Web Application Flaws archives - Security Bytes


Oct 29 2009   12:18PM GMT

Mozilla update repairs Firefox buffer overflow vulnerabilities

Posted by: Robert Westervelt
Firefox security, Mozilla security, web application flaws

Repairs fix several critical memory corruption errors and buffer overflow flaws that could cause the browser to crash and leave users vulnerable to attack.

Mozilla issued an update to its popular Firefox browser this week, repairing more than a dozen flaws that could cause the browser to operate erratically and crash or allow remote attackers to target vulnerable users.

The browser maker issued 10 advisories on Tuesday, five of them critical, fixing memory corruption errors, buffer overflow flaws and an object handling flaw that could enable an attacker to execute malicious code and gain access to sensitive data. Firefox 3.5.4 and 3.0.15 plug 16 holes in a variety of browser functions.

Mozilla repaired four critical memory corruption errors affecting the browser engine and the JavaScript engine. In its advisory, Mozilla said some of the errors could be targeted by attackers to execute arbitrary code.

The browser maker also updated several third-party libraries used to render media. The affected libraries are used by the browser to read Ogg Vorbis encoded media files.

“Some of the bugs discovered could potentially be used by an attacker to crash a victim’s browser and execute arbitrary code on their computer,” Mozilla said.

Other serious flaws were repaired. The Mozilla update fixed a heap-based buffer overflow in Mozilla’s string to floating point number conversion routines; a flaw that could enable an attacker to execute malicious JavaScript code with chrome privileges; and an error in Mozilla’s GIF image parser.

Last month, Mozilla released a new feature it said would help get users to update third-party plugins. The changes came in the release of Firefox 3.5.3 and Firefox 3.0.14.

Oct 12 2009   8:39PM GMT

Mozilla pushes out update, provides security suite add-ons

Posted by: Robert Westervelt
Firefox security, Mozilla security, web application flaws

Browser maker provides package of add-ons for security focused Firefox users.

Mozilla pushed out a Firefox security update Friday, repairing nearly a dozen flaws that could enable an attacker to crash the browser or take complete control of a computer.

Firefox 3.0.14 and 3.5.3 fix several critical vulnerabilities, including a dangling pointer flaw reported via TippingPoint’s Zero Day Initiative that could allow an attacker to run malicious code on a victim’s computer. In addition, a critical error in FeedWriter could be used by an attacker to run JavaScript code from Web content with elevated privileges, Mozilla said.

In addition, Mozilla fixed nine memory corruption errors with the release of Firefox 3.0.14 and 3.5.3. The vulnerabilities resulted in crashes in the browser engine or the JavaScript engine.

Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

New security add-ons package

Mozilla is offering end users what it calls a Full Security Suite. What it has done is collected four security-oriented add-on tools that users can use to protect themselves from Web-based attacks.

  • NoScript helps stop a clickjacking attack by preventing unauthorized code from running within the browser.
  • Better Privacy helps users concerned about their privacy to stop companies from tracking them using a new Flash-based cookie called a Local Shared Object (LSO).
  • Adblock does what the name implies. It blocks those annoying ad banners.
  • WOT, or Web of Trust, assigns color coding to more than 20 million websites based on the threat they pose. It can warn if you suddenly browse to a high-risk site and even block inappropriate content for children.

The package is a nice start to highlight the tools, which have been available to end users for quite some time. The tools each come with their own unique set of issues. NoScript, for example, may block some website features and need tweaking from time to time. Adblock could also pose that problem.


Sep 24 2009   1:42PM GMT

Attackers target PDF, DirectShow flaws with malicious banner ads

Posted by: Robert Westervelt
web application flaws

Advertising networks DoubleClick, YieldManager and FastClick have supplied a series of malicious banner ads to several popular legitimate websites this week.

Security vendor ScanSafe says it has discovered a series of malicious banner ads appearing on popular websites, including drudgereport.com, horoscope.com and lyrics.com. While the discovery is far from groundbreaking, it supports the recent SANS Institute report showing legitimate websites increasingly being targeted by attackers.

Making it even more difficult for legitimate website owners is the third-party relationship they have with popular advertising networks. Let’s face it, advertising networks are what keep many websites afloat. Without DoubleClick, YieldManager, FastClick and others, many website owners wouldn’t be able to get a snapshot of their audience or provide relevant visitor data to potential advertisers. In this case it appears that the three ad networks I named inadvertently delivered the malicious ads.

From ScanSafe:

The malicious ads delivered PDF and DirectShow exploits engineered to silently install a Trojan downloader. The installed malware attempts to download further malware, intercepts and tampers with Web searches and can redirect the user to sites other than expected – including sites that can lead to further malware infestation.

The malicious ads appeared on the sites between Sept. 19-21. They took advantage of another rising concern highlighted in the SANS report – client applications not being fully patched. In this case, the attackers were targeting PDF and DirectShow flaws – updates that should have been applied to client machines.


Apr 14 2009   1:37PM GMT

Twitter worm attack highlights social network flaws

Posted by: Robert Westervelt
web application flaws, cross site scripting, XSS

A worm attack designed by a 17-year-old hoping to promote a rival social network wreaked havoc on Twitter, but also highlighted the importance of finding and repairing Web application flaws.

A 17-year-old hacker claimed responsibility for attacking the Twitter microblogging service, crippling thousands of accounts with a worm designed to promote his social network.

The worm spread via a social engineering technique. The hacker first tricked users into clicking on a link to a rival social network. The link infected machines and exploited a cross-site scripting error to use the victim’s profile list to broadcast the malicious link to other users.
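The worm described above depended on a stored cross-site scripting flaw: text a user placed in their own profile was written into other users' pages without encoding, so markup in one profile ran as script in everyone else's browser. The following is an added example, not code from Twitter or from this post, showing the defect side by side with the fix: a template that concatenates a profile field raw, the same template with HTML-entity encoding, and a small check a reviewer can run over rendered output. The profile object and the hostile `bio` value are constructed for the example and are not the worm's payload.

```javascript
// Constructed sample profile. The bio holds markup of the kind a stored
// XSS flaw would let an attacker inject; it is a demonstration value only.
const CONSTRUCTED_PROFILE = {
  name: 'alice',
  bio: '<img src=x onerror="alert(1)">',
};

// Vulnerable rendering: the user-controlled field is concatenated into
// the page as-is, so any tag it contains becomes live markup.
function renderProfileUnsafe(profile) {
  return `<div class="bio">${profile.bio}</div>`;
}

// Encode the five characters that can change meaning inside HTML text
// or a quoted attribute. Ampersand must be handled first implicitly by
// the single-pass replace so already-escaped output is not double-encoded
// in one call.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: identical template, but every user-controlled
// field passes through escapeHtml before it reaches the page.
function renderProfileSafe(profile) {
  return `<div class="bio">${escapeHtml(profile.bio)}</div>`;
}

// Review check: does the rendered fragment contain any tag other than the
// template's own <div> wrapper? Anything else means user input reached
// the page unencoded. Assumes the template emits only <div> itself.
function containsRawTag(html) {
  return /<(?!\/?div\b)[a-z]/i.test(html);
}

// Run stand-alone to compare the two renderings.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderProfileUnsafe(CONSTRUCTED_PROFILE));
  console.log('safe:  ', renderProfileSafe(CONSTRUCTED_PROFILE));
}
```

Output encoding at the point where data is written into HTML is the fix that removes the class of bug; input filtering alone, as the post's later paragraphs imply, is not enough because the same stored value may be rendered in several contexts. The `containsRawTag` check is deliberately narrow and tied to this one template; in a real code base the equivalent is a templating engine that escapes by default plus a review of every place that opts out.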

The attack was another example of the threat against social networks, where users post data that could be harvested and potentially valuable on the black market. Users of Facebook, MySpace and other social networks have been targeted by phishing attacks serving up malware designed to steal address books and other sensitive data. Experts say it’s easy to be duped by a malicious link or fall victim to Web application attacks within social networks.

In a message to Twitter users, the company’s co-founder Biz Stone said the attack was similar to the Samy worm, which spread on MySpace. “No passwords, phone numbers, or other sensitive information was compromised as part of these attacks,” Stone wrote in a blog entry.

The attack began at 2 a.m. on Saturday. It spread for about 3.5 hours until Twitter’s security team could identify and eradicate the worm. About 90 accounts were compromised. A second wave compromised another 100 accounts. Attacks continued with another wave on Sunday and again on Monday prompting the security team to delete about 10,000 tweets that could have continued to spread the worm.

“Every time we battle an attack, we evaluate our Web coding practices to learn how we can do better to prevent them in the future,” Stone said. “We will conduct a full review of the weekend activities. Everything from how it happened, how we reacted, and preventative measures will be covered.”

The attack is a reminder of the need to address Web application errors now, so developers of these applications clean up their poor coding practices. The OWASP Foundation has taken the lead on spreading the word to developers and companies using Web applications about the importance of security. But volunteers can’t do it all on their own. At some point social networks may need to band together to mop up coding errors and guard against attacks in a coordinated manner. They owe it to their customers, who have remained loyal even in the face of ongoing threats.