Bugs or bad programming practices may leak information like passwords or history to web and Wi-Fi attackers. The developers provide two examples of how extensions can be exploited by attackers. The two extensions mentioned, Open Attribute and Silver Bird, have since been fixed by their development teams.

The Open Attribute extension helps users read the Creative Commons (CC) licenses of web sites. In the typical use case, a user clicks on the extension’s browser action to see a web site’s attribution information. Open Attribute embeds the site’s CC license in the extension’s popup window, using innerHTML. A malicious web site could serve a fake CC license that includes inline scripts, or a WiFi attacker could insert inline scripts into a license provided by a legitimate web site like Wikipedia. The inserted code then runs in the extension’s popup window with the extension’s privileges. This bug was fixed in Open Attribute 0.7 by setting a Content Security Policy for the extension.

Example 2: Silver Bird 1.9.7.9
Silver Bird allows users to post and read Twitter messages without navigating to twitter.com, and it currently has over 200,000 users. The extension makes an XHR to Twitter using either HTTP or HTTPS, based on the user’s settings. It displays the retrieved messages in the core extension, using innerHTML in several places. If a user were to specify an HTTP URI, a WiFi attacker could insert inline scripts into the XHR response. Luckily, Twitter prevents its users from launching this attack by sanitizing user messages. This bug was fixed in version 1.9.8.4 by replacing innerHTML with innerText.

The two other extensions that have been named in the article are Last Pass and XMarks, which were both protected against those kinds of attacks.

Interestingly enough vulnerabilities were split more or less evenly between popular and random samples, as Adrienne Porter Felt points out.

Probably the most interesting aspect here is that the vulnerability count would drop from 51 vulnerabilities to 2 (a reduction of 96%) if the extension developers would have followed Google Chrome’s Content Security Policies. Implementing those security guidelines will block attempts by an attacker to “take over an extension by injecting malicious JavaScript into the core extension”.

The researchers have decided to not publish the full list of vulnerable and protected extensions at this time to give extension developers ample time to protect their extensions from these kind of attacks.

The developers are not aware of attacks exploiting those vulnerabilities at this point and note that nearly all important extensions with vulnerabilities have updated their extensions already.

The full security paper will be released at the beginning of November. (via)

Last years leader, Oracle, dropped to second spot while Microsoft managed to retain the third spot firmly in the last five years.

Adobe made their first appearance in the top ten in 2008, and managed to climb to position five in this report. Lastly, Google is now ranking on position nine in the listing, displacing Mozilla, which now ranks on ten.

security vulnerabilities

To gain more insight into the security ecosystem we identify the group of the ten vendors with the most vulnerabilities (in all their products) in any given year. Since 2005 these Top-10 vendors are responsible for about 38% of the total vulnerabilities representing 16% of the Secunia Advisories per year. The composition of the Top-10 group varied only slightly in this period; seven of the Top-10 vendors with the highest vulnerability counts in 2005 are still in the Top-10 group in 2010.

The total amount of security vulnerabilities was used to create the report, with severity ratings playing no role in the rankings. This means that software from a company with more vulnerabilities does not necessarily have to be more insecure. The trend however is obvious. The graph shows a clear jump in rankings for Adobe, a company that is struggling to keep up with patching security vulnerabilities in its flagship products Adobe Reader and Adobe Flash.

Attackers have noticeable shifted attacks from operating systems to third party software, and Apple, along with Adobe and Oracle, happens to produce several popular programs, including iTunes, Quicktime and the Safari browser.

Speaking of Safari, an Autofill vulnerability has just been uncovered that allows websites to uncover private information.

Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address. Safari v4 & v5, with a combined market browser share of 4% (~83 million users), has a feature (Preferences > AutoFill > AutoFill web forms) enabled by default. Essentially we are hacking auto-complete functionality.

Attack vectors have been analysed by Secunia as well. Remote attacks are still on the rise while local network and system attacks slowly declining.

