Security
The Firefox extension war
By now, the escalating battle between the NoScript and Adblock Plus Firefox extensions is fairly well-publicized. In fact, the LWN comment thread on the topic has attracted an enormous number of comments—though many are rather tangential to the actual issue. While the original dispute has been settled, there are still a few issues to ponder from that incident.
For those who didn't follow the dispute, a review is probably in order. Both NoScript and Adblock Plus are meant to assist users in controlling the content that their browsers display. As their names imply, NoScript is focused on blocking things like Javascript, Flash, and the like, whereas Adblock Plus blocks advertisements. There is some overlap between the two, of course, because much of the advertising on the web is served via Javascript and/or contains Flash content.
NoScript's author, Giorgio Maone, uses advertising on the NoScript web pages to help fund development of the extension, which is part of why the frequently-updated extension opens a tab on the release notes page after an update. This particular feature—which can be disabled fairly easily—is quite annoying to some. Part of that annoyance may be because of the ads on that page. In late April, Adblock Plus added the NoScript site to its filter list so that its users would no longer see the ads. That led to an arms race.
The NoScript and Adblock Plus developers went back and forth, with NoScript circumventing the filters and Adblock Plus adding new filters to block the ads. This continued until the Adblock Plus filter fundamentally broke the NoScript site so that users could no longer even see the links to download NoScript. This sent Maone around the bend, evidently, as his next step was to add obfuscated code—though the extent of the obfuscation is disputed—to NoScript that disabled the Adblock Plus filter for his site.
At that point, Adblock Plus author Wladimir Palant wrote a blistering blog post about the dispute, which brought it to the attention of many. Maone quickly backed down, offering a detailed and seemingly heartfelt apology. In the meantime, though, the folks at addons.mozilla.org (AMO) noticed the problem and are considering changes to their policy on legitimate extension behavior.
It should be noted that AMO did not review the NoScript changes (or, presumably, the Adblock Plus filter changes) before the updates were made available to users. As Maone explains, once an extension reaches a certain level of trust, the AMO reviewers do not check updates—they are approved automatically. It is unclear how that process works exactly, but given the number of escalating changes both extensions were making over a short period of time, some kind of minimal oversight might have noticed that something was amiss.
For someone of malicious intent, as opposed to someone just exhibiting some incredibly bad judgment, a Firefox extension makes a pretty tempting target. Much of what goes on inside the browser involves sensitive information which users do not wish to have exposed (passwords, browsing history, etc.). If an extension can get to the point where it can push out "trusted" updates, without any review, that seems rather troubling.
Some distributions—Debian at least—package Firefox extensions for their users. Though it isn't a foolproof solution, it does add a level of review to the code before it gets installed. It probably makes sense for other distributions to consider doing that as well. Changing the AMO policy is certainly a good idea, but it will hardly protect against attackers of various sorts.
While there is nothing wrong with supporting development via advertising, clearly Maone crossed the line. Adblock Plus users specifically want ad blocking, so turning that functionality off, even "just" for one site, is plain wrong. Maone seems to recognize that now and this dispute will hopefully serve as a warning to other extension authors before they allow their anger to get in the way of their good sense. For the rest of us, though, it serves as a reminder that we are sometimes, perhaps even frequently, installing software in our browsers that has had little or no oversight.
New vulnerabilities
apache: information leak
| Package(s): | apache | CVE #(s): | CVE-2009-1191 |
| Created: | May 1, 2009 | Updated: | December 7, 2009 |
| Description: | From the Mandriva advisory: mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request. |
| Alerts: | |
Apport: arbitrary file removal
| Package(s): | Apport | CVE #(s): | CVE-2009-1295 |
| Created: | April 30, 2009 | Updated: | May 13, 2009 |
| Description: | From the Ubuntu alert: Stephane Chazelas discovered that Apport did not safely remove files from its crash report directory. If Apport had been enabled at some point, a local attacker could remove arbitrary files from the system. |
| Alerts: | |
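The "did not safely remove files" failure mode generalizes well beyond Apport: a cleanup job that builds paths with `os.path.join()` and calls `os.remove()` on a shared, world-writable crash directory will follow a symlink if the directory (or a subdirectory) has been swapped for one. The Python below is an added example, not Apport's code, and assumes nothing about how Apport's actual bug worked; the function names and the temporary directory layout in `demo()` are constructed for this illustration. The safe version opens the directory with `O_NOFOLLOW`, examines each entry with `lstat` relative to that descriptor, and unlinks only regular files, so a symlink entry is skipped and a symlinked directory is refused outright.

```python
import os
import stat
import tempfile


def purge_crash_reports(report_dir):
    """Delete regular files directly inside report_dir without following symlinks.

    Returns (removed, skipped): sorted lists of entry names.
    Raises OSError if report_dir is not a real directory (for example, a symlink).
    """
    # O_NOFOLLOW: refuse to proceed if the directory has been replaced by a symlink.
    dfd = os.open(report_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    removed, skipped = [], []
    try:
        for name in os.listdir(dfd):
            # lstat relative to the open directory: a symlink is examined as a link, never followed.
            st = os.lstat(name, dir_fd=dfd)
            if not stat.S_ISREG(st.st_mode):
                skipped.append(name)  # symlinks, subdirectories, devices are left alone
                continue
            # unlinkat(2) semantics: the name is resolved inside the directory we already hold.
            os.unlink(name, dir_fd=dfd)
            removed.append(name)
    finally:
        os.close(dfd)
    return sorted(removed), sorted(skipped)


def demo():
    """Constructed layout: one real report, one symlink pointing outside the crash
    directory, and a symlink masquerading as the crash directory itself."""
    base = tempfile.mkdtemp()
    crash = os.path.join(base, "crash")
    os.mkdir(crash)
    victim = os.path.join(base, "precious.txt")  # the file a naive cleanup could delete
    with open(victim, "w") as f:
        f.write("do not delete\n")
    with open(os.path.join(crash, "_usr_bin_foo.1000.crash"), "w") as f:
        f.write("ProblemType: Crash\n")
    link_entry = os.path.join(crash, "_usr_bin_bar.1000.crash")
    os.symlink(victim, link_entry)
    fake_dir = os.path.join(base, "crash-link")
    os.symlink(crash, fake_dir)

    removed, skipped = purge_crash_reports(crash)
    try:
        purge_crash_reports(fake_dir)
        refused_symlinked_dir = False
    except OSError:
        refused_symlinked_dir = True
    victim_survived = os.path.exists(victim)

    # Remove the constructed layout again.
    for path in (link_entry, fake_dir, victim):
        os.unlink(path)
    os.rmdir(crash)
    os.rmdir(base)
    return removed, skipped, victim_survived, refused_symlinked_dir


if __name__ == "__main__":
    print(demo())
```

The `dir_fd` calls map onto `fstatat(2)` and `unlinkat(2)`, so the check and the deletion both resolve the name inside the same open directory; the remaining race (an entry replaced between `lstat` and `unlink`) can at worst remove a symlink itself, never its target, because `unlink` does not follow links.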
bash-completion: incorrect metacharacter quoting
| Package(s): | bash-completion | CVE #(s): | |
| Created: | May 4, 2009 | Updated: | May 6, 2009 |
| Description: | From the Red Hat bugzilla: An old Debian bug report (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=259987) indicates that some bash completions fail to properly quote or escape special characters like ' and &. Most bash completions are escaped fine, but certain ones (such as aspell) do not. |
| Alerts: | |
clamav: incorrect ownership
| Package(s): | clamav | CVE #(s): | |
| Created: | May 5, 2009 | Updated: | May 6, 2009 |
| Description: | From the Ubuntu advisory: A flaw was discovered in the clamav-milter initscript which caused the ownership of the current working directory to be changed to the 'clamav' user. |
| Alerts: | |
drupal: multiple vulnerabilities
| Package(s): | drupal | CVE #(s): | CVE-2008-3661 |
| Created: | May 4, 2009 | Updated: | May 6, 2009 |
| Description: | From the Drupal advisory: Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute Javascript in the context of the website if site visitors are allowed to post content. In addition, Drupal core also has a very limited information disclosure vulnerability under very specific conditions. If a user is tricked into visiting the site via a specially crafted URL and then submits a form (such as the search box) from that page, the information in their form submission may be directed to a third-party site determined by the URL and thus disclosed to the third party. The third party site may then execute a CSRF attack against the submitted form. |
| Alerts: | |
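The UTF-7 half of this advisory is worth seeing concretely: a UTF-7 "shift sequence" such as `+ADw-` is plain ASCII, so it passes any UTF-8 validity check and displays harmlessly, yet a browser that decides the page is UTF-7 turns it into `<`. The Python below is an added example, not Drupal's code or the advisory's fix; the regex, function names and sample strings are constructed for this illustration. `find_utf7_markup` spots shift sequences in already-validated text that would become markup under UTF-7, and `neutralize_utf7` shows one server-side mitigation for content that will be emitted as HTML: replace the leading `+` of such a sequence with the numeric entity `&#43;`, which renders identically but can no longer start a UTF-7 shift.

```python
import re

# UTF-7 shift sequence: '+' followed by modified base64, optionally closed by '-'.
# "+-" is UTF-7's spelling of a literal '+', so the lookahead excludes it.
SHIFT_SEQUENCE = re.compile(r"\+(?!-)[A-Za-z0-9+/]+-?")
MARKUP_CHARS = frozenset('<>"\'&')


def utf7_view(fragment):
    """What a decoder that treats this ASCII fragment as UTF-7 would produce."""
    return fragment.encode("ascii", "replace").decode("utf-7", "replace")


def find_utf7_markup(text):
    """Return (raw, decoded) pairs for every shift sequence that decodes to markup characters.

    The input is ordinary ASCII/UTF-8 text that has already passed validation; the point is
    that these sequences are valid in both encodings and only become markup under UTF-7.
    """
    hits = []
    for match in SHIFT_SEQUENCE.finditer(text):
        decoded = utf7_view(match.group(0))
        if MARKUP_CHARS & set(decoded):
            hits.append((match.group(0), decoded))
    return hits


def neutralize_utf7(text):
    """Mitigation for text that will be emitted inside an HTML document: escape the '+' that
    opens a dangerous shift sequence as '&#43;'. The browser still shows '+', but a UTF-7
    decoder now sees '&#43;ADw-', which contains no shift character at all.
    Sequences that decode to harmless text (e.g. '+AGEAYgBj-' -> 'abc') are left untouched."""
    def _fix(match):
        raw = match.group(0)
        if MARKUP_CHARS & set(utf7_view(raw)):
            return "&#43;" + raw[1:]
        return raw
    return SHIFT_SEQUENCE.sub(_fix, text)


if __name__ == "__main__":
    sample = "harmless looking comment: +ADw-script+AD4- (constructed sample)"
    print(find_utf7_markup(sample))
    print(neutralize_utf7(sample))
```

The escape-based mitigation only makes sense for HTML output; for other sinks the safer choice is to reject content for which `find_utf7_markup` returns anything. Sending the correct `Content-Type` header and placing the charset declaration at the very top of the document, as the advisory describes, remains the primary fix.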
gpdf: buffer overflows
| Package(s): | gpdf | CVE #(s): | CVE-2009-0195 |
| Created: | May 1, 2009 | Updated: | August 18, 2010 |
| Description: | From the Red Hat advisory: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg). |
| Alerts: | |
kernel: denial of service
| Package(s): | linux-2.6.24 | CVE #(s): | CVE-2008-5701 |
| Created: | May 4, 2009 | Updated: | May 7, 2009 |
| Description: | From the Debian advisory: Vlad Malov reported an issue on 64-bit MIPS systems where a local user could cause a system crash by crafting a malicious binary which makes o32 syscalls with a number less than 4000. |
| Alerts: | |
kernel: multiple vulnerabilities
| Package(s): | linux-2.6.24 | CVE #(s): | CVE-2009-1192 CVE-2009-1242 CVE-2009-1265 CVE-2009-1337 CVE-2009-1338 CVE-2009-1439 |
| Created: | May 4, 2009 | Updated: | November 16, 2009 |
| Description: | From the Debian advisory: CVE-2009-1192: Shaohua Li reported an issue in the AGP subsystem that may allow local users to read sensitive kernel memory due to a leak of uninitialized memory. CVE-2009-1242: Benjamin Gilbert reported a local denial of service vulnerability in the KVM VMX implementation that allows local users to trigger an oops. CVE-2009-1265: Thomas Pollet reported an overflow in the af_rose implementation that allows remote attackers to retrieve uninitialized kernel memory that may contain sensitive data. CVE-2009-1337: Oleg Nesterov discovered an issue in the exit_notify function that allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application. CVE-2009-1338: Daniel Hokka Zakrisson discovered that a kill(-1) is permitted to reach processes outside of the current process namespace. CVE-2009-1439: Pavan Naregundi reported an issue in the CIFS filesystem code that allows remote users to overwrite memory via a long nativeFileSystem field in a Tree Connect response during mount. |
| Alerts: | |
libwmf: pointer use-after-free flaw
| Package(s): | libwmf | CVE #(s): | CVE-2009-1364 |
| Created: | May 1, 2009 | Updated: | December 3, 2009 |
| Description: | From the Red Hat advisory: A pointer use-after-free flaw was found in the GD graphics library embedded in libwmf. An attacker could create a specially-crafted WMF file that would cause an application using libwmf to crash or, potentially, execute arbitrary code as the user running the application when opened by a victim. |
| Alerts: | |
memcached: information leak
| Package(s): | memcached | CVE #(s): | CVE-2009-1255 CVE-2009-1494 |
| Created: | May 4, 2009 | Updated: | August 11, 2009 |
| Description: | From the Mandriva advisory: The process_stat function in Memcached prior to 1.2.8 discloses memory-allocation statistics in response to a stats malloc command, which allows remote attackers to obtain potentially sensitive information by sending this command to the daemon's TCP port (CVE-2009-1255, CVE-2009-1494). |
| Alerts: | |
moin: cross-site scripting
| Package(s): | moin | CVE #(s): | CVE-2009-1482 |
| Created: | May 6, 2009 | Updated: | May 11, 2009 |
| Description: | From the Debian advisory: It was discovered that the AttachFile action in moin, a python clone of WikiWiki, is prone to cross-site scripting attacks when renaming attachments or performing other sub-actions. |
| Alerts: | |
pam_ssh: information (user account existence) leak
| Package(s): | pam_ssh | CVE #(s): | CVE-2009-1273 |
| Created: | May 4, 2009 | Updated: | May 6, 2009 |
| Description: | From the Red Hat bugzilla: A security flaw was found in the PAM module providing user authentication based on SSH keys. A remote attacker could use this flaw to recognize whether some username/login belongs to the set of user accounts existing on the system, and subsequently perform a dictionary-based password guessing attack. |
| Alerts: | |
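An account-existence leak of this kind comes from an authentication path that answers, or takes a measurably different amount of time, for unknown users than for known ones. The Python below is an added illustration, not pam_ssh's code, built on a constructed in-memory user store with PBKDF2 password hashes (pam_ssh itself uses SSH keys; the hashing here just stands in for "expensive credential check"). `leaky_authenticate` shows the distinguishable-response pattern; `authenticate` performs the same hashing work against a dummy record when the user is unknown and returns a single generic failure either way.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 30_000


def hash_password(password, salt, rounds=PBKDF2_ROUNDS):
    """Salted PBKDF2-HMAC-SHA256; the cost is what an attacker would try to observe."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


# Constructed user store: username -> (salt, stored hash). Not a real account.
_ALICE_SALT = b"constructed-salt-for-alice"
USERS = {"alice": (_ALICE_SALT, hash_password("correct horse", _ALICE_SALT))}

# Dummy record used whenever the username is unknown, so that the same work is done.
# The dummy password is random and discarded, so nothing can ever match it.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def leaky_authenticate(username, password):
    """The enumeration flaw: unknown users get a different answer, and get it faster,
    because no hashing is performed for them."""
    if username not in USERS:
        return "no such user"
    salt, stored = USERS[username]
    if hmac.compare_digest(hash_password(password, salt), stored):
        return "ok"
    return "bad password"


def authenticate(username, password):
    """Uniform behaviour: hash against the real record or the dummy record, then return
    one generic failure message regardless of which branch was taken."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    # The second condition guards against the (negligible) chance of matching the dummy hash.
    if matched and username in USERS:
        return "ok"
    return "authentication failed"


if __name__ == "__main__":
    for user in ("alice", "mallory"):
        print(user, leaky_authenticate(user, "wrong"), "|", authenticate(user, "wrong"))
```

Error messages are the obvious channel; the dummy-hash step closes the timing channel, which survives even after messages are unified. Logging can still leak the distinction server-side, which is fine, as long as the client-visible response and latency do not.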
prelude-manager: database password in world-readable configuration
| Package(s): | prelude-manager | CVE #(s): | |
| Created: | May 4, 2009 | Updated: | May 6, 2009 |
| Description: | From the Fedora advisory: The configuration file of prelude-manager contains a database password and is world readable. This update restricts permissions to the root account. |
| Alerts: | |
quagga: improper assertion
| Package(s): | quagga | CVE #(s): | |
| Created: | May 5, 2009 | Updated: | May 6, 2009 |
| Description: | From the Debian advisory: It was discovered that Quagga, an IP routing daemon, could no longer process the Internet routing table due to broken handling of multiple 4-byte AS numbers in an AS path. If such a prefix is received, the BGP daemon crashes with an assert failure, leading to a denial of service. |
| Alerts: | |
ruby: denial of service
| Package(s): | ruby | CVE #(s): | |
| Created: | May 1, 2009 | Updated: | May 6, 2009 |
| Description: | From the ruby advisory: There is a DoS vulnerability in the REXML library included in the Ruby Standard Library. A so-called "XML entity explosion" attack technique can be used for remotely bringing down (disabling) any application which parses user-provided XML using REXML. |
| Alerts: | |
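REXML is the parser the advisory names, but the defensive check is parser-independent: before handing user-supplied XML to any parser, read the entity declarations in the internal DTD subset, compute how large the referenced entities would become once fully expanded, and refuse documents that exceed a budget or define entities recursively. The Python below is an added example, not Ruby's or REXML's code. Its regex-based DTD reader handles only double-quoted general entities (parameter entities and external entities are ignored), which is enough for the illustration, and `billion_laughs()` constructs the classic nested-entity sample document with a configurable depth so the check has something to reject.

```python
import re

# Internal-subset general entity: <!ENTITY name "value">  (constructed, minimal grammar)
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
# General entity reference: &name;  (character references like &#60; do not match)
ENTITY_REF = re.compile(r"&(\w+);")


def entity_declarations(xml_text):
    """Map entity name -> replacement text for every declaration in the document."""
    return dict(ENTITY_DECL.findall(xml_text))


def expansion_size(name, entities, _seen=()):
    """Length of `name` after all nested references are expanded; raises on recursion."""
    if name in _seen:
        raise ValueError("recursive entity definition: " + name)
    value = entities.get(name, "")
    size, last = 0, 0
    for m in ENTITY_REF.finditer(value):
        size += m.start() - last                      # literal text before the reference
        size += expansion_size(m.group(1), entities, _seen + (name,))
        last = m.end()
    return size + (len(value) - last)                 # trailing literal text


def check_xml(xml_text, limit=10_000):
    """Return (ok, total). ok is False when expanding every entity reference in the document
    body would exceed `limit` characters, or when an entity is recursive (total is then None)."""
    entities = entity_declarations(xml_text)
    # Count references in the body only; references inside the DTD are part of the values.
    body = xml_text.split("]>", 1)[1] if "]>" in xml_text else xml_text
    total = 0
    try:
        for m in ENTITY_REF.finditer(body):
            if m.group(1) in entities:
                total += expansion_size(m.group(1), entities)
    except ValueError:
        return False, None
    return total <= limit, total


def billion_laughs(depth=4, fanout=10):
    """Constructed sample: lol0 = "lol", each lolN = `fanout` references to lol(N-1)."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        body = "&lol%d;" % (i - 1) * fanout
        decls.append('<!ENTITY lol%d "%s">' % (i, body))
    return '<?xml version="1.0"?><!DOCTYPE root [%s]><root>&lol%d;</root>' % (
        "".join(decls), depth)


if __name__ == "__main__":
    print(check_xml(billion_laughs()))          # expands to 30000 characters: rejected
    print(check_xml(billion_laughs(depth=2)))   # 300 characters: accepted
```

The expansion is computed arithmetically, never by building the expanded string, so the checker itself cannot be exhausted by the document it is inspecting. The same budget idea is what parsers implement natively when they offer an entity-expansion limit; the pre-check is useful where the parser in use offers none.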
Page editor: Jake Edge