Security
Google Chrome and master passwords
Master passwords for browsers provide a measure of security against some common, if weak, attack vectors. Firefox has had master passwords for some time, but Google's Chrome browser does not, nor does adding one appear to be any kind of priority. That makes some users rather unhappy, to the point of saying that they won't use the browser until it is implemented. Google's position seems to be that master passwords only provide an illusion of security, but that is an oversimplification.
The idea behind a master password is to protect the credentials (username and password) for accessing web sites that are stored by the browser. The master password is required to unlock (really decrypt) the credential storage before the browser can auto-fill login forms. Without a master password, Firefox stores credential information unencrypted on the disk. Chrome does encrypt the credentials using the user's session information—but only on Windows; on Linux it stores them unencrypted.
As Jamie Strandboge describes in a blog posting, it is trivial to extract the credentials stored by Chrome on Linux in a SQLite database file. A bug filed against Chrome in September 2008 requests adding a master password, and, while it has seen many comments, it has also seen little action on the part of the Chrome developers. For Linux users, it is pretty clear that leaving an unencrypted version of all stored passwords on the disk is a security hole; it definitely requires access to the data, either on the machine itself or elsewhere—like a network share or backup of the home directory. Ways to get that access aren't very hard to envision. Since the data is encrypted on Windows, the picture there is a little murkier.
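To make concrete what "unlock (really decrypt) the credential storage" means, here is an added illustration that is not code from Chrome, Firefox or the article. It models a credential store that is unreadable on disk until a key derived from the master password decrypts it, and a browser that can only auto-fill while the store is unlocked. The store format, the PBKDF2 parameters, the HMAC-SHA256 counter-mode keystream and the sample credentials are all constructed for this example so that it runs with the Python standard library alone.

```python
"""Added illustration (not Chrome's or Firefox's code): a credential store that
is only readable after a master password unlocks it.

Assumptions/constructions: the on-disk format, the PBKDF2 parameters and the
HMAC-SHA256 counter-mode keystream are illustrative, stdlib-only choices made
here; a production store would use a vetted AEAD such as AES-GCM.  The sample
credentials are constructed, not real."""
import hashlib
import hmac
import json
import os
import struct
from typing import Dict, Optional, Tuple


def _derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    # Slow KDF so that guessing the master password offline is expensive.
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC-SHA256(key, nonce || i).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def lock_store(master_password: str, credentials: Dict[str, Dict[str, str]]) -> dict:
    """Encrypt {origin: {"username": ..., "password": ...}} under the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(credentials).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()  # encrypt-then-MAC
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def unlock_store(master_password: str, blob: dict) -> Optional[dict]:
    """Return the credentials, or None if the password is wrong or the blob was tampered with."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class Browser:
    """Minimal model: auto-fill works only while the store is unlocked."""

    def __init__(self, blob: dict):
        self.blob = blob
        self.credentials = None  # locked at start, like a fresh Firefox session

    def unlock(self, master_password: str) -> bool:
        self.credentials = unlock_store(master_password, self.blob)
        return self.credentials is not None

    def lock(self) -> None:
        self.credentials = None  # the "log out of the Software Security Device" case

    def autofill(self, origin: str) -> Optional[dict]:
        return None if self.credentials is None else self.credentials.get(origin)


# Constructed sample data for the demonstration.
SAMPLE = {"https://example.test": {"username": "alice", "password": "correct horse"}}


def demo() -> dict:
    """Walk through lock / wrong password / right password / relock and report each step."""
    blob = lock_store("hunter2", SAMPLE)
    b = Browser(blob)
    result = {"locked_autofill": b.autofill("https://example.test")}
    result["wrong_password"] = b.unlock("wrong")
    result["right_password"] = b.unlock("hunter2")
    result["unlocked_autofill"] = b.autofill("https://example.test")
    b.lock()
    result["relocked_autofill"] = b.autofill("https://example.test")
    # What lands on disk never contains the plaintext password bytes.
    result["plaintext_on_disk"] = "correct horse".encode().hex() in blob["ct"]
    return result


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the article makes: a locked store gives an unsupervised "friend" nothing to auto-fill or read, while an unlocked session gives them everything, so locking (or never unlocking) the store is the protection, not the encryption by itself.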
It is certainly true that anyone who gets physical access to your machine can do an amazing amount of harm to it if they want to. But it is also true that many people allow their computer to be used by others to do a quick search or check email. Those uses are typically short in duration and are "semi-supervised" in the sense that the owner is often around and might very well notice someone installing a keylogger or running some kind of password cracker. What may escape notice is someone using the browser interface in fairly standard ways—to look at stored passwords for example.
The answer, according to Chrome developer Peter Kasting, is to "lock your desktop (it's two keys!) or close Chrome" if you don't trust those with physical access. Essentially, because of the way Chrome is implemented, there is no secure way to allow someone to use your open browser session—or even to start a new one for them to use. With Firefox, one can start a new browser and not provide the master password (or just log out of the "Software Security Device"), which will allow semi-untrusted users to jump on and do a quick Google—or check Gmail.
Given the sensitivity of stored passwords—though many sensitive web sites, like banks and brokerages, have started disallowing credential storage—a master password protecting them gives users a sense of protection. It may well be that the average user overestimates the amount of protection that a master password provides, but that doesn't mean it provides no protection. There is certainly a big difference between a sophisticated hacker willing to risk jail time by installing a keylogger and a "friend" who thinks it would be funny to update your Facebook status for you. The latter is likely to be thwarted by a master password.
It is a bit hard to understand why the Chrome developers are so unwilling to consider adding the feature. It shouldn't be particularly difficult in a technical sense. The "UI complexity" argument rings a little hollow. The lack of any way to get password encryption on Linux just seems like a bug that needs to be fixed, though there isn't any real indication that it will be. Maybe someone in the community needs to take a crack at it—it is, after all, free software.
Brief items
Quotes of the week
The answers to your Security Questions are case sensitive and cannot contain special characters like an apostrophe, or the words "insert," "delete," "drop," "update," "null," or "select."
-- Boing Boing looks at a since-changed credit union online banking FAQ
-- Bruce Schneier on worst-case thinking
- new ways to share, track, and analyze information (and accompanying new questions about the definition of "user information");
- users who want to connect and share (Facebook didn't get 400M users accidentally); and
- an increasing expectation that users, when they do intend to share, also expect some reasonable control of their information and information about them.
-- Harvey Anderson, Mozilla Corporation VP and General Counsel
-- Mike Chan about Android's always-on "phone home" connection
Morris: SELinux Notebook Edition 2 Released
Over at SELinux News, James Morris announces the second edition of The SELinux Notebook. "Richard Haines has released the 2nd edition of The SELinux Notebook, an extensive work of documentation aimed at explaining SELinux to newcomers. It is also intended to be a reference document for the policy language and configuration. The Notebook has now been split into two volumes: The Foundations and Sample Policy Source, and updated to the latest implementation of SELinux in the Fedora 12 distribution. New topics in this edition include virtualization (sVirt), SE-PostgreSQL, XSELinux and Apache/SELinux Plus."
New vulnerabilities
aria2: insufficient input sanitizing
Package(s): aria2
CVE #(s): CVE-2010-1512
Created: May 18, 2010
Updated: January 17, 2011
Description: From the Debian advisory: A vulnerability was discovered in aria2, a download client. The "name" attribute of the "file" element of metalink files is not properly sanitised before using it to download files. If a user is tricked into downloading from a specially crafted metalink file, this can be exploited to download files to directories outside of the intended download directory.
fetchmail: denial of service
Package(s): fetchmail
CVE #(s): CVE-2010-1167
Created: May 17, 2010
Updated: June 7, 2011
Description: From the CVE entry: fetchmail 4.6.3 through 6.3.16, when debug mode is enabled, does not properly handle invalid characters in a multi-character locale, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted (1) message header or (2) POP3 UIDL list.
kdenetwork: arbitrary code execution
Package(s): kdenetwork
CVE #(s): CVE-2010-1000
Created: May 13, 2010
Updated: May 26, 2011
Description: From the Ubuntu advisory: It was discovered that KGet did not properly perform input validation when processing metalink files. If a user were tricked into opening a crafted metalink file, a remote attacker could overwrite files via directory traversal, which could eventually lead to arbitrary code execution.
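Both the aria2 and the KGet entries above describe the same failure mode: the "name" attribute of a metalink file element is used as a download path without being sanitised. The following added example (not code from aria2, KGet or the advisories) shows the validation a download client needs before writing to that path: the name must be relative, must contain no ".." component, and after joining with the download directory must still resolve inside it. The metalink document and the download directory are constructed for the demonstration.

```python
"""Added example (not aria2's or KGet's code): validating the "name" attribute
of metalink <file> elements before using it as a download path.

The metalink snippet and the download directory are constructed for the
demonstration."""
import os
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed Metalink 3 document mixing benign names with traversal-style ones.
SAMPLE_METALINK = b"""<?xml version="1.0" encoding="utf-8"?>
<metalink version="3.0" xmlns="http://www.metalinker.org/">
  <files>
    <file name="iso/distro.iso"><size>4</size></file>
    <file name="../../home/user/.bashrc"><size>4</size></file>
    <file name="/etc/passwd"><size>4</size></file>
    <file name="docs/../../evil.sh"><size>4</size></file>
    <file name="notes/readme.txt"><size>4</size></file>
  </files>
</metalink>
"""
NS = {"m": "http://www.metalinker.org/"}


def safe_download_path(download_dir: str, name: str) -> str:
    """Return the absolute target path, or raise ValueError if `name` would escape download_dir."""
    if not name or name.startswith(("/", "\\")) or os.path.isabs(name):
        raise ValueError("absolute path not allowed: %r" % name)
    # Treat backslashes as separators too (Windows would), then reject ".." and empty components.
    parts = name.replace("\\", "/").split("/")
    if any(p in ("..", "") for p in parts):
        raise ValueError("directory traversal or empty component in: %r" % name)
    root = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(root, *parts))
    # Belt and braces: the resolved path (symlinks included) must still be inside the download dir.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes download directory: %r" % name)
    return target


def plan_downloads(metalink_bytes: bytes, download_dir: str) -> Tuple[List[str], List[str]]:
    """Split a metalink's file names into accepted target paths and rejected names."""
    accepted, rejected = [], []
    root = ET.fromstring(metalink_bytes)
    for f in root.findall(".//m:file", NS):
        name = f.get("name", "")
        try:
            accepted.append(safe_download_path(download_dir, name))
        except ValueError:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_downloads(SAMPLE_METALINK, "/tmp/downloads")
    print("accepted:", ok)
    print("rejected:", bad)
```

The component check is the "sanitising" the Debian advisory says was missing; the `realpath`/`commonpath` comparison is the defence in depth that also catches a symlink inside the download directory pointing elsewhere.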
krb5: denial of service
Package(s): krb5
CVE #(s): CVE-2010-1321
Created: May 19, 2010
Updated: May 3, 2011
Description: The Kerberos GSS-API library contains a null pointer dereference vulnerability; a remote authenticated attacker could use this vulnerability to crash the server.
libxext: application crash
Package(s): libxext
CVE #(s):
Created: May 19, 2010
Updated: May 19, 2010
Description: From the Mandriva advisory: A vulnerability has been discovered and fixed in libxext: There's a race condition in libXext that causes apps that use the X shared memory extensions to occasionally crash.
mysql: forced data loss
Package(s): mysql
CVE #(s): CVE-2010-1626
Created: May 19, 2010
Updated: November 16, 2010
Description: It is possible to cause a DROP TABLE command on one MyISAM table to remove data and index files from a different table.
mysql: privilege escalation
Package(s): mysql
CVE #(s): CVE-2010-1621
Created: May 14, 2010
Updated: October 18, 2010
Description: From the Red Hat bugzilla: UNINSTALL PLUGIN, looking in the mysql_uninstall_plugin() function shows that there is no code at all for checking required privileges. This means that ANY user, even a user with no privileges, can uninstall ANY plugin. (At least plugins that are loaded dynamically.)
phpgroupware: multiple vulnerabilities
Package(s): phpgroupware
CVE #(s): CVE-2010-0403 CVE-2010-0404
Created: May 14, 2010
Updated: May 19, 2010
Description: From the Debian advisory: Several remote vulnerabilities have been discovered in phpgroupware, a Web based groupware system written in PHP. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-0403: A local file inclusion vulnerability allows remote attackers to execute arbitrary PHP code and include arbitrary local files. CVE-2010-0404: Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands.
php-ZendFramework: multiple vulnerabilities
Package(s): php-ZendFramework
CVE #(s):
Created: May 14, 2010
Updated: May 19, 2010
Description: From the ZendFrameWork advisory: In mid-March, 2010, the Dojo Foundation issued a Security Advisory indicating potential security issues with specific files in Dojo Toolkit. Details of the advisory may be found on the Dojo website: http://dojotoolkit.org/blog/post/dylan/2010/03/dojo... In particular, several files in the Dojo tree were identified as having potential exploits, and the Dojo team also advised disabling or removing any PHP scripts in the tree when deploying to production.
pidgin: denial of service
Package(s): pidgin
CVE #(s): CVE-2010-1624
Created: May 18, 2010
Updated: November 4, 2010
Description: From the Mandriva advisory: The msn_emoticon_msg function in slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.7.0 allows remote attackers to cause a denial of service (application crash) via a custom emoticon in a malformed SLP message.
PostgreSQL: possible code execution
Package(s): postgresql
CVE #(s): CVE-2010-1169 CVE-2010-1170
Created: May 19, 2010
Updated: October 28, 2010
Description: The PostgreSQL project has released versions 8.4.4, 8.3.11, 8.2.17, 8.1.21, 8.0.25, and 7.4.29. This update fixes potential code execution flaws in the PL/perl and PL/tcl modules.
qt: multiple vulnerabilities
Package(s): qt
CVE #(s): CVE-2010-0648 CVE-2010-0656
Created: May 17, 2010
Updated: March 2, 2011
Description: From the CVE entries: Mozilla Firefox, possibly before 3.6, allows remote attackers to discover a redirect's target URL, for the session of a specific user of a web site, by placing the site's URL in the HREF attribute of a stylesheet LINK element, and then reading the document.styleSheets[0].href property value, related to an IFRAME element. (CVE-2010-0648) WebKit before r51295, as used in Google Chrome before 4.0.249.78, presents a directory-listing page in response to an XMLHttpRequest for a file:/// URL that corresponds to a directory, which allows attackers to obtain sensitive information or possibly have unspecified other impact via a crafted local HTML document. (CVE-2010-0656)
quake3: multiple vulnerabilities
Package(s): quake3
CVE #(s):
Created: May 17, 2010
Updated: May 19, 2010
Description: From the Red Hat bugzilla: Based on search started from http://bugs.gentoo.org/show_bug.cgi?id=222119, it seems that tremulous packages as shipped in Fedora contain multiple unfixed security issues, that were previously addressed in Quake3.
wireshark: denial of service
Package(s): wireshark
CVE #(s): CVE-2010-1455
Created: May 18, 2010
Updated: April 19, 2011
Description: From the Pardus advisory: The DOCSIS dissector in Wireshark 0.9.6 through 1.0.12 and 1.2.0 through 1.2.7 allows user-assisted remote attackers to cause a denial of service (application crash) via a malformed packet trace file.
Page editor: Jake Edge