No, it was in the final release IIRC - and in Mandrake and other distros. It was an issue with the disk geometry being reported differently by the 2.6 kernel and parted apparently did not handle it right. The main issue, apparently, was that parted did something Windows didn't like. It was easily fixed with a one line command, but Fedora issued the lame excuse that none of their testers have dual-boot systems (which is ridiculous - dual booting is a VERY common configuration.)
As for OSS testing, I'm not referring to alpha/beta level stuff - I expect alpha/beta stuff not to be entirely bug-free. I do object to "permanent beta" status, however, since that's just ridiculous. Get to a stable point and issue a release. But things like the dual-boot bug are show-stoppers (even though easily fixed) and should not be allowed through.
My understanding was it was because of a change in the disk geometry reporting by the 2.6 kernel, and the failure of parted to deal with this properly - which was aggravated by the lame excuse Fedora issued saying none of their testers had dual-boot systems.
I suppose it is likely that only certain BIOSs were involved, and I agree the problem did not seem to affect everybody, but it still probably would have been detected had Fedora used dual-boot systems (a VERY common configuration) to test - especially since they should have been aware of the 2.6 kernel changes and immediately tested parted.
Nobody has ever said that EVERY OSS project has "many eyes" ON the project.
What has been said is that to the extent that the source code is included, and is available for perusal by those who KNOW how to do so, this is an extra safeguard since SOME people OTHER than the developers will examine the code - possibly for precisely such reason as security.
And that is exactly what is proved by such incidents. Somebody examined the source code and determined there was a problem.
They didn't have to wait on someone at Microsoft to do so.
If anything in OSS can be complained about, it's the relatively poor amount of testing that seems to get done. Things like the dual-boot bug in Fedora last year should not happen.
Excuse me, but "market share increase" != "more security flaws".
That's not even logical.
The flaws were THERE before anybody downloaded the first copy of IE OR FireFox.
And malicious hackers will attack anything they can get their hands on. In fact, FireFox is probably a nice target since it's new (not old news like IE where tons of flaws are already known), has a lot of mindshare (means more "leet" status if you break it), and is different in its design and coding (which means you learn something by breaking it.)
The reason IE HAS flaws is DESIGN, not market share.
When FireFox HAS as much market share as IE, AND has had the SAME number of flaws reported, THEN you can consider saying it was as badly DESIGNED as IE.
I'm not holding my breath either way, because geeks can't program worth shit and neither can corporate slaves.
And yet the only way to be infected by a site pretending to be a whitelisted site is to go back to that site.
Which I for one don't do every day - I get my update, then probably will never see the site again. It's not like I desperately need every new update to every little extension (I only use two or three anyway).
Compared to the worm currently comprising 25% of Internet email which infects Windows, I find it hard to get excited over this little problem, despite the "critical" nature (being that if indeed it occurs, the malicious user can take over the machine.)
JVM in use on the server (which IS the client in this case) was the (IIRC) 1.4.2 (not 1.5) downloaded that night and installed. Ditto the current Java Media Framework.
I assume it was entirely due to the host OS being 2003 Server and not XP or 2000. The MS servers aren't exactly designed to be a consumer or media machine OS. Or possibly simply the camera client was poorly written (however, I still blame IE for crashing.)
As for the point, the point is Windows is badly designed vis-a-vis task management vs. Linux. When I kill a job in Linux, it's history and it doesn't bug me about it after I've explicitly told it to kill a job. Even my Windows-centric teacher recognizes that as stupid.
I went over to Sys-Con's main site and tried to contact their Editorial department using their email contact address on the page for Editorial.
I get this from ALL their email addresses:
File Not Found
Request/contactemail.cfm
BlueDragon Time @ Server: 12:43:48.772 Monday, 9 May 2005
This occurs with both Firefox and IE.
Looks like the "leading Web IT company" can't handle Web email properly. Either that or they DON'T want anybody talking back to them.
Also, I note that their sites are touting this garbage from O'Gara as a "hot story", so clearly their editors are in support of O'Gara. It would probably be a waste of time to contact them, anyway.
Contact their advertisers instead. Especially since many of their advertisers may not be aware that their ads for OSS products are running next to O'Gara's articles - SugarCRM was NOT aware of that or even that their ads were running on Linux Business News as their contract was only with LinuxWorld.
As I mention above, it is quite possible that NONE of these advertisers are AWARE that their ads are running next to O'Gara's articles. That was the case with SugarCRM.
This makes it more imperative to tell them that ads for (any) OSS products are running next to articles attacking OSS.
After the "bozo sues open source" story last week from O'Gara, I sent an email to SugarCRM, whose ad was running next to the story. For those not in the know, SugarCRM is an open source CRM suite that is highly regarded in the CRM market. I figured they might like to know that they were advertising in a journal that is constantly attacking open source while claiming to be about "Linux Business News".
Well, their marketing person got back to me and said they don't run ads on Linux Business News - only with Sys-con's LinuxWorld site.
So I wrote back explaining that I just checked and the ad was right there, and described the ad.
She got back to me saying that they didn't even KNOW the ad was running on that site, as they only had a contract with Sys-con to run on LinuxWorld - and she would be checking their ad rep at Sys-con about it.
So it looks like Linux Business News is running ads unbeknownst to the companies involved (either that or SugarCRM never understood their contract). I find that somewhat bizarre. Is there some business benefit to LBN running ads without the knowledge of the companies involved?
Unless you're Yoda...
"What worse wrong word is?!"
Yo, homey! What up? What it is? Run it down! Whaaaas zappening, bro?
Brains? Who needs 'em?
This is the official Mozilla report:
In summary, there are two separate issues that can be combined to execute arbitrary code on a victim's computer: one relating to JavaScript code injection and another involving the icon URL used in the software installation dialogue. However, as described below, the potential for arbitrary code execution is no longer a threat for most users.
The first flaw is less serious, though it can potentially lead to sensitive data being stolen and makes the second flaw easier to exploit. The vulnerability allows a malicious site to use frames and JavaScript to inject arbitrary JavaScript code into another site. This allows the malicious site to steal data like cookies or perform actions such as launching the software installation dialogue without being on the user's software installation whitelist (note that this does not allow software to be installed without user intervention). This flaw affects both Mozilla Firefox and the Mozilla Application Suite and can be eliminated by disabling JavaScript.
The second flaw is more serious and involves the software installation dialogue, which is used to ask the user if they wish to install software (such as an extension) from a website. In Mozilla Firefox (but not the Mozilla Application Suite), this dialogue can include an icon, which is supplied by the site as a URL to an image file. Due to insufficient checking, this icon URL can actually be a piece of JavaScript code, which is run with no further prompting. As this code actually runs from the software installation dialogue, rather than a webpage, it is executed with 'full chrome privileges', meaning that it can do anything that the user running Firefox can, including installing software or deleting files. This is the more serious flaw, allowing arbitrary software execution, and only affects Mozilla Firefox. It can be prevented by disabling software installation.
On its own, the second flaw can only be exploited by a site on the user's software installation whitelist. However, a malicious site can combine the first and second attacks to execute arbitrary code if it knows the details of one of the sites on the whitelist. In a standard Firefox installation, only the Mozilla Update sites (update.mozilla.org and addons.mozilla.org) are on the whitelist by default. This has allowed the Mozilla Foundation to apply a server-side change that prevents attackers from exploiting the code execution flaw using its systems. Therefore, if you have not added any additional sites to the whitelist, you are not at risk from the code execution exploit and have not been since yesterday. However, you will still be vulnerable to the less serious JavaScript injection flaw.
And this is the official Mozilla Advisory:
Mozilla Foundation Security Advisory 2005-42
Title: Code execution via javascript: IconURL
Severity: Critical
Reporter: Paul (Greyhats)
Products: Firefox, Mozilla Suite
Description:
Two vulnerabilities were found in Mozilla Firefox that combined allow an attacker to run arbitrary code. The Mozilla Suite is only partially vulnerable.
By causing a frame to navigate back to a previous javascript: url an attacker can inject script into any site. This could be used to steal cookies or sensitive data from that site, or to perform actions on behalf of that user. (Affects Firefox and the Suite).
A separate vulnerability in the Firefox install confirmation dialog allows an attacker to execute arbitrary code by using a javascript: URL as the package icon. By default only the Mozilla Foundation update site is allowed to bring up this dialog, but the script injection vulnerability described above enables this to be exploited from any malicious site.
The Mozilla Foundation has modified the update servers to prevent their use in this attack.
Workaround
The Mozilla Foundation has made changes to our update servers that will protect users from this arbitrary code execution exploit. Users who have added other extension or th
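The "insufficient checking" of the icon URL described above comes down to a scheme check that has to happen after URL normalisation, not on the raw string. The following is an added example (not Mozilla's code or the fix it shipped): a hypothetical `isSafeIconURL`/`sanitizeInstallRequest` pair that a dialog running with chrome privileges could apply to site-supplied icon URLs, using the WHATWG URL parser so that case, leading whitespace and embedded tabs cannot disguise a `javascript:` URL. The install request at the bottom is constructed sample input.

```javascript
// Added example, not code from Mozilla or the page's author.
// A privileged dialog must only ever load an icon from a scheme it expects;
// everything else (javascript:, vbscript:, file:, data:, ...) falls back to a
// built-in default icon instead of being "loaded".

const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);

// Hypothetical built-in fallback icon; any chrome:// resource would do.
const DEFAULT_ICON_URL = "chrome://example-dialog/skin/default-icon.png";

// Returns true only when `candidate` parses to an http(s) URL.
// `pageURL` (optional) is the URL of the page that asked for the install, used
// to resolve relative icon paths the way a browser would; without it, only
// absolute URLs are accepted.
function isSafeIconURL(candidate, pageURL) {
  if (typeof candidate !== "string" || candidate.trim() === "") return false;
  let url;
  try {
    // The WHATWG parser strips leading/trailing C0 controls and spaces,
    // removes ASCII tab and newline anywhere, and lower-cases the scheme,
    // so "  JaVa\tScRiPt:alert(1)" still yields protocol "javascript:".
    url = pageURL === undefined ? new URL(candidate) : new URL(candidate, pageURL);
  } catch {
    return false; // unparsable input is rejected, never guessed at
  }
  return ALLOWED_ICON_SCHEMES.has(url.protocol);
}

// Produces the parameters the dialog should actually use: the supplied icon
// is kept only when it passes the scheme check; otherwise the default icon is
// substituted and the substitution is flagged so it can be logged.
function sanitizeInstallRequest(request) {
  const { name, iconURL, pageURL } = request;
  const safe = isSafeIconURL(iconURL, pageURL);
  return {
    name: String(name),
    iconURL: safe ? new URL(iconURL, pageURL).href : DEFAULT_ICON_URL,
    iconReplaced: !safe,
  };
}

// Constructed sample: what a malicious page in the described attack would
// hand to the dialog, and what the dialog uses after sanitisation.
const sampleRequest = {
  name: "Example Extension",
  iconURL: " JaVaScRiPt:alert(1)",
  pageURL: "https://addons.mozilla.org/",
};
console.log(sanitizeInstallRequest(sampleRequest));
```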
Yes, there are quite a few sites out there.
Most of them quite legitimate.
Wake me when you find a Firefox extension site that isn't - and has an extension I might actually have been interested in.
Yawn.
Red herring.
He doesn't have to.
Some moron Windows troll will do it for him.
Just like you.
Excuse me, but nothing in the article says that EVERY site offering an extension is a problem. It says that a site CAN be a problem.
So far, NOBODY has reported actually encountering an exploit site.
That makes this bug MUCH less significant than the current Windows worm comprising 25% of all Internet email traffic.
I'd say that when a Microsoft worm consumes 25% of Internet email traffic, that gets my attention.
This little bug (which requires to go to a whitelisted site I may never visit again) really doesn't give me a hardon.
From a news report:
Because the foundation controls all sites in the default software installation white list, it has been able to take preventative action by placing more checks in the server-side Mozilla Update code and moving the update site to another domain.
The foundation said users who have not added any additional sites to their software installation white list are no longer at risk.
So one down, the other to be fixed shortly.
Meanwhile I got a notice this morning that tomorrow's Microsoft security patch will fix one major flaw, but leave others unpatched UNTIL NEXT MONTH.
So much for "days of unpatched vulnerability" supposedly favoring Microsoft.
Correct.
One report says as follows:
Because the foundation controls all sites in the default software installation white list, it has been able to take preventative action by placing more checks in the server-side Mozilla Update code and moving the update site to another domain.
The foundation said users who have not added any additional sites to their software installation white list are no longer at risk.
So one down, the other to be fixed shortly.
Wrong. No such adjustments to Winamp.
Thank you for playing.
Get this - some (many?) of the advertisers on Linux Business News DON'T EVEN KNOW their ads are running next to her articles!
See my post elsewhere.
This makes it even more imperative that they need to be told their ads for OSS products are running next to articles attacking OSS.
I wish I had mod points today - you'd be worth more than Gates (in points anyway).
Laughed like hell.
You have of course got it backwards.
The more people turn to Linux for the reason it needs LESS support than Windows, the more likely Microsoft is to go down. And we're talking corporate here, not home users.
It's quite clear from reports of companies using both or Linux alone that Linux requires fewer sys admins - because it causes fewer problems - than Windows. Personnel expense is something that companies pay attention to.
And just as home users are switching to Firefox - 50 million downloads in the last year - for the ease of use, power, flexibility, speed and security, so they will switch to Linux as these points are eventually demonstrated to them as well.
We will - as we take yours.