Firefox 3.5.1 Bug

July 19, 2009

In the past couple of days, following the release of Firefox 3.5.1 to correct the JavaScript JIT vulnerability, there have been some reports circulating, notably on Slashdot, that there is a serious security flaw in the new version, related to the handling of very long Unicode strings.  (Unicode is a text encoding standard that allows the use of writing systems other than the Roman alphabet.)

Mozilla has now posted a notice on their Security Blog about this.  According to their analysis, although there is a bug, it is not exploitable in the sense that it would enable an attacker to execute code.  The attack consists, essentially, of passing a very long Unicode string to the browser.  On Windows, the effect apparently is that the browser session is terminated, with an “out of memory” indication.  On the Macintosh, the situation is slightly more complicated:

On the Macintosh in Firefox 3.0.x and 3.5.x, a crash occurs inside the ATSUI system library (part of OS X), due to what appears to be a failure to check allocation results. This issue is likely to affect any application using the recommended text-handling libraries on OS X.

So it appears that this flaw can be used to create a Denial-of-Service attack, by crashing the browser, but it does not seem that more serious exploits are possible.

Incidentally, a report from the SANS Institute suggests that other browsers, and in particular Internet Explorer 8, may also be affected:

Also, one of our readers points out that “…the PoC in Internet Explorer 8 throws a script exception stating that there is ‘not enough storage to complete this operation’…”

At this point, this does not seem to be a particularly serious problem.  I will, of course, post updated information as I discover it.


Spam Again

July 19, 2009

Anyone who has had an E-mail account for longer than a few hours is probably familiar with the problem of spam, the electronic equivalent of junk mail.  Unlike postal junk mail, for which the sender has to pay something for postage, the marginal cost to the sender of sending a spam message is effectively zero.  So there is a lot of it: financial opportunities in Nigeria, pharmaceuticals that claim to produce anatomically improbable effects, PhD degrees from Nocturnal Aviation University, and so on:

The problem of unwanted e-mail messages, or spam, continues to vex computer users and security professionals. Currently, more than 90 percent of the e-mail messages traversing the Internet appear to be spam, according to the information released in June by the e-mail security firm MessageLabs.

This quote is taken from an article in the Technology Review, published by MIT, reporting on some recent research on the methods used by spamming low-lifes to harvest E-mail addresses, and to send their messages without being caught.

One of the conclusions from the research is that spammers are most likely to harvest E-mail addresses posted on public forums, discussion groups, and blogs.  Getting spam as a result of registering at a legitimate Web site is relatively rare.  One technique to frustrate spammers that has been around for years is, somewhat surprisingly, still effective: the obfuscation of mail addresses with unconventional notation (‘fred *at* foobar -dot- com’).  The studies also found that the “crawlers”, programs that harvest addresses from the Web, tend to share some common characteristics:

The researchers also found that the programs that crawl the Web looking for e-mail addresses–dubbed spamming crawlers–have characteristics that could make it easier to detect them. For example, the parts of a network from which a crawler operates tend to be a good predictor of whether it is a legitimate crawler, such as those used by Google or other search engines, or a spamming crawler.
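The address obfuscation mentioned above can be applied automatically before text is posted to a public forum or blog. The following is an added example, not code from the original post or the cited research; the address pattern is an assumed, simplified stand-in for what a basic harvesting crawler matches, and the sample post is constructed.

```python
import re

# Simplified address pattern of the kind a basic pattern-matching crawler
# might use (assumption: real crawlers vary; we use it only to check our
# own text before publishing it).
ADDRESS_RE = re.compile(
    r"\b([A-Za-z0-9._%+-]+)@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})\b"
)


def obfuscate(match: re.Match) -> str:
    """Rewrite one address as 'local *at* domain -dot- tld'."""
    local, domain = match.group(1), match.group(2)
    return f"{local} *at* {domain.replace('.', ' -dot- ')}"


def obfuscate_addresses(text: str) -> str:
    """Replace every plain e-mail address in text with the obfuscated form."""
    return ADDRESS_RE.sub(obfuscate, text)


def exposed_addresses(text: str) -> list[str]:
    """Return addresses still visible to a simple pattern-matching crawler."""
    return [m.group(0) for m in ADDRESS_RE.finditer(text)]


# Constructed sample post, not taken from any real forum.
SAMPLE_POST = (
    "Questions? Mail fred@foobar.com or the list at "
    "help.desk@lists.example.org. Patches welcome."
)

if __name__ == "__main__":
    print("before:", exposed_addresses(SAMPLE_POST))
    safe = obfuscate_addresses(SAMPLE_POST)
    print(safe)
    print("after: ", exposed_addresses(safe))
```

Running `exposed_addresses` on the final text is a quick pre-publication check that no plain address slipped through, for example one in a format the pattern did not anticipate.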

Other research focused on the techniques used to deliver spam.  One of the prime malicious uses of end-user PCs hijacked by malware is to relay spam:

… nearly 95,000 machines used by spammers were end-user computers that relayed messages and not mail servers, a third of which were in the United States and a quarter in Taiwan.

These networked machines are often referred to as zombies, or collectively as a botnet.  Keeping your machine secure and free of viruses and other nasties is not only good for you, it also makes you a better Internet neighbor.

Despite Bill Gates’s (in)famous prediction in 2004, at the World Economic Forum in Davos, Switzerland, that the spam problem would be solved in two years, it is still very much with us.

