מוזילה הודיעה לאחרונה על עוד פרצת אבטחה בדפדפן FireFox והיא ממליצה לכל משתמשי הדפדפן להוריד את העדכון במהירות. פרצת האבטחה מאפשרת להאקרים להריץ קודים זדוניים במסווה של תמונות Animated Gif המאוד פופולריות באינטרנט.
על פי חברת מוזילה, עדכון האבטחה שוחרר לרשת עוד לפני שאוכלוסיית ההאקרים (ימח שמם) הספיקה לגלות את הפרצה. מוזילה שיחררה את הדפדפן החינמי בגרסה 1.02 וכאמור, הפצירה בפני המשתמשים להתקין את העדכון.
על פי דו"ח של חברת סימנטק, בחצי האחרון של שנת 2004 סבל הדפדפן של מוזילה מ-21 פרצות אבטחה, לעומת 13 פרצות בלבד בדפדפן הפופולרי של מיקרוסופט. נראה כאילו עם ההצלחה מגיעה גם הסכנה. ראוי לציין כי מתוך כל הפרצות, רק 7 פרצות בפיירפוקס הוגדרו כ"מסוכנות מאוד" לעומת 9 פרצות מסוג זה באקספלורר.
לינק לגירסא החדשה של הדפדפן FF: http://www.mozilla.org/products/firefox/releases/1.0.2.html
ליותר מידע על הבאג בEweek: http://www.eweek.com/article2/0,1759,1778709,00.asp
26/03/2005 20:28:08
cp77fk4r
אגב, היה נחמד אם חברה היו מגיבים בלינק המקורי על השורה שהכתב כתב:
"לפני שאוכלוסיית ההאקרים (ימח שמם) הספיקה לגלות את הפרצה. "
שאין קשר להאקרים- אלה לקראקרים.
26/03/2005 21:02:50
cp77fk4r
מה שנכתב על הבאג בISS. (http://xforce.iss.net/xforce/alerts/id/191): קוד: Internet Security Systems Protection Advisory March 23, 2005
Mozilla Foundation GIF Overflow
Summary:
ISS has shipped protection for a flaw X-Force has discovered in the GIF image processing library used in software developed by the Mozilla Foundation. This library is used by the Firefox web browser, the Mozilla browser, and Mozilla’s Thunderbird Mail client. By crafting a GIF file in a malicious manner, an attacker is able to trigger a heap overflow within the application viewing the image, leading to arbitrary code execution and remote compromise.
ISS Protection Strategy:
ISS has provided preemptive protection for these vulnerabilities. We recommend that all customers apply applicable ISS product updates.
Network Sensor 7.0, Proventia A and G100, G200, G1200: XPU 24.3 / 3/14/05 Image_GIF_Netscape_Extension_BO
Proventia M and G400, G2000: XPU 1.42 / 3/14/05 Image_GIF_Netscape_Extension_BO
Server Sensor 7.0: XPU 24.3 / 3/14/05 Image_GIF_Netscape_Extension_BO
Desktop Protector 7.0: Version EOB / 3/14/05 Image_GIF_Netscape_Extension_BO
BlackICE Agent for Server 3.6: Version EOB / 3/14/05 Image_GIF_Netscape_Extension_BO
Internet Scanner 7.0: XPU 7.44 / March 10, 2005 VulnerableMozillaProductDetected
These updates are now available from the ISS Download Center at: http://www.iss.net/download.
Business Impact:
Compromise of networks and machines using affected Mozilla products may lead to exposure of confidential information, loss of productivity, and further network compromise. An attacker would be required to cause a user to view a malicious website or email containing a maliciously crafted image. Successful exploitation would grant an attacker the privileges of the user viewing the image, up to and including administrative privileges.
Affected Products:
Firefox – all versions prior to 1.0.2 Mozilla web browser – all versions prior to 1.7.6 Mozilla Thunderbird Mail – all versions prior to 1.0.2
Note: Additional versions may be affected, please contact your vendor for confirmation.
Description:
Graphic Interchange Format (GIF) is a common and established image standard. This image format is widely supported in applications that view images, including web browsers and email clients developed by the Mozilla Foundation.
Mozilla Foundation software makes use of a common image library to render GIF images. This library contains a buffer overflow vulnerability when processing a Netscape-specific extension block in GIF images. Exploitation of this buffer overflow can lead to remote compromise of affected machines with minimal user-interaction.
In order to exploit this vulnerability, an attacker would be required to induce the victim to view a web page or email message containing a maliciously-crafted GIF image.
The ISS X-Press Updates detailed above have the ability to protect against attack attempts targeted at Mozilla products.
Additional Information:
Mozilla Foundation Security Advisory: http://www.mozilla.org/security/announce/mfsa2005-30.html
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-0399 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Credit:
This vulnerability was discovered and researched by Mark Dowd of the ISS X-Force.
______
About Internet Security Systems (ISS) Internet Security Systems, Inc. (ISS) is the trusted security expert to global enterprises and world governments, providing products and services that protect against Internet threats. An established world leader in security since 1994, ISS delivers proven cost efficiencies and reduces regulatory and business risk across the enterprise for more than 11,000 customers worldwide. ISS products and services are based on the proactive security intelligence conducted by ISS’ X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. Headquartered in Atlanta, Internet Security Systems has additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.
Copyright (c) 2005 Internet Security Systems, Inc. All rights reserved worldwide.
This document is not to be edited or altered in any way without the express written consent of Internet Security Systems, Inc. If you wish to reprint the whole or any part of this document, please email xforce@iss.net for permission. You may provide links to this document from your web site, and you may make copies of this document in accordance with the fair use doctrine of the U.S. copyright laws.
Disclaimer: The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
X-Force PGP Key available on MIT’s PGP key server and PGP.com’s key server, as well as at http://www.iss.net/security_center/sensitive.php Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.
26/03/2005 22:52:34
Nameless
אלה לא קראקרים. כשאנשים קראו לפורצי מחשב האקרים (ודרסו את הפירוש הישן של המילה) אנשים ניסו למצוא תחליף למילה אבל דרסו עוד מילה ושינו את המשמעות הישנה שלה, שהמילה הזאת היא "קראקרים". יש איזה ריאיון יפה של עמנואל גולדסטין עם איזה רשת חדשות כלשהי, שמומלץ לקרוא. לא זוכר איפה ראיתי את זה.
27/03/2005 04:17:13
cp77fk4r
Black Hat & White Hat. זה מה שאני מתכוון.
עמודים:
1
