| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 30 May 2007 11:57:59 -0400 From: "Joey Mengele" <joey.mengele@...hmail.com> To: <full-disclosure@...ts.grok.org.uk>,<csoghoian@...il.com> Subject: Re: New Vulnerability against Firefox/ Major Extensions -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello List, > >------------------------------------ >Frequently Asked Questions >------------------------------------ > >Q: Who is at risk? > >A: Anyone who has installed the Firefox Web Browser and one or >more >vulnerable extensions. These include, but are not limited to: >Google >Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us >Extension, >Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser >Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker. > Don't you mean anyone who has these installed and is using a rogue or compromised DNS server? >Q: How many people are at risk? > >A: Millions. Exact numbers for each toolbar/extension are not >released >by the vendors. Google Toolbar, which is one of the most popular >of >the vulnerable extensions, is installed as part of the download >process with WinZip, RealNetworks' Real Player and Adobe's >Shockwave. >Google publicly pays website publishers $1 for each copy of >Firefox + >Google Toolbar that customers download and install through a >publisher's website. > >Google confirmed in 2005 that their toolbar product's user base >was >"in the millions". Given the number of distribution deals that >have >been signed, the number of users can only have grown in size >since. > Oh stop being such a drama queen. Are you suggesting "millions" have their DNS compromised and their home routers owned? Isn't this bug rather inconsequential for these people anyway? >Q: When am I at risk? > >A: When you use a public wireless network, an untrusted Internet >connection, or a wireless home router with the default password >set. > Duh. You don't need to be running some silly toolbar to be at risk in this scenario. >Q: What can I do to reduce my risk? > >A: Users with wireless home routers should change their password >to >something other than the default. > Are you really suggesting wide scale wireless home router compromise? Is there an army of hacker dudes driving around compromising unprotected wireless routers in the millions that I am not aware of? Surely the Security Focus PharmConMeter(TM) would have alerted me if this were the case! > >Q: Why is this attack possible? > >A: The problem stems from design flaws, false assumptions, and a >lack >of solid developer documentation instructing extension authors on >the >best way to secure their code. > See also "because your DNS server is owned" >---------------------------------- >Description Of Vulnerability >---------------------------------- > Blabla, you are a technical genius. Let's move on Dr. Chris. > >----------------------------------- >When Are Users Vulnerable >----------------------------------- > >Users are most vulnerable to this attack when they cannot trust >their >domain name server. Examples of such a situation include: > > * Using a public or unencrypted wireless network. > > * Using a network router (wireless or wired) at home that has >been >infected/hacked through a drive by pharming attack. This >particular >risk can be heavily reduced by changing the default password on >your >home router. > Hahahahahahha. Drive by pharming. What a fucking joke. This industry is the best. > >------------------------ >Fixing The Problem >------------------------ > > >The number of vulnerable extensions is more lengthy than those >listed >in this document. Until vendors have fixed the problems, users >should >remove/disable all Firefox extensions except those that they are >sure >they have downloaded from the official Firefox Add-ons website >(https://addons.mozilla.org). If in doubt, delete the extension, >and >then download it again from a safe place. > No way dude, use The Internet Explorer! >--------------------------------------------------------- >Self Disclosure/Conflict of Interest Statement >--------------------------------------------------------- > > >Christopher Soghoian is a PhD student in the School of Informatics >at >Indiana University. He is a member of the Stop Phishing Research >Group. His research is focused in the areas of phishing, click- >fraud, >search privacy and airport security. He has worked an intern with >Google, Apple, IBM and Cybertrust. He is the co-inventor of >several >pending patents in the areas of mobile authentication, anti- >phishing, >and virtual machine defense against viruses. His website is >http://www.dubfire.net/chris/ and he blogs regularly at >http://paranoia.dubfire.net > Impressive. The scholarly source Wikipedia [1] says you are also that guy that made boarding passes for Al Qaeda? Kudos. > >Information on this vulnerability was disclosed for free to the >above >listed vendors. > Oi! Such a deal. _Joey [1] http://en.wikipedia.org/wiki/Christopher_Soghoian -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.5 wpwEAQECAAYFAkZdngYACgkQbnLzJSXnVjORJgP/e8QL9VRf4EsTEbkg91b8+J86wf1P 3eYeDo7toYMiT7dV/mKgMSzO3XNVmgKrlrBafiieGxbaOFL1Spu5wKiz04G8DiQs5D7y vbWeQe6o68NYwCikyE4Ed5Hs7EWJFz+6R86x0KfQ3Nn+P3L/tnssUhkmMXHeGCOLZgVi CVVCzxM= =Zd4G -----END PGP SIGNATURE----- -- Click for free info on business schools and make $150K/ year http://tagline.hushmail.com/fc/CAaCXv1I6ylOR9cWSogD0jO1TmrlUWwa/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists