2008 March | MalwareTeks Blog


Archive for March, 2008

Mozilla Firefox Multiple Vulnerabilities

Thursday, March 27th, 2008

Secunia Advisory: SA29526
Release Date: 2008-03-26
Critical: Highly critical

Description:
Some vulnerabilities and weaknesses have been reported in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, conduct cross-site scripting and phishing attacks, and potentially compromise a user’s system.

1. An unspecified error in the handling of “XPCNativeWrappers” can lead to the execution of arbitrary Javascript code with the user’s privileges via “setTimeout()” calls.

2. Various errors in the handling of Javascript code can be exploited to conduct cross-site scripting attacks or execute arbitrary code.

3. Various errors in the layout engine can be exploited to cause a memory corruption.

4. Various errors in the Javascript engine can be exploited to cause a memory corruption.

Successful exploitation of these vulnerabilities may allow execution of arbitrary code.

5. An error within the handling of HTTP “Referer:” headers sent with requests to URLs containing “Basic Authentication” credentials having an empty username can be exploited to bypass cross-site request forgery protections.

6. The problem is that Firefox offers a previously configured private SSL certificate when establishing connections to webservers requesting SSL Client Authentication. This can potentially be exploited to disclose sensitive information via a malicious webserver.

7. An error in the handling of the “jar:” protocol can be exploited to establish connections to arbitrary ports on the local machine.

8. An error when displaying XUL pop-up windows can be exploited to hide the window’s borders and facilitate phishing attacks.

The vulnerabilities are reported in versions prior to 2.0.0.13.

Solution:
Update to version 2.0.0.13.

Provided and/or discovered by:
1. moz_bug_r_a4
2. moz_bug_r_a4, Boris Zbarsky, and Johnny Stenback
3. Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett, and Mats Palmgren
4. georgi, tgirmann, and Igor Bukanov
5, 7. Gregory Fleischer
6. Peter Brodersen and Alexander Klink
8. Chris Thomas

Original Advisory:
http://www.mozilla.org/security/announce/2008/mfsa2008-14.html
http://www.mozilla.org/security/announce/2008/mfsa2008-15.html
http://www.mozilla.org/security/announce/2008/mfsa2008-16.html
http://www.mozilla.org/security/announce/2008/mfsa2008-17.html
http://www.mozilla.org/security/announce/2008/mfsa2008-18.html
http://www.mozilla.org/security/announce/2008/mfsa2008-19.html

Other References:
SA27311: http://secunia.com/advisories/27311/

Linux: A Tempting Target for Malware?

Wednesday, March 26th, 2008

By Jack M. Germain
LinuxInsider
Part of the ECT News Network
03/25/08 4:00 AM PT

The Linux operating system is not immune to virus infections, although Linux-specific viruses are extremely rare. Linux servers face more risk of virus attack than Linux desktops. That said, IT security and control firm Sophos recently issued a warning about potential virus infections targeting Linux servers that could pose risks to the Linux operating system. Sophos researchers warned Linux users of the importance of properly securing their Linux systems following findings from SophosLabs that a 6-year-old threat known as “Linux/Rst-B” is still infecting computers and servers.

Spyware ‘scammer’ sued over PC pop-up invasion

Tuesday, March 25th, 2008

By Dan Goodin in San Francisco
26 Mar 2008 00:56

Washington state cracks down

The alleged supplier of some of the net’s most hated malware titles has been sued by Washington state’s attorney general.

Ron Cooke, the owner of Scottsdale, Arizona-based Messenger Solutions, stands accused of violating Washington’s Computer Spyware Act and Consumer Protection Act for marketing programs that went under names including WinAntiVirus Pro 2007, System Doctor, WinAntiSpyware and Messenger Blocker.

According to a complaint filed Tuesday in Washington state court, the company caused some people surfing the net to receive a torrent of pop-ups that advertised porn links and other sketchy sites. The messages were sent through Windows Messenger Service, a feature in Windows that allows network administrators to send notices to users. (The service has been turned off by default since Microsoft pushed out Service Pack 2 for Windows XP, but evidently plenty of people still have it turned on for one reason or another.) [Read Entire Article at the Register]

Yet Another Mainstream Media Type Who Just Doesn’t Have A Clue.

Sunday, March 9th, 2008

While checking headlines at TechNewsWorld, I found this opinion piece by Gene Marks, 10 Technologies Not Yet Ready for SMBs. Can’t miss it. It’s the first article on the home page. Gene Marks is a columnist for Business Week.

I was rather enjoying the cheekiness of the piece, until I got to this:

Open Source Software. Sure, open-source software may be “free,” but the propeller-heads you need to actually get it working, customized, and supported aren’t.

Spending time customizing a software product, just because it’s “open source,” doesn’t mean that time is well spent. Business owners should stick to the boring, off-the-shelf stuff for now.

That passage alone tells me this guy just doesn’t have a clue.

Gene, why don’t you go ask your employer, MSNBC, what type of technology powers their web presence? If the answer is Apache on a Linux server, guess what? It’s Open Source Software.

I find that, in general, people who make these kinds of statements, like the above by you, have never used Open Source Software.

The ability to customize open source to fit a particular need is a selling point. The fact is that, the vast majority of the time, the software fits the need without customization. If a person can use MS Word, I bet they won’t have a problem using OpenOffice Writer. No need to pay some “propeller head” to install, configure, and customize Writer to get it to work.

From the results of a Google search, I deduce this isn’t the first time you have been off the mark.

The Sheer Lunacy of Suggesting the Use of a Blank Password

Saturday, March 8th, 2008

I’ve come to the conclusion that the writers for mainstream technical publications are just as over-the-top as any other journalist.

Very recently, someone discovered the Microsoft article, Strong passwords: How to create and use them, published 22 March, 2006. It’s 2 years old. The article, as you can imagine, is about creating strong passwords. About two-thirds down the page, you encounter this: The “blank password” option.

The author of the article goes on to say at this point, “A blank password (no password at all) on your account is more secure than a weak password such as “1234”.” Whoa, wait-a-minute, what the… Then he/she clarifies that statement by explaining what he/she means.

What’s so special about a blank password? On a computer with Windows XP or newer installed, an account without a password cannot be accessed remotely by means such as a network or the Internet.

If the default settings have not been altered by the system user.

Under very specific conditions, and somewhat rare, the use of a blank password is just fine.

  • You only have one computer or you have several computers but you do not need to access information on one computer from another one
  • The computer is physically secure (you trust everyone who has physical access to the computer)

The second bullet is the most difficult condition to meet.

So, this passage of the MS article has been translated into “Blank Passwords Are More Secure” by the technical media. Have you lost your minds? Get real! The average non-technical reader is going to take that as gospel, and switch to using no password at all. I have no doubt that many are doing so, or using something like “password1” or “1234”.

Now here come my thoughts on the subject:

The sheer lunacy of even suggesting using a blank password for local log-on. That’s the first thing a hacker will try, when sitting in front of a terminal.

Forcing local log-in using a strong password is meant to prevent unauthorized access to the local system; and if the system is configured properly, you’ll be locked out after x number of failed attempts. Which means reboot and start over. Brute force attacks aren’t effective when the system is configured correctly, and a hacker won’t spend that much time trying to get into the system.

If the system is connected to a network, then Network log-on should be required, and if that is configured properly, not only are you locked out of the system after x number of failed attempts, you are locked out of the network, until the Network Administrator resets your account and issues you a new password.

There have been a lot of articles talking about password strength, password security, and password cracking of late. None of them, absolutely none of them, with the exception of the MS article, talk about the use of pass phrases of 15 characters or greater in length. Why a pass phrase 15 characters or longer? They cannot be broken by existing methods. They can be captured by keyloggers.

If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password. And since your password is obviously not null, attempts to crack that hash will fail.
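As an added example (not part of the original post or the Microsoft article), the sketch below audits an exported account list for the LM constant quoted above and uses the NT hash to tell a long passphrase apart from a genuinely blank password. The `user:rid:LM:NT:::` line layout and every sample row are assumptions constructed for illustration; the empty-password NT hash is the well-known MD4 of an empty string.

```python
# Added example: audit a pwdump-style export for LM hash exposure.
# The "user:rid:LM:NT:::" layout is assumed; every SAMPLE row is constructed.

EMPTY_LM_HALF = "AAD3B435B51404EE"             # LM result for an empty 7-character half
EMPTY_LM = EMPTY_LM_HALF * 2                   # the constant quoted in the post
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash (MD4) of the empty string

SAMPLE = """\
alice:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
bob:1002:1122334455667788AAD3B435B51404EE:89ABCDEF0123456789ABCDEF01234567:::
carol:1003:11223344556677888877665544332211:FEDCBA9876543210FEDCBA9876543210:::
guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
broken line
"""

def _is_hash(value):
    return len(value) == 32 and all(c in "0123456789ABCDEF" for c in value)

def classify(lm, nt):
    lm, nt = lm.strip().upper(), nt.strip().upper()
    if not (_is_hash(lm) and _is_hash(nt)):
        return "malformed"
    if lm == EMPTY_LM:
        # Same LM constant for a blank password and for one too long for LM
        # (or LM storage disabled); only the NT hash tells them apart.
        return "blank-password" if nt == EMPTY_NT else "no-lm-hash"
    if lm[16:] == EMPTY_LM_HALF:
        return "lm-stored-max-7-chars"   # second 7-character half is empty
    return "lm-stored-8-to-14-chars"     # both halves populated

def audit(text):
    report = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue                     # skip lines that are not account rows
        user, _rid, lm, nt = fields[:4]
        report[user] = classify(lm, nt)
    return report

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE).items():
        print(f"{user:<8}{verdict}")
```

Accounts reported as `lm-stored-*` still carry a real LM hash and are the ones to move to a 15-character-or-longer passphrase; `blank-password` rows need a password set.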

These articles also fail to point out that the hacker must have access, either remotely or locally, to crack a password. If they have access to the system, then they don’t need to crack the password. There are far more reliable (quicker) methods of compromising a system, Social Engineering attacks leading the way.

The rest of the Microsoft article, Strong passwords: How to create and use them, gives very sound advice on creating strong passwords. You should read it; following the advice given on that page will go a long way toward making your online experience a safer one.

Creating strong passwords and keeping them private is just one piece of the security puzzle; a very critical piece, but still just one piece.


Content © 2006-2008 MalwareTeks - Every post is the opinion of the author

Creative Commons License
All works are licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
