full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] New Vulnerability agai

Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions

From: Joey Mengele <joey.mengele_at_nospam>
Date: Wed May 30 2007 - 15:57:59 GMT
To: <full-disclosure@lists.grok.org.uk>, <csoghoian@gmail.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello List,

>
>------------------------------------
>Frequently Asked Questions
>------------------------------------
>
>Q: Who is at risk?
>
>A: Anyone who has installed the Firefox Web Browser and one or
>more
>vulnerable extensions. These include, but are not limited to:
>Google
>Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us
>Extension,
>Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser
>Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker.
>

Don't you mean anyone who has these installed and is using a rogue or compromised DNS server?

>Q: How many people are at risk?
>
>A: Millions. Exact numbers for each toolbar/extension are not
>released
>by the vendors. Google Toolbar, which is one of the most popular
>of
>the vulnerable extensions, is installed as part of the download
>process with WinZip, RealNetworks' Real Player and Adobe's
>Shockwave.
>Google publicly pays website publishers $1 for each copy of
>Firefox +
>Google Toolbar that customers download and install through a
>publisher's website.
>
>Google confirmed in 2005 that their toolbar product's user base
>was
>"in the millions". Given the number of distribution deals that
>have
>been signed, the number of users can only have grown in size
>since.
>

Oh stop being such a drama queen. Are you suggesting "millions" have their DNS compromised and their home routers owned? Isn't this bug rather inconsequential for these people anyway?

>Q: When am I at risk?
>
>A: When you use a public wireless network, an untrusted Internet
>connection, or a wireless home router with the default password
>set.
>

Duh. You don't need to be running some silly toolbar to be at risk in this scenario.

>Q: What can I do to reduce my risk?
>
>A: Users with wireless home routers should change their password
>to
>something other than the default.
>

Are you really suggesting wide scale wireless home router compromise? Is there an army of hacker dudes driving around compromising unprotected wireless routers in the millions that I am not aware of? Surely the Security Focus PharmConMeter(TM) would have alerted me if this were the case!

>
>Q: Why is this attack possible?
>
>A: The problem stems from design flaws, false assumptions, and a
>lack
>of solid developer documentation instructing extension authors on
>the
>best way to secure their code.
>

See also "because your DNS server is owned"

>----------------------------------
>Description Of Vulnerability
>----------------------------------
>

Blabla, you are a technical genius. Let's move on Dr. Chris.

>
>-----------------------------------
>When Are Users Vulnerable
>-----------------------------------
>
>Users are most vulnerable to this attack when they cannot trust
>their
>domain name server. Examples of such a situation include:
>
> * Using a public or unencrypted wireless network.
>
> * Using a network router (wireless or wired) at home that has
>been
>infected/hacked through a drive by pharming attack. This
>particular
>risk can be heavily reduced by changing the default password on
>your
>home router.
>

Hahahahahahha. Drive by pharming. What a fucking joke. This industry is the best.

>
>------------------------
>Fixing The Problem
>------------------------
>
>
>The number of vulnerable extensions is more lengthy than those
>listed
>in this document. Until vendors have fixed the problems, users
>should
>remove/disable all Firefox extensions except those that they are
>sure
>they have downloaded from the official Firefox Add-ons website
>(https://addons.mozilla.org). If in doubt, delete the extension,
>and
>then download it again from a safe place.
>

No way dude, use The Internet Explorer!

>---------------------------------------------------------
>Self Disclosure/Conflict of Interest Statement
>---------------------------------------------------------
>
>
>Christopher Soghoian is a PhD student in the School of Informatics
>at
>Indiana University. He is a member of the Stop Phishing Research
>Group. His research is focused in the areas of phishing, click-
>fraud,
>search privacy and airport security. He has worked an intern with
>Google, Apple, IBM and Cybertrust. He is the co-inventor of
>several
>pending patents in the areas of mobile authentication, anti-
>phishing,
>and virtual machine defense against viruses. His website is
>http://www.dubfire.net/chris/ and he blogs regularly at
>http://paranoia.dubfire.net
>

Impressive. The scholarly source Wikipedia [1] says you are also that guy that made boarding passes for Al Qaeda? Kudos.

>
>Information on this vulnerability was disclosed for free to the
>above
>listed vendors.
>

Oi! Such a deal.

_Joey

[1] http://en.wikipedia.org/wiki/Christopher_Soghoian -----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.5

wpwEAQECAAYFAkZdngYACgkQbnLzJSXnVjORJgP/e8QL9VRf4EsTEbkg91b8+J86wf1P 3eYeDo7toYMiT7dV/mKgMSzO3XNVmgKrlrBafiieGxbaOFL1Spu5wKiz04G8DiQs5D7y vbWeQe6o68NYwCikyE4Ed5Hs7EWJFz+6R86x0KfQ3Nn+P3L/tnssUhkmMXHeGCOLZgVi CVVCzxM=
=Zd4G
-----END PGP SIGNATURE----- -- Click for free info on business schools and make $150K/ year http://tagline.hushmail.com/fc/CAaCXv1I6ylOR9cWSogD0jO1TmrlUWwa/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/