Security: Patches, Web Security Books, SecWeb – Designing Security for the Web

Filed under
Security

  • Security updates for Friday

    Security updates have been issued by Fedora (curl, LibRaw, python-pillow, and python36), Mageia (coturn, samba, and vino), openSUSE (opera), and Ubuntu (openssl).

  • Comparing 3 Great Web Security Books

    I thought about using a clickbait title like “Is this the best web security book?”, but I just couldn’t do that to you all. Instead, I want to compare and contrast 3 books, all of which I consider great books about web security. I won’t declare any single book “the best” because that’s too subjective. Best depends on where you’re coming from and what you’re trying to achieve.

  • Hardening Firefox against Injection Attacks – The Technical Details

    In a recent academic publication titled Hardening Firefox against Injection Attacks (to appear at SecWeb – Designing Security for the Web) we describe techniques we have incorporated into Firefox to provide defense in depth against code injection attacks. In this blog post we give insight into the described hardening techniques at a technical level, with pointers to the code implementing them. Note that links to source code are perma-linked to a revision current as of this blog post; more recent changes may have moved the code in question.

    [...]

    Firefox ships with a variety of built-in pages, commonly referred to as about: pages. Such about: pages allow the user to view internal browser information or change settings.

    If an attacker could inject script into a privileged about: page, that would in many cases amount to a complete browser takeover. To reduce this injection attack surface, we apply a strong Content Security Policy (CSP) of default-src chrome: to all about: pages. Because no script-src directive is set, script loads fall back to default-src, so the policy restricts script to JavaScript files bundled and shipped with the browser and reachable only via the Firefox internal chrome:// protocol. Whenever Firefox is about to run any JavaScript it consults its CSP implementation, calling ShouldLoad() for external resources and GetAllowsInline() for inline scripts. If the script is not allow-listed by the CSP, Firefox blocks its execution, which neutralizes the injection: the attacker's markup may land in the page, but the script never runs.

    Further, we verify that every newly added about: page ships with a strong CSP through the function AssertAboutPageHasCSP(). This function acts as a commit guard for our codebase: it ensures that no about: page lands in the Firefox tree without a strong CSP.
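    To make the two checks above concrete, here is an added example (not Firefox's code, and not from the Mozilla post) that models how a policy of default-src chrome: gates script loads and how a commit guard would reject a weaker policy. The function names shouldLoad, getAllowsInline and assertAboutPageHasCSP only echo the names mentioned in the post; the policy parser is deliberately minimal (scheme-sources, 'none', '*' and 'unsafe-inline' only), and the sample script URLs are constructed for the demonstration.

```javascript
// Added example: a minimal model of CSP script gating for about: pages.
// NOT Firefox's implementation; names only echo those in the post.

// Parse "default-src chrome:; script-src 'none'" into
// { "default-src": ["chrome:"], "script-src": ["'none'"] }.
function parseCSP(policy) {
  const directives = {};
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// script-src falls back to default-src when absent; null means "no policy at all".
function scriptSources(directives) {
  return directives["script-src"] || directives["default-src"] || null;
}

// Does one source expression permit this URL? Only the expression kinds needed
// for the about: page policy are modelled: a scheme-source such as "chrome:",
// the 'none' keyword, and "*" (which per spec never matches data:/blob:/filesystem:).
function sourceMatches(expr, url) {
  if (expr === "'none'") return false;
  if (expr === "*") return !/^(data|blob|filesystem):/i.test(url);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return url.toLowerCase().startsWith(expr.toLowerCase());
  }
  return false; // host-sources, nonces and hashes are out of scope here
}

// Analogue of ShouldLoad(): may an external script at `url` be loaded?
function shouldLoad(policy, url) {
  const sources = scriptSources(parseCSP(policy));
  if (sources === null) return true; // no policy: nothing blocks the load
  return sources.some(expr => sourceMatches(expr, url));
}

// Analogue of GetAllowsInline(): inline script needs 'unsafe-inline'
// (nonce- and hash-sources, the other ways in, are not modelled).
function getAllowsInline(policy) {
  const sources = scriptSources(parseCSP(policy));
  if (sources === null) return true;
  return sources.includes("'unsafe-inline'");
}

// Commit-guard analogue of AssertAboutPageHasCSP(): the page's policy is
// "strong" only if script is confined to chrome: and nothing else.
function assertAboutPageHasCSP(policy) {
  const sources = scriptSources(parseCSP(policy || ""));
  if (sources === null) throw new Error("about: page has no CSP");
  const weak = sources.filter(s => s !== "chrome:");
  if (weak.length) throw new Error(`weak script sources: ${weak.join(" ")}`);
  return true;
}

// Constructed sample: the hardened policy against loads an injection might attempt.
const ABOUT_PAGE_CSP = "default-src chrome:";
const SAMPLE_LOADS = [
  "chrome://browser/content/preferences/preferences.js", // bundled, allowed
  "https://attacker.example/payload.js",                 // remote, blocked
  "data:text/javascript,alert(1)",                       // data: URL, blocked
];

function evaluateSample() {
  return SAMPLE_LOADS.map(url => ({ url, allowed: shouldLoad(ABOUT_PAGE_CSP, url) }));
}

for (const r of evaluateSample()) {
  console.log(`${r.allowed ? "ALLOW" : "BLOCK"} ${r.url}`);
}
console.log(`inline script allowed: ${getAllowsInline(ABOUT_PAGE_CSP)}`);
```

    The point the guard makes is that 'unsafe-inline', a remote host, or a missing policy each re-open the injection path the CSP was added to close, so the check rejects every source expression other than chrome:.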

    Before we protected about: pages with a CSP we faced a bug in which text and markup controlled by a web application was reused in a permission prompt, leading to a Universal Cross-Site Scripting (UXSS) attack in the browser interface (CVE-2018-5124). Scripts injected that way run with elevated privileges, gain access to internal APIs, and can result in a full system compromise. What raises the severity of such bugs is that the vulnerability is high-level (markup rather than memory corruption) and the exploit code is highly deterministic, which makes exploitation comparably trivial.
