SECURITY ADVISORY: Please Block favicon.ico in Your Firewall

Posted 18 Aug 2015 at 06:39 UTC by MichaelCrawford

Even if you don't use a firewall you might use a non-filtering proxy. If so you might be able to filter just "/favicon.ico" from every web site.

I discovered a Zero-Day in the wild this morning. It exploits your browser, quite possibly your entire system, through the favicon.ico that is placed at the root directory of many web sites:

http://www.example.com/favicon.ico


It is already public knowledge that neither Chrome nor Firefox place a file size limit on favicons, thus a very large one - even a standards-compliant graphic document - could crash your browser, possibly crash your computer by running it completely out of virtual memory (i.e. swap space). Large favicons exploit dialup modem users via the Denial Of Service that results from downloading a very large file without the end user's knowledge or permission.

I am already developing Firefox and Chrome Add-Ons as well as Safari and Internet Explorer Plug-Ins that will block all favicons in their initial releases; later versions will use a separate process - a sandbox - to validate the document format of each favicon.ico, render its pixels in a memory buffer, then display the now-safe image in the browser's address bar.

My Add-Ons and Plug-Ins will warn the user of invalid documents and display Message Boxes - Alerts - if the favicon.ico document actually does contain a Virus, Trojan Horse or Worm.

If you speculate that you already know what I am referring to please don't discuss it in public until Apple, Microsoft, Google and Mozilla have released patches that verifiably fix this. If you want to discuss it in private either mail me at mdcrawford@gmail.com or post to the Mozilla bug report I shall submit this evening then link in a reply to this here article.

Yes there are many other browser vendors but Firefox, Safari, Chrome and Internet Explorer cover the majority of the end-users who would be otherwise unable to protect themselves by configuring their own firewalls.

I will reply with the relevant CERT Incident Number; eventually a CERT Advisory Number will arrive too.

If you think you can write better Add-Ons or Plug-Ins than I can, or if you can write them for other browsers than I have experience with, I invite you to Do Yer Worst.
Have A Nice Day.

(Soggy Wizards is a new domain and so its web site is still parked. Its web server will be active by tomorrow afternoon, Tuesday, August 18, 2015.)

While I will publish my Add-Ons and Plug-Ins under the Affero General Public License version 3 and will supply ready-to-use Add-Ons and Plug-Ins free of charge, you are welcome to facilitate their development with a modest monetary contribution. Please mail a check or money order payable to "Solving the Software Problem" for what you can reasonably part with to:

Michael David Crawford
650 NW Irving St
Portland OR 97209
USA


I do not yet have a BitCoin nor Litecoin wallet but I will set those up then supply them in a reply.

I don't use PayPal; if you would like to contribute via PayPal, donate to your choice of the Free Software Foundation, Creative Commons, Electronic Privacy Information Center, the American Civil Liberties Union or the Leftist organization of your choice.

Have A Nice Day.


Plug-Ins for Recent Safari Releases Require a $99.00 Fee, posted 18 Aug 2015 at 09:39 UTC by MichaelCrawford » (Master)

If I understand correctly that's $99.00 for an unlimited number of Plug-Ins but for just one year.

Safari Plug-Ins must be digitally signed by Apple. That's mostly a good thing but until now I have been reluctant to pay Apple anything at all, for many reasons unrelated to my present security report.

I expect I can implement my Plug-In for older versions of Safari. Apple will release a Security Update if, in its own judgement, Safari exhibits this problem. I don't know yet but I will test it myself.

However, Apple's Software Quality Assurance will require some time to validate any such fix. I was once a Senior Engineer at Apple; they have a process for new products and new revisions of old products which is quite good but not as fast as what the independent developer can pull off.

If I find that I must pay the Safari Developer Program fee for you to install my Plug-In, and in my own opinion you should install it, then I will pay the fee. But I will start my Safari work on Mac OS X Tiger 10.4.11 PowerPC and Safari 3.1.1.

If Apple has any objection to my use of the Affero GPLv3 I will post its source code at http://soggywizards.com/code/source/security/browser/safari/ but will not release an executable build that end-users can install directly.

The Irony Of My Own Domain Parking Was Pointed Out To Me, posted 18 Aug 2015 at 14:30 UTC by MichaelCrawford » (Master)

$ curl http://soggywizards.com/favicon.ico
No favicon
$ wget http://soggywizards.com/favicon.ico
--07:24:04-- http://soggywizards.com/favicon.ico
=> `favicon.ico'
Resolving soggywizards.com... 141.8.225.91
Connecting to soggywizards.com|141.8.225.91|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
07:24:05 ERROR 404: Not Found.

The parking website - not just a single page - provided by my domain registrar does not include a favicon, but it does have a custom 404 Error Document that I expect uses Apache Server-Side Includes to produce "No favicon" if one tries to load it.
This yields the should-have-been-obvious insight that plain text favicons, even HTML/CSS/Javascript as well as graphic images that are far larger than 16 by 16 pixels, must be handled gracefully by my Add-Ons and Plug-Ins - but only when HTML, CSS, Javascript or large images are found in a page whose HTTP/1.1 Response Code is something other than "200 OK".
I will require 200 OK Response Code payload data to consist of standards-compliant graphic documents that are 16 by 16 pixels or - maybe, I am as yet uncertain - 16x16 or smaller, but NOT larger.
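A defender-side check that follows the policy laid out in this reply (a non-200 body is never rendered, the payload is size-capped, and a 200 OK payload must be an ICO file whose images are all 16x16 or smaller). This is an added example, not code from the post or from its Add-Ons or Plug-Ins; the 64 KiB byte cap is my assumption, only the ICO container is checked (not PNG favicons), and the sample icons are constructed.

```python
import struct

MAX_FAVICON_BYTES = 64 * 1024  # assumed cap; the post only says "not larger than 16x16"
MAX_SIDE = 16                  # the reply's 16x16-or-smaller rule
ICONDIR_LEN = 6                # reserved(2) + type(2) + count(2)
ENTRY_LEN = 16                 # one ICONDIRENTRY


def validate_favicon(status_code, body, max_bytes=MAX_FAVICON_BYTES, max_side=MAX_SIDE):
    """Return (ok, reason). ok is True only for a 200 OK body that is a
    well-formed ICO container whose every image fits within max_side."""
    if status_code != 200:
        return False, "status %d: body ignored, not rendered" % status_code
    if len(body) > max_bytes:
        return False, "body is %d bytes, over the %d byte cap" % (len(body), max_bytes)
    if len(body) < ICONDIR_LEN:
        return False, "too short for an ICONDIR header"
    reserved, img_type, count = struct.unpack_from("<HHH", body, 0)
    if reserved != 0 or img_type != 1:  # type 1 = icon, 2 = cursor
        return False, "not an ICO file (bad ICONDIR header)"
    if count == 0:
        return False, "ICO declares zero images"
    table_end = ICONDIR_LEN + ENTRY_LEN * count
    if table_end > len(body):
        return False, "ICONDIRENTRY table runs past end of body"
    for i in range(count):
        w, h, _colors, _rsv, _planes, _bpp, size, data_off = struct.unpack_from(
            "<BBBBHHII", body, ICONDIR_LEN + ENTRY_LEN * i)
        w, h = w or 256, h or 256  # ICO stores a 256-pixel side as 0
        if w > max_side or h > max_side:
            return False, "image %d is %dx%d, larger than %dx%d" % (i, w, h, max_side, max_side)
        if data_off < table_end or data_off + size > len(body):
            return False, "image %d data (offset %d, size %d) lies outside the body" % (i, data_off, size)
    return True, "%d image(s), all within %dx%d" % (count, max_side, max_side)


def make_ico(width, height, payload):
    """Build a minimal single-image ICO for testing (constructed; payload is not a real bitmap)."""
    entry = struct.pack("<BBBBHHII", width % 256, height % 256, 0, 0, 1, 32,
                        len(payload), ICONDIR_LEN + ENTRY_LEN)
    return struct.pack("<HHH", 0, 1, 1) + entry + payload


GOOD_ICO = make_ico(16, 16, b"\x00" * 40)     # constructed: fits the rule
HUGE_ICO = make_ico(256, 256, b"\x00" * 40)   # constructed: 256x256, rejected
PARKED_404 = b"No favicon"                    # the parking page's 404 body from above

if __name__ == "__main__":
    for status, body in ((200, GOOD_ICO), (200, HUGE_ICO), (404, PARKED_404), (200, PARKED_404)):
        print(status, validate_favicon(status, body))
```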

There is some problem with soggywizards.com's nameservice, posted 21 Aug 2015 at 21:43 UTC by MichaelCrawford » (Master)

I asked a friend to register the domain for me. While he's a smart guy he doesn't know much about the Internet. He had some trouble configuring my nameservice. While I think he eventually did get it configured correctly, there is a delay in the propagation of my server's Internet Protocol address due to the caching that the Domain Name Service uses to lighten the load on nameservers.

There is some possibility that the problem is with the registrar my friend uses, if so that might take a few days to work out.
