Mozilla Firefox JavaScript Engine Information Disclosure Vulnerability
A new, quite fascinating vulnerability was apparently discovered today, which allows attackers to craft custom JavaScript code in order to gain access to information contained in system RAM; all current versions of Mozilla Firefox are believed to be affected:

http://secunia.com/advisories/14820/

An intriguing test for this vulnerability (watch information contained in system memory echo to the screen!) appears here:

http://secunia.com/mozilla_products_arbitrary_memory_exposure_test/

A temporary workaround is to disable JavaScript support, however SuSE will be releasing a patched version of Firefox presumably?

--
Anthony Edwards
anthony.edwards@uk.easynet.net
On Mon, Apr 04, 2005 at 10:01:25PM +0100, Anthony Edwards wrote:
> A new, quite fascinating vulnerability was apparently discovered today, which allows attackers to craft custom JavaScript code in order to gain access to information contained in system RAM; all current versions of Mozilla Firefox are believed to be affected:
> http://secunia.com/advisories/14820/
> An intriguing test for this vulnerability (watch information contained in system memory echo to the screen!) appears here:
> http://secunia.com/mozilla_products_arbitrary_memory_exposure_test/
> A temporary workaround is to disable JavaScript support, however SuSE will be releasing a patched version of Firefox presumably?
Of course we will provide the now biweekly Firefox security update *sigh*

Might take some days.

Ciao, Marcus
> Of course we will provide the now biweekly Firefox security update *sigh*
> Might take some days.

Not forgetting Mozilla - that's exploitable as well. Nasty bug, too.

--
Derek Fountain, on the web here: http://www.derekfountain.org
On Tue, Apr 05, 2005 at 03:36:55PM +0800, Derek Fountain wrote:
> > Of course we will provide the now biweekly Firefox security update *sigh*
> > Might take some days.
> Not forgetting Mozilla - that's exploitable as well. Nasty bug, too.

Sure.

Ciao, Marcus
On Tue, Apr 05, 2005 at 09:24:22AM +0200, Marcus Meissner wrote:
> On Mon, Apr 04, 2005 at 10:01:25PM +0100, Anthony Edwards wrote:
> > A new, quite fascinating vulnerability was apparently discovered today, which allows attackers to craft custom JavaScript code in order to gain access to information contained in system RAM; all current versions of Mozilla Firefox are believed to be affected:
> > http://secunia.com/advisories/14820/
> > An intriguing test for this vulnerability (watch information contained in system memory echo to the screen!) appears here:
> > http://secunia.com/mozilla_products_arbitrary_memory_exposure_test/
> > A temporary workaround is to disable JavaScript support, however SuSE will be releasing a patched version of Firefox presumably?
> Of course we will provide the now biweekly Firefox security update *sigh*
Novell should make their own browser. That would Pwn. :) Then again browsers are a pain to get going. Has anyone seen this vuln used much outside of some dork trying to prove it COULD happen?

Lol, maybe some of those Win kids were right? "Well if Linux was on top of the market and used as much as Windows there would be lots of security holes in it too!".

Marcus, I know things like this must get annoying as crap, but I still think you have an awesome job. When security flaws get on your nerves, relax with some BOFH stories :) (If you've never read them just type BOFH in a google search, they rock and there are translations for non-English).
> Might take some days.
> Ciao, Marcus

-Allen / Das Blut.
On Tue, Apr 05, 2005 at 03:52:32AM -0400, Allen wrote:
> On Tue, Apr 05, 2005 at 09:24:22AM +0200, Marcus Meissner wrote:
> > On Mon, Apr 04, 2005 at 10:01:25PM +0100, Anthony Edwards wrote:
> > > A new, quite fascinating vulnerability was apparently discovered today, which allows attackers to craft custom JavaScript code in order to gain access to information contained in system RAM; all current versions of Mozilla Firefox are believed to be affected:
> > > http://secunia.com/advisories/14820/
> > > An intriguing test for this vulnerability (watch information contained in system memory echo to the screen!) appears here:
> > > http://secunia.com/mozilla_products_arbitrary_memory_exposure_test/
> > > A temporary workaround is to disable JavaScript support, however SuSE will be releasing a patched version of Firefox presumably?
> > Of course we will provide the now biweekly Firefox security update *sigh*
> Novell should make their own browser. That would Pwn. :) Then again browsers are a pain to get going. Has anyone seen this vuln used much outside of some dork trying to prove it COULD happen?
Well, most browsers are so complex and so massive that problems cannot be avoided. I invite you to take a look at Konqueror; up to now it has never shown up with buffer overflows or memory leaks ... (But it did show up for logical problems with tabs and similar, so it is not safe either.)
> Lol, maybe some of those Win kids were right? "Well if Linux was on top of the market and used as much as Windows there would be lots of security holes in it too!".
> Marcus, I know things like this must get annoying as crap, but I still think you have an awesome job. When security flaws get on your nerves, relax with some BOFH stories :) (If you've never read them just type BOFH in a google search, they rock and there are translations for non-English).
Hey, thanks :)

I read the BOFH texts a long time ago and remember them, but this attitude is unfortunately not really called for in business Linux versions ;)

"In the new SUSE Linux release we are now standardizing on the 'netcat' browser. It is fully customizable to your viewing experience." ;)

Ciao, Marcus
On Tue, Apr 05, 2005 at 09:57:26AM +0200, Marcus Meissner wrote:
> On Tue, Apr 05, 2005 at 03:52:32AM -0400, Allen wrote:
> > On Tue, Apr 05, 2005 at 09:24:22AM +0200, Marcus Meissner wrote:
> > > On Mon, Apr 04, 2005 at 10:01:25PM +0100, Anthony Edwards wrote:
> > > > A new, quite fascinating vulnerability was apparently discovered today, which allows attackers to craft custom JavaScript code in order to gain access to information contained in system RAM; all current versions of Mozilla Firefox are believed to be affected:
> > > > http://secunia.com/advisories/14820/
> > > > An intriguing test for this vulnerability (watch information contained in system memory echo to the screen!) appears here:
> > > > http://secunia.com/mozilla_products_arbitrary_memory_exposure_test/
> > > > A temporary workaround is to disable JavaScript support, however SuSE will be releasing a patched version of Firefox presumably?
> > > Of course we will provide the now biweekly Firefox security update *sigh*
> > Novell should make their own browser. That would Pwn. :) Then again browsers are a pain to get going. Has anyone seen this vuln used much outside of some dork trying to prove it COULD happen?
> Well, most browsers are so complex and so massive that problems cannot be avoided.
> I invite you to take a look at Konqueror; up to now it has never shown up with buffer overflows or memory leaks ... (But it did show up for logical problems with tabs and similar, so it is not safe either.)
I have been using that a little more often lately. I never really used it but when I bought SUSE 9.2 I loaded it to check it out and I was quite happy with the progress it's made. I made a full write up of SUSE 9.2 on antionline.com which is a security web site and I usually give one for SUSE, as I'm known as the SUSE dude there, so a lot of people read my articles when I make them. Heh, I've probably gotten more than 100 people to switch over to SUSE, and an article / tutorial I wrote on some basic security precautions in SUSE was actually published by the admins which own internet.net and Enterprise IT planet which was cool because then corporate people read it and see how easy it is to get it decently locked down. I did a follow up not long ago on setting up an FTP / SSH server on SUSE and had it kind of go together with the first one. Between that I have now almost every person in my Network Analysis and design class running SUSE on their Laptops. I got one guy to try and after he bought it and installed it he said "Yup he was right this is great" so the rest bought it. I was so proud. Like Woot, they didn't get RedHat. (Nothing against them but I want to make SUSE as much money as I possibly can to make sure Novell knows people care.)
> > Lol, maybe some of those Win kids were right? "Well if Linux was on top of the market and used as much as Windows there would be lots of security holes in it too!".
> > Marcus, I know things like this must get annoying as crap, but I still think you have an awesome job. When security flaws get on your nerves, relax with some BOFH stories :) (If you've never read them just type BOFH in a google search, they rock and there are translations for non-English).
> Hey, thanks :)
> I read the BOFH texts a long time ago and remember them, but this attitude is unfortunately not really called for in business Linux versions ;)
Simon is the man, heh. I read this all the time and have written a few, I love them. I know they don't go too well with business, but it's fun for relaxing :)

> "In the new SUSE Linux release we are now standardizing on the 'netcat' browser. It is fully customizable to your viewing experience." ;)
> Ciao, Marcus
Hehe. I've made Novell some extra sales recently. Someone asked on AntiOnline about setting up some server at their business and they wanted Linux but needed something extra; they were already running Netware, so I recommended SUSE Enterprise Server with some new Netware servers running alongside it. They did it and were happy with it :)

Ahh, sorry, this went off topic quick, but it's cool to talk with the guys who make this all happen, and do it so well. Heh, I'm such a shameless plugger for SUSE. But you guys work hard and it shows, SUSE is the best distro in the world and YAST2 is the most awesome admin tool I've ever even used. I get a lot of Red Hat users to switch once they see YAST2. I enjoy that; SUSE was the first distro that worked so well on my boxes here, I didn't need to sit for hours finding drivers, and then everything just worked so well for me so I share that with others.

Thanks for listening to me go on and on heh,

-Allen
On Tue, Apr 05, 2005 at 04:56:38AM -0400, Allen wrote:
> I did a follow-up not long ago on setting up an FTP / SSH server on SUSE and had it kind of go together with the first one.

One thing I was slightly surprised to discover recently is that root shell SSH login is now enabled by default (in SuSE 9.2 at least) and has to be manually disabled, whereas in previous versions (I am not sure up to which version number) it was previously disabled by default. Presumably this is due to a change in policy by the OpenSSH developers?

One thing I have always liked about SuSE's security policy (and that of most open source software developers in general) is that an installed system should be relatively secure by default, and that the user should need to gain at least a degree of technical knowledge in order to relax that policy. The change in root shell SSH login access default policy mentioned above is not in line with that philosophy, it seems to me.

--
Anthony Edwards
anthony.edwards@uk.easynet.net
On Tue, Apr 05, 2005 at 10:36:30AM +0100, Anthony Edwards wrote:
> On Tue, Apr 05, 2005 at 04:56:38AM -0400, Allen wrote:
> > I did a follow-up not long ago on setting up an FTP / SSH server on SUSE and had it kind of go together with the first one.
> One thing I was slightly surprised to discover recently is that root shell SSH login is now enabled by default (in SuSE 9.2 at least) and has to be manually disabled, whereas in previous versions (I am not sure up to which version number) it was previously disabled by default.
Heh, at least it isn't telnet ;) Being serious for a second though, SSH is fairly secure as a service in general and is of great help for people like me. And you still have to enable the firewall to allow SSH in the first place, so I don't think it really adds that much of a helping hand to people trying to break in. So even though it's there, it's not going to accept connections to the machine on that port, as the SUSE Firewall is enabled by default as well, which I thought was a great touch. The configuration of it can be done before installation has even finished, and so can updates for security patches, which theoretically would have the most secured OS in the world award going to SUSE. Security exploits are half of a battle at times, and if you can patch them before you're even booted and the firewall is up and running already too, you have a very good chance of being attack free. OpenBSD has nothing on SUSE, they do code audits too ;)
> Presumably this is due to a change in policy by the OpenSSH developers? One thing I have always liked about SuSE's security policy (and that of most open source software developers in general) is that an installed system should be relatively secure by default, and that the user should need to gain at least a degree of technical knowledge in order to relax that policy.
> The change in root shell SSH login access default policy mentioned above is not in line with that philosophy, it seems to me.

Adding to this, it could maybe be added to the security chapter of the SUSE admin guide on editing /etc/securetty and only leaving /dev/tty1 in there; that would prevent ANY logins except from the keyboard attached to the machine, and even X can't have root log in that way. Hmm, that could be a cool idea there. I do get what you're saying though.

> --
> Anthony Edwards
> anthony.edwards@uk.easynet.net

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
Anthony Edwards <anthony.edwards@uk.easynet.net> wrote on 05/04/2005 11.36.30:
> On Tue, Apr 05, 2005 at 04:56:38AM -0400, Allen wrote:
> > I did a follow-up not long ago on setting up an FTP / SSH server on SUSE and had it kind of go together with the first one.
> One thing I was slightly surprised to discover recently is that root shell SSH login is now enabled by default (in SuSE 9.2 at least) and has to be manually disabled, whereas in previous versions (I am not sure up to which version number) it was previously disabled by default.
I don't think it's something new, as it was the same on SuSE 9.0: you had to disable root login in sshd_config (at least for the Professional version).

Regards
Gaël
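The two controls the last few messages turn on, sshd's PermitRootLogin default and trimming /etc/securetty to the first console, can be checked mechanically. What follows is an added example, not code from this thread or from SUSE: two small shell functions that report the effective global PermitRootLogin of an sshd_config (using OpenSSH's historic implicit default of "yes" when the directive is missing or commented out, which is exactly the situation Anthony describes) and the consoles listed in securetty, plus an audit function that flags the weak setting. It runs over constructed sample files written to a temporary directory; the file names and contents are assumptions, and on a real system you would point the functions at /etc/ssh/sshd_config and /etc/securetty.

```shell
#!/bin/sh
# Added example (not from the list thread or from SUSE): audit the two
# root-login controls discussed above. Builds constructed sample files in a
# temp directory so it runs offline; on a real box call the functions on
# /etc/ssh/sshd_config and /etc/securetty instead.

# Effective global PermitRootLogin for an sshd_config. sshd takes the first
# occurrence of a keyword ("keyword value" or "keyword=value"); directives
# after a Match line are conditional and are not evaluated here. OpenSSH of
# the 2005 era defaulted to "yes" when the directive was absent or commented
# out (7.0 and later default to "prohibit-password").
permit_root_login() {
    awk -F '[ \t=]+' '
        { sub(/^[ \t]+/, "") }                                   # allow indented lines
        tolower($1) == "match" { exit }                          # stop at first Match block
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }                          # historic implicit default
    ' "$1"
}

# Consoles on which /etc/securetty lets root log in through login(1) and
# pam_securetty. sshd does not read this file; its root policy is the
# PermitRootLogin value above.
root_consoles() {
    awk 'NF && $1 !~ /^#/ { printf "%s%s", sep, $1; sep = " " } END { print "" }' "$1"
}

# One line per finding; returns 1 when root can authenticate over SSH.
audit() {
    ssh_cfg=$1; tty_cfg=$2; status=0
    prl=$(permit_root_login "$ssh_cfg")
    case "$prl" in
        no)  echo "OK   PermitRootLogin $prl" ;;
        without-password|prohibit-password|forced-commands-only)
             echo "NOTE PermitRootLogin $prl: root may still log in with keys" ;;
        *)   echo "WARN PermitRootLogin $prl: root can authenticate over SSH (the implicit default when the line is missing)"
             status=1 ;;
    esac
    consoles=$(root_consoles "$tty_cfg")
    echo "INFO securetty allows root on: ${consoles:-<none>}"
    return $status
}

# --- constructed sample input (assumed contents, not SUSE's shipped files) ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
SAMPLE_DEFAULT=$tmp/sshd_config.default      # directive commented out
SAMPLE_HARDENED=$tmp/sshd_config.hardened    # root login disabled at top level
SAMPLE_SECURETTY=$tmp/securetty              # only the first virtual console

printf '%s\n' '# sshd_config (constructed)' '#PermitRootLogin yes' 'X11Forwarding yes' > "$SAMPLE_DEFAULT"
printf '%s\n' '# sshd_config (constructed)' '  PermitRootLogin=no' \
              'Match User backup' '    PasswordAuthentication no' > "$SAMPLE_HARDENED"
printf '%s\n' '# securetty (constructed)' 'tty1' > "$SAMPLE_SECURETTY"

echo "== as shipped =="; audit "$SAMPLE_DEFAULT" "$SAMPLE_SECURETTY" || echo "-> needs attention"
echo "== hardened =="; audit "$SAMPLE_HARDENED" "$SAMPLE_SECURETTY"
```

securetty is consulted by login(1) via pam_securetty, so leaving only tty1 in it restricts root at the physical console; it has no effect on sshd, whose root access is decided by PermitRootLogin alone. The audit skips directives inside Match blocks; on current OpenSSH releases `sshd -T` prints the fully resolved configuration if you need the per-connection answer.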
On Tue, Apr 05, 2005 at 09:24:22AM +0200, Marcus Meissner wrote:
> On Mon, Apr 04, 2005 at 10:01:25PM +0100, Anthony Edwards wrote:
> > A new, quite fascinating vulnerability was apparently discovered today, which allows attackers to craft custom JavaScript code in order to gain access to information contained in system RAM; all current versions of Mozilla Firefox are believed to be affected:
> > http://secunia.com/advisories/14820/
> > An intriguing test for this vulnerability (watch information contained in system memory echo to the screen!) appears here:
> > http://secunia.com/mozilla_products_arbitrary_memory_exposure_test/
> > A temporary workaround is to disable JavaScript support, however SuSE will be releasing a patched version of Firefox presumably?
> Of course we will provide the now biweekly Firefox security update *sigh*
> Might take some days.
Firefox 1.0.3 has now been released which I believe resolves all currently known security issues:

http://www.mozilla.org/products/firefox/releases/1.0.3.html
http://www.mozilla.org/projects/security/known-vulnerabilities.html

Now available in RPM format at:

http://ftp.suse.com/pub/projects/mozilla/firefox/1.0.3/

Installed and running fine here.

--
Anthony Edwards
anthony.edwards@uk.easynet.net
Anthony Edwards wrote:
> A new, quite fascinating vulnerability was apparently discovered today, which allows attackers to craft custom JavaScript code in order to gain access to information contained in system RAM; all current versions of Mozilla Firefox are believed to be affected:
> http://secunia.com/advisories/14820/
> An intriguing test for this vulnerability (watch information contained in system memory echo to the screen!) appears here:
> http://secunia.com/mozilla_products_arbitrary_memory_exposure_test/
> A temporary workaround is to disable JavaScript support, however SuSE will be releasing a patched version of Firefox presumably?
The exploit is only an error in the JavaScript code, which leads to the problem. You have to know what to read out of memory to get any useful effect as an attacker. If this works on Firefox it will work on Mozilla as well, as Firefox is only the browser component of Mozilla. This means the error depends on Mozilla. O.K., this is a big loss in security, as memory can be read out. In comparison to Internet Explorer, no malicious code can be executed on the system. This is the benefit over Internet Explorer.

If you program a web browser, many security-related but also content-related features must be implemented for each page to be displayed right. Any exploits found for Firefox depend on phishing and XSS, except the X server related issue (not a problem of Firefox) which was discussed ([suse-security] Firefox invocation allows unintended root access) and this one reading out memory. In the case of the root problem this was done on a 32-bit machine starting an xterm on a 64-bit machine. It seems this was related to a bug in XFree86 within 64-bit, as there were many security-related errors within the 64-bit version in Linux. So none of these problems are real security holes of Firefox (the first was an XFree86 problem, the second is a problem of the JavaScript engine, which are both, as I think, not the problems of the Firefox developers, and the JavaScript engine has to be fixed in Mozilla and Firefox).

!!!_AND_!!! No write access to the local fs was possible at all, which could lead to execution of any code on the machine which accessed a web page. I would think this is the best thing that possibly could happen: the browser is exploitable, but the security hole doesn't make the machine intrudable by a remote website, which is the biggest problem within Windows, as the design error called IE does allow this and there is no patch against this available, as the IE team works on a newer version and doesn't fix the errors it produced by adding more and more interfaces for third-party plugins and trojans and viruses.

The more interfaces you provide, the more problems you can possibly get, even if it's an integrated plugin, which is the JavaScript engine. Any loss of control of a system has not been possible right now. Any discussions regarding problems on Linux after it gets more and more popular don't think about the fact that Linux is under continuous development, even if packages are called stable. This means any future problems, even a mechanism to get access to a system, can be changed. On other OSes you don't have that benefit, as a) the code is too big to get any overview (and making it easy to find errors) and b) the developers only take time to get their software sold - and not to get it secure.

So any discussion about that was the question of when it would be changed, and this doesn't depend on SuSE, as they only provide a distribution and update their packages from the providers of the different software, which is discussed in their security-related mailing lists. Did anybody send an e-mail to the Mozilla security team to get this problem noticed and fixed ASAP? After the Mozilla/Firefox team fix this, SuSE will get a newer version, not in another way. SuSE provides the best software which you can get on the net. If there are any problems regarding config problems depending on what SuSE did on the RPMs, it's their fault.

Next point is that a thread should sort its content under the subject of each mail. The last posts didn't talk about Firefox but SSH, so it would be nice to start a new thread, as all is sorted under the Firefox problem.

Regards
Philippe

--
This message is digitally signed and contains neither seal nor signature! Sending unsolicited advertising e-mail to private individuals violates §1 UWG and 823 I BGB (decision of the LG Berlin of 2 August 1998, Az: 16 O 201/98). Any commercial use of the personal data transmitted, or passing it on to third parties, is expressly prohibited!
Participants (6): Allen, Anthony Edwards, Derek Fountain, g.lams@itcilo.org, Marcus Meissner, Philippe Vogel