Ethereum Wallet and Mist 0.8.8 - "smashing vulnerabilities"
For this release Mist undergone an Audit by Cure53, which was a very needed endeavour and we are thankful for the great expertise of the Cure53 team.
This audit led to a lot of useful findings that strengthen the security of the Mist browser when interacting with external DApps.
Though we also found certain vulnerabilities in electron, which is what Mist (and others like: Brave, Slack and Gitter) uses that we can't fix fully at the current point in time, without changes on the electron side, which we communicated to them. Luckily their team is very responsive and right on track to fix those as i write.
_For now don't visit untrusted DApps with your Mist browser to reduce risk!!_
We will hopefully in the next release be able to secure the electron vulnerabilities and provide a safe browser experience.
Some of the security issues allowed:
- Execution of simple code in the Mist interface context
- Popping up spoofed alert windows
- Changing the interface by dragging files into it
- Directing to file paths (which is disabled for now, on some occasions)
- File path attacks using HTTP redirects
- UI breaks
We also fixed all issues on the Mist side that allowed to break the interface. We added a new 400 error page for disallowed URLs. We also improved the security of scripts running inside the DApps context and improved overall webview security. We might publish the full list of vulnerabilities at a later point in time.
Big thanks goes to @cure53 and their great team for disassembling Mist and especially its integration of third party content. We will very likely have follow up audits of more aspects of the Mist browser.
This release has major stability improvements on the node connection between tabs and the stability of the sockets, which were freezing Mist at times.
The wallet was also updated and should now have the problem with the confirmation windows solved.
Additionally we fixed the following issues:
- prompts users when there are geth updates and allows them to opt-in to update it
- fixed flickering of icons
- fixed directing of URLs into the browser tab
- fixed removal of wallet tab title
Full change log: https://gist.github.com/evertonfraga/d7a4c998d41463cd2a3a7eea50c61004
Mist-linux32-0-8-8.deb cb15122b02f243afd00abd0abd3dec77a6983870f095cb122cc6feb504f224da Mist-linux32-0-8-8.zip 38d58d55fb00c65503febae243d8eb341867d1b15d8bf0460feea47e69c0b184 Mist-linux64-0-8-8.deb bb1ab148db979e29e179bcbadf9cf626d128e7a140a15c403891ac626b5601a4 Mist-linux64-0-8-8.zip 6b5f28fcdf38ffded3cdc889e567ed44cc760fc04928b8d0704f360dc6e24c0c Mist-macosx-0-8-8.dmg 955b46059c6d65b5f2cdc824a642562eb7ec6442747fc1b5c4aafb6f42a7bad5 Mist-win32-0-8-8.zip 59788f02a825435bbd1d28dc3100f7bc2256a3c740f8641702c5951f823781df Mist-win64-0-8-8.zip 473dc3228e3af7f72cd7d8a8fa17297504ddd6482fa35d6433542512ad5d82dd
Ethereum-Wallet-linux32-0-8-8.deb 3f1def366f9ca69da57bb06cdda53a6cfd44b19ea10b1f7932144850124de06a Ethereum-Wallet-linux32-0-8-8.zip f2d572406abdc6545a953c2aba2316226ab42030f980fc8aa24cfe6b2a330bb2 Ethereum-Wallet-linux64-0-8-8.deb 386abbd14ed1ef28cb1c7d8c6589fa39e3b5b02b563c1e5f720f592206a56d52 Ethereum-Wallet-linux64-0-8-8.zip 9a67c9a84202186907eb0d2c7c648937848195295f99a8804c308233cd86310a Ethereum-Wallet-macosx-0-8-8.dmg 141716aedbf9a94c4aa2051a8ae8ee0a5b65da5d6f788670a298d6de7aad829a Ethereum-Wallet-win32-0-8-8.zip 5af8bb045e8089c7daad5085872648518546375f0594ab9ef7350d85a018420c Ethereum-Wallet-win64-0-8-8.zip 6b4571788dec96b52aff66f6371f7368c2c04457b1b29ec8db2d9db507c40b00