Gaping Holes In Fully Patched IE7, Firefox 2
Continent1106 writes "Hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE6, IE7 and Firefox 2.0. The vulnerabilities could cause cookie stealing, page hijacking, memory corruption, code execution, and URL bar spoofing attacks." Here is Zalewski's post to Full Disclosure.
What's better...
IE7
Firefox 2
No holes for Opera? Oh well...
(sits back in corner with large grin on face)
"I think an etch-a-sketch with an ethernet port would beat IE7 in web standards compliance."
Wow, I'm so glad I installed Firefox so I'm immune to all of these IE bugs!
Oh, wait, what did that say?
-AC
Perhaps I'm ignorant, but does anyone ever find themselves a victim of these "gaping holes"? I can't say as I've ever browsed on to a site and found myself the victim of a compromised computer or ended up with viruses. Is there a site/blog that reports such statistics?
Article tagged as goatse.
In order to be affected, doesn't one first have to go to the shady site that has this stuff scripted in the page? Yes, this may be a bug, but like a web page-bound virus, is one that the user has to inflict upon himself by going to a site he probably shouldn't be going to in the first place.
And if Ubuntu was really concerned about security they would ship it by default with a web browser already set up under a separate username with strict selinux policies.
Well there's always Opera?
I use Lynx, you insolent clod! Get off my lawn!
Anyone have info on how stacks up to IE/FF? http://30days.itious.com/
21st-Century-Citizen
I am using the latest Firefox 1.5. I went to the demo page : http://lcamtuf.coredump.cx/ifsnatch/ . The first test shows that it is possible to rewrite the content of an iframe. That is rather dangerous in situations involving trusted messages.
The 2nd demo was supposed to snoop on the keyboard, but it invoked a pop-up, which was immediately blocked by the pop-up blocker. So unconfirmed as far as I know. However, the demo page did open a CNN.com page.
Anyone has better "luck" to demo the keyboard snooping?
Fantasy: http://ferrisfantasy.blogspot.com/
Just frickin' wonderful. In every version of the browser, totally massive security holes, all announced at the same time. Sheer beauty.
Get to cuttin, boys!
oh well... most if not all sites that I frequent that use javascript I tend to trust... if they have a backend exploit then they would rather take other info without bothering us web surfers.
cookie STEALING, page HIJACKING, memory CORRUPTION, code EXECUTION, and URL bar spoofing ATTACKS.
So where the fuck is home land security when you need them.
Keeps all of that Firefox JavaScript nastiness at bay, plus flash ads to boot. :)
if Javascript is turned off. Move along, nothing to see here.
No holes for elinks? Oh well...
(sits back in corner with large grin on face)
Train stations have bugs too, apparently.
no, I don't have a sig
http://impoll.net/cgi-bin/v.cgi?p=1585&r=1
following could cause cookie stealing, page hijacking, memory corruption, code execution or URL bar spoofing attacks !!
Mongrel News all the news that fits and froths
No holes for Lynx? Oh well...
(sits back with biggest grin on face)
3 holes in Natalie Portman? Oh yeah!
(sits back with the biggest grin on his face)
Do you even lift?
These aren't the 'roids you're looking for.
I'm not familiar with iframes, but would not running javascript on untrusted webpages protect from this?
--The universe will not be altered by forum threads, even those which are very wry. --Tycho Brahe (Penny Arcade)
And they want to drop support of 1.5 this month, when 2.0 isn't even really ready yet? When did Microsoft take over the Mozilla Foundation?
Anyone want to wager on who has this hole fixed first, IE or Firefox?
that is not stable.
Most of the malware is for IE, but it's quite frequent for an advertising network or such to be compromised and to send out infected ads. Plenty of websites and ad networks have been hacked for no apparent reason other than to infect people. It's far from the only way they trick people, of course. They like to require special software to use their smileys, screen savers, programs to download some site's crap (especially for porn, like the porn dialers from the days when modems were common), fake anti-virus and spyware tools, etc. If you have to download some special tool to use a site, and it's not a well-known thing like a common media codec or something to extract RARs, etc., it seems like it's almost certainly illegitimate.
That said, I personally have not been affected, but I use Firefox (which has the less critical holes) + NoScript (which completely blocks the holes in TFA, not to mention many others). And even if they did get the exploit to work and had it steal my cookies, there's hardly anything in there because all cookies get deleted when I log out. And I have Adblock Plus, so I'm not going to get hit by any compromised ad networks or whatever to begin with, especially because I'm incredibly mistrustful about what programs I install.
If you want a blog to read, try F-Secure's blog.
1) If Article Posted about IE security bugs
- Regular mudfest, everyone throwing mud on Microsoft
& IE. Everyone saying I have FF/Linux/Safari whatever,
so I am safe. Nobody talks about changing settings,
disabling javascript or Activex as a good workaround.
2) If Article Posted about FF security bugs
- Lot of workarounds posted - disable Javascript,
get some plugin, change some settings, don't go to
the website etc. How great that the it is open source,
someone will fix the bug in one hour & release patch.
Bugs are avenues to show how great open source is.
Now both are posted together, let's collate responses
at the end of the day
And once again, Slashdot fails to mention that the exploit does not work if you are using Vista and IE7.
I guess they can't afford to admit how Firefox is old crap, so they keep failing to mention when the one-two punch combo of Vista and IE knocks them on their asses. Again. And again.
A damn lot of crashes are exploitable.
Even something as harmless-looking as a NULL pointer read can indicate an exploitable crash. It may mean a stack overflow. It may just be a NULL pointer read, which is (almost unbelievably) exploitable on Windows because of the way plug-ins and exception handlers work.
Why am I not surprised that the ever so awesome Opera isn't mentioned there and yet nobody seems to have any love for the one and only best browser in the universe.
I will never get it what is it with people that they will fight over whether white or black bread is better when they can have cookies.
You're a rare weirdo. Much of the web won't work without scripting, or at least won't work well.
You're missing out on the nicer wiki/blog editors, live updates to the price of a computer purchase as you add/remove components, tolerable web mail interfaces, and (if your CPU is fast) the experimental slashdot interface.
Those are just the nerd things. I'm told there are numerous non-nerd things on the web as well, with far more scripting.
Thor Larholm also announced a Firefox hole today. Wasn't completely patched in the last release.
.. paranoid crackpot leftover from the days of Amiga.
Now I can figure IE is running on a MSFT product, but Firefox is a little more eclectic.
So is this a problem with Firefox on Linux, and on what flavor?
There, fixed that for you.
I run Microsoft Windows XP SP2, so I am safe. IE users can simply disable JavaScript in the control panel - any user of closed source knows how to do that! Plus, they don't even have to go to the web site. Microsoft will fix the bug by the next Tuesday of the next month, which is an AMAZING response time, don't you think! The best thing about closed source is you don't have hackers accessing it!
Now, as far as Firefox, that STUPID Mozilla Foundation makes some of the most amateur mistakes! They can't even foresee these sorts of bugs! What sort of poor excuse for a QA department do they have over there? I bet they employ high school kids just learning C to write their code for them. And, plus, they have the gall to be open source! I despise them with every ounce of my very being. Everything they do makes my blood boil!
Friends don't let friends install MZ junk!
i'll give it this, even though it's HIGHLY frustrating when trying to create truly rich experience applications: Flash is now amazingly sandboxed. so much so that it's actually quite handicapped. you can go so far as to disallow hyperlinks from flash domain-wide, as myspace has now done after flash was used in an XSS attack - which, incidentally, is not so much the fault of javascript as it is poorly sanitising input on the part of web developers.
So, is this the solution? Plug that hole.
I've renamed Firefox "CrashZilla"; it would be nice to browse the web for more than 1 hour without it freezing up or crashing. Yes, I have the latest version and all the latest plugins. I have no issues with Konqueror on KDE 3.5.7 (using the same plugins) and Firefox 1.5.* ran for days without crashes.
I have yet to get the demo to work for the "bait and switch" attack. I'm running IE7 on Vista... Anyone had success getting the demo to work? Scratch that... As I was typing this a dialog prompted me my Google cookie info. OK... this "vulnerability" took over a minute to accomplish and my browser kept navigating back and forth between 2 different sites. It was pretty obvious that something malicious was going on and I hardly doubt that this will be leashed onto many unsuspecting web users. This is one hole that is far stretched... err... fetched.
then the demos don't work :-)
Bring out the Opera fan boys... (of which I must deny if asked if I am one... for safety purposes)
while Fx/Linux or OS X are? This had to come some day. :P
We all knew back in the early days of Javascript that it would be a security nightmare. But we (collectively) went ahead with it. We put together web pages that depended on it, so browsers had to support it and users had to enable it. Now we've waited so long that it seems impossible to undo what we've done. But maybe it isn't completely impossible to undo. And keep in mind that the longer we wait, the harder it will be to undo.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
You young whippersnappers and your fancy shell doo-dads. In my day, we had to lick a live 10Base5 cable to browse gopher and that's the way we liked it!
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
(sits back with the biggest grin on his face)
but do you have pics of her sealed up air-tight?
If we're going to require that the most secure OS for IE7 be used to test it, shouldn't we use the most secure OS for Firefox 2.0 be used to test it? If so then a Linux distro is required for Firefox and none of these holes work (or so people here claim, if you've got evidence to the contrary I'd be interested to hear it). Or we could simply use the most common OS that IE7 and Firefox is used in, which would be XP. Your choice.
My first reaction was that people had gotten bored with the joke tags. This is the internet, after all, and internet fads fade with time just as the real-world ones do -- faster, even.
Then I remembered that a few days ago I saw people commenting on pouring hot grits down pants, and petrified Natalie Portman (though admittedly this was a Star Wars thread), and realized that on Slashdot, old jokes don't fade away.
One might even say, in Soviet Slashdot, old memes forget you!
i definitely agree; there's so much complexity to securing a browser regarding javascript (since the javascript concept is essentially innately insecure), i definitely feel that moving to a static-er web would make sense. additionally, without having to develop things with javascript, developers could put more effort towards more useful things, or experimenting with newish interesting stuff like xhtml (and xlink's embed feature, so we can have the 'slashdot new discussion system' types of things without javascript, maybe)
the privacy of one's mind is important.
you do have something to hide.
Are you serious? Have you looked at that icon? There's a huge hole right in the middle, and no one seems to acknowledge it!
I've been using their "free" basic service for years; it was always their small little 16x16/32x32 icon; not really intrusive.
Then suddenly my pages using their stats service had a nasty pop-under. I've seen this at other sites too and found out the "new" advertisement ways after a few weeks when I started getting bothered seeing the same pop-unders over and over while I wasn't even on any other sites.
These pop-unders were all activated under Firefox and it's clearly in their TOS they can advertise on websites; only; which I had on my website was all except "good" for my site; the pop-under involved pornography because of a reference to some articles about STD's a couple of years ago. It made me sick to always get that XXX-commercial on my own website and got rid of Nedstat ever since.
webalizer for the win! less eye candy but still enough stats to chew on without all the nastyness...
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Cue website installing a WoW password stealer in 3, 2, 1 ...
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
So secure in fact, that you could write an operating system with full memory protection and filesystem access control in it. It only needs threading, but no doubt someone has already figured out a way to do that, probably by letting the host application add some needed functions to the object model. There is nothing in the JavaScript language that is inherently insecure. Perhaps implementations can be buggy, but then again, HTML or CSS implementations can be buggy too.
The security holes are usually not within JavaScript, but within the obscure, convoluted object model that has become the standard, most often some way of having the browser fetch pages from other websites as if the user loaded them or similar loopholes. That these are possible at all is a major design flaw, but, and I'll say this again, it's not a flaw in JavaScript.
the first and second ones are pretty scary. the 3rd one is kind of silly to me.
by the way, this is a test page I wrote, stealing your slashdot cookie by exploiting vulnerability #1: slashdot_hack1.html. once clicked your session will be kicked out because I pwned it. tested under IE6
"Upon completion of this investigation, Microsoft ... may [issue] a security advisory"
First off, thanks for replying & sorry for my late reply (busy & it's late now, here goes):
I tried it, & didn't see it! NO PROBLEMO here, & I checked for "error #3" you mentioned, on Mr. Zalewski's actual referring page...
SOME BACKGROUND INFO. HERE (I assumed you were on Win32 yourself by the by, like I am) FOR ANYONE WHO TRIES THIS TEST ON A WIN32 RIG & OPERA:
Here I am running Windows Server 2003 SP #2!
(A personally 'security-hardened' model I have been working on for many years since the NT 3.5x days onward to this version of the OS)
It has been way, WAY hacked up for security via things like:
1.) IP security policies (modded AnalogX one, very good)
2.) SCW was run over it first to help secure it (SCW = security configuration wizard, & it's pretty damn good believe-it-or-not, @ least, as a starting point)
3.) PLUS, this version of the OS has a hardened IE6/7 by default (which can be duplicated on other Win32 OS versions, because it mainly just does what I have been doing for a long time & noted by myself earlier, in stuff like turning off ActiveX & scripting of all types by default)
4.) General security policies in gpedit.msc/secpol.msc
5.) Tons of security & speed oriented registry hacks (reconfiguring the OS basically - stuff like you might do in etc in UNIX/LINUX I suppose)
6.) AND std. stuff like AntiVirus (NOD32 latest) + SpyBot as my resident antispyware tool running in the background!
7.) Many services I do not need are either cut off OR secured in their logon entity to lower privilege entities (from default, near "ALL POWERFUL" SYSTEM, to lesser ones like NETWORK SERVICE or LOCAL SERVICE), see this URL where I did a lot of research for a prebuilt list for another forum, to see how/why this works:
http://forums.techpowerup.com/showthread.php?s=51874ee73e9a212bfbabbaba41cf36e3&t=16097
(And, of course, the user feedback on its effectiveness, as well as MacOS X, which uses the same general principles)
8.) Plus good email client practices like using .txt mail only, no RTF or HTML mail, not opening or allowing attachments unless I know the person (still gets email scanned though)
As is now? I score an 84.735 on the CIS Tool 1.x (Linux, MacOS X, Solaris, & other OS models ports of this are available too by the way - not really "ports" strictly speaking, they require JAVA to run), from "The Center for Internet Security" here:
http://www.cisecurity.org/bench.html
Ah man... There's SO MUCH MORE I do to secure this, but too much to list really!
(I am sure I am overlooking some stuff, details & such - things like the fact I use a LinkSys/CISCO BEFSX41 "NAT" true firewalling router with cookie & scripting filtering built-in @ the hardware level), but that IS the bulk of it!)
ALL for security... & this post is especially for background to anyone on Win32 that DOES show an error in this test, as giorgosts on Linux did (to whom I am responding).
So, based on my test?
This has to be script related, because I did not see it @ all (no action from err #3 reported on Mr. Zalewski's page (and I did not think I would, because I keep scriptings of ALL kinds generally turned off 99.999% of the time in my webbrowsers on the public internet @ least)).
Good news!
(Above all - Thanks for your response & data)...
I would write more, but it is VERY late here, & time for shuteye!
APK
This Freaking IE is never ever secure. Its really a worthless app. I use Safari and firefox...
Best Regards, Eliena Andrews
I use NoScript all the time. If I get to a page whose scripts I _want_ I allow them, or temporarily allow them.
I don't miss much except for the bullcrap. Yea, it takes all of a keystroke or a context menu selection whenever I decided I want "the full web experience".
The truth is, most of the time, nobody _wants_ "the full web experience."
Live and Learn... give it a try for a while and you will get hooked (unless you are incredibly lazy, which I am also, sometimes. 8-)
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
That's the most brilliant idea I've seen in this entire thread so far. We need a <noscript>, or perhaps a <sandbox></sandbox> tag which allows us to specify what can be done inside of a frame, embedded object, or anything else linked to from a remote site.
That would make a huge difference.
Is Epiphany affected? (My install of Epiphany (Debian Etch) is using a gecko-1.8 backend, according to Help >> About)
mod parent up. (possibly gp)
Blah blah sig blah blah blah irony blah blah
I had mod points a week ago, I wish they hadn't expired.
This is an awesome idea, and we need it!
http://img367.imageshack.us/img367/9813/snapshot9jp4.png
homeland security is a fairy tale.
Reduce, reuse, cycle
Sounds like the US government to me. :)
He who lights his taper at mine, receives light without darkening me.
Here at work we use IE6 on XP SP2 workstations and not a single one of those vulnerabilities affects us.
Why? Because we don't let IE run scripts of any kind unless it's from a site we trust. IE has had security zones for years yet hardly anyone uses them. A single group policy object enforces our list of trusted sites, nobody's computer can run javascript on any site we've not already decided is safe.
Ok, there's a small risk of someone hacking one of our trusted sites, but I can live with that.
So far we've had 2 years of uninterrupted browsing, with nobody at our company getting a single piece of malware on their machine.
And the best bit: It's surprisingly low maintenance. We get maybe one request a month now to add a new site to the list.
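The setup this commenter describes (Internet zone with scripting off, a centrally enforced trusted-sites list) maps onto a handful of registry values that the IE Group Policy templates write. The PowerShell below is an added example, not anything from the post or from Microsoft; the site names are constructed placeholders, and the paths and value names are the standard IE zone policy locations (zone 3 = Internet, 1400 = "Active scripting", 1200 = "Run ActiveX controls and plug-ins", ZoneMapKey = the "Site to Zone Assignment List" policy, zone 2 = Trusted sites). In production you would set the same things through a GPO rather than by script.

```powershell
# Added example (not from the Slashdot post): per-machine policy that mirrors
# "no scripts anywhere except on sites we have already decided are safe".
# Run elevated on a test machine first; a reboot is not needed, but IE must be restarted.

$PolicyRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$InternetZone = Join-Path $PolicyRoot 'Zones\3'     # zone 3 = Internet (everything not listed)
$ZoneMapKey   = Join-Path $PolicyRoot 'ZoneMapKey'  # GPO "Site to Zone Assignment List"

# Constructed placeholder list of vetted sites; replace with the organisation's own.
$TrustedSites = @(
    'intranet.example.internal',
    'https://vendor.example.com'
)

foreach ($key in @($InternetZone, $ZoneMapKey)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Lock the Internet zone: 3 = Disable, 1 = Prompt, 0 = Enable.
# 1400 = Active scripting, 1200 = Run ActiveX controls and plug-ins.
New-ItemProperty -Path $InternetZone -Name '1400' -PropertyType DWord -Value 3 -Force | Out-Null
New-ItemProperty -Path $InternetZone -Name '1200' -PropertyType DWord -Value 3 -Force | Out-Null

# Apply the zone settings per machine so users cannot override them in Internet Options.
New-ItemProperty -Path $PolicyRoot -Name 'Security_HKLM_only' -PropertyType DWord -Value 1 -Force | Out-Null

# Zone assignment: value name = site pattern, data = zone number as a string ("2" = Trusted sites).
# Only these sites get the (default) Trusted-sites settings, where scripting stays enabled.
foreach ($site in $TrustedSites) {
    New-ItemProperty -Path $ZoneMapKey -Name $site -PropertyType String -Value '2' -Force | Out-Null
}

# Read back what is now enforced, so the change can be checked before rolling it out.
Write-Host "Internet zone Active scripting (1400) = $((Get-ItemProperty -Path $InternetZone).'1400')  (3 = disabled)"
Write-Host 'Site to Zone assignments:'
Get-ItemProperty -Path $ZoneMapKey |
    Select-Object -Property * -ExcludeProperty PS* |
    Format-List
```

Keep the Trusted sites zone short and review it when an entry is added, since a compromised trusted site (the residual risk the commenter accepts) runs with that zone's permissions. The same registry layout works for Windows XP and Server 2003 era IE6/IE7; with Security_HKLM_only set, the Security tab in Internet Options shows the settings greyed out, which is a quick way to confirm the policy applied.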
You almost had me take the bait.
"This hideous CSS-laden version of slash is a big step down from the previous pure html version"
Wonderful mis-use of "laden" and "pure".
The AJAX-y comment system is far better than the old multiple-page-load model, and I suspect you know it. The point being, as you said yourself, that a site has to work without javascript. But it doesn't have to work *well*.
-
Brendan Eich, the father of JavaScript, proposes a <JAIL> tag to block scripting (PDF slides warning)
-
RSnake's take on content restrictions proposals.
And for users? Good ole NoScript. There's a browser safer than Firefox: it is Firefox, with NoScript.
Where's the multi-million dollar independent security analysis of the Wii Browser?
;)
*Thinks about it*
Runs on Opera so it's probably fine.
Oh, gosh, mister! Please don't steal my chips ahoy, or my oreos! Anything, but that!
I don't care what you think, nobody is going to use that extension by default and it will never be enabled by default. Your attempt to make measurements of Firefox security with it enabled are reminiscent of Microsoft's attempts to get C2 certification for Windows NT when it wasn't connected to a network.
The most meaningful measurement of security for an application is looking at the default installation. Most people will never get beyond that.
Need a Python, C++, Unix, Linux develop
davecb5620@gmail.com
LOL, man... that's whacked: "Evil Script"!
(The name, makes the point though, & thanks for showing me that madness - I believe you)!
APK
P.S.=> I am glad I do not keep JavaScript running on my webbrowsers on the public net typically! apk
I'm running Vista Business 32 with IE7 fully patched. None of the IE demos worked for me specifically the first one marked critical. I guess I feel a little better, but I do believe the vulnerability exists.
For how much Slashdotters rip apart the DRM industry, which spends millions upon millions only to have their keys hacked in a day, we sure do expect a lot from our browsers.
Just frickin' wonderful. In every version of the browser, totally massive security holes, all announced at the same time. Sheer beauty.
Hey, don't worry, there are plenty of undiscovered massive security holes in there too.
Plan your backups accordingly.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Opera has an independent code base, so there's hope. I usually install all three for my users to have on days like this.
(Of course, I worry about it less than many, since half of my people are still using PPC-era Macs.)
//Information does not want to be free; it wants to breed.
The hard thing about NoScript is when a page totally fails to load anything useful and you have to decide to allow one or more of three scripts, each from a different domain. Often it is easy: you're on yahoo, so you allow yahoo. Sometimes it is far from obvious. To get some yahoo pages to work you have to allow yming.com to run scripts, and you have to pick that one from a list including several cryptically named advertiser sites. I don't mind this extra step, and with the current web model I don't see another way around it, but I hardly expect Joe Casual Surfer to even know what a script is.
-- QED
The google groups IFRAME was replaced in FF and not in Opera.
Once again I'm proud of my choice of browser.
We are Turing O-Machines. The Oracle is out there.
It seems like it would be pretty easy for the Anti-virus vendors and other anti-malware vendors to tap into the javascript engine and detect these sorts of things.
So you go to www.somecrappysite.com and it tries to run jscript. Then the tool you are running does some analysis and says...hmmm...that seems strange. If it knows it is an attack it stops the page from loading and blocks the page straight up. If it is unsure it can ask the user if they want to continue AND ask the user if they can upload the information for analysis.
I think we should keep IE and Firefox patched up, but realtime analysis seems like a better idea.
Oh, additionally:
I omitted 1 more thing I do for securing a Windows NT-based OS: IP Port Filtrations!
Start Menu -> Connect To Item (on the right hand side) -> Local Area Connection (whatever you called it, this is the default, iirc) open it via double click OR, right-click popup menu PROPERTIES item -> Properties button on left-hand side bottom, press/click it -> NEXT SCREEN (Local Area Connection PROPERTIES) -> "This connection uses the following items" (go down the list, to Tcp/IP & select it & press/click the PROPERTIES button there) -> Press/Click the Advanced Button @ the bottom Right-Hand Side (shows Advanced Tcp/IP Settings screen) -> OPTIONS tab, use it & Tcp IP Filtering is in the list, highlight/select it -> Beneath the Optional Settings, press/click the PROPERTIES button on the lower right-hand side -> Check the "Enable Tcp/IP Filtering (on all adapters)" selection -> In the far right, IP PROTOCOLS section, add ports 6 (tcp) & 17 (udp) -> In the far left "tcp ports" list - check off the radio button above the list titled "PERMIT ONLY", & then add ports you want to have open (all others will be filtered out, & for example, I leave port 80, 8080, & 443 here open, only - you may need more if you run mail servers, & what-have-you (this varies by application)) -> I leave the UDP section "PERMIT ALL" because of ephemeral/short-lived ports usage that Windows does (I have never successfully filtered this properly but it doesn't matter as much imo, because udp does not do 'callback' as tcp does, & that is why tcp can be DDOS'd/DOS'd imo - it only sends out info., but never demands verification of delivery (faster, but less reliable)) -> DONE!
You may need a reboot:
I say this, because although IP Security Policies work with the "Plug-N-Play" design of modern Windows NT-based OS' (ipsec.sys) & do NOT require a reboot to activate/deactivate them in Windows 2000/XP/Server 2003/VISTA?
This is working @ a diff. level & diff. driver iirc (tcpip.sys) & level of the telecommunications stacks in this OS family & WILL require a reboot to take effect (for a more detailed read of this, see here):
http://www.microsoft.com/technet/community/columns/cableguy/cg0605.mspx
Enjoy the read, it is VERY informative!
APK
P.S.=> Shows you how TcpIP.sys, ipnat.sys, ipsec.sys, & ipfiltdrv.sys interact, PLUS how you can use them to your advantage in security! apk
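The dialog walk-through above writes a few registry values that the legacy TCP/IP filtering driver reads at boot, which is also why the reboot is needed. As an added example, not the commenter's own, the PowerShell below sets the same "Permit Only" TCP list (the post's 80, 8080 and 443) and "Permit All" UDP choice on every interface at once, so the configuration can be applied repeatably and audited. The value names (EnableSecurityFilters, TCPAllowedPorts, UDPAllowedPorts, RawIPAllowedProtocols) are the documented ones for Windows 2000/XP/Server 2003; that a single entry of "0" means "permit all" is taken from that documentation and is an assumption here, not something retested for this page.

```powershell
# Added example (not from the Slashdot post): registry equivalent of the
# "TCP/IP Filtering" dialog. Run elevated; the setting takes effect after a reboot.
# Note: this driver filters INBOUND traffic only; it does not restrict what the
# machine connects out to, so it is no substitute for the browser-side controls
# discussed elsewhere in the thread.

$TcpipParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$InterfaceKey = Join-Path $TcpipParams 'Interfaces'

# "Permit Only" list for TCP, copied from the post. Add 25/110/143 etc. for mail servers.
$AllowedTcpPorts = @('80', '443', '8080')
# "Permit All" is expressed as a single "0" entry (documented meaning; assumed here).
$PermitAll       = @('0')
# IP protocols to allow: 6 = TCP, 17 = UDP (as in the dialog's IP PROTOCOLS box).
$AllowedProtos   = @('6', '17')

# Global switch: the "Enable TCP/IP Filtering (on all adapters)" checkbox.
Set-ItemProperty -Path $TcpipParams -Name 'EnableSecurityFilters' -Type DWord -Value 1

# The per-port lists live under each adapter's interface GUID.
foreach ($iface in Get-ChildItem -Path $InterfaceKey) {
    Set-ItemProperty -Path $iface.PSPath -Name 'TCPAllowedPorts'       -Type MultiString -Value $AllowedTcpPorts
    Set-ItemProperty -Path $iface.PSPath -Name 'UDPAllowedPorts'       -Type MultiString -Value $PermitAll
    Set-ItemProperty -Path $iface.PSPath -Name 'RawIPAllowedProtocols' -Type MultiString -Value $AllowedProtos
}

# Read back so the result can be checked (and diffed against a baseline later).
Write-Host "EnableSecurityFilters = $((Get-ItemProperty -Path $TcpipParams).EnableSecurityFilters)"
foreach ($iface in Get-ChildItem -Path $InterfaceKey) {
    $p = Get-ItemProperty -Path $iface.PSPath
    Write-Host ("{0}: TCP={1} UDP={2} Proto={3}" -f $iface.PSChildName,
        ($p.TCPAllowedPorts -join ','), ($p.UDPAllowedPorts -join ','), ($p.RawIPAllowedProtocols -join ','))
}
Write-Host 'Reboot for the filter to take effect.'
```

On XP SP2 and Server 2003 SP1 or later the built-in Windows Firewall covers the same inbound case with logging and per-program rules and is the better choice; this filter is worth knowing mainly because it is what the dialog in the post actually configures, and because a change to these values is something a host-based audit should flag.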
and Eve sends you a video of herself? Hmmm...maybe not so bad.
Tharkban (It is a signature after all)
the browsers should protect us against criminals
drm protects criminals against fair use
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
I'm glad I use Opera 9.21 for most of my browsing.
http://www.opera.com/
But I really love Firefox 2.0 because of the Firebug plugin.
Count me as another. Not only "Noscript", but a javascript&cookie filtering firewall set to default block everything not explicitly permitted. That's behind a linux proxy server (windows boxes on unroutable, internal subnet) which is behind a hardware firewall box.
May not be perfect, but I haven't had a break-in yet... (~7+ years managing my own broadband vs. using employer's and their firewall).
Yep, the Qt plugin for Firefox is a piece of crap. Anyone know of an alternative plugin to play mp3s (I mean, how often do you come across an embedded quicktime file these days)?
sealed up.. air-tight... naked and petrified.. covered in hot grits.
OH LAWD.