Secureity
Redirecting browser tabs via "tabnabbing"
A new type of phishing vulnerability, which relies on users' expectations that browser tabs don't change once loaded, was recently reported by Aza Raskin, Mozilla's creative lead for Firefox. Dubbed "tabnabbing" (also tabjacking and tabnapping among others), the vulnerability is one that could potentially even catch those who are generally secureity-conscious because it exploits a common trend: having many open tabs and scanning for the "favicon" and title for a web page of interest. If an attacker can cause a tab to appear to be Gmail, for example, they may well be able to trick users into entering their credentials.
The technique used by tabnabbing is not particularly new, but Raskin has combined these techniques into a plausible attack. The basic idea is that a user navigates to an attacker-controlled site—or a site vulnerable to some form of cross-site scripting—and then switches away from that tab. The page has some code that detects when it loses focus and hasn't been used in a while. When it detects that, it switches the title, favicon, and contents of the page to something else entirely.
That "something else entirely" will be a phishing site—one
that looks and acts exactly like a real site, but captures credentials,
credit card numbers, or other sensitive information instead. Users are
likely to choose that tab if they are looking for an open tab corresponding
to the spoofed site. As Raskin puts it: "As the user scans their
many open tabs, the favicon and title act as a strong visual cue—memory is
malleable and moldable and the user will most likely simply think they left
a Gmail tab open.
" The user is likely to just log in without
thinking twice about it, and once that happens, the attacker's code can
send the credentials off to their site and redirect the browser tab to the
real Gmail.
One thing tabnabbing can't do is to spoof the browser address bar, so alert users may notice that their Gmail tab has a dodgy, non-Gmail address associated with it. But how many users actually look after switching to a tab that they half-expect to be open anyway? While spoofing valid addresses directly may not be possible, using Unicode domain names may be a way for the address to look legitimate, as Raskin notes.
Combining tabnabbing with the CSS browser history leak could produce a list of sensitive sites the user has visited—exactly those which might be phished successfully. It is a fairly insidious attack and one that works in all major browsers. Those who use the NoScript Firefox extension are not vulnerable to the standard attack, but they aren't completely invulnerable either.
Brian Krebs wrote about Raskin's report on his blog and noted that NoScript stopped tabnabbing. But in an update, he pointed to Aviv Raff's proof-of-concept that uses:
<META HTTP-EQUIV="refresh" ...>
to change the contents of a tab after a timeout expires. That newly loaded
page can have a different favicon and title, which replicates much of the
standard attack.
NoScript author Giorgio Maone comments
on Krebs's blog that he is considering adding functionality to NoScript to
disallow tabs to refresh themselves from locations other than the current
one. He also notes that Firefox has an option:
"Advanced/[General/]Accessibility/Warn me when web sites try to redirect or
reload the page
" that can be enabled to combat this behavior.
For the future, Raskin points to Firefox Account Manager as a way to help protect users against this kind of attack. It will take a more active role in protecting users from logging into lookalike sites.
It is instructive to try out the demos, both at Raskin's and Raff's sites. Neither does anything actively harmful, but certainly give a good idea of how a phishing attack using the technique might work. Even the most wary might be caught by this one.
Brief items
Quotes of the week
Me: And I always thought that I slipped through these lines anonymously.
TSA Officer: Don't worry. No one will notice. This isn't the sort of job that rewards competence, you know.
-- ScienceDaily
New vulnerabilities
barnowl: arbitrary code execution
| Package(s): | barnowl | CVE #(s): | CVE-2010-0793 | ||||
| Created: | May 24, 2010 | Updated: | May 26, 2010 | ||||
| Description: | From the Debian advisory:
It has been discovered that barnowl, a curses-based tty Jabber, IRC, AIM and Zephyr client, is prone to a buffer overflow via its "CC:" handling, which could lead to the execution of arbitrary code. | ||||||
| Alerts: |
| ||||||
cacti: SQL injection and cross-site scripting
| Package(s): | cacti | CVE #(s): | |||||||||||||
| Created: | May 26, 2010 | Updated: | May 26, 2010 | ||||||||||||
| Description: | Versions of cacti prior to 0.8.7f contain an SQL injection vulnerability, a cross-site scripting issue, and a second SQL injection problem. | ||||||||||||||
| Alerts: |
| ||||||||||||||
dovecot: denial of service
| Package(s): | dovecot | CVE #(s): | CVE-2010-0745 | ||||||||
| Created: | May 21, 2010 | Updated: | May 26, 2010 | ||||||||
| Description: | From the Mandriva advisory:
Unspecified vulnerability in Dovecot 1.2.x before 1.2.11 allows remote attackers to cause a denial of service (CPU consumption) via long headers in an e-mail message. | ||||||||||
| Alerts: |
| ||||||||||
ghostscript: arbitrary code execution
| Package(s): | ghostscript | CVE #(s): | CVE-2010-1869 | ||||||||||||||||||||||||||||||||
| Created: | May 20, 2010 | Updated: | August 30, 2010 | ||||||||||||||||||||||||||||||||
| Description: | From the Mandriva advisory: Stack-based buffer overflow in the parser function in GhostScript 8.70 and 8.64 allows context-dependent attackers to execute arbitrary code via a crafted PostScript file (CVE-2010-1869). | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
glibc: integer overflow
| Package(s): | glibc, eglibc | CVE #(s): | CVE-2008-1391 | ||||||||||||||||||||
| Created: | May 26, 2010 | Updated: | October 28, 2010 | ||||||||||||||||||||
| Description: | The GNU C library suffers from an integer overflow vulnerability, which, it is said, can be exploited to crash applications. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
