
Security

Chrome reflective XSS protection

By Jake Edge
November 4, 2009

Cross-site scripting (XSS) is one of the biggest problems on the web today. There are daily reports of XSS problems in various web sites and web applications (including LWN, see below). So, it is not surprising that browser makers are looking at ways to combat the problem. Previously, we looked at Mozilla's Content Security Policy (CSP), which is one approach, but the Chrome browser team has come up with something different: reflective XSS protection.

There are two basic types of XSS, persistent and reflected (or non-persistent). Persistent XSS is an attack that gets stored at the site, in a comment or some other user-generated content, that can then attack any user viewing that content. Reflected attacks, instead, have the payload stored in the HTTP request itself (as GET parameters or FORM submission values). These attacks are generally disguised and the victim is tricked into submitting them. Reflected XSS flaws well outnumber persistent flaws, so it makes some sense to concentrate on those.

The basic idea behind Chrome's reflective protection is to examine each script before it is run to see if it also exists in the request that was sent. If the page contents contain scripts that were sent in the request, it is likely that it is a reflected XSS attack. For example, if a link or form submission contains a parameter foo with the value:

    <script>alert("XSS!")</script>

then the browser can recognize it in the response and refuse to run the script.

It isn't quite as simple as a direct string comparison, of course, as there are any number of tricks used by XSS attacks to obfuscate their intent. By using HTML entity encodings, XSS attacks can often slip by naïve tests. Things like:

    j&#97;vascript

may elude simple tests that are meant to prevent XSS, so the browser must convert the request into a canonical form before doing the comparison.
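The matching step described above, reduced to its essentials as an added example (this is illustrative code written for this page, not Chrome's or WebKit's filter): the request URL is URL-decoded and entity-decoded into a canonical form, every script the HTML parser would hand to the engine is collected from the response, and any script whose canonical form also appears in the canonical request is reported. The sample URLs, page fragments and the `min_len` cutoff are constructed assumptions.

```python
import html
import re
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import unquote_plus


def canonicalize(text: str) -> str:
    """Reduce request or script text to a comparable form: undo URL escaping,
    then HTML entity encoding, then drop whitespace and case, so that
    "j&#97;vascript", "j%61vascript" and "JavaScript" all read "javascript"."""
    decoded = html.unescape(unquote_plus(text))
    return re.sub(r"\s+", "", decoded).lower()


class _ScriptCollector(HTMLParser):
    """Collect every piece of script the parser would hand to the engine:
    inline <script> bodies, javascript: URLs in href/src, and on* handlers."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[str] = []
        self._buf: Optional[List[str]] = None  # non-None while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._buf = []
        for name, value in attrs:
            if not value:
                continue
            # HTMLParser has already decoded entities in attribute values,
            # which is the "transformed by the parser" effect the article mentions.
            if name.startswith("on") or (
                name in ("href", "src") and value.strip().lower().startswith("javascript:")
            ):
                self.scripts.append(value)

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf)
            if body.strip():
                self.scripts.append(body)
            self._buf = None


def reflected_scripts(request_url: str, response_html: str, min_len: int = 8) -> List[str]:
    """Return the scripts in the response that also occur, after canonicalization,
    in the request URL.  Fragments shorter than min_len are ignored because they
    match legitimate pages by coincidence far too often (min_len is an assumed cutoff)."""
    canonical_request = canonicalize(request_url)
    collector = _ScriptCollector()
    collector.feed(response_html)
    collector.close()
    hits = []
    for script in collector.scripts:
        canonical_script = canonicalize(script)
        if len(canonical_script) >= min_len and canonical_script in canonical_request:
            hits.append(script)
    return hits


if __name__ == "__main__":
    # Constructed sample: a search parameter echoed verbatim into the page.
    url = "http://example.test/search?q=%3Cscript%3Ealert(%22XSS!%22)%3C/script%3E"
    page = '<p>Results for <script>alert("XSS!")</script></p>'
    print(reflected_scripts(url, page))  # → ['alert("XSS!")']
```

Because the response side is compared after parsing, an entity-encoded `j&#97;vascript:` URL in the page is seen as `javascript:` and still matches the request once that has been canonicalized the same way; a page whose own scripts do not appear in the request produces no hits.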

In fact, a thread on sla.ckers.org shows various types of obfuscation that elude the Chrome XSS filter. The participants, eventually including Chrome developer Adam Barth, keep attempting—mostly succeeding—to find ways around the filter. Those were then added to a WebKit bugzilla entry and many were fixed. Some of the more complicated cases are not yet handled.

Several comparisons to the Internet Explorer 8 XSS filter were made in the thread, generally unfavorably to Chrome's, but the Chrome filter is still relatively new. Certainly, the Chrome developers can learn from IE8's filter. Barth looked at the IE8 algorithm (by extracting it from the binary) and compared the two:

The IE8 filter is based on a dozen or so regular expressions that are applied to the HTTP response before parsing. Our filter works a bit differently. It watches the scripts that are being executed after parsing. That means we're pretty robust to tricky parsing issues (like the / thing mentioned above). The trade-off is that we have to be more careful when matching the script with the request because it's been transformed by the parser a bit. That's why you get issues like the double-encoded iframe JavaScript URL issue above. It's being run through the parser twice, which tripped us up.

The whole thread is worth a read for anyone interested in XSS and the various tricks used by those attacks.

While the Chrome reflective protection is fairly recent, with bugs to squash and features to add, it will provide some added protection for users against XSS. It is a much simpler solution than CSP—and doesn't require web developers to change the way they use JavaScript—but it also only handles a subset of the full XSS problem. Both techniques likely have their place, but filtering reflected attacks is something that can be done more quickly than fundamentally changing the JavaScript landscape as CSP requires. It seems likely that Mozilla could pick up this technique to add to its XSS protection, while still pushing CSP in the longer term. Given the "popularity" of XSS attacks, it is great to see the browser makers looking at multiple ways to reduce the risk.

Comments (1 posted)

Cross-site scripting here at LWN

We would like to thank Marti Raudsepp for letting us know about a security hole in the comment submission code for the site. We believe it is now fixed and, in general, that we have tightened up our HTML handling for comments. As part of that, we removed support for many attributes on HTML tags by whitelisting a small set of attributes. We might very well have been over-zealous and removed support for legitimate attributes. Please let us know at lwn@lwn.net if that is the case.

We would also like to remind folks that we encourage anyone who finds a security problem with the site to contact us (lwn@lwn.net works for that too). We give prompt attention to such things and thank anyone reporting them—rather than, say, turning them over to law enforcement.

Comments (3 posted)

Brief items

Strandboge: AppArmor sVirt security driver for libvirt

Jamie Strandboge writes about work he has done to add AppArmor support to sVirt on his blog. "Since virtualization is becoming more and more prevalent, improving the security stance for libvirt users is of primary concern. It was very natural to look at adding an AppArmor security driver to libvirt, and as of libvirt 0.7.2 and Ubuntu 9.10, users have just that. In terms of supported features, the AppArmor driver should be on par with the SELinux driver, where the vast majority of libvirt functionality is supported by both drivers out of the box."

Comments (2 posted)

Wheeler: Fully Countering Trusting Trust through Diverse Double-Compiling

David Wheeler announces the defense of his PhD dissertation on countering the classic "Reflections on Trusting Trust" attack, which Ken Thompson spoke about in 1984. That attack subverts compilers to continuously re-infect binaries produced by that compiler (including the compiler binary itself) with some kind of malicious payload (a login back door was Thompson's example). The attack is impossible to detect, except by using Wheeler's technique, which was originally described in a 2005 Annual Computer Security Applications Conference (ACSAC) paper [PDF]. His dissertation expands on that work, and the defense of it is open to the public on November 23 at George Mason University in Fairfax, Virginia. "This 2009 dissertation significantly extends my previous 2005 ACSAC paper. For example, I now have a formal proof that DDC is effective (the ACSAC paper only had an informal justification). I also have additional demonstrations, including one with GCC (to show that it scales up) and one with a maliciously corrupted compiler (to show that it really does detect them in the real world). The dissertation is also more general; the ACSAC paper only considered the special case of a 'self-parenting' compiler, while the dissertation eliminates that assumption."

Comments (16 posted)

New vulnerabilities

expat: buffer overflow

Package(s): expat PyXML
CVE #(s): CVE-2009-3720
Created: November 4, 2009
Updated: May 6, 2011
Description: Incorrect UTF-8 sequences can cause expat (and tools using it, like PyXML) to read beyond its input buffer, leading to a crash.
Alerts:
Gentoo 201209-06 expat 2012-09-24
CentOS CESA-2011:0491 python 2011-05-05
CentOS CESA-2011:0492 python 2011-05-05
Red Hat RHSA-2011:0491-01 python 2011-05-05
Fedora FEDORA-2011-5744 SimGear 2011-04-21
Fedora FEDORA-2011-5727 SimGear 2011-04-21
Fedora FEDORA-2011-2801 whatsup 2011-03-07
Fedora FEDORA-2011-2794 whatsup 2011-03-07
Red Hat RHSA-2011:0492-01 python 2011-05-05
Slackware SSA:2011-041-03 httpd 2011-02-11
Slackware SSA:2011-041-02 expat 2011-02-11
Fedora FEDORA-2010-17819 udunits2 2010-11-16
Fedora FEDORA-2010-17807 udunits2 2010-11-16
Fedora FEDORA-2010-17720 libtlen 2010-11-15
Fedora FEDORA-2010-17762 libtlen 2010-11-15
SUSE SUSE-SR:2010:015 gpg2, krb5, kvirc, libpcsclite1/pcsc-lite, libpython2_6-1_0, libvorbis, libwebkit, squidGuard, strongswan 2010-08-17
SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02
SuSE SUSE-SR:2010:012 evolution-data-server, python/libpython2_6-1_0, mozilla-nss, memcached, texlive/te_ams, mono/bytefx-data-mysql, libpng-devel, apache2-mod_php5, ncpfs, pango, libcmpiutil 2010-05-25
SuSE SUSE-SR:2010:011 dovecot12, cacti, java-1_6_0-openjdk, irssi, tar, fuse, apache2, libmysqlclient-devel, cpio, moodle, libmikmod, libicecore, evolution-data-server, libpng/libpng-devel, libesmtp 2010-05-10
SuSE SUSE-SR:2010:013 apache2-mod_php5/php5, bytefx-data-mysql/mono, flash-player, fuse, java-1_4_2-ibm, krb5, libcmpiutil/libvirt, libmozhelper-1_0-0/mozilla-xulrunner190, libopenssl-devel, libpng12-0, libpython2_6-1_0, libtheora, memcached, ncpfs, pango, puppet, python, seamonkey, te_ams, texlive 2010-06-14
Ubuntu USN-890-6 cmake 2010-04-15
Ubuntu USN-890-4 python-xml 2010-01-26
Debian DSA-1977-1 python2.4 2010-01-25
Ubuntu USN-890-3 python2.4 2010-01-22
Ubuntu USN-890-2 python2.5 2010-01-21
Ubuntu USN-890-1 expat 2010-01-20
SuSE SUSE-SR:2009:020 apache2-mod_jk, cacti, cups, expat, finch/pidgin, htmldoc, kdelibs3/kdelibs4, libpoppler/poppler, lighttpd, opera, perl-HTML-Parser, pyxml, seamonkey, wireshark/ethereal, xntp, zope/zope3 2010-01-12
Mandriva MDVSA-2009:316-1 expat 2010-01-08
Mandriva MDVSA-2009:220-1 davfs 2010-01-05
CentOS CESA-2010:0002 PyXML 2010-01-05
Red Hat RHSA-2010:0002-01 PyXML 2010-01-04
CentOS CESA-2009:1625 expat 2009-12-08
Red Hat RHSA-2009:1625-01 expat 2009-12-07
Mandriva MDVSA-2009:219-1 kompozer 2009-12-06
Mandriva MDVSA-2009:215-1 audacity 2009-12-06
Mandriva MDVSA-2009:212-1 python 2009-12-04
Mandriva MDVSA-2009:213-1 wxgtk 2009-12-04
Mandriva MDVSA-2009:211-1 expat 2009-12-04
Mandriva MDVSA-2009:218-1 w3c-libwww 2009-12-04
Mandriva MDVSA-2009:217-3 mozilla-thunderbird 2009-12-03
Ubuntu USN-890-5 xmlrpc-c 2010-02-18
SuSE SUSE-SR:2009:018 cyrus-imapd, neon/libneon, freeradius, strongswan, openldap2, apache2-mod_jk, expat, xpdf, mozilla-nspr 2009-11-10
Fedora FEDORA-2009-11030 PyXML 2009-11-04
Fedora FEDORA-2009-11029 expat 2009-11-04
Fedora FEDORA-2009-10987 expat 2009-11-04
Fedora FEDORA-2009-10972 python-4Suite-XML 2009-11-04
Fedora FEDORA-2009-10956 python-4Suite-XML 2009-11-04
CentOS CESA-2009:1572 4Suite 2009-11-10
Red Hat RHSA-2009:1572-02 4Suite 2009-11-10
Fedora FEDORA-2009-10949 PyXML 2009-11-04

Comments (none posted)

firefox, xulrunner: multiple vulnerabilities

Package(s): firefox-3.0, firefox-3.5, xulrunner-1.9, xulrunner-1.9.1
CVE #(s): CVE-2009-3371 CVE-2009-3377 CVE-2009-3381 CVE-2009-3383
Created: November 2, 2009
Updated: June 11, 2010
Description:

From the Ubuntu advisory:

Orlando Berrera discovered that Firefox did not properly free memory when using web-workers. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. This issue only affected Ubuntu 9.10. (CVE-2009-3371)

Several flaws were discovered in third party media libraries. If a user were tricked into opening a crafted media file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. This issue only affected Ubuntu 9.10. (CVE-2009-3377)

Vladimir Vukicevic, Jesse Ruderman, Martijn Wargers, Daniel Banchero, David Keeler, Boris Zbarsky, Thomas Frederiksen, Marcia Knous, Carsten Book, Kevin Brosnan, David Anderson and Jeff Walden discovered various flaws in the browser and JavaScript engines of Firefox. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-3380, CVE-2009-3381, CVE-2009-3382, CVE-2009-3383)

Alerts:
Gentoo 201301-01 firefox 2013-01-07
Fedora FEDORA-2010-9774 libfishsound 2010-06-10
Fedora FEDORA-2010-9774 mod_annodex 2010-06-10
Fedora FEDORA-2010-9253 liboggz 2010-05-31
Fedora FEDORA-2010-9774 liboggz 2010-06-10
Fedora FEDORA-2010-9774 sonic-visualiser 2010-06-10
Fedora FEDORA-2010-9774 libannodex 2010-06-10
Slackware SSA:2009-306-01 mozilla 2009-11-03
SuSE SUSE-SA:2009:052 MozillaFirefox 2009-11-04
Ubuntu USN-853-2 firefox 2009-11-11
Mandriva MDVSA-2009:294 firefox 2009-11-05
Ubuntu USN-853-1 firefox-3.0, firefox-3.5, xulrunner-1.9, xulrunner-1.9.1 2009-10-31

Comments (none posted)

kernel: null pointer dereference

Package(s): kernel
CVE #(s): CVE-2009-3547
Created: November 4, 2009
Updated: February 15, 2010
Description: The kernel contains a null pointer dereference vulnerability in the pipe code; see this article for details. Kernels from 2.6.21 (possibly even older) through 2.6.31 are affected.
Alerts:
SuSE SUSE-SA:2010:012 kernel 2010-02-15
SuSE SUSE-SA:2010:001 kernel 2010-01-07
Red Hat RHSA-2009:1672-01 kernel 2009-12-15
Mandriva MDVSA-2009:329 kernel 2009-12-09
Ubuntu USN-864-1 linux, linux-source-2.6.15 2009-12-05
SuSE SUSE-SA:2009:060 kernel 2009-12-02
SuSE SUSE-SA:2009:056 kernel 2009-11-16
SuSE SUSE-SA:2009:055 kernel 2009-11-12
Fedora FEDORA-2009-11038 kernel 2009-11-05
Debian DSA-1928-1 linux-2.6.24 2009-11-05
Red Hat RHSA-2009:1540-01 kernel-rt 2009-11-03
Red Hat RHSA-2009:1548-01 kernel 2009-11-03
Red Hat RHSA-2009:1541-01 kernel 2009-11-03
Fedora FEDORA-2009-11032 kernel 2009-11-05
CentOS CESA-2009:1548 kernel 2009-11-04
Mandriva MDVSA-2009:301 kernel 2009-11-20
SuSE SUSE-SA:2009:054 kernel 2009-11-11
CentOS CESA-2009:1541 kernel 2009-11-04
Debian DSA-1929-1 linux-2.6 2009-11-05
Debian DSA-1927-1 linux-2.6 2009-11-05
Red Hat RHSA-2009:1588-02 kernel 2009-11-17
CentOS CESA-2009:1550 kernel 2009-11-04
Red Hat RHSA-2009:1550-01 kernel 2009-11-03
Red Hat RHSA-2009:1587-01 kernel 2009-11-17

Comments (none posted)

kernel: null pointer dereference

Package(s): kernel-rt
CVE #(s): CVE-2009-3620
Created: November 4, 2009
Updated: November 12, 2010
Description: The r128 driver in the kernel contains a null pointer dereference vulnerability.
Alerts:
Red Hat RHSA-2010:0882-01 kernel 2010-11-12
Mandriva MDVSA-2010:188 kernel 2010-09-23
Mandriva MDVSA-2010:198 kernel 2010-10-07
Mandriva MDVSA-2010:088 kernel 2010-04-30
SuSE SUSE-SA:2010:013 kernel 2010-02-18
SuSE SUSE-SA:2010:012 kernel 2010-02-15
SuSE SUSE-SA:2009:064 kernel 2009-12-22
CentOS CESA-2009:1671 kernel 2009-12-18
CentOS CESA-2009:1670 kernel 2009-12-17
Red Hat RHSA-2009:1671-01 kernel 2009-12-15
Red Hat RHSA-2009:1670-01 kernel 2009-12-15
SuSE SUSE-SA:2009:061 kernel 2009-12-14
Ubuntu USN-864-1 linux, linux-source-2.6.15 2009-12-05
SuSE SUSE-SA:2009:060 kernel 2009-12-02
Fedora FEDORA-2009-11038 kernel 2009-11-05
Debian DSA-1927-1 linux-2.6 2009-11-05
Debian DSA-1928-1 linux-2.6.24 2009-11-05
Red Hat RHSA-2009:1540-01 kernel-rt 2009-11-03

Comments (none posted)

kernel: denial of service

Package(s): kernel
CVE #(s): CVE-2009-3621
Created: November 4, 2009
Updated: February 19, 2010
Description: There is a possible denial of service (via deadlock) vulnerability in the kernel Unix-domain socket code.
Alerts:
SuSE SUSE-SA:2010:013 kernel 2010-02-18
SuSE SUSE-SA:2010:012 kernel 2010-02-15
SuSE SUSE-SA:2010:001 kernel 2010-01-07
SuSE SUSE-SA:2009:064 kernel 2009-12-22
CentOS CESA-2009:1671 kernel 2009-12-18
CentOS CESA-2009:1670 kernel 2009-12-17
Red Hat RHSA-2009:1671-01 kernel 2009-12-15
Red Hat RHSA-2009:1670-01 kernel 2009-12-15
SuSE SUSE-SA:2009:061 kernel 2009-12-14
Mandriva MDVSA-2009:329 kernel 2009-12-09
Ubuntu USN-864-1 linux, linux-source-2.6.15 2009-12-05
SuSE SUSE-SA:2009:060 kernel 2009-12-02
Mandriva MDVSA-2009:301 kernel 2009-11-20
Fedora FEDORA-2009-11038 kernel 2009-11-05
Debian DSA-1927-1 linux-2.6 2009-11-05
Debian DSA-1929-1 linux-2.6 2009-11-05
Red Hat RHSA-2009:1540-01 kernel-rt 2009-11-03
Fedora FEDORA-2009-11032 kernel 2009-11-05
Debian DSA-1928-1 linux-2.6.24 2009-11-05

Comments (none posted)

libhtml-parser-perl: denial of service

Package(s): libhtml-parser-perl
CVE #(s): CVE-2009-3627
Created: October 30, 2009
Updated: January 12, 2010
Description:

From the Debian advisory:

Mark Martinec discovered that the decode_entities() function will get stuck in an infinite loop when parsing certain HTML entities with invalid UTF-8 characters. An attacker can use this to perform denial of service attacks by submitting crafted HTML to an application using this functionality.

Alerts:
SuSE SUSE-SR:2009:020 apache2-mod_jk, cacti, cups, expat, finch/pidgin, htmldoc, kdelibs3/kdelibs4, libpoppler/poppler, lighttpd, opera, perl-HTML-Parser, pyxml, seamonkey, wireshark/ethereal, xntp, zope/zope3 2010-01-12
Ubuntu USN-855-1 libhtml-parser-perl 2009-11-05
Debian DSA-1923-1 libhtml-parser-perl 2009-10-27

Comments (none posted)

mahara: multiple vulnerabilities

Package(s): mahara
CVE #(s): CVE-2009-3298 CVE-2009-3299
Created: November 2, 2009
Updated: November 4, 2009
Description:

From the Debian advisory:

CVE-2009-3298: Ruslan Kabalin discovered an issue with resetting passwords, which could lead to a privilege escalation of an institutional administrator account.

CVE-2009-3299: Sven Vetsch discovered a cross-site scripting vulnerability via the resume fields.

Alerts:
Debian DSA-1924-1 mahara 2009-10-31

Comments (none posted)

proftpd-dfsg: certificate spoofing

Package(s): proftpd-dfsg
CVE #(s): CVE-2009-3639
Created: November 2, 2009
Updated: December 28, 2009
Description:

From the Debian advisory:

It has been discovered that proftpd-dfsg, a virtual-hosting FTP daemon, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate, when the dNSNameRequired TLS option is enabled.
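The failure mode behind this advisory, shown as an added example that is not proftpd's code: a dNSName in a certificate carries an explicit length, but a comparison that treats it as a C string stops at the first `'\0'` and sees only the prefix. The first function mimics that mistake; the second checks the whole value. The two sample names are constructed and the host names are placeholders.

```python
import re

# Constructed sample dNSName values, with the length known from the encoding
# rather than from a NUL terminator (hypothetical host names).
GOOD_NAME = b"mail.example.test"
NUL_NAME = b"mail.example.test\x00.other.invalid"

# A conservative hostname grammar: labels of letters, digits and hyphens.
_HOSTNAME = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*")


def dnsname_matches_naive(raw: bytes, expected: str) -> bool:
    """Mimics a C-string comparison: everything after the first NUL is invisible,
    so a name with an embedded NUL compares equal to its prefix."""
    cstring = raw.split(b"\x00", 1)[0]
    return cstring.decode("latin-1").lower() == expected.lower()


def dnsname_matches(raw: bytes, expected: str) -> bool:
    """Length-aware check: the entire value must be a syntactically valid
    hostname, and an embedded NUL is rejected outright."""
    if b"\x00" in raw:
        return False
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not _HOSTNAME.fullmatch(name):
        return False
    return name.lower() == expected.lower()


if __name__ == "__main__":
    for check in (dnsname_matches_naive, dnsname_matches):
        print(check.__name__, check(GOOD_NAME, "mail.example.test"), check(NUL_NAME, "mail.example.test"))
```

The same rule applies to any field compared against a host name (subject CN, dNSName, URI SANs): validate it as a complete, length-delimited value before comparing, never after converting it to a NUL-terminated string.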

Alerts:
Fedora FEDORA-2009-11649 proftpd 2009-11-18
Debian DSA-1925-1 proftpd-dfsg 2009-10-31
Fedora FEDORA-2009-11666 proftpd 2009-11-18

Comments (none posted)

rt3: JavaScript injection

Package(s): rt3
CVE #(s):
Created: November 4, 2009
Updated: November 4, 2009
Description: From the rt 3.8.5 release announcement: During a routine internal audit, it was determined that all versions of RT from 3.4.6 to 3.8.4 are vulnerable to an escaping bug in the display of Custom Fields that could allow injection of javascript into the RT UI.
Alerts:
Fedora FEDORA-2009-10498 rt3 2009-10-14
Fedora FEDORA-2009-10426 rt3 2009-10-14

Comments (none posted)

squidGuard: buffer overflows

Package(s): squidGuard
CVE #(s): CVE-2009-3700 CVE-2009-3826
Created: November 4, 2009
Updated: August 17, 2010
Description: Several buffer overflows have been found in versions 1.3 and 1.4 of squidGuard. These vulnerabilities can be exploited to cause a denial of service situation or to bypass URL blocking.
Alerts:
SUSE SUSE-SR:2010:015 gpg2, krb5, kvirc, libpcsclite1/pcsc-lite, libpython2_6-1_0, libvorbis, libwebkit, squidGuard, strongswan 2010-08-17
openSUSE openSUSE-SU-2010:0460-1 squidGuard 2010-08-02
SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02
Debian DSA-2040-1 squidguard 2010-05-02
Mandriva MDVSA-2009:293-1 squidGuard 2010-01-11
Mandriva MDVSA-2009:293 squidGuard 2009-11-03
Fedora FEDORA-2009-10743 squidGuard 2009-10-27
Fedora FEDORA-2009-10780 squidGuard 2009-10-27

Comments (none posted)

wireshark: multiple vulnerabilities

Package(s): wireshark
CVE #(s): CVE-2009-3550 CVE-2009-3829
Created: November 3, 2009
Updated: May 28, 2010
Description: From the Mandriva alert:

Vulnerabilities have been discovered and corrected in wireshark, affecting DCERPC/NT dissector, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a file that records a malformed packet trace (CVE-2009-3550); and in wiretap/erf.c which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted erf file (CVE-2009-3829).

Alerts:
CentOS CESA-2010:0360 wireshark 2010-05-28
CentOS CESA-2010:0360 wireshark 2010-04-20
Red Hat RHSA-2010:0360-01 wireshark 2010-04-20
SuSE SUSE-SR:2009:020 apache2-mod_jk, cacti, cups, expat, finch/pidgin, htmldoc, kdelibs3/kdelibs4, libpoppler/poppler, lighttpd, opera, perl-HTML-Parser, pyxml, seamonkey, wireshark/ethereal, xntp, zope/zope3 2010-01-12
Mandriva MDVSA-2009:292-1 wireshark 2009-12-03
Mandriva MDVSA-2009:292 wireshark 2009-11-03
Debian DSA-1942-1 wireshark 2009-11-29
Gentoo 200911-05 wireshark 2009-11-25

Comments (none posted)

wireshark: denial of service

Package(s): wireshark
CVE #(s): CVE-2009-3242
Created: November 4, 2009
Updated: November 25, 2009
Description: Wireshark's GSM layer 3 radio resource protocol dissector can be made to crash with the wrong input, leading to (at least) a denial of service problem.
Alerts:
Fedora FEDORA-2009-9837 wireshark 2009-09-24
Gentoo 200911-05 wireshark 2009-11-25

Comments (none posted)

Page editor: Jake Edge


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds