail, swfdec, tomcat5, virtualbox, websphere-as_ce, wine, xine-devel 2009-02-17
CentOS CESA-2009:0057 squirrelmail 2009-01-19
Red Hat RHSA-2009:0057-01 squirrelmail 2009-01-19


valgrind: arbitrary code execution

Package(s): imlib2, valgrind, kvm, cups, lynx, xterm   CVE #(s): CVE-2008-4865
Created: January 19, 2009   Updated: February 26, 2009

From the CVE entry:

Untrusted search path vulnerability in valgrind before 3.4.0 allows local users to execute arbitrary programs via a Trojan horse .valgrindrc file in the current working directory, as demonstrated using a malicious --db-command option. NOTE: the severity of this issue has been disputed, but CVE is including this issue because execution of a program from an untrusted directory is a common scenario.

Mandriva MDVSA-2009:057 valgrind 2009-02-26
Gentoo 200902-03 valgrind 2009-02-12
SuSE SUSE-SR:2009:002 imlib2, valgrind, kvm, cups, lynx, xterm 2009-01-19


virtualbox: symlink vulnerability

Package(s): virtualbox   CVE #(s): CVE-2008-5256
Created: January 15, 2009   Updated: February 17, 2009
Description: virtualbox has a symlink vulnerability. From the Mandriva alert: A vulnerability has been discovered and corrected in VirtualBox, affecting versions prior to 2.0.6, which allows local users to overwrite arbitrary files via a symlink attack on a /tmp/.vbox-qateam-ipc/lock temporary file.
SuSE SUSE-SR:2009:004 apache, audacity, dovecot, libtiff-devel, libvirt, mediawiki, netatalk, novell-ipsec-tools, opensc, perl, phpPgAdmin, sbl, sblim-sfcb, squirrelmail, swfdec, tomcat5, virtualbox, websphere-as_ce, wine, xine-devel 2009-02-17
Mandriva MDVSA-2009:011 virtualbox 2009-01-14
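The VirtualBox entry above is an instance of the classic temporary-file symlink problem: a privileged process creates or truncates a file at a predictable path under /tmp, and a local user who plants a symlink there first redirects that write to any file of their choosing. The following is an added illustration, not VirtualBox's own code; the lock path and the victim file are constructed in a scratch directory purely for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE       /* mkdtemp(), O_NOFOLLOW on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: create-or-truncate on a predictable path. If another
 * local user has planted a symlink there, open() follows it and the link
 * target is truncated with this process's privileges. */
int create_lock_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: O_EXCL fails if anything (a symlink included) already
 * exists at the path, O_NOFOLLOW refuses symlinks outright, and 0600 keeps
 * other users from touching the lock. Any failure is treated as hostile. */
int create_lock_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Demonstration on a scratch directory (constructed, not a VirtualBox path):
 * plants the symlink an attacker would leave, then shows the unsafe open
 * truncating the victim while the safe open refuses. Returns 1 when both
 * behaviours are observed, 0 otherwise, -1 on setup failure. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/lock-demo-XXXXXX", victim[64], lock[64];
    struct stat st;
    int fd, unsafe_followed, safe_refused;
    ssize_t n;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/lock", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);   /* file worth protecting */
    if (fd < 0)
        return -1;
    n = write(fd, "important\n", 10);
    close(fd);
    if (n != 10 || symlink(victim, lock) != 0)     /* attacker: lock -> victim */
        return -1;
    fd = create_lock_unsafe(lock);
    if (fd >= 0)
        close(fd);
    unsafe_followed = (fd >= 0 && stat(victim, &st) == 0 && st.st_size == 0);
    fd = create_lock_safe(lock);
    safe_refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0)
        close(fd);
    unlink(lock); unlink(victim); rmdir(dir);
    return unsafe_followed && safe_refused;
}
```

Using mkstemp() for the file itself, or a per-user directory that is not world-writable, removes the predictable path entirely; the O_EXCL|O_NOFOLLOW check is the minimum when the path must stay fixed.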


xine-lib: multiple vulnerabilities

Package(s): xine-lib   CVE #(s): CVE-2008-5234 CVE-2008-5236 CVE-2008-5237 CVE-2008-5239 CVE-2008-5240 CVE-2008-5243
Created: January 15, 2009   Updated: June 1, 2010
Description: xine-lib has multiple vulnerabilities. The project release notes have more details:
- Heap overflow in Quicktime atom parsing. (CVE-2008-5234 vector 1)
- Multiple buffer overflows. (CVE-2008-5236)
- Multiple integer overflows. (CVE-2008-5237)
- Unchecked read function results. (CVE-2008-5239)
- Unchecked malloc using untrusted values. (CVE-2008-5240 vectors 3 & 4)
- Buffer indexing using an untrusted value. (CVE-2008-5243)
Gentoo 201006-04 xine-lib 2010-06-01
Mandriva MDVSA-2009:319 xine-lib 2009-12-05
Ubuntu USN-746-1 xine-lib 2009-03-26
SuSE SUSE-SR:2009:004 apache, audacity, dovecot, libtiff-devel, libvirt, mediawiki, netatalk, novell-ipsec-tools, opensc, perl, phpPgAdmin, sbl, sblim-sfcb, squirrelmail, swfdec, tomcat5, virtualbox, websphere-as_ce, wine, xine-devel 2009-02-17
Fedora FEDORA-2009-1524 xine-lib 2009-02-12
Fedora FEDORA-2009-1525 xine-lib 2009-02-12
Ubuntu USN-710-1 xine-lib 2009-01-26
Fedora FEDORA-2009-0483 xine-lib 2009-01-14
Fedora FEDORA-2009-0542 xine-lib 2009-01-14
Mandriva MDVSA-2009:020 xine-lib 2009-01-21
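The amarok entry (integer overflows while parsing Audible files) and the xine-lib entry (integer overflows, unchecked malloc using untrusted values) describe the same bug class: a count and an element size read from the file are multiplied without checking for wrap-around, so a crafted header yields a tiny allocation that the subsequent copy overruns. The following is an added illustration, not code from either project; the 8-byte header layout (32-bit count, 32-bit element size, then the table) is a constructed stand-in for whatever the real containers use.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Little-endian 32-bit read, the way a media-container parser pulls
 * counts and sizes out of a file header. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked size computation: count * elem_size wraps in 32 bits, so a
 * crafted header yields a tiny allocation that the later copy overruns.
 * Returns the number of bytes it would hand to malloc(). */
uint32_t table_bytes_unchecked(const uint8_t *hdr)
{
    uint32_t count = rd_le32(hdr), elem = rd_le32(hdr + 4);
    return count * elem;
}

/* Checked version: reject a product that would wrap and a size the file
 * cannot actually contain. Returns 0 on rejection, the byte size otherwise. */
uint32_t table_bytes_checked(const uint8_t *hdr, size_t avail)
{
    uint32_t count = rd_le32(hdr), elem = rd_le32(hdr + 4);
    if (count == 0 || elem == 0)
        return 0;
    if (count > UINT32_MAX / elem)      /* multiplication would overflow */
        return 0;
    uint32_t bytes = count * elem;
    if (bytes > avail)                  /* header promises more than exists */
        return 0;
    return bytes;
}

/* Read path built on the checked size: an 8-byte header (count, elem_size)
 * followed by the table. Returns a malloc'd copy, or NULL for a hostile or
 * truncated input; the caller frees it. */
uint8_t *read_table(const uint8_t *buf, size_t len, uint32_t *out_bytes)
{
    if (len < 8)
        return NULL;
    uint32_t bytes = table_bytes_checked(buf, len - 8);
    if (bytes == 0)
        return NULL;
    uint8_t *tbl = malloc(bytes);
    if (tbl == NULL)
        return NULL;
    memcpy(tbl, buf + 8, bytes);
    *out_bytes = bytes;
    return tbl;
}
```

A header claiming 0x40000001 elements of 4 bytes makes the unchecked path allocate 4 bytes; the checked path rejects it, and it also rejects a header whose product fits in 32 bits but exceeds the bytes actually present in the input.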


Page editor: Jake Edge

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds