Week 29 2013

In our Security Disaster of the Week, H. Marco and Ismael Ripoll found out that all applications statically linked and compiled via glibc since 2006 have their pointers protected by being XORed with zero. Exploit mitigation at its finest.

My favorite type of browser vulnerability remains the good old Same-Origin Policy (SOP) bypass: Usually the SOP enforces a virtual boundary in which web sites are allowed to include content from other domains (scripts, displaying images) but prevented from accessing the actual content. If the SOP is bypassed, your gmail inbox leaks. A good example is Armin Razmdjou's finding: Attackers can abuse a playlist API in the Windows Media Player browser plugin to read contents from arbitrary web pages. Specifying a URL within the same origin that redirects to the interesting site will satisfy WMP's SOP. Reading the playlist's content then reveals the HTML source code. Tada!

Zane Lackey and Omar Ahmed of the Etsy Security Team analysed SSL traffic to see which CAs are actually required in their day to day business. Their data could be used to reduce the set of trusted CAs to a minimum.

Matt Wobensmith of Mozilla's QA started submitting code to the Content Security Policy (CSP) test suite for the W3C Web Application Security Working Group, Thanks!

Other posts

  1. logging with MOZ_LOG on the try server
  2. Challenge Write-up: Subresource Integrity in Service Workers
  3. Finding the SqueezeBox Radio Default SSH Passwort
  4. New CSP directive to make Subresource Integrity mandatory (`require-sri-for`)
  5. Firefox OS apps and beyond
  6. Teacher's Pinboard Write-up
  7. A CDN that can not XSS you: Using Subresource Integrity
  8. The Twitter Gazebo
  9. German Firefox 1.0 ad (OCR)
  10. My thoughts on Tor appliances
  11. Subresource Integrity
  12. Revoke App Permissions on Firefox OS
  13. (Self) XSS at Mozilla's internal Phonebook
  14. Tales of Python's Encoding
  15. On the X-Frame-Options Security Header
  16. html2dom
  17. Security Review: HTML sanitizer in Thunderbird
  18. Week 29 2013
  19. The First Post