LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-02-2006, 05:27 PM   #31
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,990
Blog Entries: 54

Rep: Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743

How can you prevent a "local privilage escalation exploit?"
By lowering chances. Like staying current with updates. Host hardening can help.


Is there certain software you dl or do you need to play around with your OS settings?
Wha?


Or is it more complicated than the "do not run as root" argument?
Yes. Say there is a problem within the running kernel. Say the problem can be triggered by anyone who has a valid and accessable account on the machine. Then you only need two steps (get the code on the system and have it run) to get what you want (a root shell). I was thinking of the kernel 2.4 series do_mremap() exploits. The patches where available but a lot of people just did not care to patch when the fix was out so a lot of boxen got hit. As for host hardening: at the time (2004-ish) the only people who where safe (IIRC and I don't know if it was for all mremap exploits) where those who ran OpenWall or Grsecurity patched kernels, BTW.
 
Old 10-03-2006, 11:10 AM   #32
the_darkside_986
Member
 
Registered: Feb 2006
Distribution: Ubuntu Feisty (7.04)
Posts: 106

Rep: Reputation: 15
I have a question about email address security. I was using firefox in Suse Linux to look at apple's line of systems just out of curiosity and then the next day a spam message about a free apple notebook was in my main inbox of yahoo mail. (Btw, I use gnome.) I get that crap all the time but it is usually in bulk mail. Was that a coincident or perhaps an exploit? Or do attackers have a non-hacking way to read cookies that might store my e-mail address? I then upgraded to firefox 1.5.07 from 1.5.02. Maybe I should use Konqueror or something.
 
Old 10-03-2006, 11:36 AM   #33
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by the_darkside_986
I have a question about email address security. I was using firefox in Suse Linux to look at apple's line of systems just out of curiosity and then the next day a spam message about a free apple notebook was in my main inbox of yahoo mail. (Btw, I use gnome.) I get that crap all the time but it is usually in bulk mail. Was that a coincident or perhaps an exploit? Or do attackers have a non-hacking way to read cookies that might store my e-mail address? I then upgraded to firefox 1.5.07 from 1.5.02. Maybe I should use Konqueror or something.
there really isn't any way to know for sure what happened... might have been a coincidence, or it might have not... either way, it's a good idea to always run the latest firefox version whenever possible... and use noscript if you can...

if you're concerned about some site having taken advantage of a vulnerability in your old firefox version, i would suggest backing-up your documents and then deleting your home folder's contents and starting a new account from scratch... keep in mind this won't help if you got rooted, but it will take care of any user-level malware that you might have gotten hit with... at the very least, it'll give you a little more peace of mind...

just my ...
 
Old 10-03-2006, 06:08 PM   #34
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Ubuntu / Windows dual boot (for now)
Posts: 515

Rep: Reputation: 30
Easy fix ?

For Win32, unSpawn, and anyone else reading:

I noticed the article about the recent Firefox problem (I posted the article link earlier) seems to focus on Java.

When I go to Firefox "preferences" then "content" I notice two (2) Java related options:

1) Enable Java
2) Enable Javascript

My questions:

a) What is the difference between these two options
b) If I simply "uncheck" one (1) or both of those boxes, and the firefox flaw is indeed Java related, then wouldn't this just be an easy fix? Then all I would have to do is check the box(s) if I run into a website requiring Java. Or is it more complicated than that?

Thanks!
 
Old 10-03-2006, 06:55 PM   #35
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by MBA Whore
For Win32, unSpawn, and anyone else reading:

I noticed the article about the recent Firefox problem (I posted the article link earlier) seems to focus on Java.
no, it focuses on javascript, which is totally different...

Quote:
When I go to Firefox "preferences" then "content" I notice two (2) Java related options:

1) Enable Java
2) Enable Javascript

My questions:

a) What is the difference between these two options
on is for java, one is for javascript...

