September 2, 2014

Tor users exposed due to vulnerability in Firefox 17

Users of the popular Tor anonymity tool have been exposed to malware which can reveal the user’s IP address. According to an announcement made on a Tor mailing list, the Tor Browser Bundle is susceptible to a Firefox JavaScript vulnerability, and this vulnerability has been exploited in the wild.

Although all Tor users are potentially vulnerable, it appears that the malware exploiting the bug targets only Windows users. The vulnerability allows arbitrary code execution, and the observed attack appears to collect the hostname and MAC address of the Tor user and send them to a remote web server. According to the Tor project, “it’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services.”

While outlining what users can do, besides upgrading to the latest version of the Tor Browser Bundle, which contains a fixed version of Firefox, the email suggested that “switching away from Windows is probably a good security move for many reasons.”

The malware used to discover the identities of the Tor users is possibly linked to the FBI: on Friday a vast number of “hidden services” disappeared from Tor, and a man from Ireland was arrested on a warrant issued by the FBI in connection with child porn charges that allegedly involved the Tor network.

According to the Electronic Frontier Foundation, which issued a statement about the attack, the Tor anonymity tool is often used by human rights activists, journalists, political dissidents and whistleblowers since it allows them to use the web anonymously and avoid different surveillance and censorship techniques.

In Brief: Microsoft, Google and Mozilla all block digital certificates issued by intermediate certificate authority of TURKTRUST

(LiveHacking.Com) – Microsoft, Google and Mozilla have all removed trust in certificates issued by an intermediate certificate authority (CA) linking back to TURKTRUST Inc. What happened is that TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org), the first of which was used to issue a fraudulent digital certificate for *.google.com.

Intermediate CA certificates carry the same authority as the root CA that signed them, so anyone who holds one can use it to create a certificate for any website. A fraudulent certificate can be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

“TURKTRUST told us that based on our information, they discovered that, in August 2011, they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates,” wrote Google.

Google is also considering an update to Chrome which will no longer indicate Extended Validation status for certificates issued by TURKTRUST. Mozilla has suspended the TURKTRUST root certificate. TURKTRUST subsequently asked Mozilla to include a newer root certificate and their request was initially approved. However, due to the mis-issued intermediate CA certificates, Mozilla has decided to suspend inclusion of the new root certificate for now.

Firefox 17 fixes 19 Critical security vulnerabilities and drops support for OS X Leopard

(LiveHacking.Com) – Mozilla has released Firefox 17 and in the process it has closed 19 Critical security vulnerabilities, fixed 2365 bugs and addressed 10 other sets of High or Moderate security risks. Quite impressive! Firefox 17 also includes the first revision of Mozilla’s Social API, drops support for Mac OS X 10.5 and implements the sandbox attribute for iframes. The sandbox attribute brings better security as it enables extra restrictions on the content that can appear in the inline frame.

The Critical security vulnerabilities are divided into six bundles. First, miaubiz, famous for his work on Google Chrome, used the Address Sanitizer tool to discover a series of critically rated use-after-free, buffer overflow, and memory corruption issues. The individual issues are: use-after-free when loading an HTML file on OS X (CVE-2012-5830), Mesa crashes on certain texImage2D calls involving level>0 (CVE-2012-5833), integer overflow and invalid write with WebGL bufferData (CVE-2012-5835), and a crash in copyTexImage2D with image dimensions too large for the given level (CVE-2012-5838).

Second, Abhishek Arya (Inferno) of the Google Chrome Security Team also used the Address Sanitizer tool to find a series of critically rated use-after-free and buffer overflow issues. The full list of issues is: Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-4214), Heap-use-after-free in nsPlaintextEditor::FireClipboardEvent (CVE-2012-4215), Heap-use-after-free in gfxFont::GetFontEntry (CVE-2012-4216), Heap-buffer-overflow in nsWindow::OnExposeEvent (CVE-2012-5829), Heap-buffer-overflow in gfxShapedWord::CompressedGlyph::IsClusterStart (CVE-2012-5839), Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-5840), Heap-use-after-free in XPCWrappedNative::Mark (CVE-2012-4212), Heap-use-after-free in nsEditor::FindNextLeafNode (CVE-2012-4213), Heap-use-after-free in nsViewManager::ProcessPendingUpdates (CVE-2012-4217) and Heap-use-after-free in BuildTextRunsScanner::BreakSink::SetBreaks (CVE-2012-4218).

Next, security researcher Mariusz Mlynski reported that when a maliciously crafted stylesheet is inspected in the Style Inspector, HTML and CSS can run in a chrome privileged context without being properly sanitized first. The references for his discoveries are Arbitrary code execution from Style Inspector and CVE-2012-4210.

Following on from this, Jonathan Stephens discovered that combining SVG text on a path with the setting of CSS properties could lead to a potentially exploitable crash. See SVG text on path + setting a style crashes Firefox and CVE-2012-5836.

Penultimately, Atte Kettunen from OUSPG used the Address Sanitizer tool to discover a buffer overflow while rendering GIF format images. This flaw is documented at ASAN: Heap-buffer-overflow at image::RasterImage::DrawFrameTo and CVE-2012-4202.

Finally, Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Gary Kwong, Jesse Ruderman, Christian Holler, Bob Clary, Kyle Huey, Ed Morley, Chris Lord, Boris Zbarsky, Julian Seward, and Bill McCloskey reported memory safety problems and crashes that affect Firefox 16: Memory safety bugs fixed in Firefox 17 and CVE-2012-5843. Jesse Ruderman, Andrew McCreight, Bob Clary, and Kyle Huey reported memory safety problems and crashes that affect Firefox ESR 10 and Firefox 16: Memory safety bugs fixed in Firefox ESR 10.0.11 and Firefox 17 and CVE-2012-5842.


Another day, another Firefox release

Mozilla released version 16 of its popular web browser only a few weeks ago and since then it has had two point releases to fix security issues. The latest release, 16.0.2, adds fixes for problems with the JavaScript Location object.

Three separate issues with the JavaScript Location object were reported to Mozilla and fixed in this release:

  1. Security researcher Mariusz Mlynski reported that the true value of window.location could be shadowed by user content through the use of the valueOf method, which can be combined with some plugins to perform a cross-site scripting (XSS) attack on users.
  2. Mozilla security researcher moz_bug_r_a4 discovered that the CheckURL function in window.location can be forced to return the wrong calling document and principal, allowing a cross-site scripting (XSS) attack. There is also the possibility of gaining arbitrary code execution if the attacker can take advantage of an add-on that interacts with the page content.
  3. Security researcher Antoine Delignat-Lavaud of the PROSECCO research team at INRIA Paris reported the ability to use property injection by prototype to bypass security wrapper protections on the Location object, allowing the cross-origin reading of the Location object.

Mozilla also released a new version of its Thunderbird email client but noted that Thunderbird is only affected by window.location issues through RSS feeds and extensions that load web content.

The latest version can be downloaded from here while the release notes for 16.0.2 are available from http://www.mozilla.org/en-US/firefox/16.0.2/releasenotes/.

Mozilla releases Firefox 16.0.0, then withdraws it, then releases 16.0.1

(LiveHacking.Com) – Mozilla recently released the latest version of its Firefox web browser with initial web app support plus some changes to the incremental garbage collection which will boost the JavaScript engine performance. Everything looked good. But then a privacy and security vulnerability was found that forced Mozilla to “temporarily” suspend its distribution.

Firefox 16.0.0 suffers from a security vulnerability that could allow a malicious site to snoop at the list of websites that users have visited and access the URL or URL parameters. Although there was no indication that this vulnerability was being exploited in the wild, Mozilla decided to pull Firefox 16 until a patch could be written.

In the interim users could downgrade to version 15.0.1 or just wait until patches are issued and automatically applied to address the vulnerability, Michael Coates, director of security assurance at Mozilla said in a blog post.

Now Mozilla has released Firefox 16.0.1 to fix the flaw. It also released a patch for the Android versions which can be downloaded from the Google Play store.

An update posted to Mozilla’s blog said:

  • An update to Firefox for Windows, Mac and Linux was released at 12pm PT on Oct 11. Users will be automatically updated and new downloads via http://www.mozilla.org/firefox/new/ will receive the updated version (16.0.1).
  • A fix for the Android version of Firefox was released at 9pm PT on Oct 10.

Some users reacted angrily to the fiasco with lots of comments using words like “disappointed” and calls for users to switch to Chrome.

Firefox 16 security fixes

Excluding this last-minute bug, Firefox 16 fixed a lengthy list of security vulnerabilities, most of which were deemed Critical. A Critical vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing. The full list of fixes, including those in 16.0.1, is:

  • MFSA 2012-89 defaultValue security checks not applied
  • MFSA 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)
  • MFSA 2012-87 Use-after-free in the IME State Manager
  • MFSA 2012-86 Heap memory corruption issues found using Address Sanitizer
  • MFSA 2012-85 Use-after-free, buffer overflow, and out-of-bounds read issues found using Address Sanitizer
  • MFSA 2012-84 Spoofing and script injection through location.hash
  • MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow access to privileged functions or properties
  • MFSA 2012-82 top object and location property accessible by plugins
  • MFSA 2012-81 GetProperty function can bypass security checks
  • MFSA 2012-80 Crash with invalid cast when using instanceof operator
  • MFSA 2012-79 DOS and crash with full screen and history navigation
  • MFSA 2012-78 Reader Mode pages have chrome privileges
  • MFSA 2012-77 Some DOMWindowUtils methods bypass security checks
  • MFSA 2012-76 Continued access to initial origin after setting document.domain
  • MFSA 2012-75 select element persistence allows for attacks
  • MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)

In that list is an item for “Use-after-free, buffer overflow, and out-of-bounds read issues found using Address Sanitizer”. Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team notified Mozilla about a series of memory issues that are potentially exploitable, allowing for remote code execution.

Mozilla fixes 5 critical security vulnerabilities in Firefox

(LiveHacking.Com) – Mozilla has released Firefox 14 and in doing so it has patched five critical security vulnerabilities and added support for HTTPS when searching Google.

The first critical bug fixed was a problem with javascript: URLs. Firefox’s JavaScript engine allows add-ons to execute scripts in a sandbox. In some cases, javascript: URLs are executed without sufficient context, which can allow those scripts to escape from the sandbox and execute arbitrary code.

The second critical vulnerability was with the JSDependentString::undepend function. The string conversion results in memory corruption where data is freed, leaving other dependent strings with dangling pointers. This can lead to a potentially exploitable crash.

Mozilla developer Bobby Holley found the third vulnerability. He discovered that the same-compartment security wrappers (SCSW) can be bypassed by passing them to another compartment. An exploit of the vulnerability would mean that untrusted content would have access to the XBL that implements browser functionality.

The fourth critical vulnerability comprises four memory corruption issues: two use-after-free problems, one out-of-bounds read bug, and a bad cast. All four are potentially exploitable. There are no known exploits at the moment, but it is presumed that with enough effort at least one of them could be used to run arbitrary code.

The fifth and final critical patch is again for memory corruption issues. Mozilla developers identified and fixed several memory safety bugs that showed evidence of memory corruption under certain circumstances. With effort, it is presumed that these could allow remote attackers to cause a denial of service or possibly execute arbitrary code.

Alongside these Critical fixes, Mozilla also fixed several other security vulnerabilities:

On the new features front, Firefox 14 now automatically encrypts (via HTTPS) all searches passed to Google’s search engine. The now by-default secure connection between the browser and Google’s search site encrypts the data sent to the search engine to keep it from being monitored especially when using public or shared WiFi networks.

Mozilla also released new versions of Thunderbird and SeaMonkey. Users should review the advisories for Firefox ESR 10.0.6, Thunderbird 14, Thunderbird ESR 10.0.6, and SeaMonkey 2.11 and apply any updates.

Mozilla 13 Fixes Critical Security Vulnerabilities and Improves New Tab Page

(LiveHacking.Com) – The Mozilla Foundation has released Mozilla 13 with some new features including redesigned Home and New Tab pages, the use of SPDY by default and a series of performance improvements. The new release also fixes some Critical security vulnerabilities, including two issues with the Mozilla updater and the Mozilla updater service which were introduced in the Windows versions of Firefox 12.

According to Mozilla Foundation Security Advisory 2012-35, security researcher James Forshaw of Context Information Security discovered that Mozilla’s updater is able to load a local DLL file in a privileged context. He also discovered that the updater service is able to load an arbitrary local DLL file, which can then be run with the same system privileges used by the service. For a hacker to exploit these vulnerabilities, they would need local file system access.

The other critical fixes were all memory related:

  • MFSA 2012-40 - Security researcher Abhishek Arya of Google used the Address Sanitizer tool to uncover two heap buffer overflow bugs and a use-after-free problem. Affected components include Mozilla’s Unicode conversion functions, the nsFrameList and the nsHTMLReflowState. All three of these issues are potentially exploitable.
  • MFSA 2012-38 - Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free while replacing/inserting a node in a document. This use-after-free could possibly allow for remote code execution.
  • MFSA 2012-34 - Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and Mozilla presumes that with enough effort at least some of these could be turned into a full exploit that allows arbitrary code execution.

SPDY

Along with the various UI changes, Firefox now supports SPDY by default to make browsing more secure. SPDY, which is designed as a successor to HTTP, aims to reduce the amount of time it takes for web pages to load. The result is that when using services like Google and Twitter, users should notice faster page load times.

Mozilla Fixes Critical Security Vulnerabilities and Adds Silent Updating to Firefox

(LiveHacking.Com) – The Mozilla Foundation has released a new version of its popular web browser. Firefox 12 brings some new features including silent updates and fixes several critical security vulnerabilities. The biggest change for Windows Vista and Windows 7 users is the addition of silent updates, which means that the UAC (User Account Control) pop-up won’t appear when Firefox upgrades from one release to another. To bypass the UAC prompt, which first appeared in Windows Vista, Mozilla has added a standalone update service to apply the updates in the background. During the installation of Firefox 12 the user will be asked to give their explicit permission to install the update service, but they will not be prompted again for any subsequent releases.

Google’s Chrome also offers silent updates, but rather than use a special Windows service, Chrome is installed in the user’s folder within Windows, which doesn’t require UAC permission. However, the downside to Google’s approach is that Chrome needs to be installed independently for every user on a PC, which can be an administrative headache for those who have multiple user accounts, for example on a shared family PC.

The functionality to relaunch and complete the update entirely in the background is scheduled for Firefox 13 or Firefox 14 this summer.

Mozilla 12 also fixes 7 Critical-level security vulnerabilities, one of which applies only to Firefox Mobile.

  • MFSA 2012-31 Off-by-one error in OpenType Sanitizer
  • MFSA 2012-30 Crash with WebGL content using textImage2D
  • MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite
  • MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface
  • MFSA 2012-22 use-after-free in IDBKeyRange
  • MFSA 2012-21 Multiple security flaws fixed in FreeType v2.4.9 (Firefox Mobile only)
  • MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)

Along with these seven Critical bugs, Mozilla also fixed four High-level security vulnerabilities and three Moderate ones. In total three cross-site scripting (XSS) vulnerabilities were fixed, one of which only applied to Windows Vista and Windows 7 with hardware acceleration disabled.

The FreeType vulnerabilities in Firefox Mobile were discovered by the Google Security Team using the Address Sanitizer tool. Some of the bugs cause memory corruption and exploitable crashes with certain fonts and font parsing. Firefox Mobile has been upgraded to FreeType version 2.4.9, which addresses these issues. Desktop Firefox does not use FreeType for fonts and was not affected.

More details about the changes can be found in the release notes. Firefox 12 is available for Windows, Mac OS X and Linux from the Firefox home page.

Mozilla Sends Another Message to Certificate Authorities

(LiveHacking.Com) – Mozilla has sent an email to all certificate authorities in the Mozilla root program to reiterate that the issuance of subordinate CA certificates for the purposes of SSL man-in-the-middle interception or traffic management is unacceptable. Mozilla has asked the CAs to revoke any such certificates by April 27, 2012. After that date, if it is found that a subordinate CA is being used for MITM, Mozilla could remove the corresponding root certificate from the Mozilla root program. This would mean that applications like Mozilla Firefox wouldn’t accept the certificate when presented.

“We made it clear that this practice remains unacceptable even when the intended deployment of such a certificate is restricted to a closed network,” said Johnathan Nightingale, Senior Director of Firefox Engineering.

Mozilla also reinforced the Certificate Authorities’ responsibilities, reminding them that they are accountable for every certificate they sign, directly or through their subordinates.

This isn’t the first time Mozilla has asked CAs to be more responsible. In September 2011 Mozilla sent a message to all the certificate authorities (which participate in the Mozilla root certificate program) requesting that they complete an audit of their PKI systems. This call to review and confirm the integrity of their certificate systems came after Mozilla removed the DigiNotar root certificate in response to its failure to promptly detect, contain, and notify Mozilla of a security breach regarding their root and subordinate certificates.

Mozilla Releases Another New Version of Firefox to Fix Yet Another Critical Vulnerability

(LiveHacking.Com) – Less than 7 days after the release of Firefox 10.0.1, Mozilla has now released a new version of Firefox (10.0.2) and Thunderbird (also 10.0.2) to fix a Critical libpng integer overflow vulnerability. The bug, which affects Firefox, Thunderbird and SeaMonkey, is an integer overflow in the libpng library that can lead to a heap-buffer overflow when decompressing certain PNG images. This leads to a crash, which may be potentially exploitable.

The presence of the bug first came to light when Google released Chrome 17.0.963.56 to fix the integer overflow in libpng where it was noted that the bug allows remote attackers to cause a denial of service. According to the Chromium source code the fix includes a check for both truncation (64-bit platforms) and integer overflow.
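To make the two checks named above concrete, here is an added example (not libpng’s or Chromium’s actual patch; the function names are hypothetical) that sums a prefix length and a decompressed chunk length before allocating, first the unchecked way that can wrap to a tiny size, then with the truncation and overflow checks applied:

```c
/* Added example, not the libpng or Chromium fix itself: it shows the two
 * checks the article names (truncation on 64-bit platforms, 32-bit integer
 * overflow) applied to a buffer-size sum before allocation. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t png_uint_32;   /* libpng's 32-bit length type */

/* The unsafe pattern: add two lengths in 32-bit arithmetic and trust the
 * result. A large expanded_size wraps the sum to a small number, so the
 * buffer allocated from it is far shorter than the data later copied in. */
png_uint_32 unchecked_total(png_uint_32 prefix_size, png_uint_32 expanded_size)
{
    return prefix_size + expanded_size;          /* may wrap */
}

/* The checked version. Returns 1 and stores the total on success, 0 if either
 * operand would be truncated when narrowed to png_uint_32 or the sum wraps. */
int checked_total(size_t prefix_size, size_t expanded_size, png_uint_32 *total)
{
    /* Truncation: size_t is 64 bits wide on 64-bit platforms, so either
     * operand may already be larger than png_uint_32 can hold. */
    if (prefix_size > UINT32_MAX || expanded_size > UINT32_MAX)
        return 0;
    /* Overflow: reject the addition instead of letting it wrap. */
    if ((png_uint_32)prefix_size > UINT32_MAX - (png_uint_32)expanded_size)
        return 0;
    *total = (png_uint_32)prefix_size + (png_uint_32)expanded_size;
    return 1;
}

/* Convenience wrapper: the checked total, or -1 when it was rejected. */
long long total_or_minus1(size_t prefix_size, size_t expanded_size)
{
    png_uint_32 t;
    return checked_total(prefix_size, expanded_size, &t) ? (long long)t : -1;
}

/* Allocate room for prefix + expanded data only when the size is sound;
 * returns NULL (allocating nothing) otherwise. The caller frees the buffer. */
unsigned char *alloc_chunk_buffer(const unsigned char *prefix, size_t prefix_size,
                                  size_t expanded_size, png_uint_32 *total)
{
    png_uint_32 local;
    if (total == NULL)
        total = &local;
    if (!checked_total(prefix_size, expanded_size, total))
        return NULL;
    unsigned char *buf = malloc(*total ? *total : 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, prefix, prefix_size);   /* safe: prefix_size <= *total */
    return buf;
}

int main(void)
{
    png_uint_32 total;
    printf("unchecked: 16 + (UINT32_MAX - 8) = %u\n", unchecked_total(16, UINT32_MAX - 8));
    printf("checked:   16 + (UINT32_MAX - 8) = %s\n",
           checked_total(16, UINT32_MAX - 8, &total) ? "ok" : "rejected");
    unsigned char prefix[4] = {1, 2, 3, 4};
    unsigned char *buf = alloc_chunk_buffer(prefix, sizeof prefix, 100, &total);
    printf("alloc of %u bytes: %s\n", total, buf ? "ok" : "failed");
    free(buf);
    return 0;
}
```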

Also fixed in 10.0.2 is a bug where Java applets sometimes caused text input to become unresponsive (bug 718939).