Security
Trustedbird: Additional email security for Thunderbird
A collaboration between the French military, BT, and Mozilla has resulted in a version of Thunderbird that has features more suited to military organizations. Trustedbird includes changes to Thunderbird to support additional encryption and message handling options, and some of that code has made its way into the Thunderbird 3 release. The reasons given for working with free software, rather than a proprietary alternative, make it clear that access to the source and the ability to make changes—hallmarks of free software—were key.
There are a number of message handling features that were added to the Trustedbird core, along with some additional features that were implemented as add-ons that will work with either Trustedbird or Thunderbird. The add-ons are for features that others might find useful outside of organizations that require the level of security that Trustedbird provides. Features like Multi-LDAP directory lookup for addresses, MDN Extended for deletion receipt handling, and Mail XForms, which allows adding various headers through forms, are all available as add-ons. There is a list of these add-ons on the documentation page.
The Thunderbird changes that make up Trustedbird are all based on various RFCs and may well end up in Thunderbird itself some day. Much of the work was based on RFC 2634 (Enhanced Security Services for S/MIME), which includes "triple wrapping", signed receipts, and security labels. In addition, Trustedbird implements Delivery Status Notification (DSN), based on RFC 3461, and SMTP Priorities based on a draft RFC.
For military organizations, it is important to be able to receive signed and encrypted messages that have not been surreptitiously forwarded. Standard encrypted email only signs the body of an email before encrypting it with the recipient's public key. A malicious recipient can re-encrypt the mail with a different recipient's key and forward the mail (presumably with some header forgery). The new recipient may be confused into believing the mail was actually sent to them (as the signature will verify for the original sender).
Triple wrapping allows a recipient to detect that the mail has been forwarded by also signing the encrypted message. That additional signing can be done over some additional headers, along with the encrypted body, but that is not required. A proper message will be signed twice by the sender, while a surreptitiously forwarded one requires that the attacker re-encrypt the body (using the new recipient's public key), which will invalidate the outer signature.
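The check described above, as an added example written for this page (it is not Trustedbird or Thunderbird code). Textbook RSA with a tiny modulus stands in for the CMS SignedData layers of RFC 2634, an XOR keystream stands in for EnvelopedData, and the keys and addresses are constructed; none of it is usable as real cryptography, but it shows why re-encrypting the body for a new recipient leaves the inner signature valid while breaking the outer one, which is exactly the signal a triple-wrap-aware client uses to flag a forwarded message.

```python
import hashlib
import json

# --- Toy RSA signature (textbook RSA over SHA-256 with a tiny modulus). ---
# Stand-in for the CMS SignedData layers of RFC 2634; keys constructed for this demo.
_P, _Q, _E = 104729, 1299709, 65537
SENDER_N = _P * _Q
SENDER_PUBLIC = (SENDER_N, _E)                                  # known to every recipient
SENDER_PRIVATE = (SENDER_N, pow(_E, -1, (_P - 1) * (_Q - 1)))  # held by the sender only

def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private: tuple, data: bytes) -> int:
    n, d = private
    return pow(_digest_int(data, n), d, n)

def verify(public: tuple, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest_int(data, n)

# --- Toy envelope: XOR with a SHA-256 keystream under a per-recipient secret. ---
# Stand-in for CMS EnvelopedData under the recipient's public key; the secrets
# and addresses below are constructed for the demo.
RECIPIENT_KEYS = {
    "alice@example.mil": b"alice-demo-envelope-key",
    "bob@example.mil": b"bob-demo-envelope-key",
}

def envelope(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR with a keystream is its own inverse)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def _canon(obj) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True).encode()

def triple_wrap(body: bytes, recipient: str, label: str) -> dict:
    """Sign, encrypt, sign (RFC 2634 section 1.1). The outer signature covers the
    ciphertext together with the To and security-label headers."""
    inner = {"body": body.hex(), "sig": sign(SENDER_PRIVATE, body)}
    ct = envelope(RECIPIENT_KEYS[recipient], _canon(inner)).hex()
    headers = {"To": recipient, "X-Security-Label": label}
    outer_sig = sign(SENDER_PRIVATE, _canon({"headers": headers, "ct": ct}))
    return {"headers": headers, "ct": ct, "outer_sig": outer_sig}

def unwrap(msg: dict, recipient: str) -> dict:
    """Recipient-side check: verify the outer signature over what actually arrived,
    then decrypt and verify the inner signature over the body."""
    outer_ok = verify(SENDER_PUBLIC, _canon({"headers": msg["headers"], "ct": msg["ct"]}), msg["outer_sig"])
    inner = json.loads(envelope(RECIPIENT_KEYS[recipient], bytes.fromhex(msg["ct"])))
    body = bytes.fromhex(inner["body"])
    inner_ok = verify(SENDER_PUBLIC, body, inner["sig"])
    # Good inner signature, bad outer signature: genuine content from the sender,
    # but not inside the envelope the sender built. That is the forwarding pattern.
    verdict = "genuine" if outer_ok and inner_ok else ("re-enveloped" if inner_ok else "invalid")
    return {"outer_ok": outer_ok, "inner_ok": inner_ok, "verdict": verdict, "body": body}

def forward_to(msg: dict, original: str, new: str) -> dict:
    """Model of the forward the article describes: the original recipient decrypts,
    re-encrypts for someone else and rewrites To:. Without the sender's private key
    the forwarder can only leave the old outer signature in place."""
    inner_bytes = envelope(RECIPIENT_KEYS[original], bytes.fromhex(msg["ct"]))
    new_ct = envelope(RECIPIENT_KEYS[new], inner_bytes).hex()
    return {"headers": dict(msg["headers"], To=new), "ct": new_ct, "outer_sig": msg["outer_sig"]}

def demo() -> tuple:
    """Returns (result seen by the real recipient, result seen by the forwarded-to party)."""
    legit = triple_wrap(b"Exercise begins at 0600.", "alice@example.mil", "RESTRICTED")
    forwarded = forward_to(legit, "alice@example.mil", "bob@example.mil")
    return unwrap(legit, "alice@example.mil"), unwrap(forwarded, "bob@example.mil")

if __name__ == "__main__":
    for who, result in zip(("alice", "bob"), demo()):
        print(who, result["verdict"], result["outer_ok"], result["inner_ok"])
```

The verdict a real client should act on is the outer signature: a message whose inner signature verifies but whose outer one does not should be shown as forwarded or tampered with, not as mail from the original sender.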
Signed receipts are basically what they sound like. A receipt that a message has been received can be signed by the recipient. When a properly signed receipt is received by the sender, they can be sure that the recipient did receive the message—or at least that their Trustedbird client did.
Security labels are headers that can be added to the signed portion of a triple wrapped message and specify various kinds of information about the security policy that applies to the message. Standard labels like "classified" or "top secret" can be applied, and then be enforced based on the recipient's access level. The labels themselves can be customized in an XML file, but it is unclear from the documentation how exactly the security policies are specified and propagated.
The DSN feature has already been incorporated into Thunderbird 3. It allows clients to ask the Mail Transfer Agent (MTA, e.g. Sendmail or Postfix) for a notification on the delivery status of an email. Three kinds of notifications can be requested: success, failure, or delay in delivering the email.
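Both sides of the DSN feature, as an added example written for this page rather than code from Thunderbird or Trustedbird: the RFC 3461 parameters a client attaches to MAIL FROM and RCPT TO to ask for success, failure or delay notifications, and a parser for the multipart/report message (RFC 3464) that the MTA sends back. The sample report is constructed, not captured from a real MTA, and the hostnames and addresses in it are placeholders.

```python
import email
from email import policy

# --- Requesting notifications (RFC 3461): ESMTP parameters for MAIL FROM / RCPT TO. ---

def xtext(s: str) -> str:
    """RFC 3461 xtext: printable ASCII other than '+' and '=' passes through,
    everything else is encoded as +HH (uppercase hex)."""
    out = []
    for ch in s.encode("ascii", "strict"):
        if 33 <= ch <= 126 and ch not in (0x2B, 0x3D):
            out.append(chr(ch))
        else:
            out.append("+%02X" % ch)
    return "".join(out)

def dsn_mail_options(envid: str = "", return_full: bool = False) -> list:
    """Parameters for MAIL FROM: RET=FULL returns the whole message in a DSN,
    RET=HDRS only its headers; ENVID lets the sender correlate the report."""
    opts = ["RET=FULL" if return_full else "RET=HDRS"]
    if envid:
        opts.append("ENVID=" + xtext(envid))
    return opts

def dsn_rcpt_options(success=False, failure=False, delay=False, never=False) -> list:
    """NOTIFY= parameter for RCPT TO; NEVER must not be combined with the others."""
    if never:
        if success or failure or delay:
            raise ValueError("NOTIFY=NEVER must stand alone")
        return ["NOTIFY=NEVER"]
    kws = [k for k, on in (("SUCCESS", success), ("FAILURE", failure), ("DELAY", delay)) if on]
    return ["NOTIFY=" + ",".join(kws)] if kws else []

# --- Reading the report that comes back (RFC 3464 multipart/report). ---
# Constructed sample DSN; hostnames and addresses are placeholders.
SAMPLE_DSN = b"""\
From: MAILER-DAEMON@mail.example.mil
To: sender@example.mil
Subject: Delivery Status Notification
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Constructed human-readable part.
--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.mil
Original-Envelope-Id: msg-0001

Final-Recipient: rfc822; alice@example.mil
Action: delivered
Status: 2.0.0

Final-Recipient: rfc822; bob@example.mil
Action: delayed
Status: 4.4.1
Will-Retry-Until: Thu, 25 Feb 2010 12:00:00 +0000
--B1--
"""

def parse_dsn(raw: bytes) -> dict:
    """Return the per-message fields and one entry per recipient; raises ValueError
    if the message is not a delivery-status report."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report" or msg.get_param("report-type") != "delivery-status":
        raise ValueError("not a multipart/report; report-type=delivery-status message")
    status = next((p for p in msg.iter_parts() if p.get_content_type() == "message/delivery-status"), None)
    if status is None:
        raise ValueError("report lacks a message/delivery-status part")
    # The email package splits message/delivery-status into one header block per
    # blank-line-separated paragraph: the first is per-message, the rest per-recipient.
    blocks = status.get_payload()
    per_message, per_recipient = blocks[0], blocks[1:]
    recipients = []
    for blk in per_recipient:
        addr_type, _, addr = str(blk.get("Final-Recipient", "")).partition(";")
        recipients.append({
            "recipient": addr.strip(),
            "address_type": addr_type.strip(),
            "action": str(blk.get("Action", "")).strip().lower(),
            "status": str(blk.get("Status", "")).strip(),
        })
    return {
        "reporting_mta": str(per_message.get("Reporting-MTA", "")).strip(),
        "envelope_id": str(per_message.get("Original-Envelope-Id", "")).strip(),
        "recipients": recipients,
    }

def undelivered(report: dict) -> list:
    """Recipients whose action is anything other than a completed delivery."""
    return [r["recipient"] for r in report["recipients"]
            if r["action"] not in ("delivered", "relayed", "expanded")]
```

With the standard library's smtplib the two option lists go straight into SMTP.sendmail(from_addr, to_addrs, msg, mail_options=dsn_mail_options(envid=...), rcpt_options=dsn_rcpt_options(success=True, failure=True, delay=True)); check SMTP.has_extn("dsn") after EHLO first, since a server that does not advertise the extension will reject the parameters.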
SMTP Priority allows for five levels of priority (NONE, ROUTINE, PRIORITY, IMMEDIATE, and FLASH) to be sent to an MTA in the envelope part of the SMTP conversation. For additional complexity, different priorities can be given for each recipient. MTAs must be changed to support priorities so Trustedbird provides a priority email gateway that works with Postfix using Qpsmtpd.
While most of these are features that may be of little interest to many, it is always nice to see governments taking advantage of the benefits of free software. In addition, some of the features—triple wrapping in particular—may well be of interest to those who regularly use email encryption. The fact that the French military is working with the Thunderbird project to get its code upstream is also rather novel for government-sponsored projects.
It seems likely that Trustedbird will find its way into more agencies and organizations with a need for a higher security level in their email handling; the fact that it's free software will likely save the taxpayers in those places some money—always a good thing. It also shows that free software ideas and ideals have rather wide applicability. It is not just monetary savings; there is something rather comforting in knowing what's in the code that is being used for security purposes.
Brief items
Chuck Norris Botnet Karate-chops Routers Hard (PC World)
PC World reports on a botnet based on poorly-secured Linux routers. "Right now Chuck Norris-infected machines can be used to attack other systems on the Internet, in what are known as distributed denial of service attacks. The botnet can launch a password-guessing dictionary attack on another computer, and it can also change the DNS (Domain Name System) settings in the router. With this attack, victims on the router's network who think they are connecting to Facebook or Google end up redirected to a malicious Web page that then tries to install a virus on their computers."
Researchers: Rootkits Work Nicely On Smartphones, Thank You (Dark Reading)
Dark Reading looks at research into rootkits on smartphones. It shouldn't come as a big surprise to those who pay attention to security issues, but it is a class of attacks that could be quite dangerous. "In one test, the researchers showed how a rootkit could turn on a phone's microphone without the owner knowing it happened. In such a case, an attacker would send an invisible text message to the infected phone, telling it to place a call and turn on the microphone, such as when the phone's owner is in a meeting and the attacker wants to eavesdrop."
New vulnerabilities
cronie: modification time changes
Package(s): cronie
CVE #(s): CVE-2010-0424
Created: February 24, 2010
Updated: November 7, 2013
Description: The cronie tool suffers from a race condition which can allow a local user to modify the modification time of otherwise inaccessible files.
Alerts:
ffmpeg: multiple vulnerabilities
Package(s): ffmpeg
CVE #(s): CVE-2009-4631 CVE-2009-4632 CVE-2009-4633 CVE-2009-4634 CVE-2009-4635 CVE-2009-4636 CVE-2009-4637 CVE-2009-4638 CVE-2009-4640
Created: February 19, 2010
Updated: July 18, 2011
Description: From the Debian advisory:
Several vulnerabilities have been discovered in ffmpeg, a multimedia player, server and encoder, which also provides a range of multimedia libraries used in applications like MPlayer: Various programming errors in container and codec implementations may lead to denial of service or the execution of arbitrary code if the user is tricked into opening a malformed media file or stream.
Alerts:
firefox: multiple vulnerabilities
Package(s): firefox
CVE #(s): CVE-2009-1571 CVE-2009-3988 CVE-2010-0159 CVE-2010-0160 CVE-2010-0162
Created: February 18, 2010
Updated: April 23, 2010
Description: From the Red Hat alert:
A use-after-free flaw was found in Firefox. Under low memory conditions, visiting a web page containing malicious content could result in Firefox executing arbitrary code with the privileges of the user running Firefox. (CVE-2009-1571)
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-0159, CVE-2010-0160)
Two flaws were found in the way certain content was processed. An attacker could use these flaws to create a malicious web page that could bypass the same-origin policy, or possibly run untrusted JavaScript. (CVE-2009-3988, CVE-2010-0162)
Alerts:
gnome-screensaver: unauthorized local access
Package(s): gnome-screensaver
CVE #(s): CVE-2009-4641
Created: February 18, 2010
Updated: February 24, 2010
Description: From the Mandriva alert:
gnome-screensaver 2.28.0 does not resume adherence to its activation settings after an inhibiting application becomes unavailable on the session bus, which allows physically proximate attackers to access an unattended workstation on which screen locking had been intended (CVE-2009-4641).
Alerts:
kernel: denial of service
Package(s): linux-2.6
CVE #(s): CVE-2010-0622
Created: February 23, 2010
Updated: October 8, 2010
Description: From the Debian advisory:
Jerome Marchand reported an issue in the futex subsystem that allows a local user to force an invalid futex state which results in a denial of service (oops).
Alerts:
konversation: remote crash
Package(s): konversation
CVE #(s):
Created: February 22, 2010
Updated: February 24, 2010
Description: Konversation through version 1.2.2 can be made to crash (with unknown consequences) by a message containing invalid Unicode characters.
Alerts:
krb5: denial of service
Package(s): krb5
CVE #(s): CVE-2010-0283
Created: February 19, 2010
Updated: March 24, 2010
Description: From the Red Hat bugzilla:
A flaw was found in how the KDC processed invalid requests. An unauthenticated remote attacker could send an invalid request to a KDC process that would cause it to crash due to an assertion failure, resulting in a denial of service of the KDC. This flaw only affects MIT krb5 version 1.7 and later; earlier versions did not contain the vulnerable code.
Alerts:
moin: "major unspecified" vulnerabilities
Package(s): moin
CVE #(s):
Created: February 22, 2010
Updated: February 24, 2010
Description: The MoinMoin wiki system suffers from a series of poorly described (but evidently serious) vulnerabilities. More information, such as it is, can be found in the 1.8.7 changelog and this Secunia advisory.
Alerts:
netpbm: buffer overflow
Package(s): netpbm
CVE #(s): CVE-2009-4274
Created: February 18, 2010
Updated: November 13, 2013
Description: From the Mandriva alert:
Stack-based buffer overflow in converter/ppm/xpmtoppm.c in netpbm before 10.47.07 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an XPM image file that contains a crafted header field associated with a large color index value (CVE-2009-4274).
Alerts:
pidgin: multiple vulnerabilities
Package(s): pidgin
CVE #(s): CVE-2010-0277 CVE-2010-0420 CVE-2010-0423
Created: February 18, 2010
Updated: November 15, 2010
Description: From the Red Hat alert:
An input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially-crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277)
A denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML "br" element, it would cause Finch to crash. (CVE-2010-0420) Red Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project for responsibly reporting the CVE-2010-0420 issue.
A denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423)
Alerts:
polipo: denial of service
Package(s): polipo
CVE #(s): CVE-2009-3305 CVE-2009-4413
Created: February 19, 2010
Updated: February 24, 2010
Description: From the Debian advisory:
Several denial of service vulnerabilities have been discovered in polipo, a small, caching web proxy. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2009-3305: A malicious remote server could cause polipo to crash by sending an invalid Cache-Control header.
CVE-2009-4413: A malicious client could cause polipo to crash by sending a large Content-Length value.
Alerts:
squid: denial of service
Package(s): squid
CVE #(s): CVE-2010-0639
Created: February 24, 2010
Updated: January 19, 2012
Description: Squid fails to properly handle malformed HTCP packets; as a result, a remote attacker can cause squid to crash with a null pointer dereference.
Alerts:
systemtap: denial of service
Package(s): systemtap
CVE #(s): CVE-2010-0411 CVE-2010-0412
Created: February 19, 2010
Updated: April 27, 2010
Description: From the CVE entries:
Multiple integer signedness errors in the (1) __get_argv and (2) __get_compat_argv functions in tapset/aux_syscalls.stp in SystemTap 1.1 allow local users to cause a denial of service (script crash, or system crash or hang) via a process with a large number of arguments, leading to a buffer overflow.
Alerts:
Page editor: Jake Edge