More Firefox vulnerabilities

It’s getting old already. Not Firefox, mind you. What upsets, bores, or downright outrages me, are those “impartial” vulnerability reports that newspapers, blogs and web sites publish, regarding both IE and Firefox bugs and exploits.

The last one, so far, I found at menéame. Their source of info is an article at Hispasec. In the name of “political correctness”, they reveal a bug in IE, and another one in Firefox. The reader gets the impression, not only that no browser is perfect (which is true), but that both have comparable vulnerabilities, which is a screaming lie.

The IE vulnerability they report is that a web page with specially crafted OBJECT tags can stop IE from working, and leave it in a state where arbitrary code could be injected into it and then executed. Pretty scary news, if the second part is true.

The Firefox vulnerability, on the other hand, consists of a piece of JavaScript code that can crash Firefox. The code snippet can be found here, or tested directly by visiting this page. Beware that the latter will cause your Firefox to crash.

Now, they are comparing apples to oranges again. The IE vulnerability can render it in a potentially dangerous state, whereas the Firefox bug merely crashes it. Yes, it is grave. Yes, it is annoying. But it is not risky for your computer. Secondly, I visited the link above, and… hey! nothing happens here! What is this bug they talk about? Well, as it happens, I have the NoScript extension installed, so the rogue page could not execute its malicious JavaScript code and make my browser crash. I had to manually accept the site in the list of sites that my Firefox accepts JavaScript to be executed from, in order to have it crash my browser.

Which bug would you prefer to bear with, even without taking into account that the Firefox bug will be fixed much faster?


Rootkits and FLOSS

Amazing the human boldness is. Truly amazing.

The Senior Vice President of Global Threats at the anti-virus company McAfee, Stuart McClure (the more impressive a title, the less impressive the job), poured a bit of poison through his mouth, and ascribed the increase of rootkit attacks (into Windows systems, I suppose. But remember there are Linux rootkits. Linux is immune to viruses, not to other attacks, including rootkits, intrusion via weak passwords, DoS attacks, annoying pop-ups and JavaScript code in web pages, etc.) to the Open Software movement (article at NetworkWorld.com here).

Now, this comes from a company that failed to properly handle the Sony rootkit threat, even though they had many customers calling for help. Mmmm, I see, rootkits are only a menace if they don’t come from huge corporations eager to squeeze our money out of us.

The link this cretin uses to blame the FLOSS movement is twofold: the first one is a post hoc, ergo propter hoc (sorry, I’m a pedant bastard). He implies that both FLOSS and rootkits are rising, and thus the latter is caused by the former. In related news, he also [could have] said that the global warming is caused by the decrease in the number of pirates, because there is a definite correlation between the two over the last 200 years (see it here).

His second link from rootkits to FLOSS is the web page rootkit.com. This web page is allegedly malicious, and helps people (crackers) create baneful (sorry, I woke up with a Merriam-Webster mood today) malware (as the page name, ehem, implies).

Now, I have a couple of objections to that reasoning. The first, and most obvious one, is that one cannot blame the whole FLOSS community for some rogue members. The second is that… are those guys at rootkit.com rogue at all?

I did visit the web page, and the first article one stumbles upon right now is:

Ad-Aware is a poorly written anti-spyware program from Lavasoft. Running it gives you a false sense of safeness. There can be done numerous attacks against this software. I’ll show some of the problems and attacks in this write-up. Here’s just a summary of the most visible problems I’ve run into.
[…]

So, on one hand, it seems to be (and is) giving info to exploit holes in that program, but, most importantly it is pointing out those holes, PUBLICLY. If those dummies at Lavasoft cared about their clients and the quality of their product, they’d only need to read rootkit.com to find out what errors it has, and presumably hints on how to fix them.

One can only wonder how a publicly announced exploit can be of malicious use at all. Indeed, if the rootkit the cracker creates is Open Source, it becomes trivial to eradicate it. The rootkits that actually scare me are the ones that don’t get announced!

Remember that security through obscurity is a Bad Thing(TM). The security problem of the example above (Ad-Aware) is to be found in its bugs, not in the airing of them. Publication is a path to the solution.

As Linus Torvalds says: “many eyes make all bugs shallow”.


Debian secure APT

The APT package management tool has a GPG signature checking system I keep forgetting how to configure in new Debian installs. This post is simply a reminder.

First step, get the signing key of the official Debian repositories:

# wget http://ftp-master.debian.org/ziyi_key_2006.asc -O - | apt-key add -
# aptitude update

Then, if we have other (non-official) repositories, the “aptitude update” above will give us errors like:

W: GPG error: http://whatever Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY XXXXXXXXYYYYYYYY
W: You may want to run apt-get update to correct these problems

It means that repository “http://whatever” is signed with a key that is not in your list of trusted keys. From the “XXXXXXXXYYYYYYYY” number, take the last 8 digits (the Ys), and do the following:

gpg --keyserver pgpkeys.mit.edu --recv-key YYYYYYYY

This downloads the PGP key of that repository (from a trusted site, like mit.edu). Then you have to add it to your list of trusted keys:

gpg -a --export YYYYYYYY | apt-key add -

This last bit will output “gpg: no ultimately trusted keys found”, followed by an “OK”. You can safely ignore the warning. The procedure worked.

The info has been taken from the Debian Wiki.
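The following script is an added example, not part of the original post or of the Debian Wiki. An 8-digit key ID can be shared by unrelated keys and a keyserver does not vouch for what it serves, so the script takes the full 16-digit ID from the apt warning and adds the key only if its fingerprint matches one published by the repository owner. The function names, the sample key IDs and fingerprints, and the assumption that the owner publishes the fingerprint of the primary signing key over a separate channel are all illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. Key IDs, fingerprints and
# repository names are constructed for illustration.

# Constructed sample of the warnings "aptitude update" prints.
sample_warnings() {
cat <<'EOF'
W: GPG error: http://repo.example.org stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0123456789ABCDEF
W: GPG error: http://other.example.net sid Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FEDCBA9876543210 NO_PUBKEY 0123456789ABCDEF
W: You may want to run apt-get update to correct these problems
EOF
}

# Print each distinct 16-digit key ID that follows NO_PUBKEY on stdin.
missing_keys() {
    grep -oE 'NO_PUBKEY [0-9A-Fa-f]{16}' | awk '{print toupper($2)}' | sort -u
}

# Strip spaces/colons and upper-case, so gpg's grouped output compares cleanly.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# Succeed only if the fetched key's fingerprint equals the one the repository
# owner published AND ends in the 16-digit key ID apt asked for.
fingerprint_ok() {   # usage: fingerprint_ok KEYID FETCHED_FPR PUBLISHED_FPR
    got=$(normalize_fpr "$2")
    want=$(normalize_fpr "$3")
    [ ${#got} -eq 40 ] || return 1
    [ "$got" = "$want" ] || return 1
    case "$got" in *"$1") return 0 ;; *) return 1 ;; esac
}

# Fetch by full ID, read the fingerprint, and trust the key only after a match.
# PUBLISHED_FPR is assumed to come from the repository owner via another channel.
add_if_verified() {  # usage: add_if_verified KEYID PUBLISHED_FPR
    gpg --keyserver pgpkeys.mit.edu --recv-key "$1" || return 1
    fpr=$(gpg --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" {print $10; exit}')
    fingerprint_ok "$1" "$fpr" "$2" || { echo "fingerprint mismatch for $1" >&2; return 1; }
    gpg -a --export "$1" | apt-key add -
}

# List the key IDs the sample warnings ask for.
sample_warnings | missing_keys
```

On a real system, feed the warnings from `aptitude update 2>&1` into `missing_keys` and call `add_if_verified` once per ID with the fingerprint the repository owner publishes.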


The Linux Virus

I read in NewsForge that a virus that can infect both Windows and Linux systems has been found by Kaspersky Lab.

I recommend reading the original NewsForge article, which is quite short and to the point. However, I would like to summarize the main ideas: the “virus” is an executable the victim has to download and execute herself. Then again, it only “infects” files in the same directory the user is in (a strange limitation; I would have expected it to infect files owned by the user, wherever they might be), and cannot self-replicate.

So… what kind of shitty virus is that? I could write a better one myself:

#!/bin/tcsh -f
rm -rf /*

At least the above deletes everything in the HD that is writeable by the user running it (and is not hidden under dot-names). What? My “virus” cannot self-replicate, has to be run by the user, has no privilege escalation possibilities… well, neither does the Kaspersky virus, right?

Another BS story made up by Microsoft pet companies, it seems.


Firefox 2 – Microsoft 0

I am shocked to read this article in El Pais, regarding yet another bug in Internet Explorer, for which there is no official patch as of now.

What shocks me is that, in the same line, they go bash Firefox because “it also has its issues”. The example they give is the following: a guy browses to some date-finding web pages, instructing the browser not to save the passwords. Next, his girlfriend uses the same computer, but from her account, to surf the web (with Firefox), and apparently, when setting herself some password-related options, she comes across a list of sites that had the option “Do not save the password for this site”… the sites her boyfriend had visited. Result: a) they split up, and b) a bug gets reported (by the woman) to Firefox, regarding a user privacy breach.

Now, the reputed bug consists in the fact that the privacy settings (list of sites for which passwords are and are not saved) for a user (the guy) were supposedly accessible to another one (the gal). This would indeed be a security hole, and worth a big fat bug warning.

However, this was not the case. First, what seems to have happened is that the guy actually used his gf’s account to surf the web (when he set up her account), so there you are.

Second, they were running Firefox under Windows. If somehow the private settings of one account were accessible by the other one, it would be Windows’ fault, not Firefox’s. When running under, e.g., Linux, the privilege separation of users would not allow for that, no matter how wickedly wrong Firefox would have been made!

In short: the journalist reports a grave bug of Internet Explorer (product of Microsoft), and then tries to level the MS/Open Source battlefield by charging Firefox with another “bug” that is either due to user incompetence, or the OS’s fault (Windows, which is a product of… yes, Microsoft again). In my view, it’s a 2-0 victory for Firefox/Open Source movement, trying to pass as a 1-1 draw for IE/MS.

