Maximum PC URI RSS Feed

Leaky Addons Make for Big Security Risks for Firefox Users

MarkSoper — Wed, 30 Jan 2008 16:23:52 -0600

Hacking Firefox? It's Easy When There's No JAR to Open

ZDnet's Security Blog reports that Firefox extensions that are not stored in JAR archive files (.JAR) leave users vulnerable to a vulnerability called a chrome URL handling directory transversal attack by hostile JavaScript files (Chrome URIs use extensions stored in the user's Chrome folder).

How big a deal is this? According to Gerry Eisenhaur of hiredhacker.com, who discovered the vulnerability earlier this month, merely opening a website that contains JavaScript aimed at this vulnerability could make Firefox display your preferences file (all.js) or find out what you've been doing by displaying the sessionstore.js file, just to name two examples (see his posting for demos).

Who's Vulnerable?

Mozilla is ranking this vulnerability as 'High Severity' because it can be exploited if you have any of over 600 add-ons installed, ranging from A (allcookies) to Z (Zipedia).

Who to Blame?

According to Mozilla Security Chief Window Snyder, don't blame Firefox; blame the developers that don't use .jar packaging for the add-ons. If you're a web developer (or play one on TV), you might want to review the debate at Bugzilla over this bug (number 413250). If you develop Firefox extensions, switching to JAR packaging might be a really good idea.

Firefox 2.0.0.12 to the Rescue - Real Soon Now

However, just as Microsoft initially blamed others for an Internet Explorer 7 URI vulnerability we discussed last fall, then decided to fix the problem at the operating system level, Mozilla will block this vulnerability with Firefox 2.0.0.12 (current version is 2.0.0.11). Watch for an update, or if you're impatient, visit the Firefox download page frequently.

In The Meantime, Protect Yourself Two Ways

So-called 'Proof of Concept' bugs discovered by the good guys have a nasty habit of being used for actual attacks, so you shouldn't wait for a Firefox update. Here's what you can do today:

1. Install Noscript immediately. Noscript uses preemptive script blocking on a site-by-site basis to stop this and similar script-based vulnerabilities, including XSS vulnerabilities.
2. Install updated versions of your favorite add-ons. A quick review of the list of affected add-ons shows that some affected add-ons are older versions; updated versions might not be affected.

Microsoft Stops URI Threats to Windows XP - Protect Yourself Today!

Mark Soper — Wed, 14 Nov 2007 13:19:10 -0600

URI Vulnerabilities Running Wild

In October, we warned you about a dangerous vulnerability on systems running Windows XP, Internet Explorer 7, and Adobe Acrobat or Reader. The URI protocol handler, which runs email, IM or other applications when you click on a web link, could be used to attack your system. According to Symantec, the problem isn't just with Adobe Acrobat or Reader either: some versions of Mozilla Firefox, Skype, as well as Netscape 7.1, mIRC, and the Miranda 0.7 IM client can also be used to attack systems running Windows XP or Windows Server 2003 via URIs. Since URIs show up in email, web pages, PDF files, IMs and lots of other places, your PC is a "target-rich environment," to say the least.

What Makes URI Attacks Dangerous?

A URI that calls a program in Windows actually asks the Windows Shell32 program to do its bidding. Shell32 uses the ShellExecute function to start the other program. The trouble is that Shell32's a trusting sort, not asking any questions about what the URI is up to. As a result, a bad URI can do anything it wants.

Microsoft Steps Up to Stop URI Attacks via Windows XP, Windows Server 2003

Adobe fixed the problem for Acrobat and Reader 8.x users right away, but, as Symantec's list of other affected applications suggests, the real place to stop the problem is at the operating system level. And, with the release of security bulletin MS07-061, Microsoft is on the job. Tuesday, Microsoft rolled out the URI vulnerability fix for Windows XP and Windows Server 2003 as part of "Patch Tuesday," so it will be showing up in your system's Windows Update offerings shortly. But why wait? You can grab the update for Windows XP right now (Windows Vista users aren't affected). It's a 3MB download, so it won't take long to download and install it. Microsoft identifies this vulnerability as "critical" - and given the omnipresence of URIs, that's putting it mildly.

Can MS07-061 Break Your Favorite Application?

Changing how Shell32 works is not trivial - it's one of the most important components in Windows. Unfortunately, it's possible that the security changes in this new update might cause some programs to no longer work properly. If that happens, you will need to whip out Regedit and make changes to the Registry that will exempt that program from the security update. For details, see Microsoft Knowledge Base article 943460.

-------------------------------------------------------------

Mark Soper and tech legend Leo Laporte have teamed up to solve Windows XP woes with Leo Laporte's PC Help Desk. Grab a copy for yourself or give PC peace of mind to friends and family. It's available at Amazon.com and other fine bookstores.

Got Adobe Acrobat or Reader 8.1? The "Fix" Is In

Mark 'Marcus Soperus' Soper — Mon, 22 Oct 2007 22:55:31 -0500

Acrobat & Reader 8.1 Users - Adobe to the Rescue!

Earlier this month, we told you that the combination of Adobe Reader or Acrobat with Windows XP and Internet Explorer 7 left users facing a major vulnerability: the "mailto" URI used in web pages and PDF files could be used to download and install malware.

Adobe promised they'd have updates to fix the problem by month-end, and they've outdone themselves: they rolled out a security bulletin today with updates to Adobe Reader 8.1 and Adobe Acrobat 8.1. Reader and Acrobat 8.1 become 8.1.1 after patching.

Acrobat & Reader 7.x Users - Still on the Waiting List

You know how software vendors are always telling you to 'update to the lastest version?' Sometimes, there's a good reason, like being first in line for updates for a security problem. Although lots of PCs still use Acrobat and Reader 7.x, Adobe rolled out the patches for Acrobat and Reader 8.1 first. Are Acrobat 7.x users out of luck? Nope. Adobe says it will roll out updates for Acrobat and Reader 7.x users "at a later date." If for some reason you're still using Acrobat or Reader 6.x or earlier - Fuhgeddaboutit! No patches for you.

Can't Wait for 7.x Updates? Disable Mailto: Now!

If you can't run Acrobat or Reader 8.1, follow the workaround provided in both the original and the new security bulletins to disable the Mailto: URI for Acrobat and Reader.