
Security

Mozilla's Plugin Check

By Jake Edge
June 9, 2010

Browser plugins are a constant source of security vulnerabilities and, because the browser is one of the most commonly used network-facing applications, those vulnerabilities tend to affect a lot of users. But users are often oblivious to the fact that their plugins are out of date. In order to help combat that problem, Mozilla has created a Plugin Check that will test the installed browser plugins and report on those that are out of date.

The site was originally launched last October, but was only set up for Firefox at that time. In May, Mozilla's director of Firefox development, Johnathan Nightingale, announced that Plugin Check had added support for the Safari, Chrome, and Opera browsers. There is also support for Internet Explorer, but only for the most popular plugins, as each plugin requires custom code due to a lack of a JavaScript plugin object in IE.

The basic idea is that the page gathers up information about the installed plugins, including metadata like version numbers, and then checks with a plugin directory to get the status of each. Mozilla is working with plugin vendors to keep an updated list of plugins and versions so that it can report outdated and, importantly, security vulnerable plugins. Mozilla plans to incorporate this technique into Firefox 3.6, so that users will get information on updated plugins without having to visit a special page.
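The shape of such a check, as an added illustration rather than Mozilla's Plugin Check code: enumerate what the browser exposes through navigator.plugins, pull a version out of each entry, and compare it against a directory of minimum safe versions. The directory entries, the version thresholds and the sample plugin list below are constructed for the demo and are not Mozilla's data.

```javascript
"use strict";
// Added example (not Mozilla's Plugin Check code): enumerate the plugins a
// browser exposes through navigator.plugins and compare each one's version
// against a plugin directory. The directory here is a constructed sample;
// the real service fetches vendor-maintained data.

// Constructed sample directory. `match` identifies the plugin by name and
// `minSafe` is the oldest version not known to be vulnerable (assumed values).
const PLUGIN_DIRECTORY = [
  { id: "flash", match: /Shockwave Flash/i, minSafe: "10.1.0.0" },
  { id: "quicktime", match: /QuickTime/i, minSafe: "7.6.6" },
];

// Constructed sample of what navigator.plugins might report. Older browsers
// expose no `version` property, so the version often has to be pulled out
// of the free-text `description` (e.g. "Shockwave Flash 10.0 r45").
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", description: "Shockwave Flash 10.0 r45" },
  { name: "QuickTime Plug-in 7.6.6", description: "The QuickTime Plugin.", version: "7.6.6" },
  { name: "Foo Widget Plugin", description: "Foo Widget" },
];

// Pull the numeric components out of a version string or description.
// "10.0 r45" -> [10, 0, 45]; returns null when there is no number at all.
function parseVersion(text) {
  const parts = String(text || "").match(/\d+/g);
  return parts ? parts.map(Number) : null;
}

// Compare two dotted versions numerically, treating missing trailing
// components as zero: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const va = typeof a === "string" ? parseVersion(a) : a;
  const vb = typeof b === "string" ? parseVersion(b) : b;
  const n = Math.max(va.length, vb.length);
  for (let i = 0; i < n; i++) {
    const x = va[i] || 0, y = vb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Classify each installed plugin as "outdated", "up-to-date", or "unknown"
// (not in the directory, or no version could be determined). The unknown
// bucket is the honest answer when the directory has no entry; it is not
// evidence that the plugin is safe.
function checkPlugins(plugins, directory) {
  return Array.from(plugins).map((p) => {
    const entry = directory.find((d) => d.match.test(p.name));
    const version = parseVersion(p.version || p.description);
    let status = "unknown";
    if (entry && version) {
      status = compareVersions(version, entry.minSafe) < 0 ? "outdated" : "up-to-date";
    }
    return { name: p.name, version: version ? version.join(".") : null, status };
  });
}

// In a browser navigator.plugins is a live PluginArray; Node has none, so the
// constructed sample is used there. IE exposed no such object at all, which
// is why that browser needs custom probing code for each plugin.
const installed = globalThis.navigator?.plugins || SAMPLE_PLUGINS;
for (const r of checkPlugins(installed, PLUGIN_DIRECTORY)) {
  console.log(`${r.status.padEnd(11)} ${r.name} ${r.version || ""}`);
}
```

Two things the code makes visible that the description above does not: version extraction is heuristic (it has to be, when the only source is a free-text description), and a plugin that is absent from the directory lands in the "unknown" bucket rather than being reported as safe. Both are reasons the check is only as good as the vendor-maintained directory behind it.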

While one could easily claim that it isn't Mozilla's—or any other browser developer's—responsibility to help ensure that these third-party plugins are current, it is a very nice public service. As Nightingale points out, "plugin safety is an issue for the web as a whole". One need only consider the security track record of the most common plugin—Adobe's Flash—to recognize that there have been some fairly nasty, and exploitable, plugin holes over the years. Undoubtedly there will be more in Flash, as well as other plugins, down the road.

For Firefox users, the Plugin Check page will eventually be moot, once the browser performs the same check itself. One would hope that other browser developers would also consider adding this feature; they should be able to use the same plugin database that Mozilla has, as the project is open. Until that time, though, users need to find out about, and visit, the Plugin Check page.

There are a variety of Plugin Check web badges available to help inform users about the service. In addition, the page has useful information about plugins and why it is important to keep them updated. That text is, as it should be, geared toward those who may not even realize their browser has any plugins installed, or even that there is some difference between a browser and a plugin. After all, those are the folks who are most likely to be browsing with outdated plugins—perhaps as many as 80% of web users.

User education is an important part of keeping systems secure. While Linux users have, in general, not been targeted by most of the malware—plugin-based or not—out there, that's no good reason to be cavalier about keeping one's software updated. In addition, most Linux users know, perhaps live with, one or more users of other operating systems and browsers. Regularly visiting the Plugin Check page (at least until browsers automatically do that checking), as well as recommending it to others, could go a long way toward reducing the threat from plugin vulnerabilities.


Brief items

Quote of the week

Even more worrisome is how rapidly these threats are hitting smartphones in comparison to the desktop: What took 15 years to evolve with the desktop machine is happening practically overnight in mobile handsets, security experts say. "We call this the 1999 factor: It feels like about 10 years ago in terms of prevalence of threats. There was a tipping point between 2000 and 2002 [for PC threats] that was driven by broadband" and more consumers going online, according to John Hering, CEO and founder of Lookout, formerly Flexilis. "The same trends are going to hold true here [with smartphones]."

-- Dark Reading


Adobe Flash Player vulnerability

Adobe has reported a vulnerability in Flash Player 10.0.45.2 (and earlier), including the Linux version. "This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system." There is a Flash Player 10.1 Release Candidate that does not appear to be vulnerable.


New vulnerabilities

bind9: DNS cache poisoning

Package(s): bind9    CVE #(s): CVE-2010-0382
Created: June 7, 2010    Updated: June 16, 2010
Description: From the Debian advisory:

When processing certain responses containing out-of-bailiwick data, BIND is subject to a DNS cache poisoning vulnerability, provided that DNSSEC validation is enabled and trust anchors have been installed.
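The term that carries the weight in that sentence is "out-of-bailiwick". A caching resolver may only accept a record from a response if the record's owner name lies at or below the zone the answering server is authoritative for; anything else is out of bailiwick and must be discarded, or a single elicited response can plant records for unrelated names. The advisory's point is that BIND's DNSSEC-validation path accepted certain such data. The following is an added example of the general rule, not BIND's code; the response records are constructed.

```javascript
"use strict";
// Added example, not BIND code: the bailiwick rule a caching resolver applies
// to the records in a DNS response. Record data below is constructed.

// Normalise a DNS name for comparison: lower case, no trailing dot.
function normalizeName(name) {
  return name.toLowerCase().replace(/\.+$/, "");
}

// True when `name` equals `zone` or is a subdomain of it. The "." prefix in
// the suffix test matters: "notexample.com" ends with "example.com" but is
// not inside that zone.
function inBailiwick(name, zone) {
  const n = normalizeName(name), z = normalizeName(zone);
  if (z === "") return true;            // the root zone covers every name
  return n === z || n.endsWith("." + z);
}

// Keep only the records a resolver may accept from a server authoritative
// for `zone`. Returns { kept, dropped } so the caller can log rejections.
function filterResponse(records, zone) {
  const kept = [], dropped = [];
  for (const rr of records) {
    (inBailiwick(rr.name, zone) ? kept : dropped).push(rr);
  }
  return { kept, dropped };
}

// Constructed sample: a response from a server authoritative for example.com
// that also carries A records for names in unrelated domains, which is the
// classic cache-poisoning payload.
const SAMPLE_RESPONSE = [
  { name: "www.example.com.", type: "A", data: "192.0.2.10" },
  { name: "example.com.", type: "NS", data: "ns1.example.com." },
  { name: "ns1.example.com.", type: "A", data: "192.0.2.53" },
  { name: "www.bank.example.", type: "A", data: "198.51.100.66" }, // out of bailiwick
  { name: "notexample.com.", type: "A", data: "198.51.100.67" },   // similar-looking, still outside
];

const { kept, dropped } = filterResponse(SAMPLE_RESPONSE, "example.com");
console.log("kept:   ", kept.map((r) => r.name).join(" "));
console.log("dropped:", dropped.map((r) => r.name).join(" "));
```

Real resolvers apply further rules on top of this (where a record appeared in the response, and whether it was requested), but the bailiwick test is the one that the "out-of-bailiwick data" wording in the advisory refers to.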

Alerts:
Debian DSA-2054-2 bind9 2010-06-15
Debian DSA-2054-1 bind9 2010-06-04


exim: privilege escalation

Package(s): exim    CVE #(s): CVE-2010-2023 CVE-2010-2024
Created: June 9, 2010    Updated: April 13, 2011
Description: From the CVE entries:

transports/appendfile.c in Exim before 4.72, when a world-writable sticky-bit mail directory is used, does not verify the st_nlink field of mailbox files, which allows local users to cause a denial of service or possibly gain privileges by creating a hard link to another user's file. (CVE-2010-2023)

transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/. (CVE-2010-2024)

Alerts:
Gentoo 201401-32 exim 2014-01-27
Fedora FEDORA-2010-12375 exim 2010-08-10
Ubuntu USN-1060-1 exim4 2011-02-10
SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02
openSUSE openSUSE-SU-2010:0416-1 exim 2010-07-22
Fedora FEDORA-2010-9506 exim 2010-06-04
Fedora FEDORA-2010-9524 exim 2010-06-04


gnutls: denial of service

Package(s): gnutls12    CVE #(s): CVE-2006-7239
Created: June 4, 2010    Updated: June 10, 2010
Description: From the Ubuntu advisory:

It was discovered that GnuTLS did not always properly verify the hash algorithm of X.509 certificates. If an application linked against GnuTLS processed a crafted certificate, an attacker could make GnuTLS dereference a NULL pointer and cause a DoS via application crash.

Alerts:
Ubuntu USN-948-1 gnutls12 2010-06-03


java: unspecified vulnerability

Package(s): sun-jre-bin    CVE #(s): CVE-2010-0850
Created: June 4, 2010    Updated: June 9, 2010
Description: From the CVE entry:

Unspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

Alerts:
Gentoo 201006-18 sun-jre-bin 2010-06-04


kernel: multiple vulnerabilities

Package(s): linux, linux-source-2.6.15    CVE #(s): CVE-2010-1148 CVE-2010-1488
Created: June 3, 2010    Updated: September 23, 2010
Description:

From the Ubuntu advisory:

Eugene Teo discovered that CIFS did not correctly validate arguments when creating new files. A local attacker could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges if mmap_min_addr was not set. (CVE-2010-1148)

Oleg Nesterov discovered that the Out-Of-Memory handler did not correctly handle certain arrangements of processes. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-1488)

Alerts:
openSUSE openSUSE-SU-2010:0664-1 Linux 2010-09-23
MeeGo MeeGo-SA-10:01 kernel 2010-07-07
Ubuntu USN-947-1 linux, linux-source-2.6.15 2010-06-03
Ubuntu USN-947-2 kernel 2010-06-04


openoffice.org: arbitrary code execution

Package(s): openoffice.org    CVE #(s): CVE-2010-0395
Created: June 7, 2010    Updated: June 16, 2010
Description: From the Debian advisory:

It was discovered that OpenOffice.org, a full-featured office productivity suite that provides a near drop-in replacement for Microsoft(R) Office, is not properly handling python macros embedded in an office document. This allows an attacker to perform user-assisted execution of arbitrary code in certain use cases of the python macro viewer component.

Alerts:
Gentoo 201408-19 openoffice-bin 2014-08-31
CentOS CESA-2010:0459 openoffice.org 2010-06-15
Fedora FEDORA-2010-9633 openoffice.org 2010-06-07
Debian DSA-2055-1 openoffice.org 2010-06-05
Ubuntu USN-949-1 openoffice.org 2010-06-08
Red Hat RHSA-2010:0459-01 openoffice.org 2010-06-07
Fedora FEDORA-2010-9628 openoffice.org 2010-06-07
Fedora FEDORA-2010-9576 openoffice.org 2010-06-07


perl: restriction bypass

Package(s): perl    CVE #(s): CVE-2010-1168
Created: June 8, 2010    Updated: November 21, 2011
Description: From the Red Hat advisory:

The Safe module did not properly restrict the code of implicitly called methods (such as DESTROY and AUTOLOAD) on implicitly blessed objects returned as a result of unsafe code evaluation. These methods could have been executed unrestricted by Safe when such objects were accessed or destroyed. A specially-crafted Perl script executed inside of a Safe compartment could use this flaw to bypass intended Safe module restrictions.

Alerts:
Gentoo 201111-09 perl-core/Safe 2011-11-20
Ubuntu USN-1129-1 perl 2011-05-03
SUSE SUSE-SR:2010:016 yast2-webclient-patch_updates, perl, openldap2, opera, freetype2/libfreetype6, java-1_6_0-openjdk 2010-08-26
openSUSE openSUSE-SU-2010:0519-1 perl 2010-08-18
openSUSE openSUSE-SU-2010:0518-1 perl 2010-08-18
Fedora FEDORA-2010-11340 perl 2010-07-23
Fedora FEDORA-2010-11323 perl 2010-07-23
rPath rPSA-2010-0063-1 perl 2010-10-17
Red Hat RHSA-2010:0458-02 perl 2010-06-07
Red Hat RHSA-2010:0457-01 perl 2010-06-07
Mandriva MDVSA-2010:116 perl 2010-06-11
Pardus 2010-88 perl 2010-06-24
Mandriva MDVSA-2010:115 perl 2010-06-11
MeeGo MeeGo-SA-10:07 perl 2010-07-07
CentOS CESA-2010:0458 perl 2010-06-12


postgresql: arbitrary code execution

Package(s): postgresql-server    CVE #(s): CVE-2010-1447
Created: June 4, 2010    Updated: July 5, 2011
Description: From the CVE entry:

PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedures, which might allow remote attackers to execute arbitrary Perl code via a crafted script, related to the Safe module (aka Safe.pm) for Perl.

Alerts:
Gentoo 201110-22 postgresql-base 2011-10-25
Debian DSA-2267-1 perl 2011-07-01
Ubuntu USN-1129-1 perl 2011-05-03
SUSE SUSE-SR:2010:016 yast2-webclient-patch_updates, perl, openldap2, opera, freetype2/libfreetype6, java-1_6_0-openjdk 2010-08-26
openSUSE openSUSE-SU-2010:0519-1 perl 2010-08-18
openSUSE openSUSE-SU-2010:0518-1 perl 2010-08-18
Fedora FEDORA-2010-11340 perl 2010-07-23
Fedora FEDORA-2010-11323 perl 2010-07-23
rPath rPSA-2010-0063-1 perl 2010-10-17
Pardus 2010-74 postgresql-server 2010-06-04
Mandriva MDVSA-2010:116 perl 2010-06-11
Mandriva MDVSA-2010:115 perl 2010-06-11
Red Hat RHSA-2010:0457-01 perl 2010-06-07
MeeGo MeeGo-SA-10:07 perl 2010-07-07
CentOS CESA-2010:0458 perl 2010-06-12
Red Hat RHSA-2010:0458-02 perl 2010-06-07


vlc: arbitrary code execution

Package(s): vlc    CVE #(s): none listed
Created: June 4, 2010    Updated: June 9, 2010
Description: From the Pardus advisory:

VLC media player suffers from various vulnerabilities when attempting to parse malformatted or overly long byte streams. If successful, a malicious third party could crash the player instance or perhaps execute arbitrary code within the context of VLC media player.

Alerts:
Pardus 2010-65 vlc vlc-firefox 2010-06-04


xinha: restriction bypass

Package(s): xinha    CVE #(s): CVE-2010-1916
Created: June 9, 2010    Updated: June 17, 2010
Description: From the CVE entry:

The dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 and earlier, as used in Serendipity 1.5.2 and earlier, allows remote attackers to bypass intended access restrictions and modify the configuration of arbitrary plugins via (1) crafted backend_config_secret_key_location and backend_config_hash parameters that are used in a SHA1 hash of a shared secret that can be known or externally influenced, which are not properly handled by the "Deprecated config passing" feature; or (2) crafted backend_data and backend_data[key_location] variables, which are not properly handled by the xinha_read_passed_data function. NOTE: this can be leveraged to upload and possibly execute arbitrary files via config.inc.php in the ImageManager plugin.

Alerts:
Fedora FEDORA-2010-9260 xinha 2010-05-31
Fedora FEDORA-2010-9320 xinha 2010-05-31


zikula: multiple vulnerabilities

Package(s): zikula    CVE #(s): CVE-2010-1724 CVE-2010-1732
Created: June 8, 2010    Updated: June 9, 2010
Description: From the CVE entries:

Multiple cross-site scripting (XSS) vulnerabilities in Zikula Application Framework 1.2.2, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) func parameter to index.php, or the (2) lang parameter to index.php, which is not properly handled by ZLanguage.php. (CVE-2010-1724)

Cross-site request forgery (CSRF) vulnerability in the users module in Zikula Application Framework before 1.2.3 allows remote attackers to hijack the authentication of administrators for requests that change the administrator email address (updateemail action). (CVE-2010-1732)

Alerts:
Fedora FEDORA-2010-8464 zikula 2010-05-13
Fedora FEDORA-2010-8501 zikula 2010-05-13


zonecheck: cross-site scripting

Package(s): zonecheck    CVE #(s): CVE-2010-2052 CVE-2010-2155 CVE-2009-4882
Created: June 7, 2010    Updated: June 9, 2010
Description: From the Debian advisory:

It was discovered that in zonecheck, a tool to check DNS configurations, the CGI does not perform sufficient sanitation of user input; an attacker can take advantage of this and pass script code in order to perform cross-site scripting attacks.

Alerts:
Debian DSA-2056-1 zonecheck 2010-06-06


Page editor: Jake Edge


Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds