Slashdot Mirror


HTML Frames Considered Harmful

DLWormwood writes "Secunia has recently issued yet another advisory about web browser vulnerabilities, this time concerning the use of frames in web pages. Originally discovered to be in Internet Explorer, the security experts apparently worked overtime just to make sure the same "flaw" is found in just about every other browser out there. Doesn't this notice simply complain about a specified design feature of frames? (Note their official "advice": "Do not visit or follow links from untrusted websites.")"

104 comments

  1. Frames are evil, anyway by Anonymous Coward · · Score: 5, Insightful


    Since when was this news?!

    Frames are evil. Frames supposedly make the web designer's job easier, but they cause an increased maintenance overhead. Frames supposedly create a better interface to a website for the end-user, but they cause severe usability problems.

    It's common to see frames abused by newbies in implementing a left-hand menu and top banner layout with the mistaken belief it's easier to maintain and makes downloading quicker. There are numerous problems this implementation raises typically related to the paradox it creates.

    To make up for the usability deficiencies, many framed websites use some client-side techniques which cause further maintenance nightmares. There is a definite usability versus maintenance trade-off with frames, which makes it a difficult technology to manage well. The alternatives available have none of these drawbacks, thus frames are a sub-optimal, and typically backward solution.

    Most of this "usability"-hacking of framed websites results in a complete dependency on Javascript - another evil. Considering the on-going problems related to Windows' lax security model (in the OS, Outlook and Internet Explorer) and the exponential growth of scripted worms and viruses (Melissa, Love Bug, Kournikova, SirCam, Code Red, Code Red II, Code Blue, Nimda), this convinces a greater number of surfers to switch off Javascript entirely, which in turn causes a framed and scripted site to die a rather horrible death in the browser.

    1. Re:Frames are evil, anyway by ericspinder · · Score: 3, Insightful
      the mistaken belief it's easier to maintain and makes downloading quicker.
      It does make downloading successive pages quicker, but I don't know anybody at 14.4K, so it doesn't make anywhere near the difference that it used to. It helps download speed, if you have rollover image based navigation (really a mistake, but sometimes you don't have a choice). Also, before the ubiquity of the Application server it was either use JavaScript Objects kept in a hidden frame (or what was later called a 'pop-under') or roll your own CGI session mgmt.

      However, you are right about the need for usability hacks with frames, just getting the back button to work right is a real pain. But, I disagree about JavaScript being 'Evil', it's a tool which is particularly well suited for client side actions. I have used JavaScript recently to re-order a list rather than redoing the query, it's much faster than any of the alternatives. If you want to surf the net with JavaScript turned off, that's your business. Now I avoid frames, unless I am told that is how it will be, but JavaScript is still very useful, especially combined with CSS (aka DHTML)

      The "lax" Windows security model and the viruses you mention may be issues, but they have nothing to do with this issue. It's like saying: "Because of the war in Iraq, and the growth of fungus, You should only have salad at McDonald's, because it's better for you, QED."

      --
      The grass is only greener, if you don't take care of your own lawn.
    2. Re:Frames are evil, anyway by lphuberdeau · · Score: 4, Insightful

      I have to agree that in common websites, frames are quite useless and ugly. All they really do is make navigation a hell, but there are situations where frames are useful. I work on internally-used applications which sometimes have a web interface, and the users actually asked to have frames available in some cases. Frames can fill the gap between the usability of a standalone application and flexibility of the web.

      It might seem useless, but the simple fact that frames can be resized does suit most needs. Users can decide which section of the content is most useful to them. A common usage is when the users actually need to compare documents. Having both side by side can be nice.

      Just imagine Java's documentation without the frameset, it would really be a pain to search in. The class list is very long to load, and I'm quite happy they didn't simply include it in all pages.

      Frames are not evil, neither is JavaScript, it just depends on how it's used. Using frames for a menu is not a good thing, and using frames for a banner is simply worse. Those kinds of usage really gave frames a bad reputation because they simply reduce the amount of usable space on the monitor. JavaScript used for pop-ups or ugly 'eye-candy' stuff really also is an error, but JavaScript can enable some real dynamism in a form and actually allow to save a lot of time in the processing. Isn't filling country, state and city automatically nice when a user enters a zip code?

      There used to be problems with JavaScript and browser compatibility, but it's not that bad anymore. Of course, IE simply won't support everything, but there are always workarounds.

      Really, those things are only evil if you're a designer. When you need to build an application that people will actually use and need to be productive, you need to look over those things to see if they could make the entire application better. Just don't abuse.

      --
      Qui ne va pas à la chasse n'a pas de gibier
      PHP Queb
    3. Re:Frames are evil, anyway by DLWormwood · · Score: 1
      Since when was this news?!

      Frames are evil.

      Of course, but I think the notion that a "trusted" security site finds technology from the last millennium to be "newsworthy" to be newsworthy itself, if for no other reason than for /.'ers to ruthlessly mock them.

      Seriously, though, I posted this because I was starting to notice this meme drifting through the Mac websphere (of all places!) about the non-IE version of the flaw. I wanted to "out" the fact that this affected/effected/qffected IE as well before the Microsoft apologists started to gloat.

      Wow, my first news submission, and it passes. Just what has /. turned into lately? (-;

      --
      Those who complain about affect & effect on /. should be disemvoweled
    4. Re:Frames are evil, anyway by Anonymous Coward · · Score: 2, Interesting

      with the mistaken belief ...[it] makes downloading quicker

      Umm, that's not a mistaken belief. In fact, you'd have to try really REALLY hard to make it not true. I get sick of sites wiping the entire screen only to reload the exact same HTML for their "menu" every time you open a different option. Frames are not evil unless the user is an idiot, and a huge portion of internet users are still using 56k or slower modems.

      I get really sick of this, actually. One usability expert says frames are bad because they confuse a few people, and everyone just repeats it as if it were gospel, not bothering to think about the benefits that can apply. Frames are 100% non-evil when used well.

      What's evil is including 20k of "menu code" on every fucking page.

    5. Re:Frames are evil, anyway by AShocka · · Score: 1

      If you want a frame-like interface use absolute positioning of the menu content in CSS.

    6. Re:Frames are evil, anyway by almightyjustin · · Score: 1
      Well, sure, you can do that, but then you have to include the menu on every page. Guess what happens when you want to change one of the links on the menu?

      And don't just say "use PHP"; there are lots of situations in which PHP is not a practical option.

      --

      Omnes arx vestrum sunt adiuncta nobis.

    7. Re:Frames are evil, anyway by AShocka · · Score: 1

      There are all sorts of ways to manage this in a practical fashion. I'm not saying there are no down sides to this approach, but using frames has far more downsides and maintenance issues.

    8. Re:Frames are evil, anyway by Romeozulu · · Score: 1

      >>Isn't filling country, state and city automatically nice when a user enters a zip code?

      Show me a site that does this via JavaScript? The Zipcode database is HUGE, and I doubt anyone is downloading the whole thing on pageload just to auto fill in City/State via Zip.

      Don't get me wrong, I love JavaScript (used right), and I think it really gets a bad rap because of the pop-up issue.

    9. Re:Frames are evil, anyway by lphuberdeau · · Score: 2, Informative

      Depends on what the scope is, and you don't need to load everything in the first place anyway.

      I'll just use an example from Frank Boumphrey (Source: http://conf.phpquebec.org/main.php/en/cdrom2004/session#3), this system was used for a hospital, only the local/frequent zip codes were sent to the client in the first place. Once again, this was for an internal application, but it can really apply anywhere.

      If sending the entire list is not an option, it's still possible to get the page to go fetch the information directly using Mozilla's XMLHttpRequest class or IE's HTTPREQUEST ActiveX component. (Well explained here: http://www.phppatterns.com/index.php/article/articleview/82/1/2/).

      Those features are quite obscure but have been around for quite a while now (years). Most browsers actually support it. And for the other ones, they can still type the entire thing.

      I hope these details answered your questions.

      --
      Qui ne va pas à la chasse n'a pas de gibier
      PHP Queb
    10. Re:Frames are evil, anyway by Anonymous Coward · · Score: 0

      Umm, that's not a mistaken belief.

      It is and it isn't. Downloading a framed page will be slower than downloading a non-framed page. You have to request the frameset, parse it, and then request each individual page. Compared with simply requesting a single page, it's slower.

      Having said that, once you get somebody surfing through a website, it's not so slow, as they don't have to reload some of the frames. However, if you are doing frames as best you can, you'll be creating a frameset for each individual set of pages and using target="_top", so you still have the overhead of requesting and parsing the frameset. In situations where persistent connections or 304 responses are not present, the additional requests needed can really slow things down.

      I get sick of sites wiping the entire screen only to reload the exact same HTML for their "menu" every time you open a different option.

      The exact same? Most websites alter the menu to highlight where a visitor is in the website - it helps them build up a mental map of the website. You can't do this reliably with framesets without throwing away the advantage you've just described.

      I get really sick of this, actually. One usability expert says frames are bad because they confuse a few people, and everyone just repeats it as if it were gospel, not bothering to think about the benefits that can apply. Frames are 100% non-evil when used well.

      Bullshit. There are loads of different reasons why framesets are a nasty hack that don't work well. These aren't new arguments, they've been around ages, and I have yet to find anybody that can address them all. As a starting point, try this document.

      What's evil is including 20k of "menu code" on every fucking page.

      20k of menu code is not the alternative, or even common. 2k is more like it.

    11. Re:Frames are evil, anyway by ozbon · · Score: 1

      Fair enough, you don't have to use PHP, but SSIs in general work nicely instead of using a frameset.

      Personally, I use either a PHP include file, or an ASP one, depending on the set-up of the webserver - but a simple SSI in a .shtml file will work just the same.

      --
      I say we take off and nuke it from orbit. It's the only way to be sure...
    12. Re:Frames are evil, anyway by metamatic · · Score: 1

      Well, if you really care about download speed, you skip the images and use CSS. That'll give you a much better improvement than frames.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    13. Re:Frames are evil, anyway by Anonymous Coward · · Score: 0

      every fucking page

      I know what kind of sites you're looking at.
    14. Re:Frames are evil, anyway by Anonymous Coward · · Score: 0

      Or you can still use both images and CSS at the same time...

      http://www.alistapart.com/articles/slidingdoors2/

  2. no posts, already slashdotted by danguyf · · Score: 3, Funny

    I clicked "Vulnerabilities" in Secunia's menu frame and now the site won't come up... Which is the greater danger, frames or the slashdot effect?

  3. Parent-child window links by 0x0d0a · · Score: 5, Interesting

    Really, it sucks that there's no visual association between child and parent windows (like a string attaching them, or something). If a dialog comes up from a Javascript, how are you to know what frame it belongs to?

    The idea of throwing up dialogs really predates the need to provide a trusted interface to the user.

    1. Re:Parent-child window links by gl4ss · · Score: 1

      well, do you often get popup dialogs while browsing the web that aren't 'harmful'?

      --
      world was created 5 seconds before this post as it is.
    2. Re:Parent-child window links by 0x0d0a · · Score: 1

      Password dialogs.

      Well, not often, but I should be able to get trusted password dialogs.

    3. Re:Parent-child window links by ZigMonty · · Score: 2, Interesting

      This is exactly what Apple fixed with "Sheets": a child window slides down from the title bar of the parent and remains attached.

  4. Not a bug, a feature by Twirlip+of+the+Mists · · Score: 3, Interesting

    It seems to me that the whole premise behind this so-called vulnerability is wrong. Frames and windows don't have owners, so there's nothing for the browser to verify.

    So yeah, I think the "a specified design feature of frames" thing is pretty close to the truth.

    --

    I write in my journal
    1. Re:Not a bug, a feature by eddy+the+lip · · Score: 1

      Yeah, I'd hardly call this a vulnerability. Maybe a "feature that can be used to trick users." Of course a parent window can modify content in its child windows. This isn't exactly news. News would be "a child window can modify content in its parent window", something that's supposed to require a signed script.

      You could do something similar without even bothering with frames, by, say, registering 'microssoft.com' and then linking to "http://msdn.microssoft.com/library/default.asp." How many people will notice the extra 's' in their address bar? Is that a "vulnerability"?

      Sounds like someone wanted to publish a "six year old vulnerability" to hawk their product.

      --

      This is the voice of World Control. I bring you Peace.

    2. Re:Not a bug, a feature by WolfWithoutAClause · · Score: 1
      I think the problem might be if you have a window open- like a banking site up, or ebay, amazon etc. etc., and you open another website; or somebody sends you spam with html attachment or something.

      As soon as it gets executed javascript replaces the real page with a fake one. If you don't notice the switch then the 'fun' ensues as you try to 'log back in'.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    3. Re:Not a bug, a feature by happyfrogcow · · Score: 1

      Yeah, I'd hardly call this a vulnerability.

      wrong. the Subject line of the parent could be correct, but your statement is wrong. It very well could be a design issue, thus it's not a bug. A correctly implemented design issue is not a bug. However a properly (or improperly) implemented design decision can very well lead to a vulnerability. I see no difference between a vulnerability and "Maybe a 'feature that can be used to trick users.'"

    4. Re:Not a bug, a feature by bentcd · · Score: 3, Interesting

      It doesn't rely on Javascript; as far as I can tell it uses straight HTML tags to do its thing. This means that even the paranoid ones such as myself are vulnerable to this sort of attack. I tend to find that interesting in and of itself :-)

      --
      sigs are hazardous to your health
    5. Re:Not a bug, a feature by Matthew+Weigel · · Score: 2, Informative
      Parent window? Child window?

      Different windows. Open a new copy of your browser, doesn't matter how...

      This is a vulnerability because no matter how separate the user tries to keep two windows (for instance, using a bookmark to open ImportantBanking.com rather than clicking on a link to ImportantBanking.com from an untrusted external website), an untrusted external website can change the content in a frame of the ImportantBanking.com window.

      --
      --Matthew
    6. Re:Not a bug, a feature by eddy+the+lip · · Score: 1

      Ah, that explains the rabid "this is crazy serious" comments. I RTFA, just not TFC. I thought this was just doing the obvious thing, and using javascript to manipulate a browser window that had been opened by the parent. Thanks for the clarification.

      (Canada Day involves heat and beer. Mea culpa).

      --

      This is the voice of World Control. I bring you Peace.

    7. Re:Not a bug, a feature by Matthew+Weigel · · Score: 1

      Actually, the article is not entirely clear on this matter. I went ahead and verified (in IE, can't verify that that's the problem in every browser ;-) that it was more serious than that before I considered it serious, too.

      --
      --Matthew
    8. Re:Not a bug, a feature by Anonymous Coward · · Score: 0

      Even if you do consider it to be a bug, you can have an http proxy rewrite the link so it's just a normal link. I do this already with privoxy, and the test page fails to work for me. In other words, the links all just work like links, they don't open new windows or do funny stuff in some other window which may or may not be open. I always considered this to be annoying, hence why I turned it off. I don't think you could get away with doing this for a large number of users though, as some of them may actually enjoy being annoyed.

    9. Re:Not a bug, a feature by Anonymous Coward · · Score: 1, Insightful
      Top Ten Things Sucky Parts of the Web, using the Web-is-like-a-library analogy
      • Resize/maximize browser window from JS. When you're reading a book, does it latch on to your face with claws, preventing you from seeing anything else?
      • Pop-up ads and dialogue boxes. When you open a book, do other books fly off of the shelf and at you, flinging themselves open in the process?
      • Pop-under ads. When you finish reading a book and close it, does it fling itself back open to a different page?
      • target=_new. How about those books that hop from table to table, requiring you to chase them?
      • Bloat. Are books 30-40 lbs. each, having pages measuring several yards across?
      • Sites relying on nonstandard features. How about those books printed in a five-ink process (four-colors and black, and are only legible if you can distinguish all of those) for those women who have four types of cone cells? Or the books where letters are randomly either red or green, since the author was red/green color-blind?
      • Rapid-flashing animated images. Epileptics aren't permitted in libraries, after all.
      • Unexpected animation and interaction (read: abuse of Java and Flash). After all, we're all looking to go to the arcade when we visit the library, right?
      • Disabled right-click menus. What if some books pounced on you and bit you if you brought them anywhere near a Xerox machine?
      • Mis-use of the footer-space (where destination of URLs is shown while hovering). Suppose that a large reference book didn't have an index! (I know, this one's a stretch.)


      I mean, it's obvious that the Web is not identical to a physical library, but it's purported to (at times) be the digital equivalent of one. Additionally, books and libraries have gradually evolved to be fairly efficient (within the constraints of the world around them); it's usually better to try to build off of an existing known working solution than not to (and, yes, I realized the Web has evolved from its hypertext document origins, but to some extent, page designers are ignoring existing wisdom).
    10. Re:Not a bug, a feature by DerWulf · · Score: 1

      the web is not only a library. It's a theme park, a post office, a news stand, a porno rental, a bookstore, a flea market, a bank and tons of other things. A web as library would be quite boring. Also regarding target=_new the correct analogy does translate perfectly into a library. When wanting to access a reference (link) found in the book, the new book doesn't replace the old one. Instead it is usually open alongside the first.

      --

      ___
      No power in the 'verse can stop me
  5. CSS by Joe+the+Lesser · · Score: 3, Informative

    My IT professors beat into my brain that all formatting that even remotely resembles frames should be done with CSS (Cascading Style Sheets) positioning.

    --
    "I only speak the truth"
    Karma: null(Mostly affected by an unassigned variable)
    1. Re:CSS by NutscrapeSucks · · Score: 2, Insightful

      This is true for the most part. However sometimes you want content to stay on the page without doing a reload (perhaps there's a long database query or something). In that case frames/iframes are pretty much your only choice.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    2. Re:CSS by bofkentucky · · Score: 2, Informative

      or tags to include statically generated content without additional load on the server.

      --
      09f911029d74e35bd84156c5635688c0
    3. Re:CSS by NutscrapeSucks · · Score: 1

      How does that work exactly? I've never seen used with HTML content.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    4. Re:CSS by The+Mayor · · Score: 3, Informative

      In addition to using the tag, which is available only to IE users, you can also use tags and issuing requests to a hidden iframe that posts the results back to the parent window. Using the div tag approach, of course, still requires an iframe, but at least it's cross platform.

      --
      --Be human.
    5. Re:CSS by bofkentucky · · Score: 2, Informative

      Actually it is the reverse, NS7 and Moz1.8a1 render the object tag, which is valid HTML4.0 strict/XHTML1.0 strict perfectly

      NS4.80 does what it should when you can't render an object, render the content that the object surrounds

      IE6sp1 fails to render the object or the alternative, see for yourself here.

      --
      09f911029d74e35bd84156c5635688c0
    6. Re:CSS by bofkentucky · · Score: 1

      See here for an example of rendering one XHTML page inside of another.

      --
      09f911029d74e35bd84156c5635688c0
    7. Re:CSS by darkpurpleblob · · Score: 1

      Um, the object element is part of the HTML 4.01 specification.

  6. Didn't work on me by MachDelta · · Score: 3, Informative

    Meh, didn't work on me. I've got Firefox set up to open links in new tabs, so all that happened was the supposed "frame" from Secunia appeared in its own tab. The only way for a link to open within an existing tab is if A) I tell it so, and B) it originates from the same tab. So nyeh!

    1. Re:Didn't work on me by Ratbert42 · · Score: 1

      Me neither. Firefox 0.9 with nothing very special as far as configuration.

    2. Re:Didn't work on me by erykjj · · Score: 1

      I'll second that...

    3. Re:Didn't work on me by CableModemSniper · · Score: 1

      Worked on Firefox 0.8 for me

      --
      Why not fork?
    4. Re:Didn't work on me by nelsonal · · Score: 1

      I was a bit befuddled by my lack of anything unusual until I realized I was clicking on my open page in new tab button.

      --
      Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
    5. Re:Didn't work on me by Ianoo · · Score: 1

      Not sure whether it's the Slashdot effect or something genuine in FireFox 0.9, but the demo doesn't work for me.

    6. Re:Didn't work on me by Anonymous Coward · · Score: 0

      Mozilla 1.3b, same thing (tabs are good)

    7. Re:Didn't work on me by Anonymous Coward · · Score: 0

      If you RTFA, you'd see that Firefox 0.9 and above are specifically listed as not vulnerable to this, along with Mozilla 1.7.

    8. Re:Didn't work on me by TulioSerpio · · Score: 3, Informative

      The site says Firefox 0.9 is not affected.

      --

      I'm from Argentina: Tango, Asado, Mate, Gaucho, Maradona, YPF

    9. Re:Didn't work on me by Too+Much+Noise · · Score: 1

      Actually, on 0.8 it works for links opened in a new window and it doesn't for links opened in a new frame (the secunia injected frame gets its own window/tab).

  7. Fortunately, not every browser... by Anonymous Coward · · Score: 3, Funny

    Those of us using the Contiki web browser as our primary browser are still safe! Phew!

    1. Re:Fortunately, not every browser... by kwench · · Score: 1

      What about links? Is it affected? ;-)

      Lynx at least isn't - no frames -> no exploit!

  8. Re: MOD PARENT DOWN (FRAUD ALERT) by Anonymous Coward · · Score: 0

    See title.

  9. Wasted time. by BrookHarty · · Score: 3, Informative

    I'm sitting here trying to get this to work on IE, Mozilla and Firefox then I read the bottom of the page.


    The following browsers are not affected:
    * Mozilla Firefox 0.9 for Windows
    * Mozilla Firefox 0.9.1 for Windows
    * Mozilla 1.7 for Windows
    * Mozilla 1.7 for Linux


    All my browsers are already patched! Even IE was patched.

    1. Re:Wasted time. by stienman · · Score: 2, Informative

      It worked on my Mozilla 1.7
      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040514

      -Adam

  10. The report by k4_pacific · · Score: 5, Funny

    Type: Spoofing
    Exploit: Local
    Effects: All browsers

    Description:
    A 6 year old vulnerability has been discovered in multiple browsers, allowing malicious people to spoof the content of websites.

    The problem is that the browsers don't check if a piece of black electrical tape is on the screen covering the address bar, which prevents the user from identifying the source of content in the browser window.

    Successful exploitation allows a malicious website to load arbitrary content with its source masked by the black tape. The user cannot know if this is a trusted site.

    Solution:
    Remove the piece of electrical tape from the screen. Windex may be necessary to clean up afterwards.

    --
    Unknown host pong.
    1. Re:The report by new_confused_mind · · Score: 1

      Great post! LedMAO :)

  11. No Kidding! by blunte · · Score: 2, Funny

    Here I am feeling like a loser because I can't make the bug work.

    "Damnit! Even the stupid bugs and exploits don't work on this crappy machine!"

    --
    .sigs are for post^Hers.
    1. Re:No Kidding! by Mr.+Moose · · Score: 1

      Here's why: In the description it says that you should open a trusted website and opens MSDN as an example. If you don't trust Microsoft, then the site isn't trusted and the bug doesn't apply to you. Try with some Linux site instead.

  12. IE with proper security settings not affected. by bentfork · · Score: 3, Informative
    This is the same problem that is being exploited by banner ads setting cookies across domains.

    If you go to security settings in IE ( I've checked IE 6.x ) click custom level, and set "Navigate sub-frames across different domains" to prompt. You will get a nice little pop up warning.

    Now I can visit unsafe websites like microsoft.con

    1. Re:IE with proper security settings not affected. by new_confused_mind · · Score: 1

      > Now I can visit unsafe websites like microsoft.con

      Hmm, great idea for a new TLD. My Nigerian friends will love it! :)

  13. Never heard of Secunia till today. by Anonymous Coward · · Score: 1, Interesting

    Frames-based cross-browser security vulnerability, or self-promotional alarmist press release by heretofore unknown consultancy?

    1. Re:Never heard of Secunia till today. by Crudely_Indecent · · Score: 1

      Frames have their purpose. I've built sites that utilize this 'security flaw' to achieve desired results. I agree with your opinion that this is a ploy to get a new consultancy in the public eye.

      Let's see how accurate that is.....
      Record last updated 05-06-2004 01:07:26 AM
      Record expires on 08-16-2004
      Record created on 08-16-2002

      They've been around for almost 2 years...but if it's taken them this long to get in the news (even for such a trivial vulnerability as this), they're most likely trying to cash in on the attention that all of the other legitimate flaws have generated in recent weeks.

      --


      "Lame" - Galaxar
  14. Do not browse by Anonymous Coward · · Score: 0
    Note their official "advice": "Do not visit or follow links from untrusted websites."

    I can't find that anywhere on the story link (I think it's the story link). What I found says this, "Do not browse untrusted sites while browsing trusted sites." Which is very different.

  15. Untrusted sites? by jpsowin · · Score: 1

    Do not visit or follow links from untrusted websites.

    Is Slashdot considered "trusted" or "untrusted." You just never know what you are going to get when you click on some of these links.

    1. Re:Untrusted sites? by Anonymous Coward · · Score: 0


      > > Do not visit or follow links from untrusted websites.

      > Is Slashdot considered "trusted" or "untrusted."?

      Untrusted, I think.

      ;)

  16. "discovery" after fix!? by Xtifr · · Score: 1

    So, basically, they "discovered" this vulnerability after the major browser vendors had already fixed it!?! Wow, that is an amazing "discovery!" How do they do it? Y'know, next, maybe they can discover something really amazing and new, like, say, America! Or F=MA! :)

    1. Re:"discovery" after fix!? by gl4ss · · Score: 1

      basically they just wanted people to notice them by crying out wolf.

      well.. they got what they ordered all right.

      --
      world was created 5 seconds before this post as it is.
    2. Re:"discovery" after fix!? by EvanED · · Score: 1

      You know, not everyone upgrades to the latest browser version every time it's released. I'm running Mozilla 1.4 and it suits me fine. I'll probably go to Firefox when it hits 1.0. (Yes, I know it's quite nice now; I run it under FreeBSD. But psychologically I think I want to wait. :-p)

      So for people who don't feel like installing a new browser every month to stay on the bleeding edge, this is useful information so we can watch out for it.

    3. Re:"discovery" after fix!? by jesser · · Score: 2, Informative

      Several security holes have been fixed since Mozilla 1.4, including an arbitrary code execution hole. Please upgrade to Mozilla 1.7 or Firefox 0.9.

      Security holes are discovered and fixed in web browsers often. To be safe with any browser, you should upgrade when a new version is released, regardless of whether the release is accompanied by a security advisory regarding older versions.

      --
      The shareholder is always right.
    4. Re:"discovery" after fix!? by Anonymous Coward · · Score: 0

      I thought Mozilla 1.4x was the "supported" version that received security updates?

      Problem is that some Mozilla releases are buggy and/or change behavior. One shouldn't have to walk on the bleeding edge to avoid security holes. Bad news, especially for corporate installs.

    5. Re:"discovery" after fix!? by jesser · · Score: 2, Informative

      > I thought Mozilla [1.4.x] was the "supported" version that received security updates?

      It was, until Mozilla 1.7 was released. Mozilla 1.7 is the new stable branch. Don't expect more 1.4.x releases.

      --
      The shareholder is always right.
  17. a null issue by TheSHAD0W · · Score: 2, Insightful

    There really isn't much difference between a transparent frame with a Java app intercepting access to a legitimate web page, and someone's creating a mock-up of the legitimate page; either way, the only real way to tell is the URL displayed in the address bar. Any real solution for one should work for the other.

  18. Fixed in Mozilla 1.7 and Firefox 0.9 by jesser · · Score: 5, Informative

    Lorenzo Colitti and I found the same hole several weeks ago, independently of Mark Laurence. I reported it to mozilla.org on June 11 and to Microsoft and Opera on June 16. I got different results from each browser maker:

    * Mozilla (bugzilla.mozilla.org 246448): Fixed on June 14. Firefox 0.9 released with the fix June 14. Mozilla 1.7 released with the fix June 17.
    * Opera (bugs.opera.com 145283): No response.
    * Microsoft: On June 21, I received an e-mail containing the following: "... is by design. To prevent this behavior, set the 'Navigate sub-frames across different domains' zone option to Prompt or disable in the Internet zone. We are trying to get this fixed in Longhorn ... on getting this blocking on by default in XP SP2 but blocking these types of navigations is an app compatibility issue on many sites." I usually don't get any response from Microsoft when I report security holes to them; I think I only got a response this time because I used my employer's premier support contract with Microsoft.

    Another cross-browser security hole I found (bugzilla.mozilla.org 162020) got similar responses from each browser maker: fixed in Mozilla 1.7 and Firefox 0.9; no response from Opera; confusing statement from Microsoft mentioning XP SP2. 162020 is an arbitrary code execution hole.

    --
    The shareholder is always right.
    1. Re:Fixed in Mozilla 1.7 and Firefox 0.9 by jrumney · · Score: 1

      > I usually don't get any response from Microsoft when I report security holes to them

      You must be reporting them to the wrong place. Unlike other bugs I've tried to report to Microsoft and not even received an acknowledgement for, when I've reported a security-related bug, I've received a response the same day.

    2. Re:Fixed in Mozilla 1.7 and Firefox 0.9 by jesser · · Score: 2, Interesting

      When you report security bugs to Microsoft, how do you report them? My methods are in http://www.squarefree.com/archives/000374.html and a comment on the same page.

      --
      The shareholder is always right.
    3. Re:Fixed in Mozilla 1.7 and Firefox 0.9 by jrumney · · Score: 1

      The URL at the top is a wishlist, they probably never look at that, and if they do it is the wrong department. The last comment has the email address I used. They do respond quickly on that.

    4. Re:Fixed in Mozilla 1.7 and Firefox 0.9 by jesser · · Score: 1

      > The URL at the top is a wishlist, they probably never look at that, and if they do it is the wrong department.

      I think you're right. But by including a "security" checkbox on the wish form, Microsoft makes it look like they might have received your message.

      > The last comment has the email address I used. They do respond quickly on that.

      I wish it had been easier to find that address. http://www.microsoft.com/security/default.mspx doesn't have "report a vulnerability" anywhere. I found that address by reading a Microsoft blog!

      --
      The shareholder is always right.
    5. Re:Fixed in Mozilla 1.7 and Firefox 0.9 by TheLink · · Score: 1

      The best place to get a response when reporting a security bug is on Bugtraq. :).

      I've tried the "wait for vendor to fix it" method before, and the result was they fixed it in the next major release after a _long_ time, and customers who wanted the prob fixed had to pay to upgrade.

      --
  19. slashdot conspiracy by happyfrogcow · · Score: 0, Redundant

    This should be on the front page, not hidden back in developers, if only to make blind followers of $MY_ALTERNATIVE_BROWSER realize that they too are vulnerable, and not just MS.

    and now to complete the troll: Slashdot editors never argued that they were fair and just in reporting, so why should this be on the front page?


    The following browsers are not affected:
    * Mozilla Firefox 0.9 for Windows
    * Mozilla Firefox 0.9.1 for Windows
    * Mozilla 1.7 for Windows
    * Mozilla 1.7 for Linux


    interesting. what about 0.9x for Linux? it's not explicitly listed as confirmed.

    1. Re:slashdot conspiracy by mldl · · Score: 1

      Firefox on Linux is not affected, it won't be on Mac or any other platform. Why do they list Firefox 0.x as affected at the top and then list browsers not affected at the bottom where most people probably won't even get to? Shouldn't the affected browsers say something like 0.x before 0.9?

    2. Re:slashdot conspiracy by DLWormwood · · Score: 1

      > This should be on the front page, not hidden back in developers, if only to make blind followers of $MY_ALTERNATIVE_BROWSER realize that they too are vulnerable, and not just MS.

      The sectioning was probably due to my choice of wording in the headline...

      --
      Those who complain about affect & effect on /. should be disemvoweled
  20. This may be exploited and is a real threat by aWalrus · · Score: 3, Informative

    Although it's true that this is "working as designed", it does present an interesting exploit scenario. Let's assume you visit evilguy's site, supposed to be a financial portal. From there, a list of links directs you to the (framed) pages of banks where you can run your operations.

    Now, evilguy's site has javascript code running that will detect when one of the interesting frames is available (frames that contain login info). It means that you're trying to log into your account at one of the bank sites. What it does is serve you a facsimile that looks exactly like the original login screen, except this one sends the info to evilguy's site.

    When your login info is in evilguy's database, he just sends it to the bank and replaces the frame again with the content the bank returned. Voila! Successfully executed framejacking to invisibly steal your login info.

    This might be serious.

    --
    Overcaffeinated. Angry geeks.
    1. Re:This may be exploited and is a real threat by Anonymous Coward · · Score: 1, Informative

      yay man in the middle attacks! good point, poster.

    2. Re:This may be exploited and is a real threat by LincolnQ · · Score: 1

      Well, people have always been using tricks to get you to go to pages like "http://www.paypal-secure-transfer.com" and type in your password by making the page look just like PayPal's. The whole point of SSL is that the pubkey you're encrypting with is supposed to be signed by a trusted CA so that you know there ISN'T a man-in-the-middle attack.

      There's no difference between the scenario the parent describes, and somebody simply mirroring PayPal's front-end while stealing your info on the backend. If the URL doesn't say https://www.paypal.com and you don't have SSL encryption (usually with the little lock icon in the corner) then you have no business entering any info.

      To me this is nothing at all.

    3. Re:This may be exploited and is a real threat by aWalrus · · Score: 2, Interesting

      Except where you can do this with real sites, without the need to spoof a whole site. If the *real* site uses frames in the design, you can just change that frame, not the whole site. The "link list" I suggested was just to increase the likelihood that the sites in question are opened.

      --
      Overcaffeinated. Angry geeks.
    4. Re:This may be exploited and is a real threat by Anonymous Coward · · Score: 0

      there are some real world demos for internet explorer constructed, switch off any popup blocking devices to see the effects

      http://www.malware.com/punk.html
      http://www.malware.com/targutted.html

    5. Re:This may be exploited and is a real threat by BitterOak · · Score: 1
      Ah, but the key difference is that if you spoof someone else's site, you can't spoof their certificate unless you can somehow get ahold of their private key. With this frames approach, even if the user checks the certificate, it still looks good, and he may think he has a secure, encrypted connection to his bank.

      True that many users don't check certificates, and to those, this will make little difference, but some people do.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    6. Re:This may be exploited and is a real threat by Anonymous Coward · · Score: 0

      That wouldn't work as described, because JavaScript from one site cannot access another site in another frame (at least, not in IE). It can't even get the URL.

      However, there are other ways to do that sort of thing that do not require JavaScript. Such as screen scraping into ASP pages, for example. But then, that doesn't require frames, or anything suspicious going on in the client (other than a wrong URL).

  21. Summary and fix... by stienman · · Score: 1

    The report simply says that a frame is global to all browser windows, so if I open a site with a frame named "fraRightWindow" and then click on a link in another window that targets that frame name it'll change that frame even if the sites are completely unrelated.

    The obvious vulnerability is that the page exploiting this needs to know the frame name.

    If you use dynamic frame names (even just change them statically every day or every few hours) then you have little to worry about.

    Unless, of course, your particular browser's DOM allows any window to look at resources in another window. This is something I don't know about, but I suspect that's the only other way to exploit this if you don't already know the name of the frame.

    -Adam
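
The per-session frame naming suggested in the comment above, sketched as an added example (not code from the thread or from any site): a server-side helper gives each session unpredictable frame names and writes the same names into link targets. The function names, the `nav`/`content` roles and the `.html` file names are assumptions.

```javascript
// Added illustration: unpredictable, per-session frame names.
// All names here (newFrameNames, renderFrameset, renderNav, the .html files) are hypothetical.
const crypto = require('crypto');

// Map each logical frame role to a random name; 128 bits so it cannot be guessed.
function newFrameNames(roles) {
  const names = {};
  for (const role of roles) {
    names[role] = 'f' + crypto.randomBytes(16).toString('hex');
  }
  return names;
}

// Escape values placed into HTML attributes.
function attr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Frameset page for one session: the names come from the session, not from static markup.
function renderFrameset(names) {
  return [
    '<frameset cols="20%,80%">',
    `  <frame name="${attr(names.nav)}" src="nav.html">`,
    `  <frame name="${attr(names.content)}" src="welcome.html">`,
    '</frameset>',
  ].join('\n');
}

// Navigation links must target the same session-specific name.
function renderNav(names, links) {
  return links
    .map(l => `<a href="${attr(l.href)}" target="${attr(names.content)}">${attr(l.text)}</a>`)
    .join('\n');
}

// Constructed demo: two sessions get different names for the same roles.
const sessionA = newFrameNames(['nav', 'content']);
const sessionB = newFrameNames(['nav', 'content']);
console.log(renderFrameset(sessionA));
console.log(renderNav(sessionA, [{ href: 'login.html', text: 'Log in' }]));
console.log(sessionA.content !== sessionB.content); // true
```

The names have to be stored with the session so that every page the site serves to that visitor targets the same ones.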

  22. Tabbed Browsing by Anonymous Coward · · Score: 1, Informative

    I just checked - indeed - works in Netscape 7.1 and doesn't in Firefox 0.9.1. However, it doesn't work anymore in Netscape if you open the page as a tab instead of another window. Somehow tabs don't work very well with frame names, at least in Netscape.
    It's actually an implementation issue - for most browsers - letting other pages swap frames in framesets that don't belong to them. Whoever said that frames don't have owners - it's not quite true - frames are hierarchical to some degree, so it's not so difficult to figure out - see Firefox if you need a proof.

  23. Re: MOD PARENT DOWN (FRAUD ALERT) by gcaseye6677 · · Score: 1

    Like the Tripod URL wouldn't be a dead giveaway. Anyone who falls for this deserves to lose all their money.

  24. Does not work with firefox .9.1 on SPARC Solaris 8 by crotherm · · Score: 1


    The test page did push data to the opened MS window.

    Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7) Gecko/20040629 Firefox/0.9.1

    Nothing to see, move along...

    --
    "Those who make peaceful revolution impossible, make violent revolution inevitable" - JFK
  25. Re:Does not work with firefox .9.1 on SPARC Solari by crotherm · · Score: 1

    > The test page did push data to the opened MS window.

    Did NOT push data..

    --
    "Those who make peaceful revolution impossible, make violent revolution inevitable" - JFK
  26. Of concern by oldstrat · · Score: 1


    I am curious how long this problem has been around.

    I checked and duplicated the problem on Netscape 7.1 and Firefox .8
    However the problem does not exist with Netscape Communicator 4.8 and probably never has since I recall the original Netscape documentation containing information on security that frames could only be changed by frames from the same domain.

    Anyone running IE with the current help file keylogger problem is asking for worse than spoofing.

    Somebody broke something, after the version 4 browsers and the fix is not to get rid of frames, but repair the dom model in the browsers.
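
A simplified model of the two behaviours discussed in the thread, as an added example (not browser source code): a target-name lookup that searches every open window, next to one that honours a match only when the requesting document shares a domain with the frame or its frameset, which is the rule the comment above recalls from the Netscape documentation. The data layout, the `.example` hosts and the function names are assumptions.

```javascript
// Added illustration: how a browser might resolve <a target="NAME">.
// Simplified model; the window/frame layout and function names are hypothetical.

// Constructed sample state: two unrelated top-level windows.
const openWindows = [
  { id: 'w1', origin: 'https://portal.example', frames: [
      { name: 'main', origin: 'https://portal.example' } ] },
  { id: 'w2', origin: 'https://news.example', frames: [
      { name: 'menu', origin: 'https://news.example' },
      { name: 'content', origin: 'https://ads.example' } ] },
];

// Find every frame with this name, in any window.
function findFrames(windows, name) {
  const hits = [];
  for (const w of windows) {
    for (const f of w.frames) {
      if (f.name === name) hits.push({ window: w, frame: f });
    }
  }
  return hits;
}

// Global lookup: the first name match wins; sourceOrigin is deliberately ignored.
function resolveGlobal(windows, sourceOrigin, name) {
  const hit = findFrames(windows, name)[0];
  return hit ? { action: 'navigate-frame', window: hit.window.id }
             : { action: 'open-new-window' };
}

// Restricted lookup: a match counts only if the requesting document shares an
// origin with the frame's current document or with the frameset that owns it.
function resolveRestricted(windows, sourceOrigin, name) {
  const hit = findFrames(windows, name).find(h =>
    h.frame.origin === sourceOrigin || h.window.origin === sourceOrigin);
  return hit ? { action: 'navigate-frame', window: hit.window.id }
             : { action: 'open-new-window' };
}

console.log(resolveGlobal(openWindows, 'https://other.example', 'content'));
console.log(resolveRestricted(openWindows, 'https://other.example', 'content'));
console.log(resolveRestricted(openWindows, 'https://news.example', 'content'));
```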

  27. It Does not affect FireFox 0.9.1 by freakyfreak · · Score: 2, Interesting

    I just ran their test and it did not work on me. It loaded the page in a new tab instead of the MSN frame. I have Tabbed Browser Extensions installed with nearly everything set to open in a new tab.

    I'm not sure what setting it is. I've done everything but disable the extension and it still opens in a new tab instead of the frame. So looks like they did not do very extensive testing.

    I also tried it on a Windows 98 computer with a fresh install of FireFox 0.9.1 with no extensions installed and it doesn't work again. When I click on the link to open the test page it just does nothing. I tried it with the msn site opened in a new window, a new tab and a new tab in a separate window. Still nada.

    It looks like FireFox 0.9.1 is not affected. Can anyone else reproduce my results?

  28. Frames, new fangled rubbish by DrSkwid · · Score: 1

    You insensitive clods, my web browser doesn't even have tables, let alone frames.

    It was something Tom Duff wrote at Bell Labs before moving on to Pixar.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  29. Nevermind by freakyfreak · · Score: 1

    I guess I should Read the Whole Fucking Article next time. I just read down far enough to test the link. I saw at the beginning it listed FireFox 0.X....

  30. I just found another bug existing in all browsers by Stevyn · · Score: 1, Funny

    This affects all browsers I've tried it on. When you click in a "hyperlink" it brings you to a page without asking you specifically if you would like to switch pages. Things to watch out for is the mouse pointer changing to a finger. In fact, if your pointer does change to a finger, you're probably vulnerable. The most shocking aspect is even Lynx is vulnerable to this web bug.

  31. Ubiquiness? by Principal+Skinner · · Score: 1

    Gotta add that word to my dictionary!

    --
    one hundred twenty
    is just enough characters
    to write a haiku
  32. IE TROUBLES by script_scorpion · · Score: 1

    To me IE is the vulnerability.

  33. it's not just for IE by WarMonkey · · Score: 0

    It's not just for IE. I tried the posted example page just now in Firefox 0.8 and the HTML object was displayed just fine.

    --
    -- I could tell right away that she was impressed with my HUGE Slashdot Karma.
  34. Re:Ubiquiness??? -- Perfectly Cromulent ! by ericspinder · · Score: 1

    You (Principal Skinner), of all people should know that Ubiquiness is a perfectly cromulent word. Of course it is very similar in meaning to another word: 'ubiquitousness'.

    --
    The grass is only greener, if you don't take care of your own lawn.
  35. Re:Ubiquiness??? -- Perfectly Cromulent ! by Principal+Skinner · · Score: 1

    "cromulent"... there's another word I never heard before I came to Springfield.

    --
    one hundred twenty
    is just enough characters
    to write a haiku