Linux.com weekly security advisory – April 21, 2006


Author: Kelley Greenman

This week, Debian, Fedora, FreeBSD, Gentoo, Red Hat, and Ubuntu released updates to address security problems with Firefox, Cacti, the Mozilla Suite, the GNOME Display Manager (GDM) and several others.

Several vendors issued updates for packages that were affected by vulnerabilities in the popular Web browser, Mozilla Firefox. On April 13, Mozilla released an update addressing several critical vulnerabilities, particularly JavaScript bugs which affect not only Firefox, but packages such as Mozilla’s Thunderbird email client, which may use JavaScript if the user has altered the default settings.

The majority of the vulnerabilities are considered critical, which Mozilla defines as vulnerabilities that “can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.”

Mozilla’s update addresses the following problems:

Critical-Risk Vulnerabilities

  • Security check of js_ValueToFunctionObject() can be circumvented
  • Privilege escalation through Print Preview
  • Privilege escalation using crypto.generateCRMFRequest
  • CSS Letter-Spacing Heap Overflow Vulnerability
  • Crashes with evidence of memory corruption (rv:1.8.0.2)
  • Accessing XBL compilation scope via valueOf.call()
  • Privilege escalation using a JavaScript function’s cloned parent
  • Mozilla Firefox Tag Order Vulnerability
  • Privilege escalation via XBL.method.eval
  • Crashes with evidence of memory corruption (rv:1.8)
  • JavaScript garbage-collection hazard audit

High-Risk Vulnerabilities

  • Cross-site scripting using .valueOf.call()
  • Cross-site JavaScript injection using event handlers
  • Cross-site scripting through window.controllers
  • File stealing by changing input type

Moderate-Risk Vulnerabilities

  • Spoofing with translucent windows
  • Downloading executables with “Save Image As…”

Low-Risk Vulnerabilities

  • Mail Multiple Information Disclosure
  • Secure-site spoof (requires security warning dialog)

Vendors released updates addressing these issues for the following distributions and packages: Fedora Firefox, Red Hat Firefox and Mozilla Suite, Ubuntu Firefox and Mozilla-Firefox, SUSE Mozilla Firefox and Mozilla Suite.

Many of the vulnerabilities addressed relate to the way Firefox handles malicious JavaScript. For example, moz_bug_r_a4 discovered a problem with the compilation scope of privileged built-in XBL bindings: they are insufficiently protected from Web content. Thus, the XBL bindings could be accessed when valueOf.call() and valueOf.apply() are called with no arguments on a method of that binding, because the call returns the Object class prototype instead of the caller’s global window object.

The problem in the XBL bindings leaves Firefox vulnerable to cross-site scripting (XSS) attacks. An attacker could inject script into another window in order to steal sensitive information such as passwords and cookies. The attacker could trick an unsuspecting user into visiting a malicious Web site or downloading malicious files, allowing the attacker to gain the privileges of the targeted user or alter the content of another window.

The updates also fixed several other JavaScript vulnerabilities discovered by shutdown. First, it is possible to use the Object.watch() method in order to access an internal function object, the “clone parent.” An attacker could exploit the problem in order to run arbitrary JavaScript code and install malware on a targeted machine.

Second, it is possible to call the XBL.method.eval() method to create JavaScript functions that compile with incorrect privileges. An attacker could create a malicious Web site in order to execute arbitrary JavaScript code with the permissions of a targeted user.

Third, it is possible to use a modal alert to suspend an event handler while a new page is loading. An attacker could exploit the vulnerability in order to inject running JavaScript code into another Web site. Thus, the attacker could log in to another site with the privileges of the targeted user or gain access to sensitive information such as passwords and cookies.

Georgi Guninski found that an attacker could use scripts in an XBL control in order to gain “chrome” privileges when a page is viewed with Print Preview. The vulnerability can be exploited even when JavaScript is turned off. The problem could allow an attacker to create a malicious Web page, executing arbitrary JavaScript instructions with the permissions of “chrome.” Consequently, an attacker could steal sensitive data or install malware on the targeted browser.

Claus Jørgensen reported a bug in the way Firefox allows JavaScript input form elements. According to Jørgensen, a text input box can be pre-loaded with a file name and turned into a file-upload control, leaving the content intact. An attacker could create a malicious Web site, tricking users into submitting information to a form. If the user submits the form, arbitrary files could be uploaded from the targeted machine to the malicious Web site.

Finally, Igor Bukanov found that the JavaScript engine does not correctly protect temporary variables. An attacker could exploit the vulnerability in order to execute arbitrary code with the privileges of the targeted user.

The Firefox updates also addressed several other vulnerabilities, including two security problems an attacker could use to trick users into compromising their machines or revealing sensitive information. For example, Tristor found a vulnerability in the way Firefox indicates that a site is secure. When Firefox is set to display the “Entering secure site” modal warning dialog, an attacker could change the window location while the dialog is displayed.

The attacker simply loads the targeted secure site into a pop-up window, changing the location to a different, insecure site. Consequently, a user believes the site is secure since it displays the padlock icon, the site name in the URL bar, and the yellow background in the URL bar.

Michael Krax reported that it is possible to layer a transparent image over a visible image, with the transparent image linked to an executable file. An attacker could exploit the bug by offering a desirable image, tricking visitors into downloading the image by creating a file name with a lot of spaces before the extension. The long file name and spaces hide the extension information from the user, pushing it beyond the boundaries of the file-saving dialog box. Instead of downloading an image, the user actually downloads an executable file.
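A defensive check for the padded-file-name trick described above, added here as an example and not part of the original advisory; the extension lists and the whitespace threshold are my assumptions, and the sample names are constructed:

```python
import re

# Constructed lists for this example; extend them for your environment.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "pif", "msi"}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp"}


def real_extension(filename: str) -> str:
    """Final extension in lower case, ignoring any whitespace padding in front of it."""
    name = filename.rstrip()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].strip().lower()


def hidden_extension_padding(filename: str, threshold: int = 8) -> bool:
    """True when a long run of whitespace separates the visible name from its final extension."""
    match = re.search(r"(\s+)\.[^.\s]+$", filename)
    return match is not None and len(match.group(1)) >= threshold


def classify_download(filename: str) -> dict:
    """Flag names that look like an image to the user but would be saved as an executable."""
    ext = real_extension(filename)
    # The part of the name a user sees before the padding pushes the rest out of view.
    visible = re.split(r"\s{2,}", filename.strip())[0]
    visible_ext = real_extension(visible)
    padded = hidden_extension_padding(filename)
    suspicious = ext in EXECUTABLE_EXTENSIONS and (padded or visible_ext in IMAGE_EXTENSIONS)
    return {
        "real_extension": ext,
        "visible_extension": visible_ext,
        "padded": padded,
        "suspicious": suspicious,
    }


def flag_suspicious(filenames):
    """Return the subset of names a download filter or log review should flag."""
    return [name for name in filenames if classify_download(name)["suspicious"]]


if __name__ == "__main__":
    samples = ["holiday.jpg", "holiday.jpg" + " " * 60 + ".exe", "setup.exe"]  # constructed
    for name in samples:
        print(repr(name), classify_download(name))
```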

Since most of the bugs are critical- or high-risk vulnerabilities, if you run Firefox or Mozilla be sure to update your packages as soon as possible.

Red Hat’s security team asks affected users to update their packages to Mozilla version 1.7.13 and Firefox version 1.0.8.

SUSE advises users to update to Firefox 1.0.8 and Mozilla 1.7.13. While the SUSE security team acknowledges that the Mozilla Thunderbird e-mail client is affected by some of the vulnerabilities, updates will be issued later. In the meantime, users can work around most of the problems by turning off JavaScript if they’ve altered the default settings.

Ubuntu users should upgrade the affected packages to the following: 1.0.8-0ubuntu4.10 (for Ubuntu 4.10), 1.0.8-0ubuntu5.04 (for Ubuntu 5.04), or 1.0.8-0ubuntu5.10 (for Ubuntu 5.10). Be sure to restart Firefox after the standard system upgrade. Doing so will ensure that the update took effect.


Vulnerabilities affecting several distributions

Package: mozilla, firefox — several vulnerabilities
CVE: CVE-2006-0749, CVE-2006-1724, CVE-2006-1727, CVE-2006-1728, CVE-2006-1729, CVE-2006-1730, CVE-2006-1731, CVE-2006-1732, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1740, CVE-2006-1741, CVE-2006-1742
April 14, 2006

Mozilla.org released a major update addressing multiple critical- and high-risk security issues in the popular Web browser Firefox. Many of the problems involve the way Firefox and the Mozilla Suite process malicious JavaScript.

Affected distributions: Fedora Firefox (Core 4, Core 5), Red Hat Firefox, Red Hat Mozilla, Ubuntu Firefox, Ubuntu Mozilla-Firefox, SUSE Mozilla-Firefox and Mozilla Suite


Vulnerabilities listed by distribution

Debian: horde2 — several vulnerabilities
April 14, 2006

Horde, a Web application framework, contains several vulnerabilities. An attacker could exploit the problems in order to gain access to sensitive information. Debian has issued an update that fixes the following problems:

  • There is an input validation error in the services/go.php script: the URL parameter is not correctly validated before being passed to a readfile() call. An attacker could exploit the problem to read files through the php:// URI handler.
  • An eval() injection vulnerability could allow a remote attacker to execute arbitrary code by exploiting the weakness in the help viewer.

Debian: fcheck — insecure temporary file
April 15, 2006

The Debian Security Audit project’s Steve Kemp located a problem in FCheck, a host-based Intrusion Detection System (IDS). A cronjob contained in FCheck creates an insecure temporary file, which could enable a remote attacker to create or overwrite arbitrary files and escalate access privileges.


Debian: bsdgames — buffer overflow
April 17, 2006

Sail, a game included in the BSD games 2.17-7 package, contains a buffer overflow vulnerability in pl_main.c. A local user could exploit the problem to execute arbitrary code.


Fedora: gdm — update
April 19, 2006

Fedora issued an advisory with numerous fixes and updates for the Fedora Core 5 GNOME Display Manager (GDM). If you run this package please be sure to apply the updates, following recommendations issued by Fedora.


Fedora: kernel — update
April 19, 2006

Fedora has issued a Linux kernel update for version 2.6.16, release 1.2096_FC4. This update includes fixes that address multiple security issues, including several vulnerabilities which local users could exploit to cause a Denial of Service (kernel panic) or to gain escalated privileges.


FreeBSD: sys — vulnerability
April 19, 2006

Jan Beulich discovered a vulnerability in 7th generation and 8th generation AMD processors. According to the update, “the fxsave and fxrstor instructions do not save and restore the FOP, FIP, and FDP registers unless the exception summary bit (ES) in the x87 status word is set to 1.” The vulnerability could be exploited by a local attacker to steal cryptographic keys or other sensitive data.


Gentoo: cacti — multiple vulnerabilities
April 14, 2006

The ADODB database abstraction layer for PHP, libphp-adodb, a library included in Cacti, has several vulnerabilities. Debian has released an update to fix the following problems:

  • Andreas Sandblad discovered a remote SQL injection vulnerability. When the MySQL root password is empty, an attacker could exploit the vulnerability in order to access or tamper with data, compromise the application, or obtain access to database vulnerabilities to escalate privileges.
  • A dynamic code evaluation vulnerability could be exploited by an attacker in order to execute arbitrary SQL commands via the do parameter.
  • An SQL injection vulnerability, discovered by Andy Staudacher, is due to insufficient input sanitizing. The problem could allow an attacker to launch arbitrary SQL commands.
  • The GulfTech Security Research team located several cross-site scripting (XSS) vulnerabilities. An attacker could exploit the vulnerabilities to launch arbitrary scripts in a targeted user’s Web browser.

Gentoo: libapreq2 — denial of service vulnerability
April 17, 2006

There is a Denial of Service vulnerability in the apreq_parse_headers() and apreq_parse_urlencoded() functions of Apache2::Request. An attacker could exploit the vulnerability to launch a Denial of Service by using unknown attack vectors, which could result in quadratic computational complexity.