Java: http://en.wikipedia.org/wiki/Java_programming_language

JavaScript: http://en.wikipedia.org/wiki/JavaScript

Quote:
b) If I simply "uncheck" one (1) or both of those boxes, and the firefox flaw is indeed Java related, then wouldn't this just be an easy fix? Then all I would have to do is check the box(s) if I run into a website requiring Java. Or is it more complicated than that?

Thanks!
disabling javascript MIGHT be a work-around... but as has been stated by unSpawn, firefox has some javascript security issues even with javascript disabled...

instead of using the firefox configuration to enable/disable javascript as needed, i would suggest installing the noscript extension, which will let you whitelist sites you wish to allow javascript for (among other things)...

keep in mind that if the firefox code is indeed as messed-up as those two crackers say it is, then none of these approaches is likely to be a *true* workaround - we'll probably just need to wait for the code to get patched...

Last edited by win32sux; 10-03-2006 at 06:58 PM.
 
Old 10-04-2006, 11:42 AM   #36
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid
Posts: 4,732
Blog Entries: 12

Rep: Reputation: 455Reputation: 455Reputation: 455Reputation: 455Reputation: 455
Technology News: Security: Reported Firefox JavaScript Flaws Just a Joke, Hackers Admit
Quote:
A pair of presenters at the ToorCon conference in San Diego over the weekend claimed to have knowledge of a series of Javascript vulnerabilities in the open source Firefox browser. On Tuesday, however, the duo admitted that their claims were untrue and meant to be humorous. "I think it's an attempt on their part to grab some of the limelight," said IT-Harvest Chief Research Analyst Richard Stiennon.
So much for Javascript being messed up in Firefox.
 
Old 10-04-2006, 03:58 PM   #37
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
holy crap... well, i guess this is good news, no?? wow, what a weird publicity stunt...

here's a few more articles with the story:

http://news.com.com/Hacker+backpedal...3-6122317.html

http://www.cio.com/blog_view.html?CID=25459

http://www.theinquirer.net/default.aspx?article=34836

i don't know what to say about these two guys... =/
 
Old 10-04-2006, 04:03 PM   #38
Ygrex
Member
 
Registered: Nov 2004
Location: Russia (St.Petersburg)
Distribution: Debian
Posts: 657

Rep: Reputation: 66
but mozilla reviews the code, let them work
 
Old 10-04-2006, 07:39 PM   #39
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Ubuntu / Windows dual boot (for now)
Posts: 515

Rep: Reputation: 30
Win32 (and others):

For the sake of argument, let us assume that those vulnerabilities are indeed real (i.e., those two crackers did indeed find serious problems).

Will "no script" work in Linux? I was under the distinct impression that all firefox "add-ons" were only valid in the Windows version of firefox.

Also, it is a bit off topic, but how does Opera compare to Firefox? I have heard conflicting information about it. Some say it is open source, others do not. Wiki wasn't much help either.

Is there a forum for Opera questions on this website?

Regarding these two crackers. . .I personally won't feel comfortable until BOTH come forward and admit a hoax, not just one. If it were a hoax, then I would really like to know how they faked the video showing the flaws (supposedly they had a video showing the firefox flaws).

Regardless, thanks again to all.
 
Old 10-05-2006, 12:22 AM   #40
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by MBA Whore
Will "no script" work in Linux? I was under the distinct impression that all firefox "add-ons" were only valid in the Windows version of firefox.
yes, noscript works on linux, as do a great deal of extensions... when you go to the firefox extensions site, there is an indicator for each extension letting you know what platforms it works on... notice how noscript says:
Quote:
Firefox 1.0 - 3.0a1 ALL
https://addons.mozilla.org/firefox/722/

Quote:
Is there a forum for Opera questions on this website?
you can use the regular software forum...

Last edited by win32sux; 10-05-2006 at 12:24 AM.
 
Old 10-05-2006, 05:05 PM   #41
Caesar Tjalbo
Member
 
Registered: Aug 2006
Location: Enschede, The Netherlands
Distribution: sidux
Posts: 91

Rep: Reputation: 16
Quote:
Originally Posted by craigevil
I haven't heard Mozilla state that their js implementation isn't a mess.