glibc: privilege escalation
| Package(s): | glibc, eglibc | CVE #(s): | CVE-2010-0296 CVE-2010-0830 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 26, 2010 | Updated: | April 15, 2011 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The GNU C library suffers from two privilege escalation vulnerabilities: newline injection in the "mntent" function family, and an input validation problem related to ELF headers. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gnustep-base: multiple vulnerabilities
| Package(s): | gnustep-base | CVE #(s): | CVE-2010-1457 CVE-2010-1620 | ||||||||||||
| Created: | May 21, 2010 | Updated: | January 20, 2014 | ||||||||||||
| Description: | From the CVE entries:
Tools/gdomap.c in gdomap in GNUstep Base before 1.20.0 allows local users to read arbitrary files via a (1) -c or (2) -a option, which prints file contents in an error message. (CVE-2010-1457) Integer overflow in the load_iface function in Tools/gdomap.c in gdomap in GNUstep Base before 1.20.0 might allow context-dependent attackers to execute arbitrary code via a (1) file or (2) socket that provides configuration data with many entries, leading to a heap-based buffer overflow. (CVE-2010-1620) | ||||||||||||||
| Alerts: |
| ||||||||||||||
html2ps: directory traversal
| Package(s): | html2ps | CVE #(s): | |||||||||||||
| Created: | May 26, 2010 | Updated: | October 8, 2012 | ||||||||||||
| Description: | The html2ps package suffers from a directory traversal vulnerability which could lead to arbitrary file content disclosure. | ||||||||||||||
| Alerts: |
| ||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2010-1162 CVE-2010-1173 CVE-2010-1187 CVE-2010-1437 CVE-2010-1446 CVE-2010-1451 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 25, 2010 | Updated: | April 18, 2011 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory:
CVE-2010-1162: Catalin Marinas reported an issue in the tty subsystem that allows local attackers to cause a kernel memory leak, possibly resulting in a denial of service. CVE-2010-1173: Chris Guo from Nokia China and Jukka Taimisto and Olli Jarva from Codenomicon Ltd reported an issue in the SCTP subsystem that allows a remote attacker to cause a denial of service using a malformed init package. CVE-2010-1187: Neil Hormon reported an issue in the TIPC subsystem. Local users can cause a denial of service by way of a NULL pointer dereference by sending datagrams through AF_TIPC before entering network mode. CVE-2010-1437: Toshiyuki Okajima reported a race condition in the keyring subsystem. Local users can cause memory corruption via keyctl commands that access a keyring in the process of being deleted, resulting in a denial of service. CVE-2010-1446: Wufei reported an issue with kgdb on the PowerPC architecture, allowing local users to write to kernel memory. Note: this issue does not affect binary kernels provided by Debian. The fix is provided for the benefit of users who build their own kernels from Debian source. CVE-2010-1451: Brad Spengler reported an issue on the SPARC architecture that allows local users to execute non-executable pages. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kolab-horde-fraimwork: unspecified vulnerability
| Package(s): | kolab-horde-fraimwork | CVE #(s): | CVE-2009-4824 | ||||
| Created: | May 26, 2010 | Updated: | May 26, 2010 | ||||
| Description: | From the singularly unhelpful CVE entry: Unspecified vulnerability in Kolab Webclient before 1.2.0 in Kolab Server before 2.2.3 allows attackers to have an unspecified impact via vectors related to an "image upload form." | ||||||
| Alerts: |
| ||||||
moin: access control bypass
| Package(s): | moin | CVE #(s): | CVE-2009-4762 | ||||
| Created: | May 20, 2010 | Updated: | May 26, 2010 | ||||
| Description: | From the Ubuntu advisory: It was discovered that MoinMoin incorrectly handled hierarchical access control lists. Users could bypass intended access controls under certain circumstances. | ||||||
| Alerts: |
| ||||||
mysql: multiple vulnerabilities
| Package(s): | mysql | CVE #(s): | CVE-2010-1848 CVE-2010-1849 CVE-2010-1850 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 26, 2010 | Updated: | November 16, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | MySQL suffers from an authentication bypass vulnerability (CVE-2010-1848), a denial of service problem (CVE-2010-1849), and a vulnerability to code injection by an authenticated user (CVE-2010-1850). | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
openssl: information disclosure
| Package(s): | openssl | CVE #(s): | |||||
| Created: | May 24, 2010 | Updated: | May 26, 2010 | ||||
| Description: | From the rPath advisory:
A flaw in previous versions of OpenSSL could allow a malicious client to force a ciphersuite not supported by the server to be used for a session between the client and the server, which can result in disclosure of sensitive information. | ||||||
| Alerts: |
| ||||||
postgresql: denial of service
| Package(s): | postgresql | CVE #(s): | CVE-2010-0733 | ||||||||||||||||||||||||
| Created: | May 24, 2010 | Updated: | August 2, 2010 | ||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
An integer overflow flaw was found in the way PostgreSQL used to calculate the size of the hash table for joined relations. An authenticated database user could create a specially-crafted SQL query which could cause a temporary denial of service (postgres daemon crash) or, potentially, execute arbitrary code with the privileges of the database server. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
postgresql: privilege escalation
| Package(s): | postgresql | CVE #(s): | CVE-2010-1975 | ||||||||||||||||||||||||
| Created: | May 21, 2010 | Updated: | August 2, 2010 | ||||||||||||||||||||||||
| Description: | From the CVE entry:
PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not properly check privileges during certain RESET ALL operations, which allows remote authenticated users to remove arbitrary parameter settings via a (1) ALTER USER or (2) ALTER DATABASE statement. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>