November 25, 2014

Mozilla Fixes Critical Vulnerability in Firefox and Thunderbird

(LiveHacking.Com) – Mozilla has released new versions of Firefox and Thunderbird to fix a potentially exploitable “use after free” crash. According to the security advisory, Mozilla developers Andrew McCreight and Olli Pettay found that the ReadPrototypeBindings code leaves an XBL binding in a hash table even when the function fails. When the cycle collector later reads this hash table and calls a virtual method on the stale binding, a crash occurs, and that crash may be exploitable.

The Mozilla Foundation said Firefox 9 and earlier browser versions are not affected by this vulnerability.
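The defect described above belongs to a well-known class: a loader registers an object in a shared table before it has finished building it, and the failure path releases the object without removing the table entry, so a later sweep over the table touches something that is no longer valid. The following Python sketch is an added illustration of that pattern and its fix; it is not Mozilla's code, and the names (Binding, parse_binding, the loader and collector functions) are stand-ins chosen for the example.

```python
"""Added illustration of the 'entry left in table on failure' bug class
(not Mozilla's code). A loader registers a binding in a shared table, the
parse step fails, and the buggy failure path releases the binding without
removing the table entry, so a later sweep over the table calls a method on a
released object. The fixed loader undoes the registration before releasing."""


class Binding:
    def __init__(self, name):
        self.name = name
        self.valid = True

    def release(self):
        # Tear-down on failure. In C++ this is where the memory would be freed,
        # after which any pointer still held in the table is dangling.
        self.valid = False

    def traverse(self):
        # Stand-in for the virtual method the collector calls on each entry.
        # Calling it on a released binding is the analogue of the use-after-free.
        if not self.valid:
            raise RuntimeError(f"use of released binding {self.name!r}")
        return self.name


def parse_binding(name, raw):
    # Constructed stand-in for the part of the load that can fail:
    # a binding body must be non-empty.
    if not raw:
        raise ValueError(f"malformed binding {name!r}")


def read_prototype_bindings_buggy(table, name, raw):
    # Register first, then finish parsing. On failure the table still holds
    # the binding that was just released.
    binding = Binding(name)
    table[name] = binding
    try:
        parse_binding(name, raw)
    except ValueError:
        binding.release()
        return False
    return True


def read_prototype_bindings_fixed(table, name, raw):
    # Same flow, but the failure path removes the entry it created before
    # releasing the object, so the table only ever holds live bindings.
    binding = Binding(name)
    table[name] = binding
    try:
        parse_binding(name, raw)
    except ValueError:
        table.pop(name, None)
        binding.release()
        return False
    return True


def collect(table):
    # Stand-in for the collector sweep: it calls a method on every entry.
    return [b.traverse() for b in table.values()]


def demo(loader):
    """Load one good and one malformed binding with the given loader, then run
    the collector. Returns the names the collector saw, or the error message
    it hit on a stale entry."""
    table = {}
    loader(table, "good", "<binding/>")
    loader(table, "bad", "")
    try:
        return collect(table)
    except RuntimeError as exc:
        return str(exc)


if __name__ == "__main__":
    print("buggy:", demo(read_prototype_bindings_buggy))
    print("fixed:", demo(read_prototype_bindings_fixed))
```

The point the example makes is that the fix is in the failure path of the loader, not in the collector: every registration performed before a fallible step needs a matching removal on the error path, otherwise the table becomes a source of dangling references for any later consumer.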

Cache Timings Allow Browser History Extraction

(LiveHacking.Com) – Security researcher and author of the book “The Tangled Web” Michal Zalewski has created a proof-of-concept web page which can extract browser history, without relying on browser quirks, using a non-destructive cache timing inspection method. A visit to the “cachetime” web page (after you give your permission) runs a script that reveals which of the top Internet sites you have visited, including Facebook, YouTube and Amazon.com.

While this code is still somewhat crude and fails for a small percentage of visitors, it appears that repeated high-performance cache sniffing is a viable possibility. The approach should allow several hundred URLs to be tested per second without disrupting the cache or causing other side effects.

Over the past two years the major browsers changed the way the CSS :visited selector works in order to prevent websites from stealing your browsing history.

Attacks on cache timings, although theoretically possible, had until now been deemed infeasible because they relied on destructive, one-shot testing that alters the state of the examined cache. Zalewski’s proof of concept, however, offers non-destructive cache inspection.

Michal has released the source code which outlines the algorithm in more detail.

Firefox 7 Fixes Security Related Bugs While Reducing Memory Footprint

(LiveHacking.Com) – Mozilla has fixed half a dozen critical security flaws in its popular web browser with the release of Firefox 7. The patches fix buffer overruns, potentially exploitable crashes and arbitrary extension installations.

The critical level security related bugs fixed in Firefox 7 include:

  • MFSA 2011-44 Use after free reading OGG headers
  • MFSA 2011-43 loadSubScript unwraps XPCNativeWrapper scope parameter
  • MFSA 2011-42 Potentially exploitable crash in the YARR regular expression library
  • MFSA 2011-41 Potentially exploitable WebGL crashes
  • MFSA 2011-40 Code installation through holding down Enter
  • MFSA 2011-36 Miscellaneous memory safety hazards (rv:7.0 / rv:1.9.2.23)

Firefox 7 also brings some new features, the most notable of which is that Firefox now uses 20% to 30% less memory, which increases overall performance and also means that Firefox is less likely to crash or abort due to running out of memory.

The new memory efficiency is due to an effort called MemShrink, in which Mozilla’s engineers started to reduce Firefox’s memory consumption by using more space-efficient data structures and by avoiding memory leaks (including lifetime issues, where memory is not reclaimed until you close the page, tab, window or process).

As well as stability bug fixes, Firefox 7 includes:

  • Added a new rendering backend to speed up Canvas operations on Windows systems
  • Bookmark and password changes now sync almost instantly when using Firefox Sync
  • The ‘http://’ URL prefix is now hidden by default
  • Added support for text-overflow: ellipsis
  • Added support for the Web Timing specification
  • Enhanced support for MathML
  • The WebSocket protocol has been updated from version 7 to version 8
  • Added an opt-in system for users to send performance data back to Mozilla to improve future versions of Firefox

Once Bitten, Twice Shy – Mozilla Tell CAs to Audit Their Systems

(LiveHacking.Com) – Mozilla has sent a message to all the certificate authorities which participate in the Mozilla root certificate program. It has requested that all participating CAs complete an audit of their PKI systems by September 16, 2011.

This call to review and confirm the integrity of their certificate systems comes after Mozilla removed the DigiNotar root certificate in response to their failure to promptly detect, contain, and notify Mozilla of a security breach regarding their root and subordinate certificates.

As part of the audit Mozilla is asking each CA to confirm that it has automatic blocks in place for high-profile domain names (including those targeted in the DigiNotar and Comodo attacks this year). Each CA must also confirm its process for manually verifying such requests when they are blocked.

Mozilla has also reminded the CAs that participation in Mozilla’s root program is at Mozilla’s sole discretion, which is code for: comply or we will kick you out. However, the message does change its tone a little by underlining Mozilla’s commitment to working with CAs as partners, “to foster open and frank communication, and to be diligent in looking for ways to improve.”

Mozilla Releases Firefox 6, Patches Critical Vulnerabilities

(LiveHacking.Com) – Mozilla has shipped a new version of its Firefox web browser with increased support for HTML5, faster startup times and improved per-site permission management. But most importantly it fixes a number of critical vulnerabilities, some serious enough to expose web surfers to drive-by download attacks.

The Critical and High impact bugs include:

  • Mozilla identified and fixed several memory safety bugs in the browser engine used in Firefox 4, Firefox 5 and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
  • Rafael Gieschke reported that unsigned JavaScript could call into script inside a signed JAR thereby inheriting the identity of the site that signed the JAR as well as any permissions that a user had granted the signed JAR.
  • Michael Jordon of Context IS reported that an overly long shader program could cause a buffer overrun and crash in a string class used to store the shader source code.
  • Michael Jordon of Context IS reported a potentially exploitable heap overflow in the ANGLE library used by Mozilla’s WebGL implementation.
  • Security researcher regenrecht reported via TippingPoint’s Zero Day Initiative that a SVG text manipulation routine contained a dangling pointer vulnerability.
  • Mike Cardwell reported that Content Security Policy violation reports failed to strip out proxy authorization credentials from the list of request headers. Daniel Veditz reported that redirecting to a website with Content Security Policy resulted in the incorrect resolution of hosts in the constructed policy.
  • nasalislarvatus3000 reported that when using Windows D2D hardware acceleration, image data from one domain could be inserted into a canvas and read by a different domain.
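The Content Security Policy item in the list above (Mike Cardwell’s report) is a data-handling bug rather than a memory-safety one: a violation report is posted to a report endpoint, possibly run by a third party, and the browser copied the original request headers into it without removing the proxy credentials. The following Python code is an added example, not Mozilla’s implementation, of the stripping step a report generator needs; the header set, the report layout and the sample headers are assumptions constructed for the example.

```python
"""Added example (not Mozilla's code): strip credential-bearing headers from
the request-headers list before a CSP violation report is serialized. The
report layout below is a constructed approximation, not the real report
format, and the header set is an assumption for illustration."""

import json

# Headers that carry credentials or session state and must never be copied
# into a report that leaves the origin. Compared case-insensitively, because
# HTTP header names are case-insensitive.
SENSITIVE_HEADERS = frozenset({
    "authorization",
    "proxy-authorization",
    "cookie",
})


def sanitized_request_headers(headers):
    """Return a copy of the request headers with credential-bearing headers
    removed, preserving the original name spelling and order of the rest."""
    return {
        name: value
        for name, value in headers.items()
        if name.lower() not in SENSITIVE_HEADERS
    }


def build_violation_report(document_uri, blocked_uri, violated_directive,
                           request_headers):
    """Assemble a violation report (constructed layout) whose request-headers
    entry has been passed through sanitized_request_headers()."""
    return {
        "csp-report": {
            "document-uri": document_uri,
            "blocked-uri": blocked_uri,
            "violated-directive": violated_directive,
            "request-headers": sanitized_request_headers(request_headers),
        }
    }


def report_leaks_credentials(report):
    """Regression check for any serializer: True if the report still carries a
    credential-bearing header name under any capitalisation."""
    names = {n.lower() for n in report["csp-report"]["request-headers"]}
    return bool(names & SENSITIVE_HEADERS)


# Constructed sample: headers of a request made through an authenticating proxy.
SAMPLE_HEADERS = {
    "Host": "example.com",
    "User-Agent": "Mozilla/5.0 (constructed sample)",
    "Proxy-Authorization": "Basic dXNlcjpzZWNyZXQ=",  # "user:secret", constructed
    "Cookie": "session=constructed-value",
    "Accept": "*/*",
}

if __name__ == "__main__":
    report = build_violation_report(
        "https://example.com/page",
        "https://third-party.example/script.js",
        "script-src 'self'",
        SAMPLE_HEADERS,
    )
    print(json.dumps(report, indent=2))
    print("leaks credentials:", report_leaks_credentials(report))
```

The check function is the part worth keeping around: run it over every report the generator emits in a test suite, so that a refactor which reintroduces the raw header list fails the build rather than shipping.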

Mozilla Updates Firefox 3.5, 3.6 and 4.0

Mozilla has released a series of security updates for all currently supported versions of Firefox. Firefox 4.0.1, 3.6.17 and 3.5.19 are now available for Windows, Mac, and Linux. Mozilla recommends that users update to the latest versions but also encourages all users to upgrade to Firefox 4, as this is the last planned security and stability release for Firefox 3.5.

The first fixes are for several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and Mozilla presumes that with enough effort at least some of these could be exploited to run arbitrary code.

A minor security vulnerability was fixed in the XSLT generate-id() function, which was revealing the valid address of an object on the memory heap. In theory, this information could have been used in combination with other heap corruption exploits.

There is also a fix for a vulnerability in the Java Embedding Plugin (JEP) shipped with the Mac OS X versions of Firefox 3.5 and 3.6 that if exploited could allow an attacker to obtain elevated access to resources on a user’s system.

Specific to Firefox 4 is an additional fix to its WebGL feature. Two crashes that could potentially be exploited to run malicious code were found in the WebGL feature. Also there is a fix for a vulnerability that could potentially be used to bypass a security feature of recent Windows versions.

Mozilla has also released Thunderbird 3.1.10. The release notes are available here.

Honest Achmed’s Used Cars and Certificates Wants To Become a Trusted Certificate Authority

On the lighter side of things, a request to add Honest Achmed’s root certificate to Mozilla has been rejected. A humorous request was made to Mozilla to add “Honest Achmed’s Used Cars and Certificates” as a trusted root certificate. Clearly the request is a poke at Comodo, which recently suffered a security breach that resulted in several fraudulent certificates being generated. This in turn forced all the major browsers and operating systems to release updates which blacklisted the fake certificates.

According to the request, “Achmed’s business plan is to sell a sufficiently large number of certificates as quickly as possible in order to become too big to fail (see “regulatory capture”), at which point most of the rest of this application will become irrelevant.” And the “purpose of this certificate is to allow Honest Achmed to sell bucketloads of other certificates and make a lot of money.”

The Comodo security breach actually took place at one of Comodo’s sub CAs, and so in the section on “Sub CAs Operated by 3rd Parties” the request states that “Honest Achmed’s uncles may invite some of their friends to issue certificates as well, in particular their cousins Refik and Abdi or “RA” as they’re known. Honest Achmed’s uncles assure us that their RA can be trusted, apart from that one time when they lent them the keys to the car, but that was a one-off that won’t happen again.” But “Honest Achmed promises to studiously verify that payment from anyone requesting a certificate clears before issuing it (except for his uncles, who are good for credit). Achmed guarantees that no certificate will be issued without payment having been received, as per the old latin proverb ‘nil certificati sine lucre’.”

New Chrome and New Thunderbird – Multiple Vulnerabilities Fixed (Updated)

Google has released Chrome 9.0.597.107 for all platforms with a total of 19 security fixes which cost Google $14,000 under its Chromium Security Rewards program. To date Google has given away over $100,000 to ethical hackers who have found and reported security issues with Google’s browser.

The success of the Chrome rewards program led Google to launch a similar program for its Web services back in November. It covers XSS, CSRF, XSSI and other types of vulnerabilities.

Of the 19 fixes to Chrome, 16 were considered high priority by Google, including a “URL bar spoof”. The details of the fixes haven’t yet been made public, as Google restricts access to the fix details until “the majority of Chrome users have updated to the latest patched version.”

Google isn’t the only one who has been updating its software. Mozilla has released a new version of its email client Thunderbird. According to its web site, Thunderbird 3.1.8 contains several fixes to improve performance, stability and security. The improved stability includes a fix for a crash caused by a corrupted JPEG image.

For a more detailed list of bug fixes, see the Rumbling Edge for a Thunderbird-focused list, or the complete list of changes in this version.

UPDATE: Mozilla has also released Firefox 3.5.17 with several security related fixes, including a fix for CVE-2010-3777, a vulnerability which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

Security Breach at Mozilla.Org

A database of addons.mozilla.org user accounts was accessible to the public. Chris Lyon, the director of infrastructure security at Mozilla, has disclosed a security breach that exposed addons.mozilla.org user accounts.

According to a post on the Mozilla Security Blog, “On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported the issue to us via our web bounty program. We were able to account for every download of the database. This issue posed minimal risk to users, however as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure.”

Apparently, the database included 44,000 inactive accounts using older, MD5-based password hashes. Mozilla has erased all of the MD5 hashes, rendering those accounts disabled. All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts.
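The difference between the two storage schemes named above is what decides how much an exposed table of hashes is worth. The following Python code is an added example, not Mozilla’s implementation, that contrasts an unsalted MD5 digest with a SHA-512 digest over a per-user random salt; the record layout, the salt length and the helper names are assumptions for illustration.

```python
"""Added example (not Mozilla's code) contrasting the two password-storage
schemes mentioned above. With an unsalted MD5 digest every user who chose
the same password has the same stored value, so one guess or one precomputed
table serves the whole database; with a per-user salt the stored values
differ even for identical passwords and each record must be attacked on its
own. Record layout and salt length are assumptions."""

import hashlib
import hmac
import os

SALT_BYTES = 16  # assumption: 128-bit per-user salt


def md5_record(password):
    # Legacy scheme: digest of the password alone. Deterministic, so identical
    # passwords produce identical stored values.
    return hashlib.md5(password.encode()).hexdigest()


def salted_sha512_record(password, salt=None):
    """Stored form 'sha512$<hex salt>$<hex digest>'. A fresh random salt is
    drawn per call; a caller may pass one only to make tests deterministic."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha512(salt + password.encode()).hexdigest()
    return f"sha512${salt.hex()}${digest}"


def verify_salted(password, record):
    """Recompute the digest with the salt stored in the record and compare in
    constant time, so the comparison itself does not leak how many leading
    characters matched."""
    scheme, salt_hex, digest = record.split("$")
    if scheme != "sha512":
        raise ValueError(f"unsupported scheme {scheme!r}")
    expected = hashlib.sha512(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(expected, digest)


def shared_hash_users(records):
    """Given {user: stored_value}, return the users whose stored value is
    shared with at least one other user. Under the unsalted scheme this set
    reveals which accounts share a password without recovering it; under the
    salted scheme it is empty."""
    by_value = {}
    for user, rec in records.items():
        by_value.setdefault(rec, set()).add(user)
    return {u for users in by_value.values() if len(users) > 1 for u in users}


if __name__ == "__main__":
    # Constructed sample accounts; two of them chose the same password.
    passwords = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}
    legacy = {u: md5_record(p) for u, p in passwords.items()}
    current = {u: salted_sha512_record(p) for u, p in passwords.items()}
    print("md5 records sharing a value:", sorted(shared_hash_users(legacy)))
    print("salted records sharing a value:", sorted(shared_hash_users(current)))
    print("verify alice:", verify_salted("correct horse", current["alice"]))
```

The salt removes the cross-account correlation but does not slow down guessing a single record; a deliberately slow, iterated construction (PBKDF2, bcrypt or scrypt) is the usual next step, and is a different change from the one the article describes.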

“It is important to note that current addons.mozilla.org users and accounts are not at risk. Additionally, this incident did not impact any of Mozilla’s infrastructure,” said Mr. Lyon, Mozilla’s Director of Infrastructure Security.