Archive for the Advisories Category

In a twisted reverse April fool, Mozilla decided to bring the release forward from April the 1st: it's today, folks.

As you may already know, it fixes:

  1. the mysterious flaw exploited by "Nils" at the CanSecWest Pwn2Own contest, fixed at the speed of light (the IE8 and Safari vulnerabilities revealed the same day are still unpatched);
  2. the XSLT processing bug which I wrote about yesterday.

Current NoScript stable version (1.9.1.4) prevents the XSLT crash from being exploited for malicious purposes, by defeating heap spray attempts, which require JavaScript, Java or Flash. That's very good, but not enough: a crash is still annoying even if it cannot install malware, session restore notwithstanding.

Since we can (un)safely assume this is not the only potentially exploitable XSLT parser bug hanging around, today I released the NoScript 1.9.1.5 development build, featuring specific XSLT protection: XSL stylesheets won't be processed unless they're from a trusted source and their parent document is trusted as well. This countermeasure effectively prevents malicious sites from crashing (or, worse, compromising) your browser through this or any other XSLT bug discovered in the future. As NoScript's motto says, defeating "exploitation of security vulnerabilities, known and even not known yet!" :)

A Firefox 3.0.8 "high-priority fire drill security update" is on its way, likely to be released by the middle of next week (April the 1st at the latest, jokes aside). The reason is an emergency patch for a critical vulnerability irresponsibly disclosed by Guido Landi. I feel a bit guilty about it because Mr. Landi is Italian like me -- not that here in Italy we lack reasons for being ashamed...

Beware the PoC: it will crash Firefox on Windows, Linux and Mac OS X even if you've got NoScript. However this crashing bug, like the vast majority of them, is not exploitable if you've got JavaScript and other active content disabled on the attacker's site, because reliable exploitation requires scripting to "spray the heap", i.e. to place the malicious payload at the right locations in memory for execution.
Therefore you can easily survive until the automatic update kicks in, if you don't mind the possibility of an annoying but not dangerous crash (thanks, session restore!) ;)

On a side note, it's time to update Java as well: yet another bunch of critical vulnerabilities, several of them exploitable in your browser. Business as usual...

Important updates here.

Microsoft's "clarification" on the various workarounds for the recent Internet Explorer security debacle.

Blue or red
Latest updates from Microsoft: the critical remote execution bug which we already talked about affects all IE versions (including IE8 beta) on every supported Windows operating system.
The bulletin also corrects some early assumptions about this unpatched vulnerability, which is being actively exploited in the wild from apparently legitimate sites infected through automated SQL injections:

  • The hole is in data binding, and not in XML processing like many (me too) reported initially.
  • Increasing the security level of the Internet Zone to "High" and disabling active scripting does not suffice to protect you, even if it makes the attacker's life slightly harder. Not harder than yours, though, since Microsoft's "Security Zones" have none of NoScript's usability...

The only work-around suggested by Microsoft is disabling both active scripting and the OLEDB32 library, which is unfortunately required by most applications working with databases.

So, do you really want to keep inflicting yourself that blue "e"? Or are you ready for a red panda?

Yesterday Symantec elevated its ThreatCon rating as a response to an infection involving about 20,000 web pages (250,000 according to other sources), and probably still actively spreading through an automated SQL injection.

The main news is that this time an apparently unpatched vulnerability affecting Adobe Flash Player is being exploited, making the attack on end-users effectively cross-browser and potentially cross-platform:

The attack uses multiple layers of SWF redirection and generates URLs designed to target specific Flash version and browser combinations, supporting both Internet Explorer and Firefox.

The Adobe Product Security Incident Response Team reports being aware of this problem and cooperating with the antivirus company for a precise assessment.

In the meanwhile, according to Symantec, you should:

Avoid browsing to untrustworthy sites. Consider disabling or uninstalling Flash until patches are available. Deploy script-blocking mechanisms, such as NoScript for Firefox, to explicitly prevent SWFs from loading on all but explicitly trusted sites. Temporarily set the kill bit on CLSID d27cdb6e-ae6d-11cf-96b8-444553540000 until patch availability is confirmed.
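Symantec's last recommendation, the kill bit, as a reversible administrative step. This is an added example, not code from the original post, Symantec or Adobe; it assumes an elevated PowerShell session on Windows and the documented kill-bit mechanism (a "Compatibility Flags" DWORD with bit 0x400 set under the ActiveX Compatibility key, per Microsoft KB240797); the function names are mine.

```powershell
# Added example: set, inspect and later clear the ActiveX kill bit for the
# Flash Player control named in the advisory. Run from an elevated PowerShell.
$FlashClsid = '{d27cdb6e-ae6d-11cf-96b8-444553540000}'   # CLSID quoted in the advisory
$KillBit    = 0x400                                        # documented kill-bit flag (KB240797)

# Native and WOW64 registry views, so 32-bit IE on 64-bit Windows is covered too.
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    # Report whether the kill bit is currently set for the control in each view.
    param([string]$Clsid)
    foreach ($base in $CompatKeys) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { continue }
        $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Key    = $key
            Flags  = $flags
            Killed = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    # OR the kill bit into any flags already present instead of overwriting them.
    param([string]$Clsid)
    foreach ($base in $CompatKeys) {
        if (-not (Test-Path $base)) { continue }      # no WOW64 view on 32-bit Windows
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]($current -bor $KillBit)           # $null behaves as 0 here
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
    }
}

function Clear-KillBit {
    # Revert once a patched player is installed; removing the key restores the default.
    param([string]$Clsid)
    foreach ($base in $CompatKeys) {
        $key = Join-Path $base $Clsid
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    }
}

Set-KillBit -Clsid $FlashClsid
Get-KillBitState -Clsid $FlashClsid | Format-Table -AutoSize
```

Note that the kill bit only affects Internet Explorer and other hosts that honour the ActiveX Compatibility key; the Firefox plugin is unaffected, which is why the advisory pairs it with NoScript.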

Additional notes for NoScript users

Since the offending SWF files are served from external ad-hoc Chinese domains (wuqing17173.cn, woai117.cn and dota11.cn at this moment, very unlikely to be in your whitelist), even if a trusted site was infected you should still be protected.

However, if you want maximum protection, it's a good time to check NoScript Options|Plugins|Apply these restrictions to trusted sites as well.
This option turns NoScript into an effective security-oriented replacement for the FlashBlock extension, working also with Java, Silverlight and other potentially vulnerable plugins such as QuickTime.
All the active embedded content pieces, no matter where they come from, will be blocked preemptively and you will be able to load them selectively by clicking on visual placeholders.

Update

(from PSIRT's blog):

This exploit appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0. We strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0.

Since the currently exploited vulnerability appears to be patched, but the attacking vector explicitly tests for the 9.0.124.0 player and can perform dynamic redirects, I'd obviously upgrade but still stay on the cautious side, deploying preemptive countermeasures just in case they're saving the real zero-day for a second wave...
