JaBbA's Hut

There's been a lot of uproar over a presentation at Toorcon where a pair of "Security Researchers" (which is what they would be called if they used responsible disclosure) / "Hackers" (which is the term almost universally used in press accounts) claimed to have found a bug in Firefox which they used to build a botnet.

This understandably concerned the Mozilla team, and a member of the Mozilla security team joined the presentation. Turns out they were "joking". I'm not sure how the announcement of the creation of a botnet based on a non-existent security flaw constitutes a "joke" - and I'm a geek. I "get" some pretty esoteric jokes. They wanted to tweak the "Firefox fanboys". Mischa later apologized:

he main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,

Mischa Spiegelmock

Nevertheless, there apparently is a little bit of fire in all that smoke - a flaw in Firefox that can apparently be used for a Denial of service. Of course, I didn't say too much about the IE setslice vulnerability on Thursday because it, too, was a DoS bug - until Friday night, when suddenly a remote code execution exploit was released and caused enough havoc to prompt the ISC to go to yellow alert. So be aware, if I hear of this escalating to an exploit I'll post asap.

The most important thing - Mozilla immediately reacted, is concerned with finding the truth, not maintaining a corporate image, and is taking this very seriously.

JaBbA says: Open Source means more than just source code.

There's been a lot of talk in the online media about how Firefox's "honeymoon" is over. Articles showing that Firefox has more vulnerabilities than IE have been cropping up frequently.

Most of the articles cite Secunia for the list of vulnerabilities. But dig into the numbers, and a different picture emerges. Secunia lays out all the numbers (see the upper right hand corner of their webpage). But they summarize it:

Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical

Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical

Opera 8.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Not critical

More graphs and charts from Secunia below:

A new firefox extension is a simple and effective addition to the Anti-Fraud arsenal.

The Petname Extension simply allows you to assign a descriptive name to any SSL-enabled website, then displays that name whenever it sees that same SSL certificate.

Any browser tricks or redirections will become obvious when you "Pet Name" for the website isn't displayed.

JaBbA recommends.

UPDATE I probably should have pointed out - this is a very small implementation of a new idea called a "Security Skin". See Bruce Schneier and this paper (PDF).

The Netcraft Toolbar has been an effective anti-phishing tool for IE for some time. There have been Firefox extensions that had the same idea, but without Netcraft's information and history.

Now, it's available for Firefox. Advantage: No special permissions needed, even if you're not a power user you can use this tool.

Hmm. I'm categorized as "Club Software & Computerware". Interesting...

Update That's not a category, that's the owner of my netblock.

My Rank is even more interesting...I'm 2 steps below "Tai Whore Sex" but 2 above "nudism.com"

Another update : From Infoworld:

The free toolbar, released Tuesday, was downloaded more than 60,000 times within hours of its release, according to Netcraft Internet Services Developer Paul Mutton. By comparison, the company's antiphishing toolbar for Microsoft's (Profile, Products, Articles) Internet Explorer (IE) browser has been downloaded around 100,000 times since its release earlier this year, he said.

"This seems to indicate that the Firefox community is more interested in security," Mutton said.

AND ONE MORE TIME :

I found a brand new phishing email, clicked the link and got:


And then:

Just noticed the upgrade arrow on my Firefox 1.0.1.

Sure enough, 3 more security fixes in 1.0.2.

Apparently, at least one is pretty exploitable, having to do with GIF file processing. Go ahead and get the upgrade.

Microsoft is reversing strategy and is now demonstraing a new Beta for IE7, coming out long before the next OS release. Previously, they had tied it closely to the OS releases, and any updates were going to be IE6 patches.

I think they're worried. It's about time. Reading that article brought back painful memories of the IBM OS/2 debacle. shudder

I received an important email today. Apparently, my eBay account had an old credit card associated with it. eBay attempted to verify the card and it was declined. I better go sign in.

It looks legit. The email link says https://billing.ebay.com, and the status bar on my Thunderbird says http://billing.ebay.com. Must be OK.

Except look at the right side of the email's status bar.

When I click on the link I have my computer configured with FireFox as my default browser. It seems to think there's something odd about the web page I'm going to. It pops up this warning - something about authenticating to the website.

Well, I'm going to eBay, and I'm going to authenticate, so it must be OK.

So I get to the website, things flash for a second, and I get a blank screen - and Firefox tells me the website is trying to open a popup.

Darn popup blockers! I disable it for the website, and then the screen flashes again.

Darn it, eBay wants me to use IE! I knew those darn FireFox guys would get something wrong!

Well, luckily Microsoft makes sure that IE is on every windows computer. I fire up IE, cut and paste the address (luckily, I'm a very smart computer user) and I get this screen. See? The address bar says https://billing.ebay.com, and the lock on the bottom of my screen assures me that I'm encrypted and that I really am connecting to eBay.

Except that's not a status bar on the bottom of the screen - it's an image sent by the malicious website to my browser that LOOKS like an IE status bar. And it's using javascript to overlay the address bar with another address.

Nasty.

This screenshot is a fully patched (as of this morning) XP Sp2 machine. The bar says it's a paypal SSL site. The lock is locked. The certificate is PayPal's certificate. EVERYTHING that the browser reports says that you're looking at Paypal's site. The content is Secunia's test page.

This is VERY VERY BAD. The test is at Secunia's site.

Right now, there are a couple of defenses against this.

#1 - DO NOT USE IE. Firefox won't even allow me to click on the test link. This is an IE vulnerability, unlike last weeks reports which were Windows vulns.

#2 - NEVER, EVER, trust a link sent to you. ALWAYS type the address in your browser or use a bookmark you created. This doesn't work unless you follow a malicious link.

Take a look at the image here. This is a demonstration from Secunia of a Windows injection vulnerability that affects most browsers.

The site loaded was the real Citibank website. There's a button on the site that pops up information about phishing schemes. However, Secunia was able to send me to the Citibank site in such a way that when I clicked on the legitimate button, I got a Secunia page instead.

This would fool anyone. The only way to keep yourself safe from this attack is to make sure you NEVER follow a link.

How does it work? The Citibank site opens the pop-up, as usual. The attacking website looks for the popup window's "handle" to appear, then immediately hijacks the window and displays it's own content - which, of course, could be the exact form you are expecting, but submitting to the attacker instead.

More information here:



There are other demonstrations of similar vulnerabilities on the Secunia site, but this one was the only one that Firefox was COMPLETELY vulnerable to. The other vulnerabilities have to do with stealing information from dialog boxes like the one shown here and even form fields on other websites. Firefox was moderately vulnerable to the dialog box hack - at least it kept switching back to the attacker's website instead of staying on the victim site. I couldn't get the form field hack to work in Firefox.

IE is vulnerable to all 3 attacks.
Opera and Safari are vulnerable to at least 2 of the attacks.
Firefox/Mozilla are vulnerable to 1 completely and 1 somewhat.

The Deepnet Explorer isn't vulnerable to any of them. And believe me, they're telling the world about it.

Thunderbird 1.0 is out. Didn't get as much "buzz" as Firefox, but this is nice software.

Screenshot shows the new 'Grouping' of emails - sort, then group by the sorted column. Very nice.

Another nice feature - Saved Search folders. Instead of moving your emails to a folder, run a search, then save the search. It becomes a 'View' of the Inbox, and new messages that meet the search criteria show up in the view. Why is this important? Well, a message can appear in more than one View, and new messages appear in the view with no filters!

JaBbA says get it at Mozilla.

Firefox 1.0 was released today. According to the BBC:

Firefox, which was originally called Firebird, also has a growing number of vocal net-based fans.

A campaign co-ordinated by the Spread Firefox website attempted to raise the $50,000 needed for a full page advert in the New York Times.

The campaign set itself a target of recruiting 10,000 volunteers. Ten days in to the campaign 25,000 people had signed up and now about $250,000 has been raised.

That's an impressive amount of loyalty and buzz. I've been using Firefox almost exclusively now for about 9 months, and I've found even the betas to be fast, stable and compatible. And I can't live without tabbed browsing now!


Also, version 0.7 of the Serendipity Weblog system has been released. This is the software that runs this website, and 0.7 is a major update - the biggest feature is the anti-spam stuff and nested/multiple categories, but there's a nice list on Evan's blog.

Interesting juxtaposition.

As the release of the first 1.0 Preview Release of the FireFox browser began hitting the news, the Microsoft critical vulnerability for the GDI+/JPG problem also hit the news -- and news.google.com happened to put them up at the same time.

I just installed the 1.0PR. It recognized the extensions I had installed, searched for updated versions, downloaded and installed the one extension that had been updated and informed me that it would keep checking for an update on the other.

JaBbA says check it out.

Another phishing scheme targeting eBay caught today. Fear, Uncertainty and Doubt is rampant - your account has *already been suspended*! Do something *immediately*!

The website: signin_ebay_com_account.PoRnOsIn.CoM:7308

The upper and lowercase letters serve to draw your eye away from that, because it makes it look more like the URL, and all you see is "ebay" and "com".

Note that the Firefox status bar lowercases the URL, making it easier to see. Another instance where Firefox is helpful.

Speaking of which, the new Thunderbird client (0.7.3) and the new Firebird (0.9.3) are AWESOME. Thunderbird now lets you choose to see all your email in plain text format (HOORAY!) and switch back and forth between plain text and HTML with a couple mouse clicks or even a ALT-V-B-H and ALT-V-B-P.

See mozilla.org for more information!

2 advisories in 3 days for IE. Secunia has another IE bug - and this one is 'Highly Critical'.

It's in Active Scripting. Apparently, a malicious website could drop an executable into your startup folder. Next time you reboot, wham! The PoC code requires you to drag-and-drop, but it's thought that it could be coded to work on the click of a link.

And it's confirmed in IE 6 on SP1 and SP2.

According to a report and proof of concept by Secunia, a fully patched XP SP1 system is vulnerable to a nasty phishing scheme.

I'm not sure if "rabid" firefox users are actually rejoicing, but it's another reason to switch to something else.