Vulnerability

Fixed in Firefox 3.0.2

MFSA 2008-44 resource: traversal vulnerabilities
MFSA 2008-43 BOM characters stripped from JavaScript before execution
MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
MFSA 2008-40 Forced mouse drag

Security Advisory
Release Notes
Download

{ 0 comments }

Apple had previously said that the vunerability, found by security consultant Nitesh Dhanjani and dubbed the”carpet bombing” bug, would not be treated as a security issue, but rather filed as an enhancement request.
Certifiedbug: Apple’s Safari Carpet Bomb

A second researcher, Aviv Raff, found a way to execute files on the desktop without notifying the user.
Safari pwns Internet Explorer

Microsoft released a Security Advisory (953818) May 30th:
Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform

Apple:

To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user’s Downloads folder on Windows Vista, and to the user’s Documents folder on Windows XP. This issue does not exist on systems running Mac OS X.

About the security content of Safari 3.1.2 for Windows

{ 0 comments }

According to Tipping Point’s Zero Day Initiative, the vulnerability was reported within the first five hours of Firefox 3’s release.

While Mozilla is working on a fix, we wont be divulging anything else until a patch is available, adhering to our vulnerability disclosure policy.  Once the issue is patched, we’ll be publishing an advisory here. Working with Mozilla on past security issues, we’ve found them to have a good track record and expect a reasonable turnaround on this issue as well.

{ 0 comments }

Securia reports highly critical vulnerabilities in Trillian the popular instant messaging client.

Description:
Some vulnerabilities have been reported in Trillian, which can be exploited by malicious people to compromise a user’s system.

1) A boundary error within the header parsing code for the MSN protocol can be exploited to cause a stack-based buffer overflow via a specially crafted X-MMS-IM-FORMAT header with an overly long attribute.
Successful exploitation allows execution of arbitrary code.

2) An error within the XML parsing in talk.dll can be exploited to cause a memory corruption via certain malformed attributes within an ‘IMG’ tag.

Successful exploitation allows execution of arbitrary code.

3) A boundary error when parsing messages (e.g. via the AIM network) with overly long attribute values within the FONT tag can be exploited to cause a stack-based buffer overflow.

Successful exploitation allows execution of arbitrary code but requires that the user is tricked into opening a malicious image file.

Solution:
Update to version 3.1.10.0.
http://www.ceruleanstudios.com/downloads/

Your Trillian client may not inform you of the updates. I used the drop down menu, “Check for updates” and was informed no updates were available.

After downloading and starting the installation of the latest version, I saw the Weather Channel and ASK toolbar were offered as pre-checked options to install with Trillian.

Inside those tiny EULA boxes was a full page of disclosures for each program, if you copy/paste the text into an editor you can read the EULA rather than squinting at a scroll box. Know what you are agreeing to if leaving the box checked to install.

Weather Channel:
“1. PURPOSE. The software you are installing (the “Software”) is provided by The Weather Channel Interactive, Inc. (”TWCi”) and provides you with a quick view of the current weather in a city you select, and provides other weather-related information and data on your desktop (the “Services”). This Agreement contains terms and conditions that apply to both the subscription version of the Software (”Desktop Max Software”) and Services (”Desktop Max Services”) and the advertisement-supported version of the Software (”Desktop Software”) and Services (”Desktop Services”).
14. DESKTOP MAX SERVICES. You agree that if you license Desktop Max Services, the following additional terms will apply:
A. You agree to pay TWCi the monthly or annual service charge for your use Desktop Max Services using a valid credit or debit card, plus any applicable taxes, in accordance with the billing terms and prices in effect at the time the fee or charge becomes payable. You authorize TWCi to automatically bill the charge card you provide each month or year (as applicable), or withdraw funds via electronic transfer from your checking account (depending on what type of charge card you are using), until you cancel Desktop Max Services. Payments are billed in advance at the beginning of the applicable month or year. You agree to provide TWCi with a valid credit or debit card and accurate, complete and updated information required by the subscription registration form. Failure to comply may result in the immediate termination of Desktop Max Services.
B. You agree to notify TWCi about any billing problems or discrepancies within 90 days after they first appear on your account statement. If you do not bring them to TWCi’s attention within 90 days, you agree that you waive your right to dispute such problems or discrepancies.”

ASK Toolbar:
“END USER LICENSE AGREEMENT/PRIVACY POLICY/TERMS OF SERVICES

IMPORTANT — PLEASE READ CAREFULLY - SHORT PLAIN ENGLISH SUMMARY OF END USER LICENSE

This is a legal contract between you and IAC Search & Media, Inc. You must agree to this contract and abide by its terms in order to download and use the toolbar. You must be 18 years of age in order to agree to this contract and download this product. IF YOU ARE NOT YET 18, PLEASE ASK YOUR PARENT OR GUARDIAN TO DOWNLOAD THE TOOLBAR FOR YOU.

UPON INSTALLATION OF THE TOOLBAR, THE FOLLOWING FEATURES WILL BE ADDED TO YOUR BROWSER:

SEARCH BOX is a toolbar to your Internet browser. The browser toolbar is customizable and will provide you access to Ask.com search results..