We observe that “From remote” is consistently and by far the most prevalent attack vector (81% in average), compared to “Local system” with 9.8% and “Local network” with 8.2% in average over the last five years. Thus, most of the vulnerabilities expose the user of the software to remote attacks. Based on the data available by mid 2010 we do not expect a change by the end of the year.

In every report, Secunia analyses a typical Windows PC environment (both Vista and XP) with a top-50 software portfolio consisting of 26 Microsoft and 24 non-Microsoft programs.

The analysis confirms the growing trend of exploiting third party software.

The vulnerabilities breakdown shows an overall increase in vulnerabilities on both systems. The vulnerabilities disclosed in Microsoft programs rose by about 50%, from 85 in 2009 to now 62 in the first half of 2010, with a projection to end at about 120 vulnerabilities.

The third part programs increase is earth shattering. From 286 vulnerabilities in 2009, to 275 in the first half of 2010 and a projected total of 550 at year end. That’s a 100% increase, and more than four times as many vulnerabilities as in Microsoft programs.

vulnerabilities

The next figure visualizes the increase in third party software vulnerabilities.

third party software

Mozilla Firefox tops the vulnerability listing with 96 reported vulnerabilities, followed by Safari with 84, Java and Google Chrome with 70, Adobe Reader with 69, Adobe Flash Player and Adobe AIR with 51, Apple iTunes with 48 and Mozilla Thunderbird with 36.

The top Microsoft programs are Internet Explorer with 49, Excel Viewer with 37 and Excel with 30.

Typically, a user can patch 35% of the vulnerabilities with one update mechanism (Microsoft’s), and needs to master another 13 or more different update-mechanisms to patch 65% of the 3rd party program vulnerabilities.

Interested users can access the full PDF report over at the Secunia website.

Adobe on the other hand plans to release security patches for its popular PDF reader Adobe Reader that are also rated critical. The updates will all be released tomorrow and system administrators will certainly their hands full updating the computer systems that run the software and operating systems.

A closer look at the Microsoft Patch Day reveals eight critical security vulnerabilities and five important vulnerabilities that will get fixed with the patches that are released tomorrow. The majority of vulnerabilities affects the Windows operating system but it does also include one critical Internet Explorer vulnerability.

System administrators and Windows users are encouraged to visit the two websites linked above for further information. These websites will also contain the links to patch the security vulnerabilities. Windows users can also use Windows Update, Microsoft Update or Automatic Updates to update their operating system.

The easiest way to download and install the patches is by pointing the Internet Explorer web browser to Microsoft Update which will automatically detect and install the available patches for the computer system. Other possibilities include downloading the security patches from Microsoft Download Center from where they are available as well.

Six vulnerabilities have been rated as critical, three as important and one as moderate. Critical security vulnerabilities can usually be exploited for remote code execution meaning it is essential to fix these vulnerabilities quickly. You can follow the links below for additional information about each vulnerability.

• MS09-018 – Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)
• MS09-019 – Cumulative Security Update for Internet Explorer (969897)
• MS09-020 – Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
• MS09-021 – Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)
• MS09-022 – Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)
• MS09-023 – Vulnerability in Windows Search Could Allow Information Disclosure (963093)
• MS09-024 – Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)
• MS09-025 – Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
• MS09-026 – Vulnerability in RPC Could Allow Elevation of Privilege (970238)
• MS09-027 – Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)

A total of 13 security vulnerabilities are fixed by the Java update. Attackers can use those vulnerabilities for various attacks on a computer system that can lead to privilege escalations.

Probably the easiest way to uninstall old versions of Java and to install the latest secure update is by using the third party software Java RA. Java RA can uninstall old versions of Java. Users should download the latest JRE directly from Sun and install it on their systems. Java Ra should be run after the installation as it will remove all old versions of Java while keeping the latest version installed.

