Archive for the 'Security' Category

Mozilla patches Windows hole exposed by Firefox

Monday, July 16th, 2007

On 10 July a patch was checked in for bug 384384, which needs both Firefox and IE to be exploited. The command injection vulnerability affected Internet Explorer users who browsed to a malicious page, provided that they had Firefox installed but not running. Opinions vary as to whether this was a Windows vulnerability or a Firefox one. In my opinion both had some degree of responsibility for this.


Opera fails to reveal security fixes in 9.10

Sunday, January 7th, 2007

Asa Dotzler mentions the Heise Security article about Opera 9.10 which was released in December. The release notes fail to mention two fairly critical security problems that were fixed in 9.10 but were present in the previous version 9.02. The main features listed in 9.10 were the online fraud protection and some stability updates.

The main concern being raised is that, because the security updates are not mentioned, people may just choose to skip this release if none of the new features appeal to them, whereas they would be more likely to upgrade if they knew that it fixes security issues.

This could be Opera trying to hide security problems from their users to appear more secure in their minds, or it may just be that the fixes should have been listed but were left out through a breakdown in internal communication.


A year of IE6 bugs

Thursday, January 4th, 2007

Brian Krebs of the Washington Post has looked back over a year of IE6 vulnerabilities and come to the conclusion that a fully patched IE6 installation would have been unsafe for 284 days in the year.


Google Fixes Contact List Flaw

Tuesday, January 2nd, 2007

The flaw in Google’s webapps that affected Gmail (aka Google Mail in UK and Germany for legal reasons) appears to have been fixed by Google. The JavaScript page that used to list your contacts now returns the following empty list:

google ({
Success: false,
Errors: []
})

This means that the problem reported yesterday is no longer an issue. However, this demonstrates that security in web applications is just as important as security in the browser.

As Slashdot still didn’t update their article, despite numerous comments, I will stress again that this is not a Firefox issue. It is a bug in the site and therefore will show in all browsers.

UPDATE: It seems that although that particular issue has been fixed, it’s still possible to access the contact list as an XML file. It’ll take a bit more coding for people to steal your contact list, but it may still be relatively easy. I will keep this site updated with any further news, but for the moment follow the advice in my previous post.

UPDATE 2: It appears that the contact list being accessible via an XML file is not a security risk, as standard browser security should not allow JavaScript hosted on one site to process XML from a different domain. Therefore I was not able to create any steps to exploit this, and there appears to be nothing out there in the wild either. Therefore I’m changing the title of this article back to ‘Google Fixes Contact List Flaw’. I thought it was best to err on the side of caution until I could verify if the problem was fixed.

Gmail Contacts List vulnerability

Monday, January 1st, 2007

There appears to be a cross-site scripting vulnerability with Gmail that affects IE, Firefox and Opera. It’s to do with the way Gmail stores the contact list when you’re logged in. The website that supposedly demonstrates the vulnerability is currently down, stating ‘Causing too much trouble already… I am sorry if it causes any inconvenience to you, or make you feeling the insecure of Google.’ I will see if I can find out more about this within the next few hours.

UPDATE: I’ve checked and this vulnerability does affect all browsers on my system with JavaScript enabled. That’s because the bug is not with the browser; it’s just some badly designed coding from Google. The problem is caused by the fact that the contacts are stored as a plain JavaScript file, and this file can be included in an HTML file and manipulated. This functionality has legitimate uses: Google Analytics and AdSense both load external JavaScript files from Google’s servers, so browsers shouldn’t remove it. In this instance it’s up to the application developers to consider security in their design.

Slashdot, as usual, have put up a story about this without reading the linked-to article. According to Slashdot only Firefox is affected, which is not true as it’s a webapp issue, not a browser issue.

If you trust this site you can see an example of this vulnerability here. If you don’t trust this site then make sure you’re logged out of Gmail before visiting the page - you will see nothing in this case but selecting ‘view source’ will show you how easy accessing this data is.
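
The design problem described in this post and in the follow-up above, as an added example that is not code from the original posts or from Google: a simulated contacts endpoint that returns executable script on the strength of the cookie alone, beside a form that also requires a per-session token and returns non-executable JSON. The session store, token header name, field names other than Success and Errors, and the JSON prefix are all assumptions made for illustration.

```javascript
// Constructed sample: one logged-in session with its contacts (hypothetical names).
const SESSIONS = {
  'sess-abc': { token: 'tok-5f2c', contacts: ['alice@example.com', 'bob@example.com'] },
};
const EMPTY = { Success: false, Errors: [] };
const PREFIX = ")]}',\n"; // makes the body a syntax error if loaded as a script

// Compare two strings without stopping at the first differing character.
function sameToken(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Before: the cookie alone authorises the request and the body is executable
// script, so the data goes to whichever page included the URL.
function contactsAsScript(req) {
  const session = SESSIONS[req.cookies.sid];
  const data = session ? { Success: true, Contacts: session.contacts } : EMPTY;
  return { status: 200, type: 'text/javascript', body: `google(${JSON.stringify(data)})` };
}

// After: the request must also carry a per-session token that only the
// application's own pages can read, and the body is prefixed JSON, not script.
function contactsAsJson(req) {
  const session = SESSIONS[req.cookies.sid];
  const ok = Boolean(session) && sameToken(req.headers['x-session-token'], session.token);
  const data = ok ? { Success: true, Contacts: session.contacts } : EMPTY;
  return { status: ok ? 200 : 403, type: 'application/json', body: PREFIX + JSON.stringify(data) };
}

// Parse a hardened response the way the application's own client code would.
function readJson(res) {
  return JSON.parse(res.body.slice(PREFIX.length));
}

// Constructed requests: the browser attaches the cookie to both, but only the
// application's own page knows the token.
const crossSite = { cookies: { sid: 'sess-abc' }, headers: {} };
const ownPage = { cookies: { sid: 'sess-abc' }, headers: { 'x-session-token': 'tok-5f2c' } };

console.log(contactsAsScript(crossSite).body);
console.log(contactsAsJson(crossSite).status, contactsAsJson(ownPage).status);
```
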

Password manager flaw

Wednesday, November 22nd, 2006

As reported in Slashdot, there’s a flaw in the password managers of Firefox and, to a certain extent, IE. It has been reported to Mozilla as bug 360493; the severity of the bug depends on your usage of passwords and the password manager.


The scams become more sophisticated

Wednesday, November 1st, 2006

Take a look at aigars.co.uk: at first appearance it looks quite legitimate, but as some investigation shows, this site is just one in a large number of long-running scams. The way they work is by using a payment method such as Western Union money transfer to send the cash to one of their ‘sales representatives’, who will use fake identity documents to collect the money without being traced. Although the site lists a London address, they’re not based at the address, but they did make the effort to make it a valid address.

Although these sites don’t fit in with the typical definition of phishing, they’re still scam sites, and so I’d like to see browsers’ phishing detectors flag these sites. Once aigars.co.uk disappears, a similar site with a different domain will appear and the fun will start all over again. Currently it’s not picked up in either the IE or Firefox filters. I have submitted the site, but as it looks genuine on the surface they may not flag it.


First IE7 phishing bug detected

Thursday, October 26th, 2006

Secunia has discovered a weakness in one of IE7’s anti-phishing features that makes it possible for a site to spoof the URL in the address bar. To reduce the potential for phishing attacks, IE7 displays the address bar in all popups (smaller than the regular address bar so it’s less obtrusive). However, this vulnerability makes it possible to display a spoofed URL, meaning that what’s contained in the address bar cannot currently be trusted. Unfortunately, this could give the user a false sense of security.

At the moment there is no comment on this issue on the IE Blog but I expect that they will react to this issue in a timely manner.

If you’re running IE7 you can run the test to see if it’s vulnerable. Firefox and Opera are not vulnerable to this, although both IE and Firefox have suffered similar flaws in the past. In Firefox it’s still possible to hide the address bar in popup windows but it shows the correct domain in the titlebar.

IE7 Phishing spoof

Adware, spyware and viruses

Sunday, October 22nd, 2006

When running Windows there’s always the risk of installing adware, spyware and viruses (known collectively as malware). The risk is significantly lower for users of Apple’s Mac OS X or Linux because it’s harder for malicious programs to run without user intervention.

On any platform it’s important to not install software that you do not trust as some less honest software makers get paid for bundling spyware with their applications.

On Windows you should take the following additional steps:

  • Download Windows Defender - this is Microsoft’s anti-malware tool and works well 90% of the time
  • The Google Pack contains free anti-virus and anti-spyware utilities (make sure you select the option to install Ad-Aware) and the Google Updater will keep them up to date
  • Don’t use Internet Explorer 6 - it has many issues with security. Version 7 has made massive improvements and alternative browsers such as Opera and Firefox are also good choices.
  • Keep your anti-virus definitions up to date. Most anti-virus software comes with at least daily updates due to the increasing number of Windows viruses.
  • Keep Windows up to date. Look in Control Panel to ensure automatic updates is switched on.
  • Don’t run as a user with Administrator permissions. Create yourself a limited user account and do all work with that. This will make it more difficult for you to install programs but it will also significantly reduce your risk of spyware. If you need to install something you can right-click on the icon, select “Run As…” and then enter the administrator password. Only do this with applications that you trust.
  • If you have a spare PC consider using one for general web browsing and the other one for other types of work (e.g. Office, finances, etc). Then if your browsing machine gets infected there’s no risk to your critical data.