Week 29 2013

In our Security Disaster of the Week, H. Marco and Ismael Ripoll found out that every statically linked glibc binary built since 2006 has its pointer guard set to zero. The guard is the per-process secret that PTR_MANGLE XORs into saved code pointers (setjmp buffers, atexit handlers and the like) before storing them in memory, so in static binaries those pointers have been "protected" by XORing them with zero. Exploit mitigation at its finest.
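To see what a zero guard costs, here is a small Python model of glibc's pointer mangling, added here as an example and not code from glibc or from the paper. It uses the x86-64 scheme (XOR with the guard, then rotate left by 17 bits) and shows that an attacker who can overwrite a mangled pointer only needs to know the guard; when the guard is zero, forging a mangled value for an arbitrary target address requires no secret at all. The addresses and the non-zero guard in the test are constructed values.

```python
MASK64 = (1 << 64) - 1
ROT = 17  # x86-64 PTR_MANGLE rotates by 2*LP_SIZE+1 = 17 bits


def rotl64(x, n):
    """Rotate a 64-bit value left by n bits."""
    n %= 64
    return ((x << n) | (x >> (64 - n))) & MASK64


def rotr64(x, n):
    """Rotate a 64-bit value right by n bits."""
    n %= 64
    return ((x >> n) | (x << (64 - n))) & MASK64


def ptr_mangle(ptr, guard):
    """Model of PTR_MANGLE: XOR the pointer with the guard, then rotate."""
    return rotl64((ptr ^ guard) & MASK64, ROT)


def ptr_demangle(mangled, guard):
    """Model of PTR_DEMANGLE: undo the rotation, then XOR the guard back out."""
    return rotr64(mangled, ROT) ^ guard


def forge_mangled(target, guessed_guard=0):
    """What an attacker writes into memory, assuming the guard has the guessed value.

    With a real, secret guard the attacker would have to leak it first; the
    static-binary bug means guessing 0 is always right.
    """
    return ptr_mangle(target, guessed_guard)


def attack_succeeds(target, real_guard):
    """True if a forged value (built assuming guard == 0) demangles to the target.

    Demangling the forged value yields target ^ real_guard, so the overwrite
    lands on the attacker's address exactly when the real guard is zero.
    """
    forged = forge_mangled(target)
    return ptr_demangle(forged, real_guard) == target


def guard_is_effective(real_guard):
    """The mitigation only does anything if the guard is non-zero."""
    return real_guard != 0


if __name__ == "__main__":
    # Constructed addresses: a "saved" pointer and the attacker's target.
    saved = 0x00007F0000401000
    target = 0x00007F0000404242
    strong_guard = 0x1122334455667788  # constructed, stands in for a random guard
    static_guard = 0x0  # what static binaries actually had

    for guard in (strong_guard, static_guard):
        print(f"guard={guard:#018x} roundtrip_ok={ptr_demangle(ptr_mangle(saved, guard), guard) == saved} "
              f"attacker_wins={attack_succeeds(target, guard)}")
```

With a zero guard, `ptr_mangle(p, 0)` is just `rotl64(p, 17)`: a fixed, public permutation that anyone can compute, which is why the overwrite succeeds without any information leak.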

My favorite type of browser vulnerability remains the good old Same-Origin Policy (SOP) bypass. The SOP draws a boundary between origins: a web site may include resources from other domains (run their scripts, display their images) but may not read their actual content. If the SOP is bypassed, your Gmail inbox leaks. A good example is Armin Razmdjou's finding: attackers can abuse a playlist API in the Windows Media Player browser plugin to read the contents of arbitrary web pages. The plugin checks the origin of the URL it was asked to load, not the origin of the URL it ends up at, so specifying a URL within the same origin that redirects to the interesting site satisfies WMP's SOP check. Reading the playlist's content then reveals the target page's HTML source code. Tada!
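The bug pattern is an origin check performed before redirects are followed. The following Python model is an added example, not the plugin's code or Razmdjou's proof of concept: it simulates a tiny "server" with a constructed redirect table, then contrasts a naive fetcher that checks only the requested URL against a strict one that checks every hop of the redirect chain. The hostnames `attacker.example` and `mail.example`, the paths and the response bodies are all constructed for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed server behaviour: URL -> ("redirect", Location) or ("body", text).
RESPONSES = {
    "https://attacker.example/go": ("redirect", "https://mail.example/inbox"),
    "https://attacker.example/own": ("body", "<html>attacker's own page</html>"),
    "https://mail.example/inbox": ("body", "<html>secret mail</html>"),
}


def origin(url):
    """Return the (scheme, host, port) tuple the SOP compares, with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def follow(url, max_hops=5):
    """Follow redirects in the constructed table; return (chain of URLs visited, final body)."""
    chain = [url]
    for _ in range(max_hops):
        kind, value = RESPONSES[url]
        if kind == "body":
            return chain, value
        url = value
        chain.append(url)
    raise RuntimeError("too many redirects")


def fetch_playlist_naive(page_origin_url, url):
    """Flawed model of the plugin: same-origin check on the requested URL only.

    Returns the body if the check passes, None otherwise.
    """
    if origin(url) != origin(page_origin_url):
        return None
    _chain, body = follow(url)  # redirects are followed after the check
    return body


def fetch_playlist_strict(page_origin_url, url):
    """Correct behaviour: every URL in the redirect chain must be same-origin."""
    chain, body = follow(url)
    if any(origin(hop) != origin(page_origin_url) for hop in chain):
        return None
    return body


if __name__ == "__main__":
    page = "https://attacker.example/poc.html"
    print("naive :", fetch_playlist_naive(page, "https://attacker.example/go"))   # leaks the inbox
    print("strict:", fetch_playlist_strict(page, "https://attacker.example/go"))  # None
    print("strict:", fetch_playlist_strict(page, "https://attacker.example/own")) # own page is fine
```

The strict variant re-applies the origin comparison to every hop, which is what browsers do for their own fetches; a plugin that runs its check once, up front, hands the attacker a same-origin redirector as a universal read primitive.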

Zane Lackey and Omar Ahmed of the Etsy Security Team analysed their SSL traffic to see which CAs are actually required in their day-to-day business. Data like theirs could be used to reduce the set of trusted CAs to a minimum.

Matt Wobensmith of Mozilla's QA team started submitting code to the Content Security Policy (CSP) test suite of the W3C Web Application Security Working Group. Thanks!