Anyway, if it's a wake-up call to comb through the code again on a bug-hunt I can only be happy with it. Unless new bugs are introduced of course.
 
Old 10-06-2006, 04:02 PM   #42
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,515

Rep: Reputation: 62
Hi all, seem's to me now it's a question of whether or not you believe they did crack it or they did not crack it.

One could theorize they know of cracks, admitted it because firefox is opensource and they were giving a heads up but wanted to make some money for themselves, only to find too much pressure on them from media, or their local government, so to divert attention, said they lied.

IIRC they had Mozilla people there who saw the demonstration and they were convinced that the claims were justifiable based on the info given them.

This really seems shady to me.

Sounds like these guys 'screamed fire in a movie theatre' but still this whole scenario is awefully suspsicious to me. I hope that mozilla really does fully investigate to put closure on this, otherwise it could really be a PR and credibility issue for them.
 
Old 10-06-2006, 07:39 PM   #43
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Ubuntu / Windows dual boot (for now)
Posts: 515

Rep: Reputation: 30
I agree. So far as I know

Old Fogie:

I agree. So far as I know, only one (1) of the two (2) supposed hackers admitted it was a hoax. Why is the other hacker being silent? Who knows why, but it is cause for concern.

Also, I remember the original article stated that a video was used to show the supposed Firefox bugs. Has anyone checked that video for authenticity? If the bugs are a hoax, then the video must also be a hoax.

I hope Mozilla keeps looking, just to be sure. Better to be safe than sorry.
 
Old 11-08-2006, 06:19 AM   #44
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Exclamation Mozilla Firefox and SeaMonkey Multiple Vulnerabilities (Highly Critical)

Quote:
Description:
Some vulnerabilities have been reported in Mozilla Firefox and Mozilla SeaMonkey, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, and potentially compromise a vulnerable system.

1) The bundled Network Security Services (NSS) library contains an incomplete fix for the RSA signature verification vulnerability reported in MFSA 2006-60.

For more information:
SA21903

2) An error exists within the handling of Script objects. This can potentially be exploited to execute arbitrary JavaScript bytecode by modifying already running Script objects.

3) Some unspecified errors in the layout engine and memory corruption errors in the JavaScript engine can be exploited to crash the application and may allow execution of arbitrary code.

4) An unspecified error within XML.prototype.hasOwnProperty can potentially be exploited to execute arbitrary code.

Solution:
Update to Mozilla Firefox 1.5.0.8 and SeaMonkey 1.0.6.
Secunia Advisory
 
Old 12-19-2006, 04:32 PM   #45
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Exclamation Mozilla Firefox Multiple Vulnerabilities (Highly Critical)

Quote:
Description:
Multiple vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to gain knowledge of certain information, conduct cross-site scripting attacks, and potentially compromise a user's system.

[...]

Solution:
Update to version 1.5.0.9 or 2.0.0.1.
Secunia Advisory


NOTE: SeaMonkey and Thunderbird are also affected.

Last edited by win32sux; 12-19-2006 at 09:48 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Mozilla Thunderbird to Find New Home as Mozilla Foundation Focuses on Mozilla Firefox LXer Syndicated Linux News 0 07-27-2007 09:16 AM
LXer: Mozilla Firefox 1.5.0.8 and Mozilla Thunderbird 1.5.0.8 Released LXer Syndicated Linux News 0 11-09-2006 05:21 PM
LXer: Mozilla Corporation Signs Mozilla Firefox Distribution Deal with RealNetworks LXer Syndicated Linux News 0 08-03-2006 03:21 PM
LXer: Mozilla Firefox and Mozilla Thunderbird 1.5.0.5 Community Test Day LXer Syndicated Linux News 0 07-14-2006 08:54 AM
Mozilla flaws could allow attacks, data access into Firefox & Mozilla web browsers! t3gah Linux - Security 6 04-09-2006 04:00 AM


All times are GMT -5. The time now is 12:19 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration