Security
Firefox extension vulnerabilities
Browser extensions, or add-ons, typically provide extra functionality, beyond that which the browser provides, but that comes with a price: increased vulnerability potential. The recent disclosure of five separate vulnerabilities in Firefox extensions serves as a reminder that extensions occupy a privileged position within the browser. That position makes flaws in extensions particularly dangerous, as they generally will allow an attacker's code to run with all the privileges of the user running the browser.
The vulnerabilities were disclosed by Nick Freeman and Roberto Suggi Liverani of Security-Assessment.com, a New Zealand-based web and network security firm. In doing research for a DEFCON presentation [PDF], they found flaws in the following Firefox extensions: Feed Sidebar, ScribeFire, WizzRSS, CoolPreviews, and Update Scanner. The flaws were found between February and June of this year, and the presentation lists three more that have yet to be disclosed.
All five of the flaws have something in common: in one way or another, they take content from a remote site and handle it incorrectly within the privileged Mozilla "chrome" context. For example, the Feed Sidebar extension incorrectly handles the RSS <description> tags, such that a malicious site could do cross-site scripting (XSS) or HTML injection into the chrome trusted zone. That would allow the remote site to potentially perform any action the browser could: access the filesystem, retrieve web site passwords, execute programs, and so on.
The presentation has several proof-of-concept examples; the one associated with Feed Sidebar steals all of the login credentials and sends them off to a remote site. Another example using the ScribeFire extension sets up a reverse VNC session so that an attacker could view the desktop of the browser user. Yet another uses XSS to send a copy of /etc/passwd off to a remote site. These are all very potent exploits that could be used to seriously compromise users' privacy and security.
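The defensive counterpart to the Feed Sidebar flaw described above, as an added example that is not code from the presentation or from any of the named extensions: a feed reader running in the chrome context has to treat the RSS description as untrusted and reduce it to a small allowlist before it reaches the DOM. Assigning the raw description to innerHTML of a chrome document is the weak pattern; the sanitiser below is one hardened alternative. The tag and attribute allowlists, the function names and the sample inputs are all assumptions made for this illustration.

```javascript
// Added example: allowlist-based sanitiser for feed <description> HTML.
// Not code from Feed Sidebar or any other extension; the allowlists and
// names below are constructed for illustration.
const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li']);
const ALLOWED_ATTRS = { a: new Set(['href']) };

// Escape text so the browser can only ever render it as text.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Only http(s) links survive; javascript:, data:, chrome: and friends are dropped.
function safeHref(value) {
  const v = value.trim().toLowerCase();
  return (v.startsWith('http://') || v.startsWith('https://')) ? value.trim() : null;
}

// Tokenise the fragment into tags and text. Allowlisted tags are re-emitted
// with allowlisted attributes only; every other tag is dropped and all text
// (including the text inside dropped tags) is escaped. Anything the tokenizer
// does not recognise as a tag falls through to escaped text, so it fails closed.
function sanitizeDescription(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;            // unknown tag: dropped entirely
    if (m[0].startsWith('</')) { out += `</${name}>`; continue; }
    let attrs = '';
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[2])) !== null) {
      const aname = a[1].toLowerCase();
      const aval = a[2] ?? a[3] ?? a[4] ?? '';
      if (!(ALLOWED_ATTRS[name] && ALLOWED_ATTRS[name].has(aname))) continue;
      const safe = aname === 'href' ? safeHref(aval) : aval;
      if (safe !== null) attrs += ` ${aname}="${escapeHtml(safe)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  out += escapeHtml(html.slice(last));
  return out;
}

// A feed item as the extension would have parsed it from the RSS: the title is
// plain text and is escaped outright, the description is the untrusted fragment.
function renderFeedItem(item) {
  return `<h3>${escapeHtml(item.title)}</h3>${sanitizeDescription(item.description)}`;
}

// Constructed sample item, the kind of payload the advisory describes.
const sampleItem = {
  title: 'Weekly <b>news</b>',
  description: '<p>Read <a href="https://example.com/" onclick="hook()">this</a><script>run()</script></p>',
};
console.log(renderFeedItem(sampleItem));
```

In the extension the returned string is what would be assigned to the sidebar's DOM; the point of the design is that the parser fails closed: whatever it does not recognise as an allowlisted tag with allowlisted attributes is emitted as escaped text, so a malformed or deliberately odd fragment can at worst render as visible garbage rather than as markup in the chrome zone.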
There are certainly more of these problems out there (beyond even the three undisclosed, thus presumably unpatched, vulnerabilities). Part of the problem is that the "Mozilla extension security model is nonexistent", according to Freeman and Liverani's presentation. All extensions are treated as completely trusted code by Firefox. In addition, there are no security boundaries between the extensions, so one can quietly modify another. They also note that other Mozilla applications that allow extensions (e.g. Thunderbird) are also susceptible to these kinds of vulnerabilities.
Many Firefox extensions are available through addons.mozilla.org (AMO), but the researchers point out that extension developers, and the AMO reviewers, are not necessarily security experts, so bugs like these may slip through. They also note that the NoScript extension, with its XSS protection, may be giving a false sense of security. NoScript whitelists chrome: URLs, which means that it provides no protection against malicious or buggy extensions.
In many ways, it should come as no surprise that there are bugs—and security holes—in Firefox extensions, but it is a problem that has largely flown under the radar. Malicious extensions, downloaded from sites other than AMO, are a fairly well-understood vector for attack—at least to users who are somewhat security-conscious. Extensions that have, or appear to have, the "blessing" of AMO are a bit of a different story. Many users, even those who pay attention to security issues, may well expect that those extensions are rigorously vetted, which seems not to be the case.
There is no reason to believe that these vulnerabilities were anything other than "standard" programming errors, but those with a malicious intent probably could sneak vulnerabilities into AMO extensions—perhaps they have already done so. The presentation lists two plausible scenarios for how malware authors might get vulnerabilities introduced into extensions, particularly popular or recommended extensions.
This research gives us yet another attack vector to be worried about, but there is also some useful information on what to look for in extensions that could lead to these kinds of flaws. With luck, that will help reduce the number of extensions with holes. That still leaves us with the worry about malicious extension authors. Without a more rigorous review of extensions—even that won't find every flaw—there is little that can be done. It is a problem that will likely be with us for quite some time.
Brief items
Walsh: Secure Virtualization Using SELinux (sVirt)
Red Hat SELinux hacker Dan Walsh writes about Secure Virtualization (sVirt) on his web log. The basic idea is to leverage SELinux to isolate virtual machines from each other and from the host. "After virtualization, we have multiple services running on the same host. If a virtual machine is broken into, the cracker just needs to break through the hypervisor. If a hypervisor vulnerability exists, the cracker can take over all of the virtual machines on the host. He can even write into any virtual host images that are accessible from the host machine. [...] This is very scary stuff. The question is not 'if', but 'when'. Hacker/cracker conventions are already examining hypervisor vulnerabilities. Crackers have already broken through the xen hypervisor, as I documented in one of my previous blogs."
New vulnerabilities
buildbot: cross-site scripting
| Package(s): | buildbot |
| CVE #(s): | |
| Created: | August 24, 2009 |
| Updated: | August 26, 2009 |
| Description: | From the buildbot advisory: In addition to the XSS vulnerability announced on August 12, several other such vulnerabilities were discovered in other portions of the Buildbot web status, by Nicolas Sylvain and Nicolás Alvarez. The severity of these vulnerabilities is no different than that announced on August 12, except that the vulnerabilities are not limited to the waterfall view. |
expat: denial of service
| Package(s): | expat |
| CVE #(s): | CVE-2009-2625 |
| Created: | August 24, 2009 |
| Updated: | June 13, 2011 |
| Description: | From the Gentoo bug report: Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework. |
gnutls: certificate spoofing vulnerability
| Package(s): | gnutls12, gnutls13, gnutls26 |
| CVE #(s): | CVE-2009-2730 |
| Created: | August 20, 2009 |
| Updated: | February 16, 2010 |
| Description: | From the National Vulnerability Database entry: "libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) or Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority." |
kernel: privilege escalation
| Package(s): | kernel |
| CVE #(s): | CVE-2009-2698 |
| Created: | August 24, 2009 |
| Updated: | March 21, 2011 |
| Description: | From the Red Hat advisory: a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) |
kernel: multiple vulnerabilities
| Package(s): | linux-2.6 |
| CVE #(s): | CVE-2009-2846 CVE-2009-2847 CVE-2009-2848 CVE-2009-2849 |
| Created: | August 25, 2009 |
| Updated: | October 8, 2010 |
| Description: | From the Debian advisory: Michael Buesch noticed a typing issue in the eisa-eeprom driver for the hppa architecture. Local users could exploit this issue to gain access to restricted memory. (CVE-2009-2846) Ulrich Drepper noticed an issue in the do_sigalstack routine on 64-bit systems. This issue allows local users to gain access to potentially sensitive memory on the kernel stack. (CVE-2009-2847) Eric Dumazet discovered an issue in the execve path, where the clear_child_tid variable was not being properly cleared. Local users could exploit this issue to cause a denial of service (memory corruption). (CVE-2009-2848) Neil Brown discovered an issue in the sysfs interface to md devices. When md arrays are not active, local users can exploit this vulnerability to cause a denial of service (oops). (CVE-2009-2849) |
libneon: man in the middle attack
| Package(s): | libneon0.27 |
| CVE #(s): | CVE-2009-2474 |
| Created: | August 25, 2009 |
| Updated: | December 4, 2009 |
| Description: | From the Mandriva advisory: neon before 0.28.6, when OpenSSL is used, does not properly handle a '\0' (NUL) character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. |
neon: denial of service, man in the middle attack
| Package(s): | neon |
| CVE #(s): | CVE-2009-2473 |
| Created: | August 21, 2009 |
| Updated: | January 17, 2013 |
| Description: | From the Fedora advisory: There are two security issues in neon: the "billion laughs" attack against expat could allow a Denial of Service attack by a malicious server (CVE-2009-2473), and an embedded NUL byte in a certificate subject name could allow an undetected MITM attack against an SSL server if a trusted CA issues such a cert. |
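The gnutls, libneon and neon entries above share one root cause: the subject name in a certificate is a length-prefixed ASN.1 string, but a comparison done on a NUL-terminated C string stops at the first '\0' byte and never looks at the rest. The following added example (not code from GnuTLS, neon or OpenSSL) puts the truncating comparison beside a check that uses the whole buffer and refuses a NUL outright; the host names and the CN buffer are constructed placeholders.

```javascript
// Added example: hostname-vs-subject-name comparison done two ways.
// Not code from GnuTLS, neon or OpenSSL; names are constructed placeholders.

// Emulates what a NUL-terminated C-string comparison sees: the bytes up to the
// first NUL, regardless of the length the ASN.1 encoding actually declares.
function cStringView(bytes) {
  const nul = bytes.indexOf(0);
  return (nul === -1 ? bytes : bytes.subarray(0, nul)).toString('latin1');
}

// The flawed shape: the name is turned into a C string before comparing, so
// whatever follows an embedded NUL is silently ignored.
function nameMatchesTruncating(cnBytes, host) {
  return cStringView(cnBytes).toLowerCase() === host.toLowerCase();
}

// The hardened shape: honour the full declared length, refuse a NUL anywhere in
// the name, and accept only the DNS-name alphabet before comparing.
function nameMatchesStrict(cnBytes, host) {
  if (cnBytes.includes(0)) return false;          // a DNS name never contains NUL
  const cn = cnBytes.toString('latin1');
  if (!/^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$/.test(cn)) return false;
  return cn.toLowerCase() === host.toLowerCase();
}

// Constructed samples: a CN whose bytes carry an embedded NUL, the shape the
// advisories describe, and an ordinary CN for comparison.
const CN_WITH_NUL = Buffer.from('good.example\u0000.other.example', 'latin1');
const CN_PLAIN = Buffer.from('good.example', 'latin1');

function demo() {
  return {
    truncatingAcceptsNulName: nameMatchesTruncating(CN_WITH_NUL, 'good.example'), // true: the flaw
    strictAcceptsNulName: nameMatchesStrict(CN_WITH_NUL, 'good.example'),         // false
    strictAcceptsPlainName: nameMatchesStrict(CN_PLAIN, 'GOOD.example'),          // true
  };
}

console.log(demo());
```

The fix in the affected libraries amounts to the same thing as nameMatchesStrict: compare using the length the certificate encoding states rather than the length a C string routine infers, and treat a NUL inside a name as a reason to reject the certificate rather than as a terminator.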
ocsinventory: SQL injection
| Package(s): | ocsinventory |
| CVE #(s): | |
| Created: | August 21, 2009 |
| Updated: | August 26, 2009 |
| Description: | SQL injection vulnerability found in GUI V.1.02 |
php5: remote denial of service
| Package(s): | php5 |
| CVE #(s): | CVE-2009-2687 |
| Created: | August 25, 2009 |
| Updated: | February 23, 2010 |
| Description: | From the Ubuntu advisory: It was discovered that PHP did not properly handle certain malformed JPEG images when being parsed by the Exif module. A remote attacker could exploit this flaw and cause the PHP server to crash, resulting in a denial of service. |
pidgin: "crash" from crafted URL
| Package(s): | pidgin |
| CVE #(s): | |
| Created: | August 24, 2009 |
| Updated: | August 26, 2009 |
| Description: | From the Fedora advisory: 2.6.1 fixes an issue where pidgin can crash if you are sent a certain type of URL over Yahoo. |
squirrelmail: cross-site request forgery
| Package(s): | squirrelmail |
| CVE #(s): | |
| Created: | August 21, 2009 |
| Updated: | August 26, 2009 |
| Description: | From the Red Hat bugzilla: It was reported that SquirrelMail did not implement protections against cross-site request forgery (CSRF) attacks. This can be exploited to e.g. change user preferences, delete emails, and potentially send emails when a logged-in user visits a malicious web page. |
wordpress: multiple vulnerabilities
| Package(s): | wordpress |
| CVE #(s): | CVE-2009-2854 CVE-2009-2851 CVE-2009-2853 |
| Created: | August 24, 2009 |
| Updated: | August 28, 2009 |
| Description: | From the Debian advisory: CVE-2009-2854: It was discovered that wordpress lacks authentication checks in various actions, thus allowing remote attackers to produce unauthorised edits or additions. CVE-2009-2851: It was discovered that the administrator interface is prone to a cross-site scripting attack. CVE-2009-2853: It was discovered that remote attackers can gain privileges via certain direct requests. |
xerces-c27: stack consumption vulnerability
| Package(s): | xerces-c27 |
| CVE #(s): | CVE-2009-1885 |
| Created: | August 25, 2009 |
| Updated: | December 4, 2009 |
| Description: | From the CVE entry: Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to cause a denial of service (application crash) via vectors involving nested parentheses and invalid byte values in "simply nested DTD structures," as demonstrated by the Codenomicon XML fuzzing framework. |
Page editor: Jake Edge