Archive of UserLand's first discussion group, started October 5, 1998.

Third Voice security hole -- kiss of death

Author:Jacob Levy
Posted:7/9/1999; 8:58:44 AM
Topic:Third Voice security hole -- kiss of death
Msg #:8361
Prev/Next:8360 / 8362

I am still able to reproduce the security attack with the old version of the Third Voice software. The new version indeed does not allow the security attack. I find this "solution" totally inadequate, however. See below.

Based on the small amount of information given in the report, here is my limited (take-with-a-rock-of-salt) analysis:

* The old Third Voice client software allows a user to post sticky notes with (potentially malicious) JavaScript embedded in them.
* The newer Third Voice client does not allow this or does some checking that eliminates (some of? all of?) the dangerous uses of JavaScript in a post-it note.
* When a note is received that contains JavaScript, the embedded JavaScript is executed. I'm not sure whether the newer client software does any additional checking on the JavaScript it receives and executes.
* The Maltan hackers who reproduced the original bug with a new copy of the Third Voice client probably simply disabled the additional checks (presumably by binary editing).

It doesn't seem adequate to release fixed client software. As long as there is even one copy of the old (or newly compromised) client in use somewhere, malicious users can post notes with malicious JavaScript in the note and client software everywhere will execute the embedded code.

I'm pretty sure Third Voice people are aware of the real solution -- filter all JavaScript on the server and do not rely on client software to be bona fide. I don't even have to use a client released by Third Voice to post a note, since it's a simple network protocol. Therefore implementing security through releases of new client software is ridiculous. The statement by Third Voice claiming that the Maltan hackers did not compromise Third Voice security because they didn't use the original Third Voice client exactly proves my point.

Third Voice probably depends on the ability of clients to execute JavaScript for some of its functionality. Therefore it is caught in a bind. They can't disable JavaScript, and at the same time they must because of the security issues.


This page was archived on 6/13/2001; 4:51:21 PM.

© Copyright 1998-2001 UserLand Software, Inc.