full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] New Vulnerability agai

Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions

From: Dr. Neal Krawetz PhD <neal_at_nospam>
Date: Wed May 30 2007 - 18:12:44 GMT
To: Joey Mengele <joey.mengele@hushmail.com>, full-disclosure@lists.grok.org.uk


Gobbles aka n3td3v,

Please stop harassing aspiring young PhD students on this list.

I speak for everyone in this community when I say that we are all tired of your shenanigans and that it is time for you to grow up. Clearly you do not have a PhD, and to the best of my knowledge you are not actively pursuing one, and therefor have no voice in computer security.

To my fans: I have just finished reading Niels Provos' work from 2001, and plan on presenting a summary of these dated works at Blackhat 2007 this summer. I look forward to seeing you all there!

Dr. Neal Krawetz, PhD

http://www.hackerfactor.com/
http://www.krawetz.org/

On Wed, May 30, 2007 at 11:57:59AM -0400, Joey Mengele wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello List,
>
> >
> >------------------------------------
> >Frequently Asked Questions
> >------------------------------------
> >
> >Q: Who is at risk?
> >
> >A: Anyone who has installed the Firefox Web Browser and one or
> >more
> >vulnerable extensions. These include, but are not limited to:
> >Google
> >Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us
> >Extension,
> >Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser
> >Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker.
> >
>
> Don't you mean anyone who has these installed and is using a rogue
> or compromised DNS server?
>
> >Q: How many people are at risk?
> >
> >A: Millions. Exact numbers for each toolbar/extension are not
> >released
> >by the vendors. Google Toolbar, which is one of the most popular
> >of
> >the vulnerable extensions, is installed as part of the download
> >process with WinZip, RealNetworks' Real Player and Adobe's
> >Shockwave.
> >Google publicly pays website publishers $1 for each copy of
> >Firefox +
> >Google Toolbar that customers download and install through a
> >publisher's website.
> >
> >Google confirmed in 2005 that their toolbar product's user base
> >was
> >"in the millions". Given the number of distribution deals that
> >have
> >been signed, the number of users can only have grown in size
> >since.
> >
>
> Oh stop being such a drama queen. Are you suggesting "millions"
> have their DNS compromised and their home routers owned? Isn't this
> bug rather inconsequential for these people anyway?
>
> >Q: When am I at risk?
> >
> >A: When you use a public wireless network, an untrusted Internet
> >connection, or a wireless home router with the default password
> >set.
> >
>
> Duh. You don't need to be running some silly toolbar to be at risk
> in this scenario.
>
> >Q: What can I do to reduce my risk?
> >
> >A: Users with wireless home routers should change their password
> >to
> >something other than the default.
> >
>
> Are you really suggesting wide scale wireless home router
> compromise? Is there an army of hacker dudes driving around
> compromising unprotected wireless routers in the millions that I am
> not aware of? Surely the Security Focus PharmConMeter(TM) would
> have alerted me if this were the case!
>
> >
> >Q: Why is this attack possible?
> >
> >A: The problem stems from design flaws, false assumptions, and a
> >lack
> >of solid developer documentation instructing extension authors on
> >the
> >best way to secure their code.
> >
>
> See also "because your DNS server is owned"
>
> >----------------------------------
> >Description Of Vulnerability
> >----------------------------------
> >
>
> Blabla, you are a technical genius. Let's move on Dr. Chris.
>
> >
> >-----------------------------------
> >When Are Users Vulnerable
> >-----------------------------------
> >
> >Users are most vulnerable to this attack when they cannot trust
> >their
> >domain name server. Examples of such a situation include:
> >
> > * Using a public or unencrypted wireless network.
> >
> > * Using a network router (wireless or wired) at home that has
> >been
> >infected/hacked through a drive by pharming attack. This
> >particular
> >risk can be heavily reduced by changing the default password on
> >your
> >home router.
> >
>
> Hahahahahahha. Drive by pharming. What a fucking joke. This
> industry is the best.
>
> >
> >------------------------
> >Fixing The Problem
> >------------------------
> >
> >
> >The number of vulnerable extensions is more lengthy than those
> >listed
> >in this document. Until vendors have fixed the problems, users
> >should
> >remove/disable all Firefox extensions except those that they are
> >sure
> >they have downloaded from the official Firefox Add-ons website
> >(https://addons.mozilla.org). If in doubt, delete the extension,
> >and
> >then download it again from a safe place.
> >
>
> No way dude, use The Internet Explorer!
>
>
> >---------------------------------------------------------
> >Self Disclosure/Conflict of Interest Statement
> >---------------------------------------------------------
> >
> >
> >Christopher Soghoian is a PhD student in the School of Informatics
> >at
> >Indiana University. He is a member of the Stop Phishing Research
> >Group. His research is focused in the areas of phishing, click-
> >fraud,
> >search privacy and airport security. He has worked an intern with
> >Google, Apple, IBM and Cybertrust. He is the co-inventor of
> >several
> >pending patents in the areas of mobile authentication, anti-
> >phishing,
> >and virtual machine defense against viruses. His website is
> >http://www.dubfire.net/chris/ and he blogs regularly at
> >http://paranoia.dubfire.net
> >
>
> Impressive. The scholarly source Wikipedia [1] says you are also
> that guy that made boarding passes for Al Qaeda? Kudos.
>
> >
> >Information on this vulnerability was disclosed for free to the
> >above
> >listed vendors.
> >
>
> Oi! Such a deal.
>
> _Joey
>
> [1] http://en.wikipedia.org/wiki/Christopher_Soghoian
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.5
>
> wpwEAQECAAYFAkZdngYACgkQbnLzJSXnVjORJgP/e8QL9VRf4EsTEbkg91b8+J86wf1P
> 3eYeDo7toYMiT7dV/mKgMSzO3XNVmgKrlrBafiieGxbaOFL1Spu5wKiz04G8DiQs5D7y
> vbWeQe6o68NYwCikyE4Ed5Hs7EWJFz+6R86x0KfQ3Nn+P3L/tnssUhkmMXHeGCOLZgVi
> CVVCzxM=
> =Zd4G
> -----END PGP SIGNATURE-----
>
> --
> Click for free info on business schools and make $150K/ year
> http://tagline.hushmail.com/fc/CAaCXv1I6ylOR9cWSogD0jO1TmrlUWwa/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/