Greasemonkey fix is released

Greasemonkey fix is released

The developers of Greasemonkey, a popular “extension” for the Firefox browser and other Mozilla Foundation software, released on July 30 a new version that corrects a serious security flaw. I warned about this risk in a brief news update on July 21, 2005.

The add-in enables users to redefine how Web sites look and behave. Unfortunately, older Greasemonkey versions, such as 0.3.4, allow hacker sites to read the names and contents of any files on users’ hard disks.

According to Aaron Boodman, one of Greasemonkey’s developers, the new beta version 0.5 closes the worst security holes. Other developers who’ve looked at the new code agree. Some glitches exist with the beta release, however. Although 0.5 makes it difficult for a rogue Web site to read the source code of a Greasemonkey script, it’s not impossible, the team says.

Boodman recommends that people who don’t want to watch out for these gotchas use version 0.3.5 of Greasemonkey instead. That version was released on July 19 and also eliminates the security flaws.

Because of the possibility that a Web site might be able to read the contents of a script you’re running, you should never hard-code a password into such a script. In addition, some sloppily-coded Greasemonkey scripts that work under Firefox 1.0.x will not work under Deer Park, the code name for Firefox 1.5, a major release that’s expected later this year.

For information on the 0.5 beta, including several caveats, see Boodman’s entry in the project’s Greaseblog. For comments by other developers and users, see the entry at Mozillazine.

Wallpaper bug bites Firefox

The Greasemonkey problem was not a weakness in Firefox per se. The open-source browser supports hundreds of extensions, any of which may have bugs. In a separate issue, however, a weakness in Firefox 1.0.x itself was recently discovered. This flaw allows a hacked wallpaper file to silently install a virus if the Desktop image is loaded via the browser’s Set as wallpaper context menu item.

What to do: I’m not aware of a workaround for this, so don’t use Firefox to set your wallpaper until a new version fixing the problem is released. Meanwhile, you should update Firefox to version 1.0.6 to protect against other risks, using the procedure I described on July 21. Exploit code for the wallpaper flaw was posted by the French Security Incident Response Team (FrSIRT) on July 12.

Despite the existence of irritations such as the ones mentioned above, Firefox continues to rank as a much more secure browser than Microsoft’s Internet Explorer 6.0. Mozilla-based browsers had security patches available for all known security issues in calendar year 2004 before a single threat made it “into the wild,” according to a timeline by European security firm Scanit.be.

By contrast, IE 6 currently suffers from 20 unpatched security holes, according to a Secunia advisory. The most serious are rated “highly critical,” which is the security service’s second-most-severe warning level. Secunia says Microsoft has never patched the two holes that pose the worst dangers to users, in spite of being notified about the problems in April 2004 and August 2003.

Time to update your Cisco routers

Headlines rocketed around the world last week when security analyst Michael Lynn quit his job at Internet Security Systems (ISS) rather than obey an order to cancel a presentation ISS and Cisco had earlier asked him to make on July 27 at Black Hat Briefings, an annual Las Vegas computer conference.

Lynn showed attendees a PowerPoint slide show suggesting that vulnerable Cisco routers could allow a rogue insider to repeatedly reboot them, run any desired program, or even permanently disable the equipment. Unlike copies of this slide show that are now available on the Web, such as a PDF file at Security.nnov.ru, Lynn’s presentation responsibly blacked out some crucial code and omitted ISS’s trademarked logo from the slides. Lynn on July 28 settled a lawsuit filed against him by Cisco and ISS, agreeing not to discuss or disclose the presentation again.

According to reports in Wired News and elsewhere, Cisco released in April a patch for its router software, the so-called Infrastructure Operating System (IOS), and stopped offering the older version on its site. Many owners of these routers have not updated their firmware, however.

Cisco also released on July 29 a separate security advisory about related weaknesses that affect routers configured to process Internet Protocol version 6 (IPv6) traffic. This attack, Cisco said, could be carried out only within a local network, not remotely. But Lynn noted in his slides that upcoming versions of IOS would make such attacks easier.

What to do: If you own Cisco routers, study the company’s July 29 advisory and also its list of all security notices that might affect you. Then install the latest upgrades or use the workarounds that are suggested. And, if you’re so inclined, ask Cisco about the "virtual processes" in future IOS versions that Lynn said would make its routers more hackable.

For more information, the best roundup I’ve seen is from O’Reilly Radar. This site’s article is largely a critique of a previous, inaccurate article at BusinessWeek.com but also provides links to many authoritative resources.

Windows validation easily circumvented

Microsoft last week made validation of its operating system mandatory for all Windows XP and 2000 users. As of July 26, downloading software via Windows Update, the new Microsoft Update, or the Microsoft Download Center requires a PC to pass a real-time test for an authorized, licensed OS. (The Redmond company is making exceptions for patches it labels "critical" for security.) The validation test had been optional since late last year, when Microsoft initiated its "Windows Genuine Advantage" program to reduce piracy.

It took only one day for programmers to demonstrate that the new testing mechanism was poorly implemented. The BoingBoing.net tech blog reported on July 28 that entering a single line of JavaScript into a browser’s address bar bypasses the validation routine. Using a different approach, Rafael Rivera of Extended64.com released similar methods that involve installing small user scripts.

Shortly thereafter, Ryan Foley published on his Technomyst blog an even simpler trick. Users receive a Windows Genuine Advantage ActiveX component when downloading software for the first time under the new regime. After closing and restarting Internet Explorer, users can then click Tools, Internet Options, Programs, Manage Add-Ons. Merely clearing the check box next to Windows Genuine Advantage prevents the test from taking place.

Another easy method was also published by Sinhack Research Labs. As explained in a posting to the Full Disclosure discussion list, downloading Microsoft’s own GenuineCheck.exe program, and configuring it to run in "Windows 2000 compatibility mode," makes the test always succeed in Windows XP.

I don’t advocate pirating software, and in fact I recommend that you take advantage of Microsoft’s Genuine Windows Offer if you find that you somehow purchased a counterfeit Windows CD. The Redmond company will send you a licensed copy of Windows XP for free if you submit a piracy report and the disc. Those with a bogus OS but without a black-market CD can get XP for the discounted price of $99 USD (XP Home) or $149 (XP Pro).

Microsoft announced that the flaws would be corrected. They may even have been fixed by the time you read this.

But the weak stress testing that the software giant obviously conducted on Genuine Advantage — an initiative it knew would be high profile — is disturbing. If Microsoft allows such elementary weaknesses to ship in its most visible campaigns, how many holes still exist in Windows’ less-well-known software components?

Re-release near for W2K update rollup

Microsoft announced this morning (Aug. 4) that its recent "update rollup" for Windows 2000 Service Pack 4 will be re-released soon to correct more than half a dozen incompatibilities. The company recommends that anyone affected by these problems not install Update Rollup 1 (UR1) until fixes for the specific issues are released or the new rollup becomes available.

The most common issue is that Microsoft Office programs cannot save files to floppy disks in some cases after UR1 is installed. Other issues involve Microsoft Exchange 5.5 and software from Citrix, Sophos, and Internet Security Systems (ISS). Windows dynamic disks are also affected, displaying two system drives instead of one and alternating drive letters after each reboot.

W2K SP4 was released on June 26, 2003, after which UR1 was released on June 28, 2005. For information on currently suggested workarounds and the availability of hotfixes, see Microsoft Knowledge Base article 891861, which has been frequently updated with known problems. To obtain W2K SP4, see article 260910.

——————
To send us more information on the above topics, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.

Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.