This week was one of the ones that my colleague Ryan Naraine often refers to as a Patchapalooza, with each day bringing a new set of fixes for Firefox, Opera, the iPhone or some other device or application. And it didn’t even include Microsoft or Adobe. Go figure. The week also included the revelation of a major flaw in Firefox and the approval of a new cybersecurity bill in Washington. Read on for the full week in review.
Perhaps the most interesting development this week was the disclosure by researcher Michal Zalewski of a serious new vulnerability in Mozilla Firefox. The flaw is an intriguing one in that it involves a familiar attack vector–URL spoofing–but has some additional twists and turns that make it more dangerous than typical URL spoofing vulnerabilities. The weakness essentially allows an attacker to inject code into a new browser tab or window in Firefox after a user clicks on a link.
“Alas, this design decision creates an interesting vulnerability in Firefox: the about:blank document actually displayed in that window while the page is loading is considered to be same origin with the opener; the attacker can inject any content there – and still keep his made up URL in the address bar,” Zalewski wrote in his explanation of the bug.
Zalewski, who has been posting a series of browser bugs in recent weeks as vendors have developed fixes for them, posted his disclosure of the Firefox bug on Tuesday and mentioned that Mozilla had addressed the flaw with a fix in Firefox 3.6.4. At that point, 3.6.4 was still in beta. But, as if on cue, within a few hours of Zalewski’s post, Mozilla released the final version of the new browser, which included fixes for a whopping 225 bugs.
Apple decided to join the patch parade as well this week, when it released version 4 of the iPhone OS, which it is now calling iOS. The OS update included fixes for 65 vulnerabilities, several of which could lead to arbitrary code execution. The update was only issued for the two most recent models of the iPhone, the 3G and 3GS, and the iPod Touch. The new iPhone 4, which was released this week as well, ships with iOS 4.
On Thursday, a Senate committee approved a much-discussed bill that gives the Department of Homeland Security strong power over networks both in the government and the private sector. This provision hasn’t drawn nearly as much criticism, for whatever reason, as the one that would supposedly give the president the authority to shut down portions of the Internet under certain circumstances. It’s a power that the president already has, in fact.
“The bill, co-sponsored by Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.), would make the Department of Homeland Security responsible for protecting civilian networks in the government and private sector. The bill will now head to the full Senate for a vote, where it will likely be merged with other competing pieces of cybersecurity legislation,” Gautham Nagesh wrote on The Hill.
Finally, yesterday I wrote a column laying out my thoughts on why the un-killable disclosure debate doesn’t really matter very much these days. You can read the full column, but here’s the key point:
The old model, in which attackers used worms or other commodity code to exploit one or maybe two vulnerabilities on as many machines as possible, is certainly still in use for things such as drive-by downloads. And people certainly still are getting owned that way, especially with the glut of browser-based exploits available these days. But the major worry for enterprises, government agencies and other organizations trying to defend their networks is the dedicated, patient attacker who has the time and resources to find the one exploit that will work against a specific target. If his goal is to compromise a machine inside one given network, the odds are with the attacker.
It’s not that zero-days don’t matter, because when some organizations are paying six figures for them, they clearly do. The point is that regardless of whether researchers wait for patches or disclose their finds whenever they feel like it, full exploit code included, today’s browsers, PCs and networks are so complex that attackers can almost always find a way in if they look hard enough, even without a zero-day.