October 22, 2014

Tor users exposed due to vulnerability in Firefox 17

Users of the popular Tor anonymity tool have been exposed to malware which can reveal the user’s IP address. According to an announcement made on a Tor mailing list, the Tor Browser Bundle is susceptible to a Firefox JavaScript vulnerability, and this vulnerability has been exploited in the wild.

Although all Tor users are potentially vulnerable, it appears that the malware exploiting the bug targets only Windows users. The vulnerability allows arbitrary code execution, and the observed attack appears to collect the hostname and MAC address of the Tor user and send them to a remote web server. According to the Tor project, “it’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services.”

While outlining what users can do, besides upgrade to the latest version of the Tor Browser Bundle which contains a fixed version of Firefox, the email suggested that, “switching away from Windows is probably a good security move for many reasons.”

The malware used to discover the identities of Tor users is possibly linked to the FBI: on Friday a vast number of “hidden services” disappeared from Tor, and a man from Ireland was arrested on a warrant issued by the FBI in connection with child porn charges which allegedly involved use of the Tor network.

According to the Electronic Frontier Foundation, which issued a statement about the attack, the Tor anonymity tool is often used by human rights activists, journalists, political dissidents and whistleblowers since it allows them to use the web anonymously and avoid different surveillance and censorship techniques.

Firefox 17 fixes 19 Critical security vulnerabilities and drops support for OS X Leopard

(LiveHacking.Com) – Mozilla has released Firefox 17 and in the process has closed 19 Critical security vulnerabilities, fixed 2365 bugs and addressed 10 other sets of High or Moderate security risks. Quite impressive! Firefox 17 also includes the first revision of Mozilla’s Social API, drops support for Mac OS X 10.5 and implements the sandbox attribute for iframes. The sandbox attribute brings better security as it enables extra restrictions on the content that can appear in the inline frame.

The Critical security vulnerabilities are divided into six bundles. First, miaubiz, famous for his work on Google Chrome, used the Address Sanitizer tool to discover a series of critically rated use-after-free, buffer overflow, and memory corruption issues. The individual issues are use-after-free when loading html file on osx (CVE-2012-5830), Mesa crashes on certain texImage2D calls involving level>0 (CVE-2012-5833), integer overflow, invalid write w/webgl bufferdata (CVE-2012-5835) and crash in copyTexImage2D with image dimensions too large for given level (CVE-2012-5838).
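The bug titles above describe two related failure modes in texture-upload style code: an integer overflow in the byte-size arithmetic that leads to an invalid write, and image dimensions that are too large for the requested mipmap level. The following is an added example, not Mozilla’s code and not derived from the fixes themselves, showing the defensive checks that rule out that bug class. The limits, names and the `validate_upload` interface are assumptions chosen for illustration.

```c
/* Added example (not Mozilla's code): defensive size arithmetic for a
 * texImage2D-style upload path. Every limit and name below is an assumption
 * made for illustration; the real browser code is not on the page. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_TEXTURE_SIZE 16384u              /* assumed implementation limit */
#define MAX_LEVEL        14u                 /* log2(MAX_TEXTURE_SIZE) */
#define MAX_IMAGE_BYTES  ((uint64_t)1 << 30) /* assumed cap on one upload */

/* Largest width/height permitted at a mipmap level: each level halves the
 * base size. Returns 0 for a level that has no valid size at all. */
uint32_t max_dim_for_level(uint32_t level) {
    if (level > MAX_LEVEL) return 0;
    return MAX_TEXTURE_SIZE >> level;
}

/* width * height * bytes_per_pixel with the multiplications checked before
 * the result is used to size a buffer. Returns false on zero inputs, on
 * overflow, or when the result exceeds the cap; *out is untouched then. */
bool checked_image_bytes(uint32_t width, uint32_t height,
                         uint32_t bytes_per_pixel, size_t *out) {
    if (width == 0 || height == 0 || bytes_per_pixel == 0) return false;
    uint64_t area = (uint64_t)width * height;   /* two 32-bit values fit */
    if (area > MAX_IMAGE_BYTES / bytes_per_pixel) return false; /* overflow/cap */
    *out = (size_t)(area * bytes_per_pixel);    /* <= MAX_IMAGE_BYTES */
    return true;
}

typedef enum {
    UPLOAD_OK, UPLOAD_BAD_LEVEL, UPLOAD_TOO_LARGE,
    UPLOAD_OVERFLOW, UPLOAD_SHORT_DATA
} upload_status;

/* Validates a request before any memory is touched: level must be valid,
 * dimensions must fit the level, the byte count must not overflow, and the
 * caller's source buffer must actually hold that many bytes. */
upload_status validate_upload(uint32_t level, uint32_t width, uint32_t height,
                              uint32_t bytes_per_pixel, size_t data_len,
                              size_t *needed) {
    uint32_t limit = max_dim_for_level(level);
    if (limit == 0) return UPLOAD_BAD_LEVEL;
    if (width > limit || height > limit) return UPLOAD_TOO_LARGE;
    if (!checked_image_bytes(width, height, bytes_per_pixel, needed))
        return UPLOAD_OVERFLOW;
    if (data_len < *needed) return UPLOAD_SHORT_DATA; /* would read past source */
    return UPLOAD_OK;
}

int main(void) {
    size_t needed = 0;
    /* Constructed cases: a valid 2x2 RGBA upload, a level-1 image that is
     * only valid at level 0, and dimensions whose product overflows 32 bits. */
    printf("2x2 RGBA at level 0: %d (needs %zu bytes)\n",
           validate_upload(0, 2, 2, 4, 16, &needed), needed);
    printf("16384x16384 at level 1: %d\n",
           validate_upload(1, 16384, 16384, 4, 1 << 20, &needed));
    printf("65536x65536 at level 0: %d\n",
           validate_upload(0, 65536, 65536, 4, 1 << 20, &needed));
    return 0;
}
```

The important property is that the byte count is never computed in 32-bit arithmetic and never trusted before both the level check and the cap check have passed; a short source buffer is rejected for the same reason, since copying `needed` bytes from it would read out of bounds.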

Second, Abhishek Arya (Inferno) of the Google Chrome Security Team also used the Address Sanitizer tool to find a series of critically rated use-after-free and buffer overflow issues. The full list of issues is:

  • Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-4214)
  • Heap-use-after-free in nsPlaintextEditor::FireClipboardEvent (CVE-2012-4215)
  • Heap-use-after-free in gfxFont::GetFontEntry (CVE-2012-4216)
  • Heap-buffer-overflow in nsWindow::OnExposeEvent (CVE-2012-5829)
  • Heap-buffer-overflow in gfxShapedWord::CompressedGlyph::IsClusterStart (CVE-2012-5839)
  • Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-5840)
  • Heap-use-after-free in XPCWrappedNative::Mark (CVE-2012-4212)
  • Heap-use-after-free in nsEditor::FindNextLeafNode (CVE-2012-4213)
  • Heap-use-after-free in nsViewManager::ProcessPendingUpdates (CVE-2012-4217)
  • Heap-use-after-free in BuildTextRunsScanner::BreakSink::SetBreaks (CVE-2012-4218)

Next, security researcher Mariusz Mlynski reported that when a maliciously crafted stylesheet is inspected in the Style Inspector, HTML and CSS can run in a chrome privileged context without being properly sanitized first. The references for his discoveries are Arbitrary code execution from Style Inspector and CVE-2012-4210.

Following on from this, Jonathan Stephens discovered that combining SVG text on a path with the setting of CSS properties could lead to a potentially exploitable crash. See SVG text on path + setting a style crashes Firefox and CVE-2012-5836.

Penultimately, Atte Kettunen from OUSPG used the Address Sanitizer tool to discover a buffer overflow while rendering GIF format images. This flaw is documented at ASAN: Heap-buffer-overflow at image::RasterImage::DrawFrameTo and CVE-2012-4202.

Finally, Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Gary Kwong, Jesse Ruderman, Christian Holler, Bob Clary, Kyle Huey, Ed Morley, Chris Lord, Boris Zbarsky, Julian Seward, and Bill McCloskey reported memory safety problems and crashes that affect Firefox 16: Memory safety bugs fixed in Firefox 17 and CVE-2012-5843. Jesse Ruderman, Andrew McCreight, Bob Clary, and Kyle Huey reported memory safety problems and crashes that affect Firefox ESR 10 and Firefox 16: Memory safety bugs fixed in Firefox ESR 10.0.11 and Firefox 17 and CVE-2012-5842.


Mozilla 13 Fixes Critical Security Vulnerabilities and Improves New Tab Page

(LiveHacking.Com) – The Mozilla foundation has released Mozilla 13 with some new features including redesigned Home and New Tab pages, the use of SPDY by default and a series of performance improvements. The new release also fixes some Critical security vulnerabilities, including two issues with the Mozilla updater and the Mozilla updater service which were introduced in the Windows versions of Firefox 12.

According to Mozilla Foundation Security Advisory 2012-35, security researcher James Forshaw of Context Information Security discovered that Mozilla’s updater is able to load a local DLL file in a privileged context. He also discovered that the updater service is able to load an arbitrary local DLL file, which can then be run with the same system privileges used by the service. For a hacker to exploit these vulnerabilities they would need local file system access.

The other critical fixes were all memory related:

  • MFSA 2012-40 – Security researcher Abhishek Arya of Google used the Address Sanitizer tool to uncover two heap buffer overflow bugs and a use-after-free problem. Affected components include Mozilla’s Unicode conversion functions, the nsFrameList and the nsHTMLReflowState. All three of these issues are potentially exploitable.
  • MFSA 2012-38 – Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free while replacing/inserting a node in a document. This use-after-free could possibly allow for remote code execution.
  • MFSA 2012-34 – Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and Mozilla presumes that with enough effort at least some of these could be turned into a full exploit that allows arbitrary code execution.

SPDY

Along with the various UI changes, Firefox now supports SPDY by default to make browsing more secure. SPDY, which is designed as a successor to HTTP, aims to reduce the amount of time it takes for web pages to load. The result is that when using services like Google and Twitter, users should notice faster page load times.

Mozilla Releases Firefox 10 and Firefox 3.6.26 to Address Multiple Vulnerabilities

(LiveHacking.Com) – The Mozilla Foundation has released Firefox 10 and Firefox 3.6.26 to address multiple security vulnerabilities. These vulnerabilities, if exploited, could allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or perform a cross-site scripting attack.

Firefox 10 fixes 8 security issues, of which 5 are rated as “Critical”. A “Critical” vulnerability can be exploited to run attacker code and install software, requiring no user interaction beyond normal browsing. These include a fix for a possible memory corruption during the decoding of Ogg Vorbis files that could cause a crash during decoding and has the potential for remote code execution. There are also several memory safety bugs in the browser engine. Some of these bugs showed evidence of memory corruption under certain circumstances, and Mozilla presumes that with enough effort at least some of these could be exploited to run arbitrary code.

The full list of fixes is:

  • MFSA 2012-09 Firefox Recovery Key.html is saved with unsafe permission
  • MFSA 2012-08 Crash with malformed embedded XSLT stylesheets
  • MFSA 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files
  • MFSA 2012-06 Uninitialized memory appended when encoding icon images may cause information disclosure
  • MFSA 2012-05 Frame scripts calling into untrusted objects bypass security checks
  • MFSA 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes
  • MFSA 2012-03 <iframe> element exposed across domains via name attribute
  • MFSA 2012-01 Miscellaneous memory safety hazards (rv:10.0/ rv:1.9.2.26)

New features in Firefox 10 include:

  • The forward button is now hidden until you navigate back
  • Most add-ons are now compatible with new versions of Firefox by default
  • Anti-Aliasing for WebGL is now implemented (see bug 615976)
  • CSS3 3D-Transforms are now supported (see bug 505115)
  • New <bdi> element for bi-directional text isolation, along with supporting CSS properties (see bugs 613149 and 662288)
  • Full Screen APIs allow you to build a web application that runs full screen (see the feature page)

The fixes for 3.6.26 are backports of fixes applied to Firefox 10 including:

  • MFSA 2012-08 Crash with malformed embedded XSLT stylesheets
  • MFSA 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files
  • MFSA 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes
  • MFSA 2012-01 Miscellaneous memory safety hazards (rv:10.0/ rv:1.9.2.26)

The only fix unique to the 3.6 series is MFSA 2012-02 Overly permissive IPv6 literal syntax. This was fixed in Firefox 7.0 but has only now been fixed in Firefox 3.6.26.

Google Sponsored Report Says Chrome is the Safest Browser

(LiveHacking.Com) – Accuvant has published a report, commissioned by Google, called “Browser Security Comparison: A Quantitative Approach” which evaluates the security of Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer. The report finds that Google Chrome is currently the browser that is most secured against attacks.

“Anybody who surfs the internet is familiar with malware, spyware and viruses. These malicious programs can lead to system pop-ups, slowdowns, account takeovers, and theft of credit card data, social security numbers and other personally identifiable information. While antivirus and anti-malware can help prevent infection, the first line of defense is using a secure web browser,” said Ryan Smith, chief scientist for Accuvant. “Accuvant is dedicated to providing essential services, like this in-depth, proactive research, that help protect vendors, companies, government agencies, and the public-at-large against those with malicious intent.”

Although the report was commissioned by Google, Accuvant says its analysis is independent and based on the premise that all software of sufficient complexity has vulnerabilities. As such the web browser with the best anti-exploitation techniques is the most resistant to attack.

“Our researchers used a completely different and more extensive methodology than previous, similar studies,” said Chris Valasek, Accuvant LABS senior research scientist. “We compared web browsers from a layered perspective, taking into account security architecture and anti-exploitation techniques. Like antivirus or anti-malware software, each provides an additional layer of defense. This methodology requires a greater depth of technical expertise than statistical analysis of vulnerabilities, and also provides a more accurate window into the security of each browser.”

The Conclusion

The report’s executive conclusion reads: “the URL blacklisting services offered by all three browsers will stop fewer attacks than will go undetected. Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art antiexploitation technologies, but Mozilla Firefox lags behind without JIT hardening. While both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies, Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner. Therefore, we believe Google Chrome is the browser that is most secured against attack.”

Multiple Unspecified Vulnerabilities in Mozilla Firefox, Thunderbird and SeaMonkey

Mozilla Firefox, Thunderbird and SeaMonkey are vulnerable to multiple unspecified security issues. The vulnerabilities occur in the operating system (OS) font code. No further information is available about these issues.

New versions of Firefox, Thunderbird and SeaMonkey are available to address these issues.

These issues are fixed in the following versions:

  • Firefox 3.6.13
  • Firefox 3.5.16
  • Thunderbird 3.0.11
  • Thunderbird 3.1.7
  • SeaMonkey 2.0.11