Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions
Dr. Neal Krawetz PhD wrote:
> Gobbles aka n3td3v,
>
> Please stop harassing aspiring young PhD students on this list.
>
> I speak for everyone in this community when I say that we are all tired
> of your shenanigans and that it is time for you to grow up. Clearly
> you do not have a PhD, and to the best of my knowledge you are not
> actively pursuing one, and therefore have no voice in computer security.

I agree, don't you know that these young PhD students had to rack up tons of debt and/or get their parents to shell out enough cash to feed a small town in a third world country in order to get a piece of paper that will apparently allow them to post on a public listserv? Give them a break, they've got enough worries.

and to Dr. Neal Krawetz - Stop being an elitist tool.

-tx

--
-tx [at] lowtechlive.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions
On 5/30/07, Dr. Neal Krawetz PhD <[EMAIL PROTECTED]> wrote:
> Gobbles aka n3td3v,

first this was funny.. then it got old. now it's funny again! behold: a philosopher's mind at work!

> you do not have a PhD, and to the best of my knowledge you are not
> actively pursuing one, and therefore have no voice in computer security.

how telling that you favor credentials over capabilities. moats and beams and all that...
Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions
Dude did you get your PhD at K-Mart or are you just retarded? It seems like maybe Dr. Chris and Dr. Neal are the real trolls in this joke of an 'industry'...

_Joey

Qualifications (in order of descending worthlessness): Certified Drive by Pharming Expert / CISSP / PhD

On Wed, 30 May 2007 14:12:44 -0400 "Dr. Neal Krawetz PhD" <[EMAIL PROTECTED]> wrote:
>Gobbles aka n3td3v,
>
>Please stop harassing aspiring young PhD students on this list.
>
>I speak for everyone in this community when I say that we are all tired
>of your shenanigans and that it is time for you to grow up. Clearly
>you do not have a PhD, and to the best of my knowledge you are not
>actively pursuing one, and therefore have no voice in computer security.
>
>To my fans: I have just finished reading Niels Provos' work from 2001,
>and plan on presenting a summary of these dated works at Blackhat 2007
>this summer. I look forward to seeing you all there!
>
>Dr. Neal Krawetz, PhD
>
>http://www.hackerfactor.com/
>http://www.krawetz.org/
>
>On Wed, May 30, 2007 at 11:57:59AM -0400, Joey Mengele wrote:
Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions
Gobbles aka n3td3v,

Please stop harassing aspiring young PhD students on this list.

I speak for everyone in this community when I say that we are all tired of your shenanigans and that it is time for you to grow up. Clearly you do not have a PhD, and to the best of my knowledge you are not actively pursuing one, and therefore have no voice in computer security.

To my fans: I have just finished reading Niels Provos' work from 2001, and plan on presenting a summary of these dated works at Blackhat 2007 this summer. I look forward to seeing you all there!

Dr. Neal Krawetz, PhD

http://www.hackerfactor.com/
http://www.krawetz.org/

On Wed, May 30, 2007 at 11:57:59AM -0400, Joey Mengele wrote:
Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions
On 5/30/07, Steven Adair <[EMAIL PROTECTED]> wrote:
> We are also at risk from rogue developers, people that have
> hacked/poisoned your trusted DNS provider, those that have modified your
> /etc/hosts, /etc/resolv.conf, windows\system32\drivers\etc\hosts (and/or
> related files), people that have hacked the update server and put their
> own malicious version there, and the unlocked workstation attack from an
> attacker with a USB flash drive with a malicious update that might sit
> down at your workstation and -pwn- you.

Or, more simply, from a brute-force poisoning attack that doesn't involve compromising the trusted DNS provider at all.

It's been known for *at least as long as I've been in this business* that DNS is *not* secure, even when both the DNS server and the requesting client are not compromised. There's no significant authentication of the DNS server's reply, so DNS responses can be trivially spoofed by an attacker who knows a window of time wherein you might request the address of a particular host. An example of such a condition: scheduled automatic updates. That just happens to be exactly what is described here. You do the math.

This really should have been articulated in the original advisory, IMO. When applications depend on DNS for trust decisions, virtually *every* internet connection is untrusted.
Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions
We are also at risk from rogue developers, people that have hacked/poisoned your trusted DNS provider, those that have modified your /etc/hosts, /etc/resolv.conf, windows\system32\drivers\etc\hosts (and/or related files), people that have hacked the update server and put their own malicious version there, and the unlocked workstation attack from an attacker with a USB flash drive with a malicious update that might sit down at your workstation and -pwn- you.

Steven

> This information also posted (with html link goodness) to
> http://paranoia.dubfire.net/2007/05/remote-vulnerability-in-firefox.html
Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello List,

>Frequently Asked Questions
>
>Q: Who is at risk?
>
>A: Anyone who has installed the Firefox Web Browser and one or more
>vulnerable extensions. These include, but are not limited to: Google
>Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension,
>Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser
>Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker.

Don't you mean anyone who has these installed and is using a rogue or compromised DNS server?

>Q: How many people are at risk?
>
>A: Millions. Exact numbers for each toolbar/extension are not released
>by the vendors. Google Toolbar, which is one of the most popular of
>the vulnerable extensions, is installed as part of the download
>process with WinZip, RealNetworks' Real Player and Adobe's Shockwave.
>Google publicly pays website publishers $1 for each copy of Firefox +
>Google Toolbar that customers download and install through a
>publisher's website.
>
>Google confirmed in 2005 that their toolbar product's user base was
>"in the millions". Given the number of distribution deals that have
>been signed, the number of users can only have grown in size since.

Oh stop being such a drama queen. Are you suggesting "millions" have their DNS compromised and their home routers owned? Isn't this bug rather inconsequential for these people anyway?

>Q: When am I at risk?
>
>A: When you use a public wireless network, an untrusted Internet
>connection, or a wireless home router with the default password set.

Duh. You don't need to be running some silly toolbar to be at risk in this scenario.

>Q: What can I do to reduce my risk?
>
>A: Users with wireless home routers should change their password to
>something other than the default.

Are you really suggesting wide scale wireless home router compromise? Is there an army of hacker dudes driving around compromising unprotected wireless routers in the millions that I am not aware of? Surely the Security Focus PharmConMeter(TM) would have alerted me if this were the case!

>Q: Why is this attack possible?
>
>A: The problem stems from design flaws, false assumptions, and a lack
>of solid developer documentation instructing extension authors on the
>best way to secure their code.

See also "because your DNS server is owned"

>----------------------------
>Description Of Vulnerability
>----------------------------

Blabla, you are a technical genius. Let's move on Dr. Chris.

>-------------------------
>When Are Users Vulnerable
>-------------------------
>
>Users are most vulnerable to this attack when they cannot trust their
>domain name server. Examples of such a situation include:
>
>* Using a public or unencrypted wireless network.
>
>* Using a network router (wireless or wired) at home that has been
>infected/hacked through a drive by pharming attack. This particular
>risk can be heavily reduced by changing the default password on your
>home router.

Hahahahahahha. Drive by pharming. What a fucking joke. This industry is the best.

>------------------
>Fixing The Problem
>------------------
>
>The number of vulnerable extensions is more lengthy than those listed
>in this document. Until vendors have fixed the problems, users should
>remove/disable all Firefox extensions except those that they are sure
>they have downloaded from the official Firefox Add-ons website
>(https://addons.mozilla.org). If in doubt, delete the extension, and
>then download it again from a safe place.

No way dude, use The Internet Explorer!

>----------------------------------------------
>Self Disclosure/Conflict of Interest Statement
>----------------------------------------------
>
>Christopher Soghoian is a PhD student in the School of Informatics at
>Indiana University. He is a member of the Stop Phishing Research
>Group. His research is focused in the areas of phishing, click-fraud,
>search privacy and airport security. He has worked as an intern with
>Google, Apple, IBM and Cybertrust. He is the co-inventor of several
>pending patents in the areas of mobile authentication, anti-phishing,
>and virtual machine defense against viruses. His website is
>http://www.dubfire.net/chris/ and he blogs regularly at
>http://paranoia.dubfire.net

Impressive. The scholarly source Wikipedia [1] says you are also that guy that made boarding passes for Al Qaeda? Kudos.

>Information on this vulnerability was disclosed for free to the above
>listed vendors.

Oi! Such a deal.

_Joey

[1] http://en.wikipedia.org/wiki/Christopher_Soghoian
Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions
> A DNS based man in the middle attack will not work against a SSL
> enabled webserver. This is because SSL certificates certify an
> association between a specific domain name and an ip address. An
> attempted man in the middle attack against a SSL enabled Firefox
> update server will result in the browser rejecting the connection to
> the masquerading update server, as the ip address in the SSL
> certificate, and the ip address returned by the DNS server will not
> match.

False. SSL certificates do not authenticate DNS/IP associations. They authenticate public key/DNS associations. The difference is likely irrelevant to this issue, but be sure you understand SSL's PKI when you explain such things, lest you confuse crypto noobs.

tim
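The two technical points made in this thread, that a DNS reply carries no authentication (the post above about brute-force poisoning) and tim's correction that a certificate binds the vendor's name to its public key rather than to an IP address, can be combined in a small offline simulation of an extension update check. This is an added example, not code from the advisory or from any of the extensions named in it; the hostname, the manifests, the payloads and the "updateHash" field are all constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample payloads (not from the advisory): the vendor's genuine
# update and the tampered copy an on-path attacker serves after forging the
# DNS answer for the update host.
GENUINE_XPI = b"PK\x03\x04 genuine-toolbar-2.0.xpi"
TAMPERED_XPI = b"PK\x03\x04 trojaned-toolbar-2.0.xpi"
GENUINE_SHA256 = hashlib.sha256(GENUINE_XPI).hexdigest()

# Hypothetical update manifests. The hostname is a placeholder, and the
# "updateHash" entry stands in for a digest the vendor publishes next to
# the download link over an authenticated channel.
MANIFESTS = {
    "plain_http": {"updateLink": "http://updates.vendor.invalid/toolbar.xpi"},
    "https_hashed": {
        "updateLink": "https://updates.vendor.invalid/toolbar.xpi",
        "updateHash": "sha256:" + GENUINE_SHA256,
    },
}


class UntrustedNetwork:
    """Models the situation in the advisory: the client's resolver lies.

    With a forged A record, a plain-http fetch lands on the attacker's box
    and returns whatever they like. An https fetch to the same forged
    address fails instead: the certificate binds the vendor's *name* to
    the vendor's *public key*, and the attacker holds neither a valid
    certificate for that name nor its private key, so the handshake is
    rejected and nothing at all is downloaded.
    """

    def __init__(self, dns_spoofed: bool):
        self.dns_spoofed = dns_spoofed

    def fetch(self, url: str) -> bytes:
        scheme = urlparse(url).scheme
        if not self.dns_spoofed:
            return GENUINE_XPI
        if scheme == "https":
            raise ConnectionError("TLS: certificate name does not match host")
        return TAMPERED_XPI


def install_update_naive(manifest: dict, net: UntrustedNetwork) -> bytes:
    """The pattern the advisory criticises: resolve, download, install."""
    return net.fetch(manifest["updateLink"])


def install_update_hardened(manifest: dict, net: UntrustedNetwork) -> bytes:
    """Require an authenticated transport and a matching published digest."""
    link = manifest["updateLink"]
    if urlparse(link).scheme != "https":
        raise PermissionError("update link is not https; a DNS answer is not trust")
    data = net.fetch(link)
    algo, _, digest = manifest.get("updateHash", "").partition(":")
    if algo != "sha256" or not hmac.compare_digest(
        hashlib.sha256(data).hexdigest(), digest
    ):
        raise PermissionError("downloaded update does not match published hash")
    return data


def simulate(client, manifest_name: str, dns_spoofed: bool) -> str:
    """Run one client against one manifest on a trusted or spoofed network."""
    try:
        data = client(MANIFESTS[manifest_name], UntrustedNetwork(dns_spoofed))
    except (ConnectionError, PermissionError) as exc:
        return "rejected: " + str(exc)
    return "installed genuine" if data == GENUINE_XPI else "installed TAMPERED"


if __name__ == "__main__":
    for client in (install_update_naive, install_update_hardened):
        for name in MANIFESTS:
            for spoofed in (False, True):
                print(f"{client.__name__:24} {name:13} spoofed={spoofed!s:5} -> "
                      f"{simulate(client, name, spoofed)}")
```

Only the naive client on a plain-http link ever installs the tampered payload; the https link is protected by the name-to-key binding whether or not the client checks the digest, and the digest check additionally catches a replaced file behind an otherwise valid connection.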
[Full-disclosure] New Vulnerability against Firefox/ Major Extensions
This information also posted (with html link goodness) to
http://paranoia.dubfire.net/2007/05/remote-vulnerability-in-firefox.html

-----------------
Executive Summary
-----------------

A vulnerability exists in the upgrade mechanism used by a number of high profile Firefox extensions. These include Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others, mainly commercial extensions.

Users of the Google Pack suite of software are most likely vulnerable, as this includes the Google Toolbar for Firefox.

The latest version of all of these listed, and many other extensions are vulnerable. This is not restricted to a specific version of Firefox.

Users are vulnerable and are at risk of an attacker silently installing malicious software on their computers. This possibility exists whenever the user cannot trust their domain name server (DNS) or network connection. Examples of this include public wireless networks, and users connected to compromised home routers.

The vast majority of the open source/hobbyist made Firefox extensions - those that are hosted at https://addons.mozilla.org - are not vulnerable to this attack. Users of popular Firefox extensions such as NoScript, Greasemonkey, and AdBlock Plus have nothing to worry about.

In addition to notifying the Firefox Security Team, some of the most high-profile vulnerable software vendors (Google, Yahoo, and Facebook) were notified 45 days ago, although none have yet released a fix. The number of vulnerable extensions is more lengthy than those listed in this document. Until vendors have fixed the problems, users should remove/disable all Firefox extensions except those that they are sure they have downloaded from the official Firefox Add-ons website (https://addons.mozilla.org). If in doubt, delete the extension, and then download it again from a safe place.
In Firefox, this can be done by going to Tools->Add-ons. Select the individual extensions, and then click on the uninstall button.

--------------------------
Frequently Asked Questions
--------------------------

Q: Who is at risk?

A: Anyone who has installed the Firefox Web Browser and one or more vulnerable extensions. These include, but are not limited to: Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker.

Q: How many people are at risk?

A: Millions. Exact numbers for each toolbar/extension are not released by the vendors. Google Toolbar, which is one of the most popular of the vulnerable extensions, is installed as part of the download process with WinZip, RealNetworks' Real Player and Adobe's Shockwave. Google publicly pays website publishers $1 for each copy of Firefox + Google Toolbar that customers download and install through a publisher's website.

Google confirmed in 2005 that their toolbar product's user base was "in the millions". Given the number of distribution deals that have been signed, the number of users can only have grown in size since.

Q: When am I at risk?

A: When you use a public wireless network, an untrusted Internet connection, or a wireless home router with the default password set.

Q: What can happen to me?

A: An attacker can covertly install malicious software that will run within your web browser. Such software could spy on you, hijack e-banking sessions, steal emails, send email spam and a number of other nasty tasks.

Q: What can I do to reduce my risk?

A: Users with wireless home routers should change their password to something other than the default. Until the vendors release secure updates to their software, users should remove or disable all Firefox extensions and toolbars. Only those that have been downloaded from the official Firefox Add-Ons page are safe.
In Firefox, this can be done by going to the Tools menu and choosing the Add-ons item. Select the individual extensions, and then click on the uninstall button.

Q: Why is this attack possible?

A: The problem stems from design flaws, false assumptions, and a lack of solid developer documentation instructing extension authors on the best way to secure their code.

The nature of the vulnerability described in this report is technical, but its impact can be limited by appropriate user configuration. This shows the relation between the technical and social aspects of security. For numerous other examples, please see the publications listed at www.stop-phishing.com. It also illustrates the need for good education of typical Internet users. This has been recognized as a difficult problem to tackle, but some recent efforts, e.g., www.SecurityCartoon.com look promising.

----------------------------
Description Of Vulnerability
----------------------------