December 18, 2014

Tor users exposed due to vulnerability in Firefox 17

Users of the popular Tor anonymity tool have been exposed to malware which can reveal the user’s IP address. According to an announcement made to a Tor mailing list, the Tor Browser Bundle is susceptible to a Firefox JavaScript vulnerability which has been exploited in the wild.

Although all Tor users are potentially vulnerable, it appears that the malware exploiting the bug targets only Windows users. The vulnerability allows arbitrary code execution, and the observed attack appears to collect the hostname and MAC address of the Tor user and send them to a remote web server. According to the Tor project, “it’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services.”

While outlining what users can do, besides upgrading to the latest version of the Tor Browser Bundle, which contains a fixed version of Firefox, the email suggested that “switching away from Windows is probably a good security move for many reasons.”

The malware used to discover the identities of the Tor users is possibly linked to the FBI: on Friday a vast number of “hidden services” disappeared from Tor, and a man from Ireland was arrested on a warrant issued by the FBI in connection with child porn charges in which the Tor network was allegedly used.

According to the Electronic Frontier Foundation, which issued a statement about the attack, the Tor anonymity tool is often used by human rights activists, journalists, political dissidents and whistleblowers since it allows them to use the web anonymously and avoid different surveillance and censorship techniques.

Firefox 17 fixes 19 Critical security vulnerabilities and drops support for OS X Leopard

(LiveHacking.Com) – Mozilla has released Firefox 17 and in the process it has closed 19 Critical security vulnerabilities, fixed 2365 bugs and addressed 10 other sets of High or Moderate security risks. Quite impressive! Firefox 17 also includes the first revision of Mozilla’s Social API, drops support for Mac OS X 10.5 and implements the sandbox attribute for iframes. The sandbox attribute brings better security as it enables extra restrictions on the content that can appear in the inline frame.

The Critical security vulnerabilities are divided into six bundles. First, miaubiz, famous for his work on Google Chrome, used the Address Sanitizer tool to discover a series of critically rated use-after-free, buffer overflow, and memory corruption issues. The individual issues are use-after-free when loading html file on osx (CVE-2012-5830), Mesa crashes on certain texImage2D calls involving level>0 (CVE-2012-5833), integer overflow, invalid write w/webgl bufferdata (CVE-2012-5835) and crash in copyTexImage2D with image dimensions too large for given level (CVE-2012-5838).

Second, Abhishek Arya (Inferno) of the Google Chrome Security Team also used the Address Sanitizer tool to find a series of critically rated use-after-free and buffer overflow issues. The full list of issues is: Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-4214), Heap-use-after-free in nsPlaintextEditor::FireClipboardEvent (CVE-2012-4215), Heap-use-after-free in gfxFont::GetFontEntry (CVE-2012-4216), Heap-buffer-overflow in nsWindow::OnExposeEvent (CVE-2012-5829), heap-buffer-overflow in gfxShapedWord::CompressedGlyph::IsClusterStart (CVE-2012-5839), Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-5840), Heap-use-after-free in XPCWrappedNative::Mark (CVE-2012-4212), Heap-use-after-free in nsEditor::FindNextLeafNode (CVE-2012-4213), Heap-use-after-free in nsViewManager::ProcessPendingUpdates (CVE-2012-4217) and Heap-use-after-free in BuildTextRunsScanner::BreakSink::SetBreaks (CVE-2012-4218).

Next, security researcher Mariusz Mlynski reported that when a maliciously crafted stylesheet is inspected in the Style Inspector, HTML and CSS can run in a chrome privileged context without being properly sanitized first. The references for his discoveries are Arbitrary code execution from Style Inspector and CVE-2012-4210.

Following on from this, Jonathan Stephens discovered that combining SVG text on a path with the setting of CSS properties could lead to a potentially exploitable crash. See SVG text on path + setting a style crashes Firefox and CVE-2012-5836.

Penultimately, Atte Kettunen from OUSPG used the Address Sanitizer tool to discover a buffer overflow while rendering GIF format images. This flaw is documented at ASAN: Heap-buffer-overflow at image::RasterImage::DrawFrameTo and CVE-2012-4202.

Finally, Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Gary Kwong, Jesse Ruderman, Christian Holler, Bob Clary, Kyle Huey, Ed Morley, Chris Lord, Boris Zbarsky, Julian Seward, and Bill McCloskey reported memory safety problems and crashes that affect Firefox 16: Memory safety bugs fixed in Firefox 17 and CVE-2012-5843. Jesse Ruderman, Andrew McCreight, Bob Clary, and Kyle Huey reported memory safety problems and crashes that affect Firefox ESR 10 and Firefox 16: Memory safety bugs fixed in Firefox ESR 10.0.11 and Firefox 17 and CVE-2012-5842.


Another day, another Firefox release

Mozilla released version 16 of its popular web browser only a few weeks ago and since then it has had two point releases to fix security issues. The latest release, 16.0.2, adds fixes for problems with the JavaScript location object.

Three separate issues with the JavaScript Location object were reported to Mozilla and fixed in this release:

  1. Security researcher Mariusz Mlynski reported that the true value of window.location could be shadowed by user content through the use of the valueOf method, which can be combined with some plugins to perform a cross-site scripting (XSS) attack on users.
  2. Mozilla security researcher moz_bug_r_a4 discovered that the CheckURL function in window.location can be forced to return the wrong calling document and principal, allowing a cross-site scripting (XSS) attack. There is also the possibility of gaining arbitrary code execution if the attacker can take advantage of an add-on that interacts with the page content.
  3. Security researcher Antoine Delignat-Lavaud of the PROSECCO research team at INRIA Paris reported the ability to use property injection by prototype to bypass security wrapper protections on the Location object, allowing the cross-origin reading of the Location object.

Mozilla also released a new version of its Thunderbird email client but noted that Thunderbird is only affected by window.location issues through RSS feeds and extensions that load web content.

The latest version can be downloaded from here while the release notes for 16.0.2 are available from http://www.mozilla.org/en-US/firefox/16.0.2/releasenotes/.

Mozilla releases Firefox 16.0.0, then withdraws it, then releases 16.0.1

(LiveHacking.Com) – Mozilla recently released the latest version of its Firefox web browser with initial web app support plus some changes to the incremental garbage collection which will boost the JavaScript engine performance. Everything looked good. But then a privacy and security vulnerability was found that forced Mozilla to “temporarily” suspend its distribution.

Firefox 16.0.0 suffers from a security vulnerability that could allow a malicious site to snoop at the list of websites that users have visited and access the URL or URL parameters. Although there was no indication that this vulnerability was being exploited in the wild, Mozilla decided to pull Firefox 16 until a patch could be written.

In the interim users could downgrade to version 15.0.1 or just wait until patches are issued and automatically applied to address the vulnerability, Michael Coates, director of security assurance at Mozilla said in a blog post.

Now Mozilla has released Firefox 16.0.1 to fix the flaw. It also released a patch for the Android versions which can be downloaded from the Google Play store.

An update posted to Mozilla’s blog said:

  • An update to Firefox for Windows, Mac and Linux was released at 12pm PT on Oct 11. Users will be automatically updated and new downloads via http://www.mozilla.org/firefox/new/ will receive the updated version (16.0.1).
  • A fix for the Android version of Firefox was released at 9pm PT on Oct 10.

Some users reacted angrily to the fiasco with lots of comments using words like “disappointed” and calls for users to switch to Chrome.

Firefox 16 security fixes

Excluding this last minute bug, Firefox 16 did fix a lengthy list of security vulnerabilities, most of which were rated Critical. A Critical vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing. The full list of fixes, including those in 16.0.1, is:

  • MFSA 2012-89 defaultValue security checks not applied
  • MFSA 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)
  • MFSA 2012-87 Use-after-free in the IME State Manager
  • MFSA 2012-86 Heap memory corruption issues found using Address Sanitizer
  • MFSA 2012-85 Use-after-free, buffer overflow, and out-of-bounds read issues found using Address Sanitizer
  • MFSA 2012-84 Spoofing and script injection through location.hash
  • MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow access to privileged functions or properties
  • MFSA 2012-82 top object and location property accessible by plugins
  • MFSA 2012-81 GetProperty function can bypass security checks
  • MFSA 2012-80 Crash with invalid cast when using instanceof operator
  • MFSA 2012-79 DOS and crash with full screen and history navigation
  • MFSA 2012-78 Reader Mode pages have chrome privileges
  • MFSA 2012-77 Some DOMWindowUtils methods bypass security checks
  • MFSA 2012-76 Continued access to initial origin after setting document.domain
  • MFSA 2012-75 select element persistence allows for attacks
  • MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)

In that list is an item for “Use-after-free, buffer overflow, and out-of-bounds read issues found using Address Sanitizer”. Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team notified Mozilla about a series of memory issues that are potentially exploitable, allowing for remote code execution.

Mozilla fixes 5 critical security vulnerabilities in Firefox

(LiveHacking.Com) – Mozilla has released Firefox 14 and in doing so it has patched five critical security vulnerabilities and added support for HTTPS when searching Google.

The first critical bug fixed was a problem with javascript: URLs. Firefox’s JavaScript engine allows add-ons to execute scripts in a sandbox. In some cases, javascript: URLs are executed without sufficient context, which can allow those scripts to escape from the sandbox and execute arbitrary code.

The second critical vulnerability was with the JSDependentString::undepend function. The string conversion results in memory corruption where data is freed, leaving other dependent strings with dangling pointers. This can lead to a potentially exploitable crash.

Mozilla developer Bobby Holley found the third vulnerability. He discovered that the same-compartment security wrappers (SCSW) can be bypassed by passing them to another compartment. An exploit of the vulnerability would mean that untrusted content would have access to the XBL that implements browser functionality.

The fourth critical vulnerability comprises four memory corruption issues: two use-after-free problems, one out-of-bounds read bug, and a bad cast. All four of these issues are potentially exploitable. There are no known exploits at the moment, but it is presumed that with enough effort at least one of these could be exploited to run arbitrary code.

The fifth and final critical patch is again for memory corruption issues. Mozilla developers identified and fixed several memory safety bugs that showed evidence of memory corruption under certain circumstances. With effort, it is presumed that these could allow remote attackers to cause a denial of service or possibly execute arbitrary code.

Alongside these Critical fixes, Mozilla also fixed several other security vulnerabilities:

On the new features front, Firefox 14 now automatically encrypts (via HTTPS) all searches passed to Google’s search engine. The now by-default secure connection between the browser and Google’s search site encrypts the data sent to the search engine to keep it from being monitored especially when using public or shared WiFi networks.

Mozilla also released new versions of Thunderbird and SeaMonkey. Users should review the advisories  for Firefox ESR 10.0.6, Thunderbird 14, Thunderbird ESR 10.0.6, and SeaMonkey 2.11 and apply any updates.

Firefox’s ‘new tab’ feature raises privacy concerns – Fix coming

When Firefox 13 was released almost three weeks ago it touted redesigned Home and New Tab pages to compete with other browsers like Chrome and Opera. However new concerns about these redesigned pages have surfaced. According to The Register, users of Firefox 13 have found that the thumbnails shown on the “New Tab” page can include snapshots of private information. One user discovered that after opening a new tab he found a snapshot of his earlier online banking and webmail sessions complete with account numbers, balances, subject lines etc.

Mozilla has acknowledged that the behavior isn’t desirable and has promised a fix:

We are aware of the concern and have a fix that will be released in a future version of Firefox. Mozilla remains resolute in its commitment to privacy and user control. The new tab thumbnail feature within Firefox does not transmit nor store personal information outside the user’s direct control.

The new tab thumbnails are based on users’ browsing history. All information is contained within the browser and can be deleted at any time. Users can also switch back to using blank new tab screens by clicking the square icon in the top right corner of the browser. That will change the default preference to show a blank page, rather than the most visited websites when a new tab is opened.

Users who share their computer or use Firefox on a public computer should follow best practices for protecting their privacy by utilizing the built-in privacy tools in Firefox, such as Private Browsing Mode.

Mozilla 13 Fixes Critical Security Vulnerabilities and Improves New Tab Page

(LiveHacking.Com) – The Mozilla Foundation has released Mozilla 13 with some new features including redesigned Home and New Tab pages, the use of SPDY by default and a series of performance improvements. The new release also fixes some Critical security vulnerabilities, including two issues with the Mozilla updater and the Mozilla updater service which were introduced in Firefox 12 for the Windows versions of the browser.

According to Mozilla Foundation Security Advisory 2012-35, security researcher James Forshaw of Context Information Security discovered that Mozilla’s updater is able to load a local DLL file in a privileged context. He also discovered that the updater service is able to load an arbitrary local DLL file, which can then be run with the same system privileges used by the service. For an attacker to exploit these vulnerabilities they would need local file system access.

The other critical fixes were all memory related:

  • MFSA 2012-40 – Security researcher Abhishek Arya of Google used the Address Sanitizer tool to uncover two heap buffer overflow bugs and a use-after-free problem. Affected components include Mozilla’s Unicode conversion functions, the nsFrameList and the nsHTMLReflowState. All three of these issues are potentially exploitable.
  • MFSA 2012-38 – Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free while replacing/inserting a node in a document. This use-after-free could possibly allow for remote code execution.
  • MFSA 2012-34 – Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and Mozilla presumes that with enough effort at least some of these could be turned into a full exploit that allows arbitrary code execution.

SPDY

Along with the various UI changes, Firefox now supports SPDY by default to make browsing more secure. SPDY, which is designed as a successor to HTTP, reduces the amount of time it takes for web pages to load. The result is that when using services like Google and Twitter, users should notice faster page load times.

Mozilla Fixes Critical Security Vulnerabilities and Adds Silent Updating to Firefox

(LiveHacking.Com) – The Mozilla Foundation has released a new version of its popular web browser. Firefox 12 brings some new features including silent updates and fixes several critical security vulnerabilities. The biggest change for Windows Vista and Windows 7 users is the addition of silent updates, which means that the UAC (User Account Control) pop-up won’t appear when Firefox upgrades from one release to another. To bypass UAC, which first appeared in Windows Vista, Mozilla has added a standalone update service to apply the updates in the background. During the installation of Firefox 12 the user will be asked to give their explicit permission to install the update service, but they will not be prompted again for any subsequent releases.

Google’s Chrome also offers silent updates but rather than use a special Windows service, Chrome is installed in the user’s folder within Windows which doesn’t require UAC permission. However the downside to Google’s approach is that Chrome needs to be installed independently for every user on a PC which can be an administrative headache for those who have multiple user accounts for example on a shared family PC.

The functionality to relaunch and complete the update entirely in the background is scheduled for Firefox 13 or Firefox 14 this summer.

Mozilla 12 also fixes 7 Critical level security vulnerabilities, one of which only applies to Firefox Mobile.

  • MFSA 2012-31 Off-by-one error in OpenType Sanitizer
  • MFSA 2012-30 Crash with WebGL content using textImage2D
  • MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite
  • MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface
  • MFSA 2012-22 use-after-free in IDBKeyRange
  • MFSA 2012-21 Multiple security flaws fixed in FreeType v2.4.9 (Firefox Mobile only)
  • MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)

Along with these seven Critical bugs, Mozilla also fixed four High level security vulnerabilities and three Moderate ones. In total three cross-site scripting (XSS) vulnerabilities were fixed, one of which only applied to Windows Vista and Windows 7 with hardware acceleration disabled.

The FreeType vulnerabilities in Firefox Mobile were discovered by the Google Security Team using the Address Sanitizer tool. Some of the bugs cause memory corruption and exploitable crashes with certain fonts and font parsing. Firefox Mobile has been upgraded to FreeType version 2.4.9, which addresses these issues. Desktop Firefox does not use FreeType for fonts and was not affected.

More details about the changes can be found in the release notes. Firefox 12 is available for Windows, Mac OS X and Linux from the Firefox home page.

Mozilla Releases Firefox 11 and Updates Firefox 3.6 to Fix Security Vulnerabilities

(LiveHacking.Com) – The Mozilla Foundation has released Firefox 11 with new features and five critical security fixes. It has also simultaneously released security updates for Firefox 3.6.28, Thunderbird 3.1.20 and SeaMonkey 2.8. The vulnerabilities addressed may allow an attacker to execute arbitrary code, cause a denial-of-service condition, bypass security restrictions, operate with escalated privileges, or perform a cross-site scripting attack.

Mozilla had earlier written that the release of Firefox 11 would be delayed as it was waiting for a report from ZDI about a possible new security vulnerability. However, it transpired that the bug was one Mozilla had already identified and fixed. Mozilla did add that, in order to understand the impact of Microsoft’s “Patch Tuesday” fixes, it would initially release Firefox for manual updates only.

In Firefox 11 Mozilla has fixed the following Critical vulnerabilities:

  • MFSA 2012-19 Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28)
  • MFSA 2012-17 Crash when accessing keyframe cssText after dynamic modification
  • MFSA 2012-16 Escalation of privilege with Javascript: URL as home page
  • MFSA 2012-14 SVG issues found with Address Sanitizer
  • MFSA 2012-12 Use-after-free in shlwapi.dll

The new version also contains the following “Moderate” priority security fixes:

  • MFSA 2012-18 window.fullScreen writeable by untrusted content
  • MFSA 2012-15 XSS with multiple Content Security Policy headers
  • MFSA 2012-13 XSS with Drag and Drop and Javascript: URL


Mozilla Releases Another New Version of Firefox to Fix Yet Another Critical Vulnerability

(LiveHacking.Com) – Less than 7 days after the release of Firefox 10.0.1, Mozilla has now released a new version of Firefox (10.0.2) and Thunderbird (also 10.0.2) to fix a Critical libpng integer overflow vulnerability. The bug, which affects Firefox, Thunderbird and SeaMonkey, is an integer overflow in the libpng library that can lead to a heap-buffer overflow when decompressing certain PNG images. This leads to a crash, which may be potentially exploitable.

The presence of the bug first came to light when Google released Chrome 17.0.963.56 to fix the integer overflow in libpng where it was noted that the bug allows remote attackers to cause a denial of service. According to the Chromium source code the fix includes a check for both truncation (64-bit platforms) and integer overflow.
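The bug class described above (an integer overflow in a size calculation that leads to an undersized heap buffer) and the shape of the fix (checking for both overflow and truncation before allocating) can be shown in a few lines of C. The code below is an added example for this article, not libpng's or Chromium's code: the `image_dims` struct, the `MAX_IMAGE_BYTES` ceiling and the assumption that the size is later stored in a 32-bit length field are all constructed for illustration. It contrasts an unchecked 32-bit product, which wraps for a crafted header, with a checked computation that refuses such headers before any memory is allocated.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Image dimensions as a decoder would read them from a file header.
   This struct is constructed for the example; it is not libpng's. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;   /* 1..8 for the formats we pretend to handle */
} image_dims;

/* Hypothetical ceiling on one decoded image; a real application would set
   this from its memory budget. */
#define MAX_IMAGE_BYTES ((uint64_t)256 * 1024 * 1024)

/* Unchecked size computation in the style of this bug class: the multiply is
   done in 32 bits, so a crafted header can wrap the product to a tiny value,
   giving an allocation far too small for the rows written into it later. */
size_t row_bytes_unchecked(const image_dims *d) {
    return (size_t)(d->width * d->bytes_per_pixel);
}

/* Overflow-checked multiply: returns false instead of a wrapped product. */
bool mul_u64_checked(uint64_t a, uint64_t b, uint64_t *out) {
    if (a != 0 && b > UINT64_MAX / a) {
        return false;
    }
    *out = a * b;
    return true;
}

/* Checked size computation. Besides catching overflow in the products, it
   refuses any total that would not survive being stored in a 32-bit length
   field later in the pipeline (the truncation case, an assumption of this
   example) or that exceeds the application ceiling. */
bool image_bytes_checked(const image_dims *d, uint64_t *out) {
    uint64_t row, total;
    if (!mul_u64_checked(d->width, d->bytes_per_pixel, &row)) return false;
    if (!mul_u64_checked(row, d->height, &total)) return false;
    if (total > UINT32_MAX) return false;        /* would truncate downstream */
    if (total > MAX_IMAGE_BYTES) return false;   /* over the app's budget */
    if (total == 0) return false;                /* zero-sized image: reject */
    *out = total;
    return true;
}

/* Allocate the decode buffer only after the size has been validated.
   Returns NULL (and leaves *len untouched) when the header is rejected. */
unsigned char *allocate_image(const image_dims *d, size_t *len) {
    uint64_t total;
    if (!image_bytes_checked(d, &total)) return NULL;
    unsigned char *buf = calloc((size_t)total, 1);
    if (buf != NULL) *len = (size_t)total;
    return buf;
}

int main(void) {
    /* Constructed headers: a normal 640x480 RGBA image, and a crafted one
       whose width * bytes_per_pixel wraps to 4 in 32-bit arithmetic. */
    image_dims normal  = { 640, 480, 4 };
    image_dims crafted = { 0x40000001u, 1, 4 };
    size_t len = 0;

    printf("unchecked row bytes for crafted header: %zu\n",
           row_bytes_unchecked(&crafted));

    unsigned char *ok = allocate_image(&normal, &len);
    printf("normal header: %s, %zu bytes\n", ok ? "accepted" : "rejected", len);
    free(ok);

    unsigned char *bad = allocate_image(&crafted, &len);
    printf("crafted header: %s\n", bad ? "accepted" : "rejected");
    free(bad);
    return 0;
}
```

The checked path does the arithmetic in 64 bits and tests each product against the type's maximum before using it, so the decision to reject happens before `calloc` is ever called; the unchecked path silently hands the allocator a wrapped value, which is exactly the situation a sanitizer later reports as a heap-buffer-overflow.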

Also fixed in 10.0.2 is a bug where Java applets sometimes caused text input to become unresponsive (bug 718939).