SEARCH ASSISTANT: This provides relevant links and results when your search request or browser address request is misspelled or incorrectly formatted.

In addition, an Easy Installer will be downloaded to install this software. It does not install any other software and is automatically deleted the first time you turn off your computer after installation of the above-described products.

THIS PRODUCT AND ALL THE FEATURES LISTED ABOVE ARE FREE.

NO REGISTRATION OR PERSONAL INFORMATION IS REQUIRED.”

Please read each EULA completely and if installing do so as an informed user.

{ 0 comments }

Secunia Research 20/05/2008

Foxit Reader “util.printf()” Buffer Overflow.

1) Affected Software
* Foxit Reader 2.3 build 2825
NOTE: Other versions may also be affected.

2) Severity
Rating: Highly critical
Impact: From remote
Where: System access

3) Vendor’s Description of Software
“Foxit Reader is a free PDF document viewer and printer, with
incredible small size (only 2.55 M download size), breezing-fast
launch speed and rich feature set. Foxit Reader supports Windows Me/
2000/XP/2003/Vista. Its core function is compatible with PDF Standard
1.7.”.
Product Link:
http://www.foxitsoftware.com/pdf/rd_intro.php

4) Description of Vulnerability
Secunia Research has discovered a vulnerability in Foxit Reader, which
can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to a boundary error when parsing
format strings containing a floating point specifier in the
“util.printf()” JavaScript function. This can be exploited to cause a
stack-based buffer overflow via a specially crafted PDF file.
Successful exploitation allows execution of arbitrary code.

5) Solution
The vulnerability is fixed in upcoming version 2.3 build 2912.

6) Time Table
23/04/2008 - Vendor notified.
08/05/2008 - Vendor notified again.
08/05/2008 - Vendor response.
20/05/2008 - Public disclosure.

{ 0 comments }

In an interview with Netcraft, Finnish security researcher Harry Sintonen reported a critical cross-site scripting vulnerability on paypal.com.

Netcraft

The vulnerability is made worse by the fact that the affected page uses an Extended Validation SSL certificate, which causes the browser’s address bar to turn green, assuring visitors that the site – and its content – belongs to PayPal.

{ 0 comments }

Nitesh Dhanjani released his research on issues within Apple’s Safari browser today.

Apprantly Apple has decided not to fix two of the issues and gave Dhanjani permission to discuss them with the security community.

1. Safari Carpet Bomb. It is possible for a rogue website to litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed).

The implication of this is obvious: Malware downloaded to the user’s desktop without the user’s consent.

Apple does not feel this is a issue they want to tackle at this time. In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system. Apple agreed it was a good suggestion:

…the ability to have a preference to “Ask me before downloading anything” is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.

[credit to BK have-it-your-way Rios for suggesting the term "Carpet Bomb" to describe this issue].

2. Sandbox not Applied to Local Resources. This issue is more of a feature set request than a vulnerability. For example, Internet Explorer warns users when a local resource such as an HTML file attempts to invoke client side scripting. I feel this is an important security feature because of user expectations: even the most sophisticated users differentiate between the risk of clicking on an executable they have downloaded (risk perceived to be higher) to clicking on a HTML file they have downloaded (risk perceived to be lower).

Apple’s response was positive:

…we have been investigating the potential for a “safe” mode for local HTML. This is an area that requires a fairly deep investigation to address compatibility issues, and to determine the proper operation. Please understand that when we label this as a security hardening measure, we are not discounting the benefits that this could have.

http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html

{ 0 comments }

Mozilla Security Blog

The Vietnamese language pack for Firefox 2 contains inserted code to load remote content. This code is the result of a virus infection, but does not contain the virus itself. This usually results in the user seeing unwanted ads, but may be used for more malicious actions.

Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy. While we cannot determine the exact number of compromised downloads, there have been 16,667 total downloads of the Vietnamese language pack since November 2007, so we anticipate the impact on users to be limited.

Mozilla does virus scans at upload time but the virus scanner did not catch this issue until several months after the upload. We are also adding after-the-fact scans of everything to address this sort of case in the future.

A new language pack will be available shortly. Until then, Vietnamese language pack users should disable this package using the add-ons dialog on the Tools menu.

More information is available in bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=432406

{ 0 comments }

Fortinet reports multiple vulnerabilities in the javascript API for Adobe Acrobat Professional / Adobe Reader.

Impact: Remote code execution and privilege escalation.
Risk: Critical
Affected Software:
Adobe Acrobat Professional 7.0.9
Adobe Reader 7.0.9

Additional Information:
Two vulnerabilities exist in the Adobe javascript api, which are exploited through a user-supplied callback function:
A memory corruption issue that can be remotely exploited, allowing a remote attacker to execute arbitrary code on the affected system
A privilege escalation issue that allows an attacker to bypass security measures to remotely access restricted functions

Solutions:
Users should apply the update supplied by Adobe to address these issues

http://www.adobe.com/support/security/bulletins/apsb08-13.html

Full Disclosure: Adobe Acrobat Professional Javascript For PDF Security Feature Bypass and Memory Corruption Vulnerabilities
http://seclists.org/fulldisclosure/2008/May/0140.html

Hosted and sponsored by Secunia

{ 0 comments }