Cross-Site XHR Removed from Firefox 3

According to this Bugzilla entry, Bug 424923 - Remove Cross-Site XHR, Cross-Site XMLHttpRequest (XHR) support has been removed from Mozilla Firefox 3. Mike Shaver made brief mention of this in his latest blog post.

I think this is good news overall. It just didn't seem that the whole concept of cross-site XHR was fully baked. Given the prevalence of cross-domain web attacks, waiting for the specification to settle is probably an excellent idea.

Posted by gfleischer on 2008/03/27 at 20:53 in Security

Mozilla Firefox 2.0.0.13 Released

Mozilla Firefox 2.0.0.13 has been released. See the release notes for more information.

There are security fixes for a couple of vulnerabilities that I was involved with:

I'll be posting some more information about these in the future.

Posted by gfleischer on 2008/03/25 at 22:19 in Security

Tor Google Summer of Code - Torbutton Testing

Tor and EFF are once again taking part in Google's Summer of Code (GSOC). See The Tor Project is in Google Summer of Code 2008! post or Work on Tor this summer, get paid by Google.

The volunteer projects page has some great ideas. And the deadline is rapidly approaching (March 31, 2008 at 5pm Pacific Time).

I've always been fascinated by client-side attacks that use the web browser as a launching pad. Although the networking aspect of anonymity is interesting (and critically important!), the application-level attacks seem more practical from a high-level point of view. There is an extremely low barrier to entry for an adversary to configure a Tor exit node and start injecting malicious traffic.

Currently, Torbutton is the preferred Firefox plugin for enabling and disabling the use of Tor from within the browser. There has been a large amount of work going into improving the anonymity profile for Firefox users. Ideally, an adversary should not be able to unmask a user by profiling browser attributes or forcing plugins to make direct network connections.

To this end, I've set up a Torbutton testing page that lists several possible attacks. Many of these are fixed in the latest development version of Torbutton. Unfortunately, some require changes in the Firefox browser to achieve the more complete anonymity that many users desire.

Note: this is primarily a resource for developers or researchers.

So, if you are a student who enjoys Firefox, JavaScript and plugin hacking, the "Testing integration of Tor with web browsers for our end users" topic may be a good project to look at. There is still a large amount of research to be done, especially focused on the soon-to-be-released Firefox 3 web browser.

Posted by gfleischer on 2008/03/25 at 21:57 in Tor

Importing DLDOS dataloss.csv into MySQL

I've been a big fan of Attrition.org's Errata: (DLDOS: Data Loss Database - Open Source) data set for a long time. When I first started working with it, I wanted something more friendly than just the straight CSV file to crunch. As a result, I created a very simple MySQL schema to hold it and wrote some simple bash scripts to get the data imported. It got more complicated following an aborted Ruby on Rails project due to the addition of reference tables for id values and data type checks.

I noticed that there still don't appear to be any publicly available scripts to import 'dataloss.csv' into a MySQL database, so I went ahead and bundled up what I had. These scripts are pretty rough and the documentation is limited, so you'll want to look at the source to answer any questions.

You can download the package directly: dldos-db-mysql-0.1.tar.gz (sig). See the README for more information.

Eventually, I'd like to consolidate the scripts into a single utility that could handle the entire import process. Hopefully, what I've posted will be of use to someone.
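To show the two things the bundled scripts grew to handle, type checks on each row and a reference table for id values, here is an added example that is not part of the dldos-db-mysql package. The column names and the incidents in the sample CSV are assumptions made for this illustration, not the real dataloss.csv layout, and SQLite stands in for MySQL so it runs offline.

```python
import csv
import io
import sqlite3
from datetime import date

# Constructed sample in the spirit of dataloss.csv. Column names and rows are
# assumptions for this example, not the real DLDOS layout; two rows are bad.
SAMPLE_CSV = """Date,Organization,BreachType,TotalAffected
2007-01-17,Example Retail Corp,Hack,45000000
2007-11-20,Example Revenue Office,LostTape,25000000
bad-date,Example Hospital,Hack,10
2008-02-01,Example University,Hack,notanumber
"""

# DDL kept to the subset SQLite and MySQL share (MySQL would add AUTO_INCREMENT
# to incident.id). Breach types live in a reference table keyed by integer id.
SCHEMA = """
CREATE TABLE breach_type (id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE);
CREATE TABLE incident (
    id INTEGER PRIMARY KEY,
    incident_date DATE NOT NULL,
    organization VARCHAR(255) NOT NULL,
    breach_type_id INTEGER NOT NULL REFERENCES breach_type(id),
    total_affected INTEGER NOT NULL);
"""

def check_row(row):
    """Type-check one CSV row; return clean values or raise ValueError."""
    d = date.fromisoformat(row["Date"])      # rejects malformed dates
    n = int(row["TotalAffected"])            # rejects non-numeric counts
    if n < 0:
        raise ValueError("negative record count")
    return d.isoformat(), row["Organization"].strip(), row["BreachType"].strip(), n

def import_csv(text):
    """Load CSV text into a fresh in-memory DB; return (conn, rejected rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    type_ids, rejected = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            d, org, bt, n = check_row(row)
        except ValueError as e:
            rejected.append((row, str(e)))   # quarantine, never silently coerce
            continue
        if bt not in type_ids:               # first sight of a type: new reference id
            type_ids[bt] = len(type_ids) + 1
            conn.execute("INSERT INTO breach_type (id, name) VALUES (?, ?)", (type_ids[bt], bt))
        conn.execute("INSERT INTO incident (incident_date, organization, breach_type_id, "
                     "total_affected) VALUES (?, ?, ?, ?)", (d, org, type_ids[bt], n))
    conn.commit()
    return conn, rejected
```

Rejected rows are returned rather than dropped so an import run can report exactly which source lines failed validation.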

Posted by gfleischer on 2008/03/09 at 23:19 in Utilities

Firefox File Stealing - Part 1

I've posted the first part of the demonstrations for the Mozilla Firefox file stealing vulnerabilities discussed in MFSA 2008-02: Multiple file input focus stealing vulnerabilities.

The page is available from here.

These demonstrations are currently available in Bugzilla, but I wanted to tie them together with some of the other file stealing vulnerabilities. There is quite a list of other Bugzilla entries detailing possible file stealing attacks, some of which reach all the way back to the year 2000.

I find the two demos very fascinating because they represent failures to fully address a vulnerability. The original vulnerability was related to using the 'focus()' method to set the focus on a label. Unfortunately, not all of the code paths were examined and it was possible to redirect the focus by clicking on a nested label or by programmatically creating and sending a "click" MouseEvent.

I will post the second part after I confirm that the other "spoofing" vulnerabilities were fully addressed in Opera.

Posted by gfleischer on 2008/03/09 at 22:25 in Vulnerabilities

Java SE 6 Update 5 Available - Multiple Security Vulnerabilities Fixed

Sun recently released Java SE 6 Update 5: Java SE Downloads (Release Notes).

Included are several important security fixes:

I'll follow up with some additional information on the JavaScript privilege elevation (#233326) after I can do some more testing.

Posted by gfleischer on 2008/03/05 at 14:55 in Vulnerabilities