Security Bytes: Firefox flaw could expose sensitive data

By SearchSecurity.com Staff
31 Jan 2006 | SearchSecurity.com

Security Wire Daily News

Attackers could access sensitive data via Firefox flaw
Attackers could use a malicious Web page to access sensitive Web site data via a new security hole in Mozilla Firefox, Cupertino, Calif.-based AV giant Symantec Corp. said Monday. In an e-mail to customers of its DeepSight Threat Management System, Symantec warned that Firefox is vulnerable to a flaw that could allow a Web page to "execute malicious script code in the context of an arbitrary domain." This could lead to a variety of attacks, "including theft of cookie-based authentication credentials," Symantec said.

"The issue affects the '-moz-binding' property that is used to attach extensible binding language (XBL) to elements through cascading style sheets (CSS)," Symantec said. "Due to an origin validation error, arbitrary script code included with XBL may be executed in the context of another domain. The cause of this issue is that the browser's same origin policy is not enforced on this property."

This could allow a malicious site to access the properties of a trusted site and facilitate various attacks including disclosure of sensitive information, Symantec said.

Exploit code is publicly available for this flaw, which affects Firefox 1.0.0 running with Gentoo Linux 1.0.0, S.u.S.E. Linux Personal 1.0.0 and Slackware Linux 1.0.0; Firefox 1.0.1 running with RedHat Fedora 1.0.1; Firefox 1.0.2 running with MandrakeSoft Linux Mandrake 1.0.2, RedHat Desktop 1.0.2 and RedHat Enterprise Linux 1.0.2; Firefox 1.0.3 running with Gentoo Linux 1.0.3; and Firefox versions 1.0.4 through 1.5.0 beta 2 running on all operating systems.

Symantec said it isn't aware of any available patches for the flaw. To mitigate the potential impact, the firm recommended users:

  • Run all client software as a non-privileged user with minimal access rights;
  • Perform non-administrative tasks like Web browsing and e-mail reading as an unprivileged user with minimal access rights;
  • Do not follow links provided by unknown or untrusted sources;
  • Avoid visiting Web sites of questionable integrity or following links provided by an unfamiliar or untrusted source;
  • Set Web browser security to disable the execution of JavaScript; and
  • Disable support for scripting and active content, which may limit exposure to this and other vulnerabilities.
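The advisory above concerns a stylesheet property, -moz-binding, that pulls executable XBL into a page. Beyond the end-user mitigations Symantec lists, a site that lets users supply their own CSS (profile themes, comment styling) would want to reject that property before serving the stylesheet. The following Python is an added example, not code from the article, from Symantec or from Mozilla; the inclusion of the Internet Explorer properties `behavior` and `expression()`, the escape-normalization rules and the sample stylesheets are assumptions made for this illustration.

```python
import re
from typing import List

# Declarations that let a stylesheet pull in executable content.
# "-moz-binding" is the property the advisory names; "behavior" and
# "expression()" are the Internet Explorer equivalents, added here as an
# assumption about what a site accepting user CSS would also block.
DANGEROUS_PATTERNS = {
    "-moz-binding": re.compile(r"(?<![\w-])-moz-binding\s*:"),
    "behavior": re.compile(r"(?<![\w-])behavior\s*:"),
    "expression": re.compile(r"(?<![\w-])expression\s*\("),
}


def normalize_css(css: str) -> str:
    """Undo the encodings that hide a property name from a naive substring match."""
    # 1. Strip CSS comments; a comment between the property name and the
    #    colon ("-moz-binding/**/:") is still a valid declaration.
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)

    # 2. Resolve hex escapes such as "\2d" (a single optional whitespace
    #    character after the digits is part of the escape and is consumed).
    def _unescape_hex(m: "re.Match") -> str:
        return chr(int(m.group(1), 16))

    css = re.sub(r"\\([0-9a-fA-F]{1,6})\s?", _unescape_hex, css)

    # 3. Resolve single-character escapes such as "\-".
    css = re.sub(r"\\(.)", r"\1", css)

    # 4. Collapse whitespace and lower-case so the patterns stay simple.
    return re.sub(r"\s+", " ", css).lower()


def find_dangerous_declarations(css: str) -> List[str]:
    """Return the names of blocked properties found in an untrusted stylesheet."""
    normalized = normalize_css(css)
    return [name for name, pat in DANGEROUS_PATTERNS.items() if pat.search(normalized)]


def is_safe_user_css(css: str) -> bool:
    """True when the stylesheet contains none of the blocked declarations."""
    return not find_dangerous_declarations(css)


# Constructed sample stylesheets (not from the article): one benign, one with
# the plain property, and two encodings that a bare substring check would miss.
SAMPLES = {
    "benign": "p { color: red; font-weight: bold }",
    "plain": "div { -moz-binding: url(http://example.net/binding.xml#x) }",
    "comment_before_colon": "div { -moz-binding/**/: url(http://example.net/b.xml#x) }",
    "hex_escaped": "div { \\2d moz-binding: url(http://example.net/b.xml#x) }",
}

if __name__ == "__main__":
    for label, css in SAMPLES.items():
        found = find_dangerous_declarations(css)
        print(f"{label:22} -> {found if found else 'clean'}")
```

The normalization step matters more than the pattern list: CSS allows hex escapes and comments inside a declaration, so a check that only searches for the literal string `-moz-binding` passes stylesheets that Firefox would still parse as that property. A site would apply this before storing or serving any user-supplied CSS, and treat a rejection as a signal worth logging rather than silently stripping.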

MIT researchers warn of attacks exploiting Skype
Internet calling applications like Skype could provide malicious people with the ideal disguise for launching attacks, researchers from Cambridge University and the Massachusetts Institute of Technology (MIT) warn. The Communications Research Network (CRN), a communications advocacy group supported by both universities, said no attacks have been seen yet, but "it is only a matter of time before the technique becomes mainstream," Reuters reported late last week.

Luxembourg-based Skype, whose VoIP application of the same name has been downloaded on 242 million computers around the world and was acquired by eBay last year, was not immediately available to comment, Reuters said. The CRN's working group on Internet security discovered that VoIP applications could provide excellent cover for launching denial-of-service attacks, Reuters added.

"In such attacks computers are being hijacked by hackers and turned into so-called 'zombies' in order to bombard a Web site or e-mail server with page requests or e-mails," the Reuters report said. "The aim of the attack is that the site or entire network collapses under the pressure. VoIP cuts a voice conversation into digital bits and hackers can use those data streams for cover, making it almost impossible to trace the source of an attack."

It is more difficult to trace VoIP traffic, which often uses proprietary software with secret code to make sure that Internet phone calls will not be blocked by Internet service providers or firewalls, the article noted. The researchers said the loophole could be resolved "if VoIP providers were to publish their routing specifications or switch over to open standards."

Man gets 2-year prison term for selling Microsoft source code
A man who sold Microsoft source code online will spend the next two years in prison and get three years of supervised probation after he's released. InternetNews.com reported that William Genovese Jr., 29, of Meriden, Conn., was charged with one count of unlawfully distributing a trade secret in violation of the 1996 Economic Espionage Act. Federal prosecutors said Microsoft discovered significant portions of the source code for both Windows NT 4.0 and Windows 2000 were stolen and released on the Internet on or about Feb. 12, 2004. That same day, Genovese posted a message on his Web site, illmob.org, announcing he had obtained a copy of the stolen source code and was offering the code for sale, InternetNews.com reported. Over the course of several e-mail exchanges, an investigator hired by Microsoft and an undercover FBI agent bought the code for $20. Genovese was arrested Nov. 9, 2004, and eventually pleaded guilty last August. His prison term begins March 14.

Fortinet, Trend Micro settle dispute
A long-running patent dispute between Sunnyvale, Calif.-based Fortinet Inc. and Tokyo-based Trend Micro Inc. has been settled, CNET News.com reported Monday. Fortinet said both companies have agreed to urge the U.S. International Trade Commission to dismiss its consideration of the dispute regarding Trend Micro's U.S. Patent 5,623,600. In August, the ITC ordered Fortinet to stop selling its Fortigate products in the United States. At the time, Fortinet said it would work on revamping its products to avoid any infringement on Trend Micro's patent, and estimated it would do that within three months, the CNET News.com report noted. Trend Micro sued Fortinet last year and also filed a complaint with the ITC. Under the deal, the report said, the companies will move to have a pending patent infringement suit in U.S. District Court for the Northern District of California dismissed and to also have an appeal lodged against an ITC decision dismissed. The terms of the settlement were not disclosed, CNET News.com said.