List of vulnerabilities:

• The Java Runtime Environment Creates Temporary Files That Have “Guessable” File Names
• Java Runtime Environment (JRE) Buffer Overflow Vulnerabilities in Processing Image Files and Fonts

May

• Allow Applets or Java Web Start Applications to Elevate Their Privileges
• Multiple Security Vulnerabilities in Java Web Start and Java Plug-in May Allow Privilege Escalation
• The Java Runtime Environment (JRE) “Java Update” Mechanism Does Not Check the Digital Signature of the JRE that it Downloads
• A Buffer Overflow Vulnerability in the Java Runtime Environment (JRE) May Allow Privileges to be Escalated
• A Security Vulnerability in the Java Runtime Environment (JRE) Related to Deserializing Calendar Objects May Allow Privileges to be Escalated
• The Java Runtime Environment UTF-8 Decoder May Allow Multiple Representations of UTF-8 Input
• Security Vulnerability in Java Runtime Environment May Allow Applets to List the Contents of the Current User’s Home Directory
• Security Vulnerability in the Java Runtime Environment With Processing RSA Public Keys
• A Security Vulnerability in Java Runtime Environment (JRE) With Authenticating Users Through Kerberos May Lead to a Denial of Service (DoS)
• Security Vulnerabilities in the Java Runtime Environment (JRE) JAX-WS and JAXB Packages may Allow Privileges to be Escalated
• A Security Vulnerability in Java Runtime Environment (JRE) With Parsing of Zip Files May Allow Reading of Arbitrary Memory Locations
• A Security Vulnerability in the Java Runtime Environment may Allow Code Loaded From the Local Filesystem to Access LocalHost

Users who cannot install the Java update immediately should disable Java for the time being to protect their computer system from the exploits.

The vulnerability rated as critical could allow remote code execution in the in Microsoft XML Core Services while the vulnerability rated important could allow remote code execution in Microsoft Server Message Block (SMB) Protocol.

Both security vulnerabilities can be fixed by using Windows Update or by downloading the security updates directly from the Microsoft Download website by following the two links given above in this article.

Microsoft released a batch of eleven security patches for various operating systems and products yesterday which are available by visiting Windows Update or Microsoft Technet which contains in depths information about the affected products and the security vulnerabilities.

The patches fix four critical, six important and 1 moderate security vulnerability:

• Vulnerability in Active Directory Could Allow Remote Code Execution (957280)
• Cumulative Security Update for Internet Explorer (956390)
• Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)
• Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)

• Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)
• Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)
• Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)
• Vulnerability in SMB Could Allow Remote Code Execution (957095)
• Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)
• Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)

• Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)

It is highly recommended to update the products as soon as possible to protect the system from this attacks.

Use the following links to open the Security Bulletins directly: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution [link], Vulnerability in Microsoft Publisher Could Allow Remote Code Execution [link], Vulnerability in Microsoft Jet Database Engine Could Allow Remote Code Execution [link] and Vulnerabilities in Microsoft Malware Protection Engine Could Allow Denial of Service [link].

It is as always advised to update the system as soon as possible. The first two patches have to be applied to users of Microsoft Office, the third by almost everyone and the fourth by users who use Microsoft Malware protection applications.

The Cumulative Security Update for Internet Explorer patches Internet Explorer 6 and newer versions of Internet Explorer. If the user visits a specially prepared website an attacker can gain the same rights on the Windows system as the user who is currently logged into the system. While this does not affect other browsers and to a lesser extent users who do not use administrative accounts it is still recommended to update the software immediately.

The Vulnerabilities in .NET Framework Could Allow Remote Code Execution patch fixes three security vulnerabilities. Two of them allow remote code execution and one information disclosure. It is again advised to update the system immediately to fix those security holes.

I discovered the software Windows Vulnerability Scanner at Tech Malaya which scans a Windows NT system, that is Windows 2000, Windows XP, Windows 2003 Server or Windows Vista for security vulnerabilities. It seems to use information from the Microsoft Knowledgebase exclusively and one would assume that a system that downloaded all Windows Updates recently reveal no vulnerabilities. I let the software scan my system and it did find six critical and one important security vulnerability that had not been patched yet.

I’m not sure how this can be but was glad that the application revealed the information to me. It lists the vulnerabilities and provides links to the Microsoft website that contains information about it.

