The Firefox Extension Guru’s Blog

Friday, September 14, 2007

Well this is rather disturbing…

Filed under: Blogs, CyberNet, Microsoft, Vista, Windows — El Guru @ 3:41 PM

It seems Microsoft (M$) pushed (as in not telling/notifying anyone) a ’stealth’ update of the Windows Update. This happened back on August 23rd or in my case (any many others running XP) July 30th. Further even if you told M$ you didn’t want their stinkin’ updates, you got updated. To see if your Windows Updates files were secretly updated find your windows/system32 folder and look for these files and see if they were updated to version 7.0.6000.381 (right click on the file, select properties then click the versions tab):

Vista:

  • wuapi.dll
  • wuapp.exe
  • wuauclt.exe
  • wuaueng.dll
  • wucltux.dll
  • wudriver.dll
  • wups.dll
  • wups2.dll
  • wuwebv.dll

XP:

  • cdm.dll
  • wuapi.dll
  • wuauclt.exe
  • wuaucpl.cpl
  • wuaueng.dll
  • wucltui.dll
  • wups.dll
  • wups2.dll
  • wuweb.dll

M$ is trying to justify this by saying it is needed to keep the Windows Update Application updated. Okay fine, but why do it so secretly? It would have been fine to say it was a mandatory update in order to keep getting updates. Which brings me to another interesting point, as a Win XP SP1 (yes SP1, never could get SP2 to work correctly) user I thought I couldn’t get anymore updates as M$ claims they no longer support Win XP SP1. So why would I need an updated updater if I can’t update until I update to SP2?

There is quite a trail of comments over on Todd Bishop’s Microsoft Blog as well as The CyberNet Blog.

Come join the discussion on the FF Extension Guru’s Forum 

QuickTime Vulnerability

Filed under: Blogs, CyberNet, Firefox, Fx 1.5, Fx 2.0, Fx 3.0, IE, Mozilla News, Windows — El Guru @ 1:09 PM

From Mozilla Links

GNUCITIZEN, a “creative hacker organization”, has disclosed details on a severe security vulnerability affecting Firefox users that have installed the QuickTime plugin on Windows or Mac OS X, which at a minimum includes all iTunes users.

The vulnerability is based on QuickTime Media Link files (.qtl), simple XML files that include details about the media file to be played (like an .avi, .mov or .mp3) and other settings. However one of these parameters, qtnext, allows the publisher to specify a URL (web address) to be displayed when the media file ends. The URL could be a JavaScript instruction like those used in thousands of web pages and services currently.

To this point there is no problem. But Firefox itself is controlled through JavaScript code and libraries in an isolated environment that separates it from web pages code. The QuickTime plugin however can access the Firefox code just as any other object and manipulate it to run any application in an attacked computer.

To make things worse, the QTL files can be renamed as .mp3, .mpg, .avi or any of a couple of dozen file formats QuickTime supports and it will handle them properly, easing the scenario for possible attacks.

The test cases posted by GNUCITIZEN are really scary: click on an mp3 and the QuickTime plugin tries to load the file which doesn’t exist so it quickly completes and launches Windows Calculator. But it could be any application with any parameter.

The article goes on to recommend the removal of QuickTime from your system. However for me that is not something I really want to do. Oddly enough I do use QuickTime quite frequently. A blog I frequent uses QuickTime videos and my internet based answering service uses QuickTime for the messages (although I could choose to download them as MP3). Further it is important to understand that is a QuickTime issue and it is NOT just isolated to Firefox and Windows. It also affects IE (but not as severely) and even the immortal Macs.

While bug 395942 was caught early enough that it could be patched in Firefox 2.0.0.7, what is one suppose to do in the mean time? You can go thru the process of removing QuickTime wait for new versions of Firefox and QuickTime and then reinstall. But there is a batter option, thanks to our friends on the CyberNet Forum. Turns out the NoScript extension will protect your from this vulnerability.

News Sources:

Review: NoScript

Filed under: Add-ons, Firefox, Fx 1.5, Fx 2.0, Fx 3.0 — El Guru @ 1:08 PM

NoScript can be described as a firewall for your Firefox.  However much like a firewall, NoScript is going to require some configuration as you go.  The extension blocks Java Script, Java and other executable content except from trusted domains you allow.  Example on the Get Firefox Download (http://getfirefox.com) page, Mozilla has a script in place that automatically starts the download once you click on the Download Firefox – Free link from the green box.  With NoScript enabled, until you allow mozilla.com the green download box won’t even appear.  NoScript keeps an icon in your status bar which will inform you about the current domain (site/page) you are on:

  • All scripts on this page are currently forbidden
  • Some scripts on this page are allow/forbidden
  • All scripts on this page are allowed

Again, NoScript is going to take some configuration and the first few days using it are going to be a little rough.  If you tend to visit the same sites on a regular basis it won’t be so bad.  For first time users once installed go into the options (right click on the icon in the status bar and select Options…) and under the Notifications tab make sure Show message about blocked scripts is checked.  Since most Firefox alerts are generally below the tab bar I would not check the option Place message at the bottom.  However, I do recommend un-checking the option Hide after 5 seconds just so you don’t have to rush to click on the Options… button before the alert disappears.  Once you have become more comfortable with NoScript (or get annoyed with the messages) you can turn off the messages.  When you come to a site/page with blocked scripts click the Options… button (if messages are displayed) or right click on the NoScript icon in the status bar.  When you do this, you will see all (yes most of the time there are going to be more than one)  the scripts that are currently running on that page.  Simply select the allow option for the script you wish to run. Never select the option Allow Scripts Globally.

Until you start using this extension you really have no way of knowing what kind of (or for that matter how many) scripts are running in the background unbeknown to you.  Claus Valca on Grand Strand Dreams has raved about the NoScript in his blog several times.

NoScript works on the follow Gecko Based browsers

  • Firefox  1.5-3.0a8 or 3.0m8
  • Flock
  • Netscape Navigator 9.0 (beta)

Blog at WordPress.com.