Firefox update fixes critical security vulnerabilities

March 26, 2008 – 5:05 AM

The Mozilla project is distributing version 2.0.0.13 of its popular open source Firefox browser. This release fixes several critical vulnerabilities that attackers could exploit to execute malicious code or spoof page content.

Several of the vulnerabilities are in the browser’s JavaScript engine. Because of incorrect handling of JavaScript, attackers can execute arbitrary code with the browser’s full privileges and also perform cross-site scripting (MFSA-2008-14 and MFSA-2008-15). Security advisory MFSA-2008-18 describes a vulnerability that allows Java applets to connect to any port on the local computer. According to the Mozilla advisory, Sun has fixed the bug in the current Java Runtime Environment, but the Mozilla developers have also added countermeasures on the browser side in the new version.

Another vulnerability allows a crafted page in a background tab to open a borderless popup and place it in front of the user’s active tab. This could be used to spoof form elements and phish for data such as login credentials. Attackers can also circumvent the method some websites use to protect against cross-site request forgery (CSRF) if the server-side protection is based solely on checking the Referer header, because the HTTP Referer can be faked (MFSA-2008-16). Firefox could also leak personal data: if the user has a personal certificate installed, the browser presented it automatically whenever a website requested SSL client authentication. According to security advisory MFSA-2008-17, after the update the browser asks the user before presenting a client certificate that a website requests.

Most of the security vulnerabilities also affect the Thunderbird mail client and the SeaMonkey browser suite. The advisories name Thunderbird 2.0.0.13 and SeaMonkey 1.1.9 as the versions in which these bugs are fixed, but those versions are not yet being distributed automatically. Firefox users should install the update without delay, as the vulnerabilities can be exploited by crafted web pages to install trojans.

Source: Heise Online

Security and safe browsing for Firefox

March 25, 2008 – 5:02 AM

You installed Firefox.  How do you make it more secure for daily use?  How do the Mozilla developers ensure that they are doing all the right things?  How do you safely browse the Internet?

These are not easy questions to answer, and some of the answers will be system/OS-dependent.

Security functionality in Windows versions of Firefox

Using LookingGlass.exe, one can see a few issues with the Firefox 3 beta on Windows Vista or XP SP2.

Clearly, some Firefox binaries (executables and DLLs) are safer now that they opt in to NX, and, as LookingGlass.exe shows, Firefox 3 is likely much safer overall than Firefox 2 (although the attack surface added by new functionality must also be taken into account).

I have already seen a few traversals in Firefox 3, although according to the DVLabs PWN2OWN competition at CanSecWest, “simple directory traversal style bugs are inadequate”.  In other words, they’re only good in the real world, not in a hacking competition.  Just like XSS and CSRF, right?

Almost anyone can get Firefox 3 betas to crash, which also worries me.  Yes, there’s a lot more use of some protections, e.g. NX, but not of others (ASLR would be nice, Mozilla!).

Take a look for yourself at this output from `dumpbin.exe /headers firefox.exe`:

100 DLL characteristics
NX compatible

“DLL characteristics” is a bitmask that dumpbin prints in hex. The 0x100 bit is IMAGE_DLLCHARACTERISTICS_NX_COMPAT, which is what the “NX compatible” line reflects. ASLR is a separate opt-in bit, 0x40 (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, set by the /DYNAMICBASE linker switch). If Firefox were built with ASLR enabled, the line would read “140 DLL characteristics” (both bits set) or, for a binary that opts in to ASLR but not NX, simply “40 DLL characteristics”.  Of course, this hardly matters to those who are not running Vista, since XP ignores the flag, but who wants to wait until Firefox 4 for this functionality?
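The check dumpbin performs can be done without dumpbin. The following is an added example, not code from the post or from Mozilla: it walks the DOS header to the PE signature, reads the DllCharacteristics field of the optional header and reports the NX and ASLR bits. The flag table is the standard PE one; the minimal image built by makePeImage is constructed test input, not a real firefox.exe.

```javascript
// Added example: read the PE DllCharacteristics flags that `dumpbin /headers` prints.
// Works on any Uint8Array holding a PE image (PE32 or PE32+).

const DLLCHAR = {
  HIGH_ENTROPY_VA: 0x0020, // 64-bit ASLR (later toolchains; absent from 2008-era binaries)
  DYNAMIC_BASE:    0x0040, // ASLR opt-in: shows as "40" in dumpbin output
  NX_COMPAT:       0x0100, // DEP/NX opt-in: shows as "100" in dumpbin output
  NO_SEH:          0x0400, // image uses no structured exception handlers
};

function dllCharacteristics(image) {
  const dv = new DataView(image.buffer, image.byteOffset, image.byteLength);
  if (image.byteLength < 0x40 || dv.getUint16(0, true) !== 0x5a4d) {
    throw new Error("not an MZ executable");
  }
  const peOff = dv.getUint32(0x3c, true);                 // e_lfanew -> "PE\0\0"
  if (peOff + 24 + 72 > image.byteLength || dv.getUint32(peOff, true) !== 0x00004550) {
    throw new Error("PE signature missing or truncated header");
  }
  const optOff = peOff + 4 + 20;                          // after signature and COFF file header
  const magic = dv.getUint16(optOff, true);               // 0x10b = PE32, 0x20b = PE32+
  if (magic !== 0x10b && magic !== 0x20b) throw new Error("unknown optional header magic");
  // DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
  const value = dv.getUint16(optOff + 70, true);
  return {
    value,
    hex: value.toString(16),                              // the number dumpbin prints
    nx: (value & DLLCHAR.NX_COMPAT) !== 0,
    aslr: (value & DLLCHAR.DYNAMIC_BASE) !== 0,
    flags: Object.keys(DLLCHAR).filter((k) => (value & DLLCHAR[k]) !== 0),
  };
}

// Constructed input: a minimal PE32 header with a chosen DllCharacteristics value,
// just enough structure for the parser above (not a loadable executable).
function makePeImage(dllChars) {
  const peOff = 0x80;
  const buf = new Uint8Array(peOff + 4 + 20 + 224);
  const dv = new DataView(buf.buffer);
  dv.setUint16(0, 0x5a4d, true);             // "MZ"
  dv.setUint32(0x3c, peOff, true);           // e_lfanew
  dv.setUint32(peOff, 0x00004550, true);     // "PE\0\0"
  dv.setUint16(peOff + 4, 0x14c, true);      // Machine = IMAGE_FILE_MACHINE_I386
  dv.setUint16(peOff + 4 + 16, 224, true);   // SizeOfOptionalHeader for PE32
  const optOff = peOff + 24;
  dv.setUint16(optOff, 0x10b, true);         // PE32 magic
  dv.setUint16(optOff + 70, dllChars, true); // DllCharacteristics
  return buf;
}

// Usage on a real file: node pecheck.js C:\path\to\firefox.exe
if (typeof process !== "undefined" && process.argv[2]) {
  const fs = require("fs");
  console.log(dllCharacteristics(new Uint8Array(fs.readFileSync(process.argv[2]))));
} else {
  // Matches the post's "100 DLL characteristics": NX yes, ASLR no.
  console.log(dllCharacteristics(makePeImage(0x100)));
}
```

Run it over every DLL in the Firefox directory rather than just firefox.exe: one module linked without /DYNAMICBASE gives an attacker a fixed address to return into, regardless of what the main executable opts in to.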

Safe browsing with Firefox

I browse with Firefox using a separate profile for each web application that I use.  By setting the environment variable MOZ_NO_REMOTE=1, or by running Firefox with `-no-remote`, multiple profiles can be created, named, and run individually as separate processes.

Additionally, NoScript can protect against some URI attacks and some XSS.  Its built-in filters work as a blacklist, so the real benefit comes from blocking JavaScript, Flash, PDF files, Silverlight, Java applets, and JAR files by default and whitelisting them per site only where they are needed.

Most people will want to use cookies.  They can be inspected and edited with Add N Edit Cookies, allowed on a site-by-site basis with CookieSafe, and kept in multiple “cookie profiles” with CookieSwap.  Simply by using separate Firefox profiles, each profile can be restricted to exactly the cookies its web application needs.  For example, I can search using Google’s search functionality in one profile (with no Google cookies allowed), while another, separate profile allows Google top-level domain cookies so that I can log in to and use Gmail.

I think there are other URI abuse issues that can be prevented.  Using the guidelines at ush.it in a blog post called Clientside security: Hardening Mozilla Firefox, I have set up my profiles to globally deny new URIs, and to explicitly whitelist only http, https, ftp, and javascript.

By default, Firefox provides some insecure and unsafe features.  Automatic form filling is one such feature, including saving passwords for websites.  I even think that some Firefox 3 features such as “safe browsing” are not, in fact, “safe”, and I turn them off.  Most of the URLs used to fetch the “safe browsing” information don’t even use SSL!

Many of the default Firefox permissions for JavaScript are tweaked in my profiles.  All of the dom.disable_window* about:config settings are set to “true”, so scripts cannot raise or lower windows, disable or replace context menus, hide the status bar, or change the status bar text.  Other features such as Java (security.enable_java) and IDN (network.enableIDN) are also turned off (i.e. set to “false”) unless a particular web application needs them to work.

Security assurance for Firefox

Assurance is the critical missing piece.  This is why some people that I know use w3m, curl, and/or links/elinks to access web applications.  Full assurance would mean that every line of code has been verified as secure by a significant majority of security code reviewers/testers in the world.  This may never be possible.

Looking at the source code for Firefox seems rather daunting, but I would be willing to bet there are at least a handful of people dedicated to this cause.  Surely most of them work for Mozilla and are therefore empowered to do something about it.  However, when vulnerability research from Michal Zalewski and others pops up, often unannounced, with full disclosure, and on a semi-regular basis, it is hard to envision a future where Firefox is secure to the same degree as software such as qmail.

The problem is not just the size of the code, but how often it changes.  There have been almost 15k changes (and 2.5 MLOC) in a little over 2 years.  900 changes were made between Firefox 3 beta 3 and beta 4 alone!  This is the primary obstacle to rigorous security code review for a project of this type.  How often do you find yourself updating?

The same issues have plagued Internet Explorer for years, which is why these two browsers have become the vehicles of choice for any would-be adversary.  The only way to stop this madness is to stop changing code and to stop adding features.  It worked for Microsoft when they implemented their SDL — at least it worked with other products.

I’m not sure to what degree the size and rate of change in IE affected its security, or whether the SDL-forced change moratorium worked sufficiently.  There are, and will continue to be, security-related bugs in IE for quite some time.  Of the past 9 Patch events that included Vista vulnerabilities, 7 were at least partially related to IE.  Of the 36 vulnerabilities, almost 20 were related to IE.

Besides suggesting a change moratorium on the Mozilla source code (which I still contend is a good idea), I can only recommend one other strategy to improve this situation: better unit/component-level testing of Mozilla code that asserts each defect’s fix, in the same way that I made recommendations for the CPSL process I described back in December.

Efficiencies in refactoring the Firefox source code might also help here and there.  I don’t think that the Mozilla developers use Microsoft’s Visual Studio, but their development environment could probably stand to use something like ReSharper.  I have not seen a C++ equivalent, and would be interested in seeing other tools in this class.

I’ve heard a lot of analogies thrown around in the security world year-over-year.  Here’s a new one for you to think over:

Like an open front door, web browsers are the most common entry point for attackers.  Many spirited vulnerability researchers additionally contend that the web browser is the most powerful weapon in an attacker’s arsenal.  Until we can close and lock this door, the rest of our protections will also continue to fail.

Source: TS/SCI Security

How to Speed Up Windows Vista

March 25, 2008 – 4:50 AM

SP1 may not give your system much more oomph, but there are other ways to speed Vista up. Spending a few minutes (or a few dollars) optimizing your Vista PC can help it get its groove on.

Get flashy: If you have an extra USB flash drive that you don’t use for much else, Vista can cache disk reads on it, thereby boosting performance beyond what you’d get from your hard disk alone. Simply insert your flash drive into a USB 2.0 port. If the drive is fast enough, a prompt will appear, asking whether you want to open the folder for the drive or use it to ‘Speed up my system using Windows ReadyBoost’ (see the screen shot at left). Choose the latter option, and follow the remaining prompts. When you’re calculating how much space to set aside for ReadyBoost to use, Microsoft recommends that you let ReadyBoost use one to three times the amount of RAM on your system.

Play your cards right: USB thumb drives aren’t the only way to boost system performance, fortunately, since USB memory sticks protruding from a computer (particularly a laptop) are easy to dislodge, and they can be a pain to remove and stow for traveling. If your PC has a reader for SD (Secure Digital) or CompactFlash cards, you can use those media in place of a USB stick to handle your ReadyBoost needs.

Seize control: Speeding up Vista isn’t enough; you need to prevent the OS from slowing you down. The annoying Vista pop-ups that ask you to ‘Allow’ or ‘Deny’ many actions are examples of Vista’s User Account Control at work. Those prompts are what make you safer, but your productivity may suffer if you must constantly respond to UAC’s demands, so prefer reducing their frequency over switching UAC off outright. For ways to reduce the intrusiveness of this feature, see “Annoyance Buster: Make Vista’s User Account Control Work for You.”

See if your hardware is slowing you down: In Explorer, right-click Computer and choose Properties. Next to ‘Rating’, click Windows Experience Index. The component with the lowest subscore is the biggest bottleneck in your Vista experience. For example, if the lowest score is for Graphics, it may be time to invest in a new graphics card.

Sideline sidebar: If you don’t need the little “gadget” doo-dads in the Vista sidebar, get rid of them. Right-click the Windows Sidebar icon in the taskbar tray and choose Exit. Open the Control Panel and launch Windows Sidebar Properties in the ‘Appearance and Personalization’ category. Uncheck Start sidebar when Windows starts and click OK (see the screen shot at left).

What would Windows do? If you have an older or less capable video card, click Start, type systempropertiesperformance, and press Enter. Click Continue if prompted by User Account Control. Select Adjust for best performance. Or cherry-pick the options you can’t live without. (Fewer checkmarks mean better performance.) Click OK.

Dis-Service yourself: Don’t let unneeded software components waste memory or put a ball-and-chain on your Windows startup. Click Start, type msconfig, and press Enter. Confirm if prompted by User Account Control. But be careful! Click the Services tab, and uncheck only the services you’re certain you don’t need. To be safe, uncheck one, reboot, and see if everything still works fine before moving on to another. Do your homework via Online help or a Web search before experimenting!

Here are some services that you might be able to do without: If you don’t work interactively with a remote computer, don’t run programs from a server, and don’t need Remote Desktop, uncheck Terminal Services. If you can live without Windows diagnostic and troubleshooting services, uncheck Diagnostic Policy Service, Diagnostic Service Host, and Diagnostic System Host. If you don’t want Windows to index your files for searching, uncheck Windows Search. Other Services options to consider disabling include ‘Fax’, ‘Offline Files’, ‘Smart Card’ and ‘Smart Card Removal Policy’ (leave both alone if you log on with a smart card), ‘Themes’, and ‘Windows Error Reporting Service’.

Keep your disk in shape: The same advice you’ve heard for years is true for Vista, too: Delete the useless clutter on your hard disk and defragment it. To do the former, click Start, type Cleanup, and press Enter. Specify the drive and files to clean and click OK. You may need to repeat the steps for multiple drives. To defrag your drives, click Start, type Defragmenter, and press Enter. Use this dialog box to set up a time to defrag your disk regularly at a time when you are away from your system. Vista has an automatic defragmenting feature that may kick in at inopportune times; scheduling your defrags will help ensure that these operations don’t occur while you’re working.

Be a power pig: If you don’t mind spending more, you can boost your system’s performance by adjusting its power options. In the Control Panel, launch Power Options in the ‘System and Maintenance’ category. Select High Performance, close the dialog box (see the screen shot at left), and prepare yourself for a higher electric bill.

Source: PC World

Does IE 8 Equal Safer Surfing?

March 24, 2008 – 6:17 PM

Microsoft is promising that the upcoming IE (Internet Explorer) 8 will be the safest and most secure version of its Web browser yet. Of course, everyone has heard this song before. Still, with the addition of two significant new security features, it’s hard to argue that the new release won’t represent at least a modest step forward in Microsoft’s quest for rock-solid browser security.

Despite improvements, IE 8 won’t offer the same degree of security improvement as IE 7 did. That version boasted a slew of new security features and signified a major advancement over its frequently attacked predecessor, IE 6.

The Enhancements

IE 8’s security environment benefits from the addition of two major enhancements: the Safety Filter tool and the Domain Highlighting feature. Here’s a closer look at both of these new enhancements.

Safety Filter

Because phishing attacks have become more frequent, more damaging and more sophisticated, Microsoft has equipped IE 8 with improved technology that clearly identifies dodgy Web sites. IE 7 took a big step forward in this direction with its Phishing Filter. Now, IE 8 ups the ante with a new Safety Filter that analyzes the entire URL string to search for carefully hidden signs that a Web site may be something other than it claims to be.

In Microsoft’s words, the Safety Filter provides “a more granular detection” capability, allowing the browser to protect users from more targeted and sophisticated attacks. IT administrators also have access to new Group Policy options that enable them to remove the user-override option and completely block access to known unsafe sites.

IE 8’s Safety Filter may not be the most powerful anti-phishing tool ever developed, but it marks a definite incremental advance in the battle against email frauds, at least those that target IE users.

Domain Highlighting

IE 8’s other major new security feature is a technology that highlights the site’s domain (the part of the URL that identifies who owns the site) in the browser’s address bar. This enhancement might not sound like much, but it is designed to provide a hard-to-miss visual cue that will function like a traffic light. The idea is to enable users to quickly confirm that the Web site they are visiting is the site that they intended to visit.

With Domain Highlighting, the site’s name is presented in a bold, black font, distinct from other characters in the URL, which are colored gray. Many malicious Web sites have intentionally complex URLs that are designed to confuse and mislead users. Domain Highlighting will make it easier for users to know exactly what site they’re visiting.

So should you upgrade to IE 8? Most users won’t upgrade solely to take advantage of the aforementioned new security features. Other browser enhancements, such as WebSlices (a feature that allows users to subscribe to and receive regular updates from different parts of a Web page), Activities (contextual menus on Web pages that can supply additional information via Web services) and possibly even a new user interface are the main focus of attention in IE 8.

Still, the two major security improvements are useful, and they serve to reinforce a product that is much more secure than the one that was offered a mere two versions ago.

Source:  IT Security

Firefox Web Application Testing Tools

March 24, 2008 – 4:52 AM

Exploit-Me is a suite of Firefox web application security testing tools. Exploit-Me tools are designed to be lightweight and easy to use. Instead of using a proxy like many web application testing tools, Exploit-Me integrates directly with Firefox. It currently consists of two tools, one for XSS and one for SQL Injection.

The Exploit-Me series was originally introduced at the SecTor conference in Toronto. The slides for the presentation are available for download [PDF].

Currently in their beta release stage, these open source (GPL v3) Firefox plug-ins submit a web application’s visible and hidden form fields with attack strings to test its input validation.

XSS-Me

XSS-Me is the Exploit-Me tool used to test for reflected Cross-Site Scripting (XSS). It does NOT currently test for stored XSS.

The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an XSS attack.

If the resulting HTML page sets a specific JavaScript value (document.vulnerable=true) then the tool marks the page as vulnerable to the given XSS string.

The tool does not attempt to compromise the security of the given system. It looks for possible entry points for an attack against the system. There is no port scanning, packet sniffing, password hacking or firewall attacking done by the tool.

SQL Inject-Me

SQL Inject-Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities.

The tool works by submitting your HTML forms and substituting the form values with strings that are representative of an SQL Injection attack.

The tool works by sending database escape strings through the form fields. It then looks for database error messages that are output into the rendered HTML of the page.

Like XSS-Me, the tool does not attempt to compromise the security of the given system; it only looks for possible entry points for an attack. There is no port scanning, packet sniffing, password hacking or firewall attacking done by the tool.
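The two detection strategies described above (reflect an XSS marker and see whether it lands in the page; send SQL escape strings and look for database error messages) can be shown in a few dozen lines. The following is an added example, not part of Exploit-Me or Security Compass’s code: a minimal form fuzzer run against two constructed handlers that stand in for the web application. The probe strings and error-message patterns are the author’s own choices, and the XSS oracle here is textual (the payload survives unencoded in the response) rather than XSS-Me’s check of document.vulnerable in a rendered page.

```javascript
// Added example: a small form fuzzer in the style of XSS-Me / SQL Inject-Me,
// with a constructed vulnerable handler and its hardened counterpart.

// Probe strings (constructed; the real tools ship their own, longer lists).
const XSS_PAYLOADS = [
  "<script>document.vulnerable=true;</script>",
  '"><script>document.vulnerable=true;</script>',
  '<img src=x onerror="document.vulnerable=true">',
];
const SQLI_PAYLOADS = ["'", "' OR '1'='1", "1' --"];

// Database error signatures to look for in the rendered HTML.
const DB_ERROR_PATTERNS = [
  /You have an error in your SQL syntax/i,                 // MySQL
  /Unclosed quotation mark after the character string/i,   // MS SQL Server
  /ORA-\d{5}/,                                             // Oracle
  /pg_query\(\)|syntax error at or near/i,                 // PostgreSQL
  /SQLITE_ERROR|SQLite3::SQLException/i,                   // SQLite
];

// Submit each field with each probe; `handler(params)` plays the role of the
// HTTP round trip and returns the response HTML.
function scanForm(handler, fieldNames, baseline = {}) {
  const findings = { xss: [], sqli: [] };
  for (const field of fieldNames) {
    for (const payload of XSS_PAYLOADS) {
      const html = handler({ ...baseline, [field]: payload });
      // Reflected verbatim means the marker script would run when rendered.
      if (html.includes(payload)) findings.xss.push({ field, payload });
    }
    for (const payload of SQLI_PAYLOADS) {
      const html = handler({ ...baseline, [field]: payload });
      const hit = DB_ERROR_PATTERNS.find((re) => re.test(html));
      if (hit) findings.sqli.push({ field, payload, evidence: html.match(hit)[0] });
    }
  }
  return findings;
}

// Constructed vulnerable handler: reflects `q` unescaped and leaks the DB error
// that a string-concatenated query would raise on an unbalanced quote.
function vulnerableHandler(params) {
  const q = params.q ?? "";
  if (q.includes("'")) {
    return `<html><body><p>Error: You have an error in your SQL syntax; check the manual near '${q}'</p></body></html>`;
  }
  return `<html><body><p>Results for ${q}</p></body></html>`;
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Hardened handler: output is HTML-encoded and database errors are never shown
// to the client (a parameterised query would not choke on the quote at all).
function hardenedHandler(params) {
  const q = params.q ?? "";
  return `<html><body><p>Results for ${escapeHtml(q)}</p></body></html>`;
}

console.log("vulnerable:", JSON.stringify(scanForm(vulnerableHandler, ["q"]), null, 2));
console.log("hardened:", JSON.stringify(scanForm(hardenedHandler, ["q"]), null, 2));
```

Note what the error-based oracle does not catch: a site that swallows database errors but still concatenates input into its queries is just as injectable and will scan clean here, which is the same blind spot SQL Inject-Me has and why a clean scan is not proof of safety.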

You can get XSS-Me and SQL Inject-Me here:

Download XSS-Me Now!
Download SQL Inject-Me Now!

Source: Security Compass