The Knowledgebase article at Microsoft contains a link to the download of the security patch and I did install all the patches one after the other. An improvement would have been if the software would automatically download the patches and install them on the system, or at least those that the user selects. If you have not been to Windows Update for a while I suggest you start there and scan the system again afterwards which should fix most of the security vulnerabilities found during the first scan.

Update: The developer website does not seem to be available anymore. You can download the latest version of Windows Vulnerability Scanner from software repositories such as Freeware Files. Just download the program from there and use it normally. Keep in mind though that it is not clear at this point in time if development has stopped or is still ongoing.

All critical vulnerabilities which affect Microsoft Windows, Microsoft Office and Internet Explorer allow Remote Code Execution. The easiest way to patch these security vulnerabilities is by visiting the Windows Update website with Internet Explorer and let a script check the available updates for your system. Please note that you will be asked if you want to install Service Pack 3 Refresh 2 for Windows XP if you use that operating system. My advise would be to not install this version yet and wait for the release version.

All security updates will be displayed and are selected for immediate download and installation. You could follow the link above which leads to the Microsoft website that explains the vulnerabilities and leads to downloads of the patches. This means that you have to make sure to pick the correct downloads for your operating system and software.

Two security patches have been released this month, they are the critical Microsoft Security Bulletin MS08-001 and the important Microsoft Security Bulletin MS08-002. The critical patch fixes vulnerabilities in Windows TCP/IP that could allow remote code execution while the important patch deals with a vulnerability in LSASS that could allow local elevation of privilege.

Both patches are available through Windows Updates but also as single downloads. Several operating systems need to be patched including Windows Vista (only the critical), Windows 2000 and Windows XP. Downloads are available if you follow the links above.

Every user should head out immediately and use either Windows Updates or browse the Microsoft website manually to download the security patches. I have added the download links to all security patches at the end of the article to make things easier for you.

A quick glance at the security vulnerabilities revealed that five patches have to be downloaded for both Windows XP and Windows Vista. Take a look at the Microsoft Security Bulletin overview site if you are using a different operating system to find out what has been patched for it.

Windows Vista:

Microsoft Security Bulletin MS07-063 – Important (Vulnerability in SMBv2 Could Allow Remote Code Execution (942624))

Microsoft Security Bulletin MS07-064 – Critical (Vulnerabilities in DirectX Could Allow Remote Code Execution (941568))

Microsoft Security Bulletin MS07-066 – Important (Vulnerability in Windows Kernel Could Allow Elevation of Privilege (943078))

Microsoft Security Bulletin MS07-068 – Critical (Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275))

Microsoft Security Bulletin MS07-069 – Critical (Cumulative Security Update for Internet Explorer (942615))

Windows XP:

Microsoft Security Bulletin MS07-064 – Critical (Vulnerabilities in DirectX Could Allow Remote Code Execution (941568))

Microsoft Security Bulletin MS07-065 – Important (Vulnerability in Message Queuing Could Allow Remote Code Execution (937894))

Microsoft Security Bulletin MS07-067 – Important (Vulnerability in Macrovision Driver Could Allow Local Elevation of Privilege (944653))

Microsoft Security Bulletin MS07-068 – Critical (Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275))

Microsoft Security Bulletin MS07-069 – Critical (Cumulative Security Update for Internet Explorer (942615))

The process requires some faith that the xss worm is really fixing the vulnerabilities but the application itself is easy. About the faith: I have not read negative reviews so far and the worm has been released two days ago which should be enough time for some experts to complain about it.

If you want to secure your blog you simply write a comment on your own blog while you are logged in as the administrator linking to http://mybeni.rootzilla.de/mybeNi/ ; Click on that link from your admin panel afterwards which will lead to the site.

The first page explains what will be done and only if you actively click on “Secure my Blog” the vulnerability scan will be started. It will check three WordPress files for the vulnerabilities and offer to fix them if the vulnerability is found.

The vulnerabilities can only be fixed if the files are writable so make sure they are. An alternative would be to copy the code that will be inserted and add it manually in the files. The complete code of the file is shown and the addition is highlighted.

I suggest to run the worm a second time to make sure that your blog is safe and that the fixes have been applied.