

Firefox extension vulnerabilities

By Jake Edge
August 26, 2009

Browser extensions, or add-ons, typically provide functionality beyond what the browser itself offers, but that comes at a price: a greater potential for vulnerabilities. The recent disclosure of five separate vulnerabilities in Firefox extensions serves as a reminder that extensions occupy a privileged position within the browser. That position makes flaws in extensions particularly dangerous, since they generally allow an attacker's code to run with all the privileges of the user running the browser.

The vulnerabilities were disclosed by Nick Freeman and Roberto Suggi Liverani of a New Zealand-based web and network security firm. In doing research for a DEFCON presentation [PDF], they found flaws in the following Firefox extensions: Feed Sidebar, ScribeFire, WizzRSS, CoolPreviews, and Update Scanner. The flaws were found between February and June of this year, and the presentation lists three more that have yet to be disclosed.

All five of the flaws have something in common: in one way or another, they take content from a remote site and handle it incorrectly within the privileged Mozilla "chrome" context. For example, the Feed Sidebar extension incorrectly handles the RSS <description> tags, such that a malicious site could perform cross-site scripting (XSS) or HTML injection into the trusted chrome zone. That would allow the remote site to potentially perform any action the browser could: access the filesystem, retrieve web site passwords, execute programs, and so on.
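The Feed Sidebar flaw is a reminder that everything in a feed is remote input, and a renderer running in the chrome context has to treat it as text, never as markup. The following is an added example, not code from the article or from any of the extensions it names: it escapes every feed-supplied string before it becomes part of the UI and only turns a feed link into a clickable one when it is a plain http or https URL. The function names and the sample feed item are constructed for illustration.

```javascript
// Added example (not from the LWN article or the Feed Sidebar extension):
// treating remote feed content as untrusted before it reaches a privileged
// (chrome) UI.  Function names and the sample feed item are constructed.

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Only plain http(s) links may become clickable in the privileged UI.
// javascript:, data:, chrome:, file:, protocol-relative and malformed
// values are dropped, and the caller renders the title as plain text.
function safeHref(url) {
  const trimmed = String(url).trim();
  // Control characters are rejected up front: some URL parsers strip them
  // before looking at the scheme, which is how "java\nscript:" slips through.
  if (/[\u0000-\u001f\u007f]/.test(trimmed)) return null;
  let parsed;
  try {
    parsed = new URL(trimmed);          // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

// Render one feed item as an HTML fragment in which every byte that came
// from the feed has been escaped.  The <description> is treated as text and
// never parsed as markup, which is the fix for this class of bug.
function renderFeedItem(item) {
  const title = escapeHtml(item.title);
  const description = escapeHtml(item.description);
  const href = safeHref(item.link);
  const titleHtml = href
    ? `<a href="${escapeHtml(href)}">${title}</a>`
    : `<span>${title}</span>`;
  return `<div class="item">${titleHtml}<p>${description}</p></div>`;
}

// Constructed sample: a feed item whose description and link carry payloads
// that would run with chrome privileges if inserted through innerHTML.
const hostileItem = {
  title: 'Latest <news>',
  description: '<img src="x" onerror="alert(1)">',
  link: 'javascript:alert(document.location)',
};

console.log(renderFeedItem(hostileItem));
```

The point of the URL check is that an allow-list of two schemes is easier to reason about than a block-list of dangerous ones; in particular it keeps chrome: links, which NoScript would not stop, out of the rendered sidebar.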

The presentation has several proof-of-concept examples; the one associated with Feed Sidebar steals all of the login credentials and sends them off to a remote site. Another example using the ScribeFire extension sets up a reverse VNC session so that an attacker could view the desktop of the browser user. Yet another uses XSS to send a copy of /etc/passwd off to a remote site. These are all very potent exploits that could be used to seriously compromise users' privacy and security.

There are certainly more of these problems out there (beyond even the three undisclosed, thus presumably unpatched, vulnerabilities). Part of the problem is that the "Mozilla extension security model is nonexistent", according to Freeman and Liverani's presentation. All extensions are treated as completely trusted code by Firefox. In addition, there are no security boundaries between the extensions, so one can quietly modify another. They also note that other Mozilla applications that allow extensions (e.g. Thunderbird) are also susceptible to these kinds of vulnerabilities.

Many Firefox extensions are available through AMO, but the researchers point out that extension developers, and the AMO reviewers, are not necessarily security experts, so bugs like these may slip through. They also note that the NoScript extension, with its XSS protection, may be giving a false sense of security. NoScript whitelists chrome: URLs, which means that it provides no protection against malicious or buggy extensions.

In many ways, it should come as no surprise that there are bugs—and security holes—in Firefox extensions, but it is a problem that has largely flown under the radar. Malicious extensions, downloaded from sites other than AMO, are a fairly well-understood vector for attack—at least to users who are somewhat security-conscious. Extensions that have, or appear to have, the "blessing" of AMO are a bit of a different story. Many users, even those who pay attention to security issues, may well expect that those extensions are rigorously vetted, which seems not to be the case.

There is no reason to believe that these vulnerabilities were anything other than "standard" programming errors, but those with a malicious intent probably could sneak vulnerabilities into AMO extensions—perhaps they have already done so. The presentation lists two plausible scenarios for how malware authors might get vulnerabilities introduced into extensions, particularly popular or recommended extensions.

This research gives us yet another attack vector to be worried about, but there is also some useful information on what to look for in extensions that could lead to these kinds of flaws. With luck, that will help reduce the number of extensions with holes. That still leaves us with the worry about malicious extension authors. Without a more rigorous review of extensions—even that won't find every flaw—there is little that can be done. It is a problem that will likely be with us for quite some time.

Comments (3 posted)

Brief items

Walsh: Secure Virtualization Using SELinux (sVirt)

Red Hat SELinux hacker Dan Walsh writes about Secure Virtualization (sVirt) on his web log. The basic idea is to leverage SELinux to isolate virtual machines from each other and from the host. "After virtualization, we have multiple services running on the same host. If a virtual machine is broken into, the cracker just needs to break through the hypervisor. If a hypervisor vulnerability exists, the cracker can take over all of the virtual machines on the host. He can even write into any virtual host images that are accessible from the host machine. [...] This is very scary stuff. The question is not 'if', but 'when'. Hacker/cracker conventions are already examining hypervisor vulnerabilities. Crackers have already broken through the xen hypervisor, as I documented in one of my previous blogs."

Comments (37 posted)

New vulnerabilities

buildbot: cross-site scripting

Package(s): buildbot    CVE #(s):
Created: August 24, 2009    Updated: August 26, 2009

From the buildbot advisory:

In addition to the XSS vulnerability announced on August 12, several other such vulnerabilities were discovered in other portions of the Buildbot web status, by Nicolas Sylvain and Nicolás Alvarez. The severity of these vulnerabilities is no different than that announced on August 12, except that the vulnerabilities are not limited to the waterfall view.

Fedora FEDORA-2009-8516 buildbot 2009-08-15
Fedora FEDORA-2009-8577 buildbot 2009-08-15

Comments (none posted)

expat: denial of service

Package(s): expat    CVE #(s): CVE-2009-2625
Created: August 24, 2009    Updated: June 13, 2011

From the Gentoo bug report:

Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Mandriva MDVSA-2011:108 xerces-j2 2011-06-13
Scientific Linux SL-xerc-20110608 xerces-j2 2011-06-08
Slackware SSA:2011-041-02 expat 2011-02-11
SUSE SUSE-SR:2010:015 gpg2, krb5, kvirc, libpcsclite1/pcsc-lite, libpython2_6-1_0, libvorbis, libwebkit, squidGuard, strongswan 2010-08-17
SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02
SuSE SUSE-SR:2010:012 evolution-data-server, python/libpython2_6-1_0, mozilla-nss, memcached, texlive/te_ams, mono/bytefx-data-mysql, libpng-devel, apache2-mod_php5, ncpfs, pango, libcmpiutil 2010-05-25
SuSE SUSE-SR:2010:011 dovecot12, cacti, java-1_6_0-openjdk, irssi, tar, fuse, apache2, libmysqlclient-devel, cpio, moodle, libmikmod, libicecore, evolution-data-server, libpng/libpng-devel, libesmtp 2010-05-10
SuSE SUSE-SR:2010:013 apache2-mod_php5/php5, bytefx-data-mysql/mono, flash-player, fuse, java-1_4_2-ibm, krb5, libcmpiutil/libvirt, libmozhelper-1_0-0/mozilla-xulrunner190, libopenssl-devel, libpng12-0, libpython2_6-1_0, libtheora, memcached, ncpfs, pango, puppet, python, seamonkey, te_ams, texlive 2010-06-14
Ubuntu USN-890-6 cmake 2010-04-15
Ubuntu USN-890-4 python-xml 2010-01-26
Ubuntu USN-890-3 python2.4 2010-01-22
Ubuntu USN-890-2 python2.5 2010-01-21
Ubuntu USN-890-1 expat 2010-01-20
Mandriva MDVSA-2009:316-1 expat 2010-01-08
Mandriva MDVSA-2009:220-1 davfs 2010-01-05
CentOS CESA-2009:1615 xerces-j2 2009-12-17
Mandriva MDVSA-2009:212-1 python 2009-12-04
Mandriva MDVSA-2009:213-1 wxgtk 2009-12-04
Mandriva MDVSA-2009:211-1 expat 2009-12-04
Mandriva MDVSA-2009:218-1 w3c-libwww 2009-12-04
Mandriva MDVSA-2009:217-3 mozilla-thunderbird 2009-12-03
SuSE SUSE-SR:2010:005 fetchmail, krb5, rubygem-actionpack-2_1, libexpat0, unbound, apache2-mod_php5/php5 2010-02-23
Ubuntu USN-890-5 xmlrpc-c 2010-02-18
Red Hat RHSA-2009:1236-01 java-1.5.0-ibm 2009-08-28
Mandriva MDVSA-2009:220 davfs 2009-08-24
Mandriva MDVSA-2009:219 kompozer 2009-08-24
Mandriva MDVSA-2009:218 w3c-libwww 2009-08-24
Mandriva MDVSA-2009:217 mozilla-thunderbird 2009-08-23
Mandriva MDVSA-2009:216 mozilla-thunderbird 2009-08-23
Mandriva MDVSA-2009:215 audacity 2009-08-23
Mandriva MDVSA-2009:214 python-celementtree 2009-08-23
Mandriva MDVSA-2009:213 wxgtk 2009-08-23
Mandriva MDVSA-2009:212 python 2009-08-23
Mandriva MDVSA-2009:211 expat 2009-08-23
SuSE SUSE-SA:2009:053 java-1_6_0-ibm 2009-11-04
Debian DSA-1984-1 libxerces2-java 2010-01-30
Debian DSA-1921-1 expat 2009-10-28
Red Hat RHSA-2009:1615-01 xerces-j2 2009-11-30

Comments (none posted)

gnutls: certificate spoofing vulnerability

Package(s): gnutls12, gnutls13, gnutls26    CVE #(s): CVE-2009-2730
Created: August 20, 2009    Updated: February 16, 2010
Description: From the National Vulnerability Database entry: "libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) or Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority."
Gentoo 201206-18 gnutls 2012-06-23
Gentoo 201110-05 gnutls 2011-10-10
Mandriva MDVSA-2009:308 gnutls 2009-12-03
SuSE SUSE-SR:2010:004 moodle, xpdf, pdns-recursor, pango, horde, gnome-screensaver, fuse, gnutls, flash-player 2010-02-16
Fedora FEDORA-2009-8565 gnutls 2009-08-15
Fedora FEDORA-2009-8622 gnutls 2009-08-15
SuSE SUSE-SR:2009:015 OpenOffice_org, OpenOffice_org-math, dnsmasq, gnutls, ia32el, ib-bonding-kmp-rt/kernel-rt, libxml, opera, perl-IO-Socket-SSL, xen 2009-09-15
CentOS CESA-2009:1232 gnutls 2009-08-26
CentOS CESA-2009:123 gnutls 2009-08-26
Red Hat RHSA-2009:1232-01 gnutls 2009-08-26
Mandriva MDVSA-2009:210 gnutls 2009-08-20
Ubuntu USN-809-1 gnutls12, gnutls13, gnutls26 2009-08-19
Debian DSA-1935-1 gnutls13 2009-11-17
Slackware SSA:2009-290-01 gnutls 2009-10-19

Comments (none posted)

kernel: privilege escalation

Package(s): kernel    CVE #(s): CVE-2009-2698
Created: August 24, 2009    Updated: March 21, 2011

From the Red Hat advisory:

A flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important)

Mandriva MDVSA-2011:051 kernel 2011-03-18
Red Hat RHSA-2009:1469-01 kernel 2009-09-30
Red Hat RHSA-2009:1457-01 kernel 2009-09-22
CentOS CESA-2009:1233 kernel 2009-08-29
SuSE SUSE-SA:2009:046 kernel 2009-08-28
Red Hat RHSA-2009:1233-01 kernel 2009-08-27
Debian DSA-1872-1 linux-2.6 2009-08-24
CentOS CESA-2009:1222 kernel 2009-08-24
CentOS CESA-2009:1223 kernel 2009-08-24
Red Hat RHSA-2009:1222-02 kernel 2009-08-24
Red Hat RHSA-2009:1223-02 kernel 2009-08-24
Ubuntu USN-852-1 linux, linux-source-2.6.15 2009-10-22

Comments (none posted)

kernel: multiple vulnerabilities

Package(s): linux-2.6    CVE #(s): CVE-2009-2846 CVE-2009-2847 CVE-2009-2848 CVE-2009-2849
Created: August 25, 2009    Updated: October 8, 2010
Description: From the Debian advisory:

Michael Buesch noticed a typing issue in the eisa-eeprom driver for the hppa architecture. Local users could exploit this issue to gain access to restricted memory. (CVE-2009-2846)

Ulrich Drepper noticed an issue in the do_sigaltstack routine on 64-bit systems. This issue allows local users to gain access to potentially sensitive memory on the kernel stack. (CVE-2009-2847)

Eric Dumazet discovered an issue in the execve path, where the clear_child_tid variable was not being properly cleared. Local users could exploit this issue to cause a denial of service (memory corruption). (CVE-2009-2848)

Neil Brown discovered an issue in the sysfs interface to md devices. When md arrays are not active, local users can exploit this vulnerability to cause a denial of service (oops). (CVE-2009-2849)

Mandriva MDVSA-2010:188 kernel 2010-09-23
Mandriva MDVSA-2010:198 kernel 2010-10-07
SuSE SUSE-SA:2010:012 kernel 2010-02-15
Red Hat RHSA-2009:1455-01 kernel 2009-09-29
Red Hat RHSA-2009:1466-01 kernel 2009-09-29
CentOS CESA-2009:1243 kernel 2009-09-15
CentOS CESA-2009:1438 kernel 2009-09-15
Red Hat RHSA-2009:1438-01 kernel 2009-09-15
SuSE SUSE-SA:2009:056 kernel 2009-11-16
Red Hat RHSA-2009:1540-01 kernel-rt 2009-11-03
Red Hat RHSA-2009:1243-02 kernel 2009-09-02
Red Hat RHSA-2009:1239-02 kernel-rt 2009-09-01
Red Hat RHSA-2009:1239-01 kernel-rt 2009-09-01
Fedora FEDORA-2009-9044 kernel 2009-08-27
Debian DSA-1872-1 linux-2.6 2009-08-24
Ubuntu USN-852-1 linux, linux-source-2.6.15 2009-10-22
SuSE SUSE-SA:2009:054 kernel 2009-11-11
CentOS CESA-2009:1455 kernel 2009-10-30
Fedora FEDORA-2009-10639 kernel 2009-10-21
CentOS CESA-2009:1550 kernel 2009-11-04
Red Hat RHSA-2009:1550-01 kernel 2009-11-03
Debian DSA-1928-1 linux-2.6.24 2009-11-05
Fedora FEDORA-2009-10165 kernel 2009-10-03

Comments (none posted)

libneon: man in the middle attack

Package(s): libneon0.27    CVE #(s): CVE-2009-2474
Created: August 25, 2009    Updated: December 4, 2009
Description: From the Mandriva advisory: neon before 0.28.6, when OpenSSL is used, does not properly handle a '\0' (NUL) character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Mandriva MDVSA-2009:315 libneon 2009-12-04
Ubuntu USN-835-1 neon, neon27 2009-09-21
CentOS CESA-2009:1452 neon 2009-09-22
Red Hat RHSA-2009:1452-01 neon 2009-09-21
Mandriva MDVSA-2009:228 libneon 2009-09-10
Mandriva MDVSA-2009:221 libneon0.27 2009-08-24
CentOS CESA-2009:1452 neon 2009-10-30

Comments (none posted)

neon: denial of service, man in the middle attack

Package(s): neon    CVE #(s): CVE-2009-2473
Created: August 21, 2009    Updated: January 17, 2013
Description: From the Fedora advisory: There are two security issues in neon: the "billion laughs" attack against expat could allow a Denial of Service attack by a malicious server (CVE-2009-2473), and an embedded NUL byte in a certificate subject name could allow an undetected MITM attack against an SSL server if a trusted CA issues such a cert.
Scientific Linux SL-gnom-20130116 gnome-vfs2 2013-01-16
Oracle ELSA-2013-0131 gnome-vfs2 2013-01-12
CentOS CESA-2013:0131 gnome-vfs2 2013-01-09
CentOS CESA-2009:1452 neon 2009-09-22
Red Hat RHSA-2009:1452-01 neon 2009-09-21
SuSE SUSE-SR:2009:018 cyrus-imapd, neon/libneon, freeradius, strongswan, openldap2, apache2-mod_jk, expat, xpdf, mozilla-nspr 2009-11-10
Mandriva MDVSA-2009:221 libneon0.27 2009-08-24
Fedora FEDORA-2009-8815 neon 2009-08-20
Fedora FEDORA-2009-8794 neon 2009-08-20
CentOS CESA-2009:1452 neon 2009-10-30

Comments (none posted)
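The gnutls, libneon and neon entries above all describe the same defect: a name-comparison routine that stops at the first NUL byte in a certificate's CN or SAN value, so that a name such as the constructed "www.bank.example\0.attacker.example" compares equal to "www.bank.example" once the CA has issued it to whoever controls attacker.example. As an added example (not code from GnuTLS, neon or OpenSSL), the following JavaScript treats the certificate name as a length-delimited byte string, rejects any embedded NUL, and only then applies the usual exact or single-label wildcard match. Helper names and the sample names are constructed.

```javascript
// Added example (not code from GnuTLS, neon or OpenSSL): matching a host name
// against a certificate's CN or SAN dNSName value without stopping at an
// embedded NUL byte.  Helper names and the sample names are constructed.

// Decode the raw value octets of a CN/dNSName into a lower-cased string,
// refusing anything a C-string comparison would silently truncate or that
// cannot appear in a DNS name at all.
function decodeDnsName(bytes) {
  for (const b of bytes) {
    if (b === 0x00) return null;             // embedded NUL: reject outright
    if (b < 0x21 || b > 0x7e) return null;   // only printable ASCII is valid here
  }
  return String.fromCharCode(...bytes).toLowerCase();
}

// Exact match, or a single leading "*." that covers exactly one label and
// never stands in for a whole registered domain (RFC 2818 / RFC 6125 style).
function nameMatches(pattern, hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  if (pattern === host) return true;
  if (!pattern.startsWith('*.')) return false;
  const suffix = pattern.slice(2);
  if (suffix.includes('*') || suffix.split('.').length < 2) return false;
  const firstDot = host.indexOf('.');
  if (firstDot <= 0) return false;
  return host.slice(firstDot + 1) === suffix;
}

// Check the host against every candidate name taken from the certificate.
// Each candidate is the raw octet string exactly as carried in the DER.
function certMatchesHost(candidates, hostname) {
  for (const raw of candidates) {
    const name = decodeDnsName(raw);
    if (name === null) continue;             // a malformed name never matches
    if (nameMatches(name, hostname)) return true;
  }
  return false;
}

const enc = (s) => new TextEncoder().encode(s);

// Constructed sample: a certificate whose CN is "www.bank.example\0.attacker.example".
// A CA that checks only the part after the NUL would issue it to attacker.example;
// a client comparing with strcmp() would see only "www.bank.example".
const spoofedCn = enc('www.bank.example\u0000.attacker.example');
const honestSan = enc('WWW.Bank.Example');
const wildcardSan = enc('*.bank.example');

console.log('spoofed CN accepted?', certMatchesHost([spoofedCn], 'www.bank.example'));
console.log('honest SAN accepted?', certMatchesHost([honestSan], 'www.bank.example'));
```

The decisive step is decodeDnsName working from the DER length rather than from a terminator: once the whole value is in view, the spoofed CN is simply an invalid name and the question of which half to compare never arises.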

ocsinventory: SQL injection

Package(s): ocsinventory    CVE #(s):
Created: August 21, 2009    Updated: August 26, 2009
Description: SQL injection vulnerability found in GUI V.1.02
Fedora FEDORA-2009-8819 ocsinventory 2009-08-20
Fedora FEDORA-2009-8799 ocsinventory 2009-08-20

Comments (none posted)

php5: remote denial of service

Package(s): php5    CVE #(s): CVE-2009-2687
Created: August 25, 2009    Updated: February 23, 2010
Description: From the Ubuntu advisory: It was discovered that PHP did not properly handle certain malformed JPEG images when being parsed by the Exif module. A remote attacker could exploit this flaw and cause the PHP server to crash, resulting in a denial of service.
SuSE SUSE-SR:2010:005 fetchmail, krb5, rubygem-actionpack-2_1, libexpat0, unbound, apache2-mod_php5/php5 2010-02-23
CentOS CESA-2010:0040 php 2010-01-15
Red Hat RHSA-2010:0040-01 php 2010-01-13
CentOS CESA-2010:0040 php 2010-01-13
Gentoo 201001-03 php 2010-01-05
Mandriva MDVSA-2009:324 php 2009-12-07
Red Hat RHSA-2009:1461-01 Red Hat Application Stack 2009-09-23
Ubuntu USN-824-1 php5 2009-08-24
SuSE SUSE-SR:2009:017 php5, newt, rubygem-actionpack, rubygem-activesupport, java-1_4_2-ibm, postgresql, samba, phpMyAdmin, viewvc 2009-10-26
Debian DSA-1940-1 php5 2009-11-25

Comments (none posted)

pidgin: "crash" from crafted URL

Package(s): pidgin    CVE #(s):
Created: August 24, 2009    Updated: August 26, 2009

From the Fedora advisory:

2.6.1 fixes an issue where pidgin can crash if you are sent a certain type of URL over Yahoo.

Fedora FEDORA-2009-8874 pidgin 2009-08-22
Fedora FEDORA-2009-8826 pidgin 2009-08-22

Comments (none posted)

squirrelmail: cross-site request forgery

Package(s): squirrelmail    CVE #(s):
Created: August 21, 2009    Updated: August 26, 2009
Description: From the Red Hat bugzilla: It was reported that SquirrelMail did not implement protections against cross-site request forgery (CSRF) attacks. This can be exploited to e.g. change user preferences, delete emails, and potentially send emails when a logged-in user visits a malicious web page.
Fedora FEDORA-2009-8822 squirrelmail 2009-08-20
Fedora FEDORA-2009-8797 squirrelmail 2009-08-20

Comments (none posted)

wordpress: multiple vulnerabilities

Package(s): wordpress    CVE #(s): CVE-2009-2854 CVE-2009-2851 CVE-2009-2853
Created: August 24, 2009    Updated: August 28, 2009

From the Debian advisory:

CVE-2009-2854: It was discovered that wordpress lacks authentication checks in various actions, thus allowing remote attackers to produce unauthorised edits or additions.

CVE-2009-2851: It was discovered that the administrator interface is prone to a cross-site scripting attack.

CVE-2009-2853: It was discovered that remote attackers can gain privileges via certain direct requests.

Debian DSA-1871-2 wordpress 2009-08-27
Debian DSA-1871-1 wordpress 2009-08-23

Comments (9 posted)

xerces-c27: stack consumption vulnerability

Package(s): xerces-c27    CVE #(s): CVE-2009-1885
Created: August 25, 2009    Updated: December 4, 2009
Description: From the CVE entry: Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to cause a denial of service (application crash) via vectors involving nested parentheses and invalid byte values in "simply nested DTD structures," as demonstrated by the Codenomicon XML fuzzing framework.
Mandriva MDVSA-2009:223-1 xerces-c 2009-12-04
SuSE SUSE-SR:2009:014 dnsmasq, icu, libcurl3/libcurl2/curl/compat-curl2, Xerces-c/xerces-j2, tiff/libtiff, acroread_ja, xpdf, xemacs, mysql, squirrelmail, OpenEXR, wireshark 2009-09-01
Mandriva MDVSA-2009:223 xerces-c 2009-08-30
Fedora FEDORA-2009-8345 xerces-c 2009-08-07
Fedora FEDORA-2009-8350 xerces-c 2009-08-07
Fedora FEDORA-2009-8332 xerces-c27 2009-08-07
Fedora FEDORA-2009-8305 xerces-c27 2009-08-07

Comments (none posted)
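The neon entry's "billion laughs" and this xerces-c27 entry are both DTD-driven resource exhaustion: one through nested entity references whose expansion grows geometrically, the other through deeply nested parentheses in content models that the parser recurses into. The following added example (not code from expat, neon or Xerces) computes the expanded size of a document's entity references without performing the expansion and measures parenthesis nesting in the internal subset, so a caller can refuse a document before handing it to a real parser. The limits, helper names and sample documents are constructed.

```javascript
// Added example (not code from expat, neon or Xerces): a pre-parse check
// for two DTD-driven resource-exhaustion patterns, "billion laughs" entity
// expansion and deeply nested content models.  The limits, helper names and
// sample documents below are constructed for illustration.

const MAX_EXPANSION_BYTES = 1 << 20;  // allow at most 1 MiB of expanded entity text
const MAX_NESTING_DEPTH = 64;         // deepest parenthesis nesting in the DTD

// Collect internal general entity declarations of the form <!ENTITY name "value">.
// The first declaration of a name wins, as the XML spec requires.
function parseEntities(dtd) {
  const entities = new Map();
  const re = /<!ENTITY\s+([^\s%&;"']+)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
  let m;
  while ((m = re.exec(dtd)) !== null) {
    if (!entities.has(m[1])) entities.set(m[1], m[2] !== undefined ? m[2] : m[3]);
  }
  return entities;
}

// Size of `text` after every &name; has been recursively expanded, computed
// arithmetically: each entity's size is memoised, so a ten-level, ten-fold
// chain costs ten small additions rather than gigabytes of string building.
// A reference cycle or an undefined entity yields Infinity so the caller
// rejects the document instead of guessing.
function expandedSize(text, entities, memo = new Map(), active = new Set()) {
  const re = /&([^\s&;]+);/g;
  let size = 0, last = 0, m;
  while ((m = re.exec(text)) !== null) {
    size += m.index - last;              // literal text before the reference
    last = re.lastIndex;
    const name = m[1];
    if (name.startsWith('#') || ['lt', 'gt', 'amp', 'quot', 'apos'].includes(name)) {
      size += 1;                         // character reference or predefined entity
      continue;
    }
    if (!entities.has(name) || active.has(name)) return Infinity;
    if (!memo.has(name)) {
      active.add(name);
      memo.set(name, expandedSize(entities.get(name), entities, memo, active));
      active.delete(name);
    }
    size += memo.get(name);
  }
  return size + (text.length - last);    // trailing literal text
}

// Deepest parenthesis nesting anywhere in the internal subset; a crude but
// cheap bound on the recursion a content-model parser would need.
function maxParenDepth(dtd) {
  let depth = 0, deepest = 0;
  for (const ch of dtd) {
    if (ch === '(') deepest = Math.max(deepest, ++depth);
    else if (ch === ')') depth--;
  }
  return deepest;
}

// Split a document into its internal DTD subset and body and apply both limits.
function checkDocument(xml) {
  const dt = /<!DOCTYPE[^\[>]*\[([\s\S]*?)\]\s*>/.exec(xml);
  const dtd = dt ? dt[1] : '';
  const body = dt ? xml.slice(dt.index + dt[0].length) : xml;
  const expansion = expandedSize(body, parseEntities(dtd));
  if (expansion > MAX_EXPANSION_BYTES) return { ok: false, reason: 'entity expansion', expansion };
  const depth = maxParenDepth(dtd);
  if (depth > MAX_NESTING_DEPTH) return { ok: false, reason: 'nesting depth', depth };
  return { ok: true, expansion, depth };
}

// Constructed "billion laughs" document: `levels` entities, each referring
// `fanout` times to the previous one, so lol9 expands to 3 * 10^9 bytes.
function billionLaughs(levels = 10, fanout = 10) {
  let decls = '<!ENTITY lol0 "lol">\n';
  for (let i = 1; i < levels; i++) {
    decls += `<!ENTITY lol${i} "${`&lol${i - 1};`.repeat(fanout)}">\n`;
  }
  return `<?xml version="1.0"?>\n<!DOCTYPE lolz [\n${decls}]>\n<lolz>&lol${levels - 1};</lolz>`;
}

console.log(checkDocument(billionLaughs()));
```

Because expandedSize adds memoised sizes instead of concatenating strings, the check itself runs in time proportional to the number of declarations and references, which is the property the parser under attack lacked.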

Page editor: Jake Edge

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds