Mozilla UI Spoofing Vulnerability
Short Circuit writes "Secunia has issued a security advisory for Mozilla and Firefox. Apparently, remote web sites can spoof the user interface using XUL. (See the Firefox proof of concept.) Of course, that won't stop me from using Firefox."
You think your Mozilla or FireFox has neat features like that?
Well my friend, my IE can beat your browser many times over!
HA!
Is this the first post, or just a spoof?
I've lost faith in Secunia, they seem to love pointing out security holes in open-source products. So I just ignore them now.
so am I really seeing slashdot, or is someone trying to spoof me, while at the same time ironically warning me about said Firefox spoofs?
Excuse me, but isn't this "vulnerability" the same thing as saying the pop-up ads that look just like IE on Windows XP are an IE/Windows XP vulnerability? This customizability (albeit automatic by the webpage) is closer to a feature than a vulnerability if you ask me.
Let the debate begin: Life would be better/worse/the same if 90% of users used HTTP clients based on Mozilla because...
According to the spoof demonstration page, this has been known for five years(!) but the bug filed has been marked "confidential". You'd think that the Mozilla team could do better than security through obscurity - that is usually a tactic reserved for "the other team"....
Spine World
Bug 22183. This is the first mention of the problem that I am aware of. It was marked confidential for five years until 7-21-2004.
Gotta love that security-by-obscurity...
What kind of blind OSS zealotry is this? If somebody said something similar of IE there would be a unanimous uproar of upbraids from the slashdot community against whoever said it.
Is it somehow tolerable for OS software to have faults, even serious ones? Security through obscurity is no security at all, as I'm sure many Firefox users will learn one day. Personally, I believe statements like that, and the people that make them, are what is holding OSS back from becoming a serious contender to the juggernauts of mocrosoft. If we continue to sit on laurels gained only through lucky ineptitude we will get precisely nowhere.
PS seems like google has started another round of gmail invites, I just got six. Logged in users tell me your funniest joke involving tux the linux penguin and the six funniest will receive an invite (use a throwaway account, I'm sure this post will be followed by cowardly un-obfuscating trolls).
Making the moon less necessary since 1998.
This is the problem: what sort of moron would let a webpage run code on his machine anyway? Disabling JavaScript will stop upwards of 70% of IE exploits too. Now all we have to do is teach clueless "web developers" about HTML, CSS and noscript tags. Yawn, welcome back to 1997.
Open Source Sushi
Mod me up if you hate the color scheme. Here's a fixed link using the "old" slashdot colors:
http://slashdot.org/article.pl?sid=04/07/31/0037210&tid=154&tid=128&tid=172
(I sound like a broken record. I know that. But if it gets said enough times perhaps someone will notice and change something.)
Firefox 0.9+ are ugly-ass. Stay in the dark ages with me! All I got was an XML Parsing Error: undefined entity.
Of course, that won't stop me from using Firefox But then how do you know you ARE using the 'proper' Firefox if the interface is spoofed ?
I use middle-click tab a lot (practically every link); the proof of concept doesn't show the tabs (still opens them though).
"Confidential" bugs in an open source project. Really?
The owls are not what they seem
Of course, that won't stop me from using Firefox.
If this was an issue with IE and not Firefox, I hope you'd still be saying the same thing?
However I suspect that you'd be denigrating IE as loudly as possible, while insisting that everyone should move immediately to Firefox.
I took that to be more funny than flamebait. Bravo other AC.
Modder must not be a true geek.
Disclaimer: I work for a company, but I don't speak for them.
Bear in mind that this spoof only looks convincing if you haven't changed your Firefox toolbar at all, i.e. you haven't switched to smaller icons or added/removed/moved buttons.
It also fails to appear properly on the Macintosh.
If someone wanted to make some kind of exploit with this, they'd want to target a specific platform and Firefox revision (e.g. 0.9 on Windows). Since Firefox is in constant development, it could well change between revisions and render these spoofs obsolete.
I don't really see this as a Firefox vulnerability. Use any browser without a popup blocker, and you'll see a lot of popup ads pretending to be legitimate OS windows and dialogs. This is really just a variation of that.
Without disabling XUL, I mean it's the equivalent of using images and text forms to spoof the IE menu bar; it just so happens that Firefox gives you tools that can be used to do a better job of it.
At any rate this can be overcome quite easily by changing the javascript prefs so that sites can't hide things like the status bar and menus.
The real problem here is not so much XUL, but Javascript!
Why does the browser even allow Javascript to create popup windows without toolbars, menu bars and status bars? This has to be one of the most annoying features of any web browser, I can't for the life of me understand why anyone would think up or need such a feature.
Without this Javascript, you couldn't turn the real menubars and toolbars off, and the problem would be much less severe since although you'd have a second set of interface controls within the browser window, the real status bar would be at the bottom, and the real menubar would be at the top.
Firefox already has a way to block JS from doing this and using several other of its most annoying features, and indeed I personally have these limits switched on already. Put about:config in the address bar, and change these entries to the following values (or look up how to make a user.js file on Google):
dom.disable_window_move_resize = true
dom.disable_window_open_feature.close = true
dom.disable_window_open_feature.directories = true
dom.disable_window_open_feature.location = true
dom.disable_window_open_feature.menubar = true
dom.disable_window_open_feature.minimizable = true
dom.disable_window_open_feature.personalbar = true
dom.disable_window_open_feature.resizable = true
dom.disable_window_open_feature.scrollbars = true
dom.disable_window_open_feature.status = true
dom.disable_window_open_feature.titlebar = true
dom.disable_window_open_feature.toolbar = true
dom.disable_window_status_change = true
Now try the example given in the summary again.
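A quick way to check that the lockdown above actually landed in a profile is to audit the prefs file rather than clicking through about:config. The script below is an added example, not code from the page or from Mozilla: it parses the `user_pref("name", value);` lines Firefox writes to prefs.js/user.js and reports which of the preferences listed above are absent or not set to true. The sample user.js embedded in it is constructed for the demonstration and deliberately applies only part of the recommended set.

```python
"""Audit a Firefox prefs.js/user.js for the window-feature lockdown.

Added example, not code from the page or from Mozilla. It parses the
user_pref("name", value); lines Firefox writes and reports which of the
hardening preferences are absent or not set to true. The sample file
below is constructed for the demonstration.
"""
import re

# The preferences the comment above recommends setting to true.
HARDENING_PREFS = (
    "dom.disable_window_move_resize",
    "dom.disable_window_open_feature.close",
    "dom.disable_window_open_feature.directories",
    "dom.disable_window_open_feature.location",
    "dom.disable_window_open_feature.menubar",
    "dom.disable_window_open_feature.minimizable",
    "dom.disable_window_open_feature.personalbar",
    "dom.disable_window_open_feature.resizable",
    "dom.disable_window_open_feature.scrollbars",
    "dom.disable_window_open_feature.status",
    "dom.disable_window_open_feature.titlebar",
    "dom.disable_window_open_feature.toolbar",
    "dom.disable_window_status_change",
)

# Matches user_pref("name", value); and pref("name", value); with a
# boolean, integer or double-quoted string value.
_PREF_LINE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);'
)


def parse_prefs(text):
    """Return a dict of preference name -> value (bool, int or str)."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines and malformed lines are skipped
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def audit_window_features(text):
    """Return the sorted list of hardening prefs that are missing or not true."""
    prefs = parse_prefs(text)
    return sorted(p for p in HARDENING_PREFS if prefs.get(p) is not True)


# Constructed sample: a user.js that only applied part of the recommended set.
SAMPLE_USER_JS = """\
// Mozilla User Preferences (constructed sample)
user_pref("dom.disable_window_move_resize", true);
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("dom.disable_window_open_feature.status", false);
user_pref("dom.disable_window_status_change", true);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    for pref in audit_window_features(SAMPLE_USER_JS):
        print("not locked down:", pref)
```

Point it at a real profile by reading prefs.js (or user.js) into `audit_window_features`; an empty result means every preference in the list is set to true, and anything it prints is a popup feature a page can still switch off.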
And not just for the bug itself (that probably will be fixed quite rapidly). There are two issues behind this.
(1) The problem was known 4 years ago, but it was marked confidential. I'm not familiar with Bugzilla, so I didn't even know there could be a "confidential" bug. This is the antithesis of Open Source philosophy. This is pure security-through-obscurity, in pure M$ style. If the bug wasn't "confidential", I'm sure we would have seen this fixed years ago.
I just hope most of the other open source/free software projects I rely on every day (Linux, KDE, Mplayer, Kile, Thunderbird, Nicotine and so on...) don't follow such a moronic habit.
(2) How can the browser load XUL code and use it without warning? This is not a bug: this looks more like IE-like flawed design. Correct design shouldn't even *read* any data of this kind, let alone run it and let it deface the browser itself!
The Mozilla family of browsers/mail clients is still a crew of wonderful programs, and I'm proud of using them. But they will rapidly become IE-like crap, if they continue this way.
-- Patent no.123456: A way to personalize
This is basically a screenshot of a toolbar at the top of the browser.. I barely think it's classed as a true exploit anyway, so the author got it wrong really..
The good thing is that I'm guessing people will fix it, but regardless, the only way to get tricked by it would be to click something on a webpage, so it's unlikely that there's an easy way to give the link to the user without them noticing it's dodgy.. Either way, it's probably something which should be fixed, but it's not something which can be fixed easily..
Either way, even if it's fixed, it's pretty trivial to make something with javascript that does exactly the same effect but does it better.. so I'm not worried at all.. Something like this can be done on any browser, so I think rat144 is using very poor judgement, and at the end, is:
-Causing people to worry about something which can be done in other ways anyway almost as well..
-Has now given a bad idea to blackhat crackers around the world, which is great, especially because there is no effective way of fixing this other than forcing a taskbar at the bottom with the effective address, which won't help everyone, and at the very least informing script kiddies of attacks like these will encourage them to attack every server..
I wonder why people like announcing problems like these without trying to implement a solution themselves, so at least they know if it's possible before causing havoc online for everyone..
I guess this is another triumph for mouse gestures.
If you try to do any gesture on that page with the "All-In-One Gestures" extension installed, a bright red bar appears at the top and grows with each gesture.
Maybe they didn't code for this, but it sure is noticeable.
and it may not even be funny anymore: Tux and his buddy
Just customize your toolbar. If you right-click on the toolbar and choose Customize, you can add/remove and move your buttons and whatnot around. If you hit a spoofed site and your buttons have been moved about, you know you're being had.
Ok guys, run with it for a while and see if someone notices. I imagine enough threads with this modded up the better chance of this color scheme going away.
the evil color scheme starts with http://it.slashdot.org...blah. just pull off the 'it.' and the color scheme switches back to normal.
Here, a nice copy-and-paste template, just populate it with the edited link like so:
Fix the Colors!
Mod me up if you hate the color scheme. Here's a fixed link using the "old" slashdot colors:
<a href=""></a>
that's it. Good luck!
(P.S. This is not for Karma. It's already excellent. I could care less. I would like to stop flinching when I bring up a page, however.)
Here is the plugin : http://www.tapouillo.com/firefox_extension/
Well, this IS a bug, and a very nasty one; as the author of that page said, everything in that page can be made to work. With some Javascript you could even identify which version of browser is running and adapt to it. I've been impressed by clicking on the padlock. I don't think web pages should ever need to load XUL; this is bad design for me. I don't get how you can say that this is not a bug, that this can be done also in IE. It's not true! Those for IE are almost all just gifs and are very easy to notice. But wait, Mozilla loading XULs via HTTP:// without even popping up an alert is a feature, IE loading ActiveX is..bad design! Why? At least ActiveX's CAN be useful! Please stay with your feet on the floor.
> Of course, that won't stop me from using Firefox.
I used to say the same about IE 2-3 months ago, you insensitive clod!
- Arwen, I'm your father, Agent Smith.
- Well, you're just Smith, but my father is Aerosmith!
now I'll go back to browsing with telnet and openssl s_client.
Well, I have to say that this exploit is particularly serious - but not the end of the world. I've every faith we'll see a fix fairly soon...
It's pretty bad because it has the end results of several techniques rolled into one handy package - URL spoofing, fake certs, browser highjacking...
Several workarounds being mentioned - using a non-standard toolbar (add at least one extra button/menu-item so you can identify a fake version...), and possibly a non-standard theme would work (though I'm not so sure about this one...)
Anyway, net result - firefox has a pretty bad security problem, with a fairly easy workaround, and no doubt a fix in the works... - how about not allowing remote sites to run XUL without first warning the user (with the option to turn this warning feature off of course - it's all about choice, right?)
Dave
The issue is that Firefox/Gecko is advertised as a way to make a popup look and act like a real app: if you don't allow scripts to remove the browser part, a XUL application wouldn't look like a real application anymore, would it?
At work, I have managed to convince my bosses to use xul/php/postgres/soap instead of java/.net for our core project partly because of that (though I don't really care about that; portability and ease of development are the main reasons I pushed xul).
If you remove that, I don't think xul really stands out as a framework; it would be too much tied to a browser.
1. I use a custom theme (Qute as it happens) with small icons
2. I've customised my toolbars to reduce them into one (plus bookmarks)
3. I have Tab Browser Extensions installed and I run in Single Window mode so all pop-up windows get opened inside my one browser window.
This is the power of Firefox!
Mr. Smoove
These funny colors at slashdot, broken IE, broken Firefox...
Bye bug-infested and eye-sore world, I'm going to live in a cave and use text-based browsers on good ol' green 300 baud terminal.
ThanNO CARRIER
- Arwen, I'm your father, Agent Smith.
- Well, you're just Smith, but my father is Aerosmith!
That's not a bug, it's a feature.
While this is a vulnerability, and XUL does make it easier, this is nothing more than a variation on a theme. The same thing can be done with gifs and javascript to suppress the menubar.
Given the way JS works, a fix is not really possible. Even if the FireFox team completely disabled XUL being downloaded, the menubar could still be imitated using other methods. This is true in IE, Mozilla, Firefox, and Opera.
Using a customized interface would make the spoofed site look incorrect, but many gullible users would still fall for it.
Pretty surprised at Mozilla for having confidential bugs - is this something old from less open days or something? The browser window must be a sandbox; there's no other way. This goes for every browser out there and most other things. Java, JavaScript and any other styling or scripting languages must be implemented in some sort of sandbox. I know people want to have pop-up windows that hide or control the interface, but there must be sacred parts (such as the address and status) that cannot be changed by anything - including extensions. No-one needs to put scrolling text in the status bar or change the reported address, and users need to check that they are where they think they are before doing anything confidential. The padlock has to be the most worrying bit, and I hope the proof-of-concept writer kept their identity, otherwise PayPal will probably go nuts on them and cite some DMCA crap or something.
This comment does not represent the views or opinions of the user.
....to make former IE users feel at home...
I switched to Linux because a friend sent me a link that infected my pc with internet explorer (all updates installed), now there is a vulnerability for Firefox that can spoof a secure website... Looks like the only alternative is Konqueror. Too bad it lacks some of the adblocking features.
user_pref("dom.disable_window_open_feature.locati
user_pref("dom.disable_window_open_feature.menuba
user_pref("dom.disable_window_open_feature.minimi
user_pref("dom.disable_window_open_feature.resiza
user_pref("dom.disable_window_open_feature.scroll
user_pref("dom.disable_window_open_feature.status
This makes all pop-ups have a full navigation bar, location bar, status bar, and forces them to be resizable and scrollable.
It may look uglier than plain-window pop-ups, but it does keep you in full control of your browser.
With these options set, the spoof pages look obviously like what they are: a fake browser within a real browser.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
is what else is marked "confidential" ?, i thought OSS was supposed to be "open", now when i read about bugs being hidden (like certain closed source companies) i have to seriously evaluate if we can trust having Mozilla on our machines anymore
if i wanted security by obscurity i would choose MSIE, makes you wonder what else is marked confidential ? backdoors ? worse exploits ?
I don't know if its good or bad, but the proof of concept crashes firefox 0.8 (under fluxbox) on OpenBSD 3.5.
Or to use PrefBar, at least.
right here
Some site authors may say "but I really want to author a popup that doesn't have all that crap etc," but I don't see how it can be that important, especially given all the consequent badness. The only case I can see for this is that sometimes you do trust the content author--that there is a notion of Mozilla as a platform for application development. And, hey, ok, code reuse is good, but using Mozilla as a platform for a company-internal application is a totally different scenario; can't we recognize that as a different scenario and give it different rules instead of using one browser to rule them all?
Now, without being able to disable the location bar, you can't spoof the location bar trivially. You could put up a second one and hope people don't notice, and yeah, some people won't. Unfortunately, as pointed out on bugzilla, there's a case that this won't stop: you create an entire faux window, one that appears to be in front of the main one, but is actually just a part of it. So in the middle of your page you have a seeming popup window with a seeming location bar with a faux address. It wouldn't be draggable outside of the client area of the main window, but some people wouldn't notice it.
It's hard to see how to defend against that, although I am a wacky retro guy who thinks all of this DHTML stuff has given content creators way more power than they really need, and there would be nothing wrong with just pushing back on the standards until things weren't spoofable. (Remember when standards meant you wrote an RFC about something you had already implemented and figured out really worked; it didn't become a standard until people had exercised it in the field? Whatever happened to that?) Or maybe Ian Hickson is right and we're all just raving paranoid nutjobs. But it seems like exactly the sort of 'power before security' attitude that's gotten MS in a lot of trouble.
An entirely different way of looking at the problem of spoofing is that we transmit our secrets "in the clear" to the remote site. (Obviously encrypted by https or whatever.) If the remote site is spoofing, they get our password (and can maybe even open a connection to paypal or whatever and pass through everything so we don't know it's been spoofed). There's no need for us to give the secret to the remote site, though; just prove that we know it. For example, the server can give us some random data, and we use a non-reversible encryption algorithm to combine the random data and the password, and return the result of that. The server can verify that it's the right result without anyone transmitting the actual password (though the server must store the actual password, and not a hash of it). If this were the technology we were using, a spoofer wouldn't be able to use the password, unless the spoofer DID open a connection to the real site first, and get the challenge; then it could pass it through, but then the spoofer would have only this one chance to make use of the spoofed data, since the next time the real site challenged, the spoofer is stuck; whereas currently a spoofer just captures the user/password combo and keeps it around for later processing. This would raise the complexity bar for making effective use of spoofing (including email phishing!), although I don't know if it's high enough. But good luck getting it into browsers AND making it impossible for spoofers to create what looks like a login prompt of this kind but actually is just a plain old plaintext submit.
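The challenge-response scheme sketched in the comment above, worked through as an added example (not code from the page): the server keeps the secret, hands out a fresh random challenge for each login, and the client returns HMAC-SHA256(secret, challenge) instead of the password. The class and function names, and the sample user, are assumptions made for the demonstration. The last function models the spoofing site the comment describes: it can relay one captured response while the challenge is still outstanding, but the same response is worthless once the real site has issued a new challenge.

```python
"""Challenge-response login as sketched in the comment above.

Added example, not code from the page. The server keeps the
password-equivalent secret (the comment's point: a stored hash alone
does not work for this scheme) and issues a fresh random challenge per
login; the client returns a keyed digest, never the password. Names and
the sample user are assumptions for the demonstration.
"""
import hashlib
import hmac
import secrets


class Server:
    def __init__(self, users):
        # username -> secret the server must hold to recompute the response
        self._users = {u: p.encode() for u, p in users.items()}
        self._pending = {}  # username -> outstanding challenge (single use)

    def challenge(self, username):
        """Issue a fresh random challenge; any earlier one is discarded."""
        nonce = secrets.token_bytes(16)
        self._pending[username] = nonce
        return nonce

    def verify(self, username, response):
        """Accept only a response to the currently outstanding challenge."""
        nonce = self._pending.pop(username, None)  # consumed whether or not it matches
        secret = self._users.get(username)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password, challenge):
    """What the browser would send: a keyed digest of the challenge."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


def login(server, username, password):
    """A normal login round trip: challenge, response, verdict."""
    nonce = server.challenge(username)
    return server.verify(username, client_response(password, nonce))


def replay_outcome(server, username, password):
    """Model the spoofing site from the comment.

    It relays the real challenge to the victim, captures the response and
    passes it through once (first verdict), then tries to reuse the same
    captured response after the real site has issued a new challenge
    (second verdict).
    """
    nonce = server.challenge(username)
    captured = client_response(password, nonce)
    relayed_now = server.verify(username, captured)
    server.challenge(username)  # next login: the real site picks a new nonce
    replayed_later = server.verify(username, captured)
    return relayed_now, replayed_later


if __name__ == "__main__":
    srv = Server({"alice": "correct horse battery staple"})  # constructed sample user
    print("login:", login(srv, "alice", "correct horse battery staple"))
    print("relay now / replay later:", replay_outcome(srv, "alice", "correct horse battery staple"))
```

The replay check is the property the comment is after: a captured response buys the attacker exactly one pass-through, not a reusable credential. The comment's closing caveat still stands, since nothing here stops a spoofed page from presenting a plain password form instead of this exchange.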
"Making the moon less necessary since 1998"
Are you claiming to be so fat, that by sprinting around the equator, you can sustain tides and stabilise the Earth's attitude?
I'm using Firefox 0.9.2 and that proof of concept proved nothing for me, all I got was a big fat error and no spoofing. Oh well, that was exciting then.
The power of accurate observation is commonly called cynicism by those who have not got it. -- G.B. Shaw
"Reported in Mozilla Firefox by:
Jérôme ATHIAS (also created a PoC)
Reported in Mozilla by:
James Ross"
Secunia just steals credit for the news from the original authors. Will you people ever stop crediting companies which are only COPY-PASTING WHAT HAPPENS ON BUGTRAQ and credit the REAL AUTHORS??
It pisses me off.
If I go visit a paypal site, in a new pop-up window, with standard icons which I certainly changed 3 years ago, and the fact that the window is not tabbed, along with the fact that none of the menubar submenus actually works, wouldn't I be like hey...wait a minute!!! It's all wrong! This is not what is supposed to be!
So who they are fooling?
We all know for whom this trick works. The people, hearing about all the FireFox buzz and fuzz recently, trying to use it and thinking about it in the way they use IE for all of their short internet life.
Not only does it not work on MAC, but also it won't work for average FireFox users.
So it also will not stop me from using my FireFox! I just report it as a bug, that's all!
OK, so Firefox lets people use XUL to make a fake menu bar. You could do it in IE using a gif image.
From the Bugzilla page:
There's nothing to stop someone from creating a chromeless popup window containing a styled edit box on top of a GIF that looks like our chrome area, so this can be done without any XUL support, in any browser.
I recommend that we make this bug public. This is clearly not going to be fixed anytime soon and it probably affects other major browsers.
Remember it only affects the kind of person who clicks on Phishing emails anyway.
foo mane padme hum
Following those instructions, the problem will be marginalized -- every attempt at a spoof will look completely bogus.
:(
I'd do the modding myself if I weren't banned from moderating
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
Use link to get the pretty green colors back.
I built this intranet system that mimics an app. Starts from IE and produces a complete GUI: pulldowns, browser window and everything. (Works in Mozilla / NS / Opera and Safari too.)
With a little effort one could make that look just like IE, No problems at all.
I Think this is an issue for all modern browsers and what kinds of functionality are set on by default.
-- forget
Reading the bug debate is rather annoying. You've got the sensible "Either fix this or make it public so someone else can" guys, and then the "No, we must come up with a perfectly-engineered 100% solution or just hide the bug forever" guys all kind of duking it out, and the "let's just hide it forever" guys finally win, because they're in charge.
And I love the "nothing to worry about here" posers like the 5-rated comment (who moderated that up to 5?) that says this is like a screenshot of a toolbar at the top of your window.
Uh, excuse me? It can turn off the existing chrome and the replacement chrome has functional menu items, toolbars, and everything. This is not a screenshot. This is actual "fool hardcore UI experts" territory. This bug should have been public years ago. The type of "Nothing to be alarmed about, let's just keep it secret" attitude displayed in the bug comments really should be reserved for Microsoft. We at least expect it of them.
fifth sigma, inc.
You think faking out users is a feature? Great.
Of course, this is a vulnerability. So what if Windows has the same problem? You want me to smile and be happy about open source after sending my money to a thief? Some consolation.
-- Slashdot: When Public Access TV Says "No"
It's a serious problem. XAML, XUL and even SVG are positioning themselves as web-delivered application delivery platforms. The idea is to provide a mechanism for web-delivered apps to NOT look like they're running in a browser; instead, permitting more integration with the desktop.
This kind of spoofing is going to become more problematic, not less.
I first thought changing themes would be sufficient to trick the "trickster", but I soon found out it called the current theme's images.
Spoof Stick is a plugin which allows you to see the real address of the website you are currently viewing.
All in all that spoof is very impressive from a web developers standpoint.
The point is: Webapps, as you already mentioned. But how should Mozilla (or FF) know it is loading a file from a server in a WAN or from a server in a LAN. The only solution would be then that Mozilla/FF asks if this site should be granted access to chrome (disabling urlbar, statusbar, etc.). Can be very annoying, if it would be only for XUL, maybe acceptable. But then for sure someone would come up with "Security Bug: Loading many XUL sites can DoS Mozilla" :-). So you can do it as you want, in some way it's always "insecure".
I've been using mozilla since 1.3.1 and have been extremely happy with the updates to the browser. I've looked at what firefox offers, and to me it seems just like mozilla without mail+ composer built in. Is that it, or is there something more firefox offers?
First of all, I'm seeing a different theme in the new browser. Second the layout is different (I have the address bar up by menubar), I don't see the padlock, and there are various other differences in the interface. Is this because this is a crappy proof of concept or is this bug just unable to correctly mimic customized features of the browser?
Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
The ability for web pages to override *any* part of the standard user interface, even if they can't then replace the UI with their own imitation, is something that I've been pissed off about for years. If you want to build an application development platform that can do anything, make it a separate program... leave me in control of the user interface of my own software.
There shouldn't be a mechanism in the HTML/script/etc to do things like pop-ups, pop-behinds, moving windows, windows without toolbars and status bars... there should be an unbreakable firewall at the edge of the document portion of the browser.
to do is do like Java with its "JAVA APPLET WINDOW" in big letters at the top of every Java popup - make it clear that the window might be spoofed if any downloaded XUL is used:
"Untrusted XUL Window" at the top should dissuade most sane people from believing it's a certificate window.
What happens when I put a hacked telnet server on port 80 and spoof your command line interface?
ssh
Lift it up high,
the machete is already sharpened;
since you are bathing anyway,
you might as well get soaked.
XUL is UI made easy. Someone can spoof an interface, so for that reason alone we should scrap this technology?? Disabling the browser from running XUL?? That's disabling web services. Warning the user?? XUL in itself is not dangerous. It just renders UI. Maybe a better solution would be to prevent websites from reading/using user prefs/skins. and btw, what do you people think XAML (MS-XUL) is all about? a browser based on XUL can be spoofed? Wait for longhorn...a whole operating system based on XAML ;-)
VStrider.
Is that I had disabled javascript from doing "everything" to windows in the javascript preferences, but lo and behold I find (from reading here) that it seems I need to also set a dozen cryptic about:config preferences. That is really lousy security, and completely misleading.
All the people saying "well, IE is just as bad" completely miss the point. CERT and the Department of Homeland Security recommend not using IE. You've got really low standards if you think being no worse than that is some kind of mitigating factor.
The "trusted" part of the browser UI should be unchangeable by the remote site, period.
Oh man, I wish I had some mod points...
Is there anyway to always have links referencing "it" changed to "shit"? I don't see any user preference...
how about: only allow sites to tweak certain UI features when they're in a list inside the browser.
unknown XUL is displayed with full chrome and an additional toolbar "disable browser UI for this site", if the XUL site gives a base URL (that matches)
the mechanism when you click could be the same as with XPIs, wait two secs, confirm - then the site is trusted, its base url ends up in the preferences and everything is good.
My Tech Posts on Twitter
The spoof does not show my tab bar, or my link bar, or the proper icons. I don't think it will fool you. Until someone writes a spoof that imports my exact settings, then displays a website with those, I'm not too worried.
There is and will continue to be a tension between the content creators and the users.
The user doesn't much care about the last couple of percent closer to their vision that the content creators get from being able to control things outside the document area of the browser. They may find this or that trick makes things a little nicer, but it's not something they'd really miss if the website author couldn't do those tricks.
The user does care about the things that malicious websites do with the same capabilities: popups, pop-behinds, bouncing windows, adware, and so on. Ask the user if they'd mind losing that last few percent if they could get rid of the crud for good, the majority would say yes.
I'm reminded of an ad that Adobe ran back in the '90s in a print magazine advertising Acrobat and promoting the PDF format. They had side-by-side pictures of an HTML page where some user had increased the font size so all the stuff the author had lined up looked strange, across from a PDF with the same content and all the text looking right purty.
What I saw, as a user, was a webpage I could read and a PDF that I had to bring right up to my eyes to make out... and my eyes were a lot better then than they are now. Oh, yes, you can zoom in on the PDF when it's on the screen but then you spend all your time scrolling around as you read... it's technically a solution to the problem but just making the font bigger than the author intended and to heck with his layout and page breaks is a BETTER one.
This ad illustrated the conflict between the author and the reader perfectly. For a web browser, where the author may actually be malicious, the reader should always win.
If the news here is about IE, the percentage ratio of negative and positive responses here would've been reversed, wouldn't it ?
This is not insightful, it's an outright lie.
"This is basically a screenshot of a toolbar at the top of the browser."
Bullshit. It's an XUL spoof of the toolbar, complete with WORKING DROPDOWNS and everything else. The whole thing works and can be programmed to do whatever the hacker wants, not limited to rewriting the location bar.
Again, NOT A SCREENSHOT. This dipshit didn't even try out the proof-of-concept...
In Firefox you right-click on the button in question (we assume the "right" way to do the exploit is to link the javacode to a buy button), e.g. (I found this buy button on the internet) on the bottom of this page there is a "buy" button, and the properties show you what it is linked to (https://www.paypal.com......). On the other hand, do the same in IE and you get ??? As I said, this is an IE bug (hehe, nice eh?).
But how should Mozilla (or FF) know it is loading a file from a server in a WAN or from a server in a LAN.
The public browser that's downloaded from mozilla.org shouldn't have these capabilities at all.
If you want to enable this kind of thing on your intranet, then your company's base install should include a copy of Firefox, Internet Explorer, and so on that's modified to allow it for your own websites. Users who want to use another browser should get a page that says "the fnord incorporated intranet site requires the standard fnordco browser. Download it from the fnordco home page or call the fnordco helpdesk."
I've installed and run Suse 7.4 (I think), Suse 8.0, Suse 8.1, Suse 8.2, Red Hat (the one with the submarine pre-release name), Slackware (don't remember the release numbers, 4.0, 7.x I think), Debian stable, Debian testing, Debian unstable, Knoppix, Mandrake 8.0, and Bonzai, and I can't figure out which Mozilla version I have on Windows 98 right now.
I went to the help -> about Mozilla, and all it does is go to a Mozilla page that says Mozilla on it. I click on that, and it goes to another page that says Mozilla 1.7
So do I have Mozilla 1.7 installed? Or is it taking me to the page of the latest release, Mozilla 1.7?
After checking a few more pages, it looks like there is a 1.7.1 release. From the above, it looks like I don't have 1.7.1, so what are the steps to upgrade? Download and reinstall a
No, I don't have the previous download file to check the version number. I normally download the file and keep it in a folder that shows the version number, but thanks to the greatness of Windows, I've had to reinstall, and lost that folder in the reinstall. I've checked all the other Mozilla pull down screens in the menu to get a version number, but I don't see anything.
OK, I've found the path to the executable, and the folder shows dates of June 16 on some files and July 8 on some sub-folders (chrome, etc.), so I'm assuming that's what I have.
how would I be able to tell what version I'm running without checking release dates as compared to what appears to be my downloaded or installed files date?
wouldn't it be better to show the version number immediately in the first window of about -> Mozilla?
what's the upgrade procedure (I'll be looking on the site now), shouldn't this be listed on the same page that shows the version number, how to upgrade at a minimum to a bug fix release (1.7.x)? Or just a link to minor upgrade instructions?
.exe and all related files and folders?
Reason I'm asking about the minor upgrade info is that I saw an article on a comparison (perhaps on Newsforge) between the difference on the Windows IE vulnerability, and the minor vulnerability that existed in Mozilla that was fixed hours later, where the journalist said he simply clicked on a link, and was patched/protected against the vulnerability. Is it this simple to upgrade a bug fix or security fix, normally a 1.7.x release, instead of a download and install (re-install?) of the entire
Reason I listed the questions the way I did is so that hopefully the Mozilla developers see the confusion I'm having, and may decide to make a change to the about Mozilla page, or how the version shows up when that option is chosen in the pull down menus.
And a big thanks to the Mozilla developers! Feature request, if it hasn't been implemented already, enable right clicking on a link, and opening in background a tab, instead of opening and going to the new tab immediately, like I can do with Konqueror by middle clicking. Unless I missed how to do this somehow already.
I have every confidence the Mozilla team will address it, but this doesn't make open source appear any better than closed source (re: Microsoft's timetable for fixing IE flaws).
I'm using Firefox 0.8 and the vuln doesn't work for me (I'm strangely sad about this).
Instead, it simply takes down my X session by making X consume all its ram.
This could be another bug in X though. Since when I load lots of images in firefox, after awhile, X consumes all available ram.
In the case of the vuln however, X rapidly starts consuming ram, but when I -9 firefox, it stops and returns back to normal.
I used to have a funny sig, but slash cut it off, and I forgot what the punchline was.
"so am I really seeing slashdot, or is someone trying to spoof me, while at the same time ironically warning me about said Firefox spoofs?"
the slashdot which removes uncertainty is not The True Slashdot.
This won't stop me from using Safari.
I hate sigs.
I'm wondering why the moz team doesn't just implement signed XUL. We love using XUL for our internal applications at our company but somehow having to sign it wouldn't be a problem.
I realize we now have dialogs that warn us about everything AND that most people just click through but having trusted XUL sites or signing it somehow would be just fine by me.
What really annoys me is that:
A) The bug was marked confidential for 5 freaking years!
B) The people saying that it isn't a big deal.
It IS a big deal or else the damn thing wouldn't have been marked confidential for 5 years. Sure it doesn't allow you to overwrite system files, but I can recover from a virus. It's harder to recover from having a bank account wiped out because you used an unprotected debit card on a spoofed website (forgetting that anyone who uses a debit card instead of a real credit card online is just asking to be screwed).
Really the best route for this is to disallow remote XUL execution by default with an option to enable it in the prefs with a list of trusted XUL sites.
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
Two penguins walked into a bar. The third one ducked.
-----------------------
What's black and white and red all over? Tux after smashing that annoying butterfly.
-----------------------
Tux had to take his car for engine repair. The mechanic told him to leave his car with him for about two hours to find out what's wrong.
So Tux went across the street to a grocery store and climbed into a freezer to eat vanilla ice cream. When the two hours were up, he went back to the garage to find out what happened to his car.
When he entered the garage, the mechanic looked at him and said, "Looks like you blew a seal."
Tux replied, "NO way, that's vanilla ice-cream!"
nospam (at) biped.us
XML is the best data format; unless your data needs to be read or written by a human or a computer.
Give me a permission to use (copyrighted) IE icons, and I'll do the same thing for IE in a day, using only DHTML and JavaScript. Same for Opera.
For ***** sake.
If Mozilla was a shell script for me and my buddies, then you can go jump. My stuff, I'll do what I like.
If Mozilla were some weirdo l33t browser for the seriously hardcore, it's a feature, caveat emptor.
But aren't we trying to get the world to switch to Mozilla? Yep. Does the world have the first clue about anything? Nope. So it's a bug. If it helps my mum get scammed cos she's not got the first clue and just clicks stuff, it's a bug.
At the very least, the hardcore should have to go find the option to hide decorations.
So far as bugs marked 'confidential'. For shame guys. For shame.
Mart
Why are you looking at me like that?
I've never heard anyone say it was MS's fault that people can make a convincing fake browser interface to fool people. Hell, all of slashdot has discussed this type of thing before, with the old ads some companies made to look like popup dialog boxes. Those fooled a lot of people, but I've never heard anyone say it was MS's fault.
But there's a very simple solution, and I can explain it in one sentence.
Never let anything, popup windows, javascript, etc., hide any part of the browser interface.
That's it. 100% solution to the "fake browser interface" problem. In fact, Firefox already has that partly covered, "Allow scripts to: [*] Hide the status bar" => "Allow scripts to: [ ] Hide the status bar". That setting should default to unchecked, and it shouldn't be user-modifiable. On my system, I immediately saw a double status-bar. But that's not enough, the menu bar and browser controls shouldn't be hidable either.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
It was pretty good, but I see 2 status bars which gives it away.
It's more than proof of concept already, to spoof a dial-up account's error message and login dialogs.
I'm using a dial-up account, which can easily be traced by the IP numbers, and I have seen a pop-under that replicated the password prompt this client has for switching screen names, while creating a situation that makes it seem a connection is lost.
Here is the social engineering behind the phish, and why it nearly worked. On an older OS, I had probably fifty windows open, using a non-tabbing browser from Redmond. I hit a site that hangs my connection waiting for content to fill the page to the point where I cannot navigate further, so I start closing windows, thinking I have hit a memory wall. By the time I have closed all the browser windows, I find a dialog that appears to suggest what I suspect already, that I have lost my dial-up connection. But, rather than just saying that, it asks me to log on again, with password. In this particular situation, with my attention diverted, I almost fell for it, and whoever wrote that pop-up could have phished my login info for that account and all it leads to, financial information, etcetera.
If I had quit MSIE altogether rather than trying to free up memory, I would not have seen the dialog, but I did, and it almost worked, because of the situation.
Popups - This is Mozilla/Firefox!!! They should open another tab! That is, if they are enabled at all.
Popunders - see popups.
Moving windows - If you can't do it in a tab, it don't get done.
Windows without tool/status bars - NOTHING should be able to touch my toolbar. EVERYTHING a website shows should be in the content part of the tab.
You are completely correct about the demarcation between the browser and the document.
Is there any reason to not have that demarcation?
What is black and white, black and white, black and white?
Tux the penguin, rolling down a hill.
What is black and white and laughing?
The penguin that pushed him.
I'm a huge fan of OSS. That said, I must point out that that sort of reasoning is stupid. When Microsoft simply says, "Only browse sites you know are safe," (which someone at MS said once... ridiculous! I will not tolerate that from anyone, OSS or otherwise!) OSS supporters get up in arms. And for good reason! The web should be safe. Networking in general should be safe. Nothing you don't want to allow to get in should ever get in.
BTW, I explained a very simple solution to these sort of browser interface spoofing problems somewhere above, for all browsers.
I'd also like to point out, as I'm using Galeon, I'm not vulnerable to these problems ;p Haha, so I am invincible... INVINCIBLE!! Hehe, j/k :)
Cheers!
Sticking feathers up your butt does not make you a chicken - Tyler Durden
The spoof is not perfect (but it would generally be effective) on OSX: I have the normal Mac menubar at the top of the screen, and a second one (without menus) at the top of the Firefox window.
Good suggestion.
Also, Internet Explorer with Windows XP SP2 will prevent websites from creating pop-up windows without a status bar, or with the status bar positioned off screen. Microsoft has recognized that the status bar should always be visible, I think the Mozilla/Firefox team should follow suit.
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx#XSLTsection137121120120
What am I missing when I don't understand why this problem is specific to XUL in Mozilla?
For me, I look at the track record of a browser. Mozilla has a pretty good track record. They're probably going to have a lot more vulnerabilities down the road, but I trust that their devs will do a good job in fixing the major ones. Note that I do not believe this bug to be "major" in any sense of the word; and BTW, it is not specific to mozilla.
Also, their browser is sweet. And it's (IMO) the best available on linux. So I use it.
I mean, I could use IE under wine... but what's the point?
...reload the page before filling any confidential data just for the hell of it... the spoofed one won't refresh
This is pretty off-topic, but does anybody here know the name of the window manager theme this guy Jeff uses in his screenshot? I really like the look of it.
--Though, it can only really work if you're seriously snoozing while browsing; too many weird little quirks being off-kilter. (Pays to keep alert for those 'second cats' walking by!) --For instance. . . The first thing of several which went out the window immediately upon configuring my browser was that annoying, 'Google bar'. --My open source browser will not pay homage to a corporation which is selling IPO shares for over $100 each, and which has the power to destroy the world upon reaching step '2'. (That's what those question marks obscure in most cases, btw. --When everybody is dead, you get to keep all the money. Think about it! "Collect ten thousand computers and all the web addresses in existence," is hardly any less animated than, "Collect all the underpants.")
Funny thing is I just switched from Firebird, like two days ago, so as to play with the new toys. (Ted Mielczarek, who wrote, "Nuke Anything," emailed me about his latest update. Now you can wipe whole selections. Excel-lent!)
Anyway. . . I expect that when Firefox 1.0 finally arrives, this sort of silliness will be null and void. But until then, spoofed browser fronts are the sort of thing which makes being a computer geek fun and interesting!
--Until, that is, the five-hundredth attempt sneaks past your radar and makes your life hell; "Can I change all my passwords before the evil hacker destroys me? Damn! He's almost certainly written a script which does it automatically! Argh! Shoot me now! Note to self; YOU ARE AN IDIOT. STOP. YOU ARE TOO STUPID TO LIVE. STOP. YOUR LEFT MOUSE BUTTON PRIVILEGES HAVE BEEN REVOKED FOREVER. FULL STOP."
-FL
You realize, if your family has keystroke loggers on their system and they ever email you or communicate about you online, someone will be collecting information about you. At one point enough information can be gathered to "socially engineer" you into giving some more information.
Viola. To quote all the kiddies out there, "pWn3d"
It seems to work fine for blocking pop-ups.
At the risk of losing MASSIVE Karma points, I can't, in good conscience, fail to note that all of these claims that IE is vulnerable to this same type of spoofing are FALSE. You cannot create a fake browser window of ANY size or shape in IE with the same theme the user is employing for his or her desktop. This information is simply NOT available to IE's DHTML implementation. You can fool a retard with a borderless fake window, but you'll never guess my lime green ugly-ass color scheme is in place, and I **will** notice the rogue window.
:-)
This is why the Mozilla vulnerability is so serious. You could fool even very experienced users. Like sysadmins who log in as root.
>using Mozilla as a platform for a company-internal application is a totally different scenario; can't we recognize that as a different scenario and give it different rules instead of using one browser to rule them all?
Good insight, but thinking that way flies you close to the gravitational pull of the idea of "security zones". Maybe it's possible to do that right but the record isn't encouraging.
>There's no need for us to give the secret to the remote site, though; just prove that we know it.
Amen! You're also right about the limitations:
>making it impossible for spoofers to create what looks like a login prompt of this kind but actually is just a plain old plaintext submit.
The security world calls this the "trusted path" problem. Microsoft's much-ridiculed Ctrl-Alt-Del to log in is an attempt at solving this issue.
Thanks to the shoddy implementation of XUL in the most recent release of Mozilla/Firefox, we OS X users have nothing to fear. Try it on a Mac and you will notice that the menu bar does not appear at all, let alone correctly.
This is not entirely a Mozilla-only problem. With enough knowledge of DHTML one can easily do the same thing in IE, and potentially other browsers on Windows. As a matter of fact IE may be even easier to spoof because there would be no need to know what theme a user is using (at least on a pre-XP OS). Also, unlike Mozilla, IE will allow you to execute harmful code without any notification to the user.
In any case this could probably be easily solved by having Mozilla give some sort of notification when XUL is loaded.
First they should put some sort of permanent "chrome" warning on the window...perhaps use a colored border...green for the base window, and yellow, orange, red, blue...to denote whether you are at the same page, domain, local site, or redirected to somewhere else entirely. Also, there should be the fully-qualified ACTUAL unclipped URL at the top or bottom of the window of ALL chromeless windows...that would also help prevent spoofing.
Safari just gives a blank window and downloads the .xul file.
Take a piece of paper and put two columns on it.
On one column list all the IE exploits in the other list all the mozilla exploits.
Choose whichever one has the least.
evil is as evil does
Obviously, the spoof page is using chrome-type URLs to load your current theme. Contrary to some posts above, you can use a non-default theme and verify this; alternatively, you can still view the source.
Is the solution really any harder than restricting the use of chrome URLs? If not, why are people suggesting convoluted JavaScript restrictions that still only allow a trained eye to spot the difference?
I do have mod points to burn, but I'd rather ask a question that seems worth asking but that has not been addressed in the discussion. Besides, the intent of the question is to establish why we're all proposing to fix the symptoms of the problem, rather than its cause.
Attack its weak point for massive damage!
Ka-Ping Yee from Berkeley wrote some papers about Secure Interaction Design. Worth reading, especially for UI/security developers.
From the page:
"Criticizing bad user interfaces is easy. Designing good ones is tough. The paper tries to give some new ideas on how to think about secure interaction design and some positive design suggestions, not just criticism."
http://www.sims.berkeley.edu/~ping/sid/
I am still using good old Firebird tech. It's proven with time :) (since 1999)
You can't handle the truth.
Tux the Linux penguin is driving through Arizona (on vacation from the South Pole) when he notices that the oil-pressure light is on. He gets out to look and sees oil dripping out of the motor. He drives to the nearest town and stops at the first gas station. After dropping the car off, Tux goes for a walk around town. He sees an ice-cream shop and, being a penguin in Arizona, decides that something cold would really hit the spot. He gets a big bowl of vanilla ice cream and sits down to eat. Having no hands, he makes a real mess trying to eat with his little flippers. After finishing his ice cream, he goes back to the gas station and asks the mechanic if he's found the problem. The mechanic looks up and says, "It looks like you just blew a seal." "No, no," the penguin replies, "It's just ice cream." pleasebanme at q3arena dotcom please :)
Blind fanboyism at its worst
we are superior because we respond to these kinds of issues a lot faster than MS does. if IE and firefox were two species of squirrel, firefox would be the one to develop the fire spear first and use it to defend itself against evil hax0r monkeys.
no such thing as complex applications without room for errors.
The menu bar is fairly intrusive--but wouldn't it be a fair compromise to mandate the status bar's appearance? Or maybe even just a single icon that signifies hidden statusbar/menubar?
"As a side point, I think the actual vulnerability is the fact that XUL can be effectively imported and utilised from a website, rather than a vulnerability saying "you can spoof the xyz browser using http user-agent flags and jpeg images" as a bad example :)"
It's a catch-22. Everyone here has heard of Rich Browser Clients i.e. Flex. Well to make them possible, you have to be able to retrieve the interface and behaviour remotely. Now how do you keep the bad guys out of a good idea?
While most normal people would ignore something as insulting as that, I see that you have moderated your flamebait up, so I'll bite your troll.
As someone who's seen an auto-root jump out of Outlook and completely co-opt a well kept Fortune 100 company machine, I can say that neither the user nor administrators are to blame for rampant M$ exploits. The problems are poor OS design and idiotic application design, and the problems still exist. Programs can hide from M$'s kernel. The file system does not have execute and user permissions built in and enforced by the kernel. The programs, such as IE and Outlook, will execute local code on remote demand as root. Email that plays wav files is just one example. The result is the perpetual root of the week being forever fought by anti-virus companies and others.
The design of Linux itself goes a long way toward fighting malware of the type you complain about. This exploit, while serious, won't allow a non root user to install software and malware hits a dead end right there. As the author of the article points out, the spoofer does not know what UI you have and Firefox gives you different preferences even in the M$ monoculture. Such an attack is obvious to someone who runs KDE in a different window manager. A far more dangerous exploit is to forge the "this application requires root password" dialog. In a corporate environment, this is a non issue because the user won't know that password and users in a well configured environment won't have to enter their passwords more than once a day. They will recognize the dialog as bogus.
Nice try at a defense of an obviously defenseless browser. A few clueless market droids will shake their heads and congratulate themselves on their continued use of IE and all the effort and money spent after it. "IE, the worst your money can buy."
Friends don't help friends install M$ junk.
What it does is mimic the interface of an UNMODIFIED Firefox. Install ANY extension that changes the menubar or toolbar and you'll notice all that gone in the new window.
Heck, you don't even need to install any extensions...just customize your toolbar a little...place ANY icon after the help menu and try the proof of concept...it doesn't work - the difference is too obvious.
Neat trick, definitely, but I don't see it as much more.
Find a job you like and you will never work a day in your life.
I just had to kill X - it took over all my system resources - it was trying to do something but it didn't work. It tried to open up a full-screen window, but it was obvious that something unusual was going on.
I call that a "weird" website or webpage or something. Going to have to do a little better to try to convince me that nothing unusual is going on.
WTF?
That is the most impressive browser hack I have ever seen!
Now, you can't believe anything you see!
IE, can you ever forgive me and take me back, please?
This is kinda interesting, but I clicked on one of the links and it's missing two things. First is the tab bar, which for some reason I like having all the time. Second is the quick links. I don't know if this XUL page can actually bring up my quick launch. It also had that little activity icon in it, which I removed. I think all I'm saying is that it isn't a perfect exploit, it can be seen through with a discerning eye. It would be a danger though to people who either a: don't change the settings or b: don't look at their browser controls very much. I imagine the solution is just gonna be some popup box, "are you sure you want to run this xul content?" I don't know, but this is kinda interesting.
Too bad it doesn't work with my Firefox. I've got popups forced to tabs and it looks kinda funny: whole browser window, inside tab's render area. I don't know anyone who would fall for this.
Robert
Bastard Operator From 193.219.28.162
"Viola"?
At least that's a step above "Wallah". I'll give you credit for at least getting the first letter right.
Agreed. The browser has no business running nonstandard external file formats. Whoever put in this backdoor should be found from the CVS comments and should lose the ability to put code into Mozilla. They're a security risk.
Wouldn't it be more honest to say 'Solution: None'?
-- Ed Avis ed@membled.com
There'd better be a patch for this soon.
Make me a friend and I'll mod you up
XUL makes these browsers unusably slow on older machines. I have to use Netscape 4.8 (which has its own issues, but speed certainly isn't one of them - it doesn't take 5-10 seconds to open a new window) in order to get acceptable response on my old 450 MHz desktop (which is, I might add, perfectly fine using ANY other application, including Windows 2000, IE, Apache, MySQL, Word and so on).
I really think (as others have also mentioned) there is a lot of blinkered thinking when it comes to Open Source software, to the extent that people are starting to blindly ignore the flaws - these same flaws in Microsoft apps would be pilloried mercilessly, but here you see all kinds of "yeah, but" comments. I am not putting down OSS, but the XUL thing was a classic example of developers going away to make a browser, and coming back with a bloated, swiss-army-knife, can-customize-up-the-wazoo Internet Platform. I don't particularly care about changing the "skin" on my browser - all I want is a small, fast application that adheres to standards and is preferably cross platform. They could have gotten the cross-platform part by using something like wxWidgets. I thought Firefox was supposed to be smaller and faster, but unfortunately XUL still seems to be at its core. And for those who say "Well, why don't you go away and make your own browser" - I have other projects I am working on and don't have the time.
And to all those people who say that I should just get a new computer - well, tell that to all the schools out there who have old computers donated for teaching the kids. Anyway, Why should I have to upgrade because of one application - a BROWSER of all things? Just a classic case of developers going over the top to prove to everybody just how smart they are and how generalized their code is. And what do you know, now we find out that there seems to be a darker side to all this customizable GUI code. Oh well...
BTW, I don't hate Mozilla. This is a criticism of one aspect of the project that I think just went severely off-track with featuritis. The project is very worthy effort and I applaud the people who are making it, but these are just my honest thoughts on the matter.
I can't stress this enough. I don't care how much it hurts the "aesthetics" of the site. Refresh, stop, etc. should be on all windows. I do a lot of right-click context web searches with FF and if it's a JS-produced 'pop-up window' I can't see the results. Yes, I know the work-around, but that's not the point. The point is the web depends on a nav bar and a URL box telling you where you are.
I would be all for FF making the nav bar permanent on all windows for the sake of usability and to stop spoofing. There are other ways to spoof like this, so in the end this is a JS implementation problem (like the parent claims) and not really an FF/XUL issue. I mean, the FF people can fix the XUL loading, but that just leaves me with 5 other ways to fool you into giving me your paypal password.
JavaScripts? JavaScripts? We don't need no stinkin' JavaScripts!
That didn't prevent the statusbar hack, but it made everything else *really* obvious.
Have a look at about:config. There's a lot of useful stuff in there.
What is to prevent me from using PNG's to spoof an interface?
After all how many people change the theme when they install it?
I think that there are times when you want to remove parts of the UI via scripting, but I think that there should always be certain parts which should move.
For example, if you install prefbar, it is not hidden by javascript, and so it will suddenly appear *above* anything in the content window. The status bar is another example of something that, if it is not modifiable, would be hard to spoof. Of course, with the main browser suite this is hard because the attacker would not necessarily know which components were installed, making a purely graphical attack unreliable.
Calling chrome components does allow this to be more easily exploited and it should be avoided.
The simple fix would also involve in my opinion, preventing content from calling Chrome documents.
LedgerSMB: Open source Accounting/ERP
When I attempt to view the spoof, I get:
XML Parsing Error: undefined entity
Location: http://www.nd.edu/~jsmith30/xul/test/browser.xul
Line Number 233, Column 35:<key id="key_newMessage" key="&sendMessage.commandkey;" command="Browser:NewMessage" modifiers="accel"/>
I'm running firefox 0.9.2, and it *does* remove the UI elements, but the spoofed UI fails to load.
Oh, that's good. The slashdot code thinks my post is lame because of "junk characters" when I leave the error position indicator in.
Exactly, now shut up and make one for Christ's sake!
I've always known Mozilla to be less than the perfection that Slashdotters have paraded it around as. Now that all these security vulnerabilities are being discovered...well, nothing's changed for me because I use Opera.
No pointless XUL, no reimplemented widgets, no cute little XPI spoofs. Just a native web browser that is the fastest and leanest out there.
It's interesting to watch the conflicts of posters today. On one hand, they want to keep using Firefox and supporting it. On the other hand, they know that if this was an IE vulnerability, they'd be all over it and crying out about "why would anybody still be using IE, especially if this was known for five years!!"
Just an amusing illustration of double-standards on some people's parts. Not everyone...just the hardcore zealots who like to post here. This trend of Mozilla holes is a nice way for them to gain a little perspective on the matter.
Now, imagine if Mozilla had IE's marketshare right now! These holes would be blown apart by hackers, and I imagine dozens more would be discovered. Already, the trend is rising.
To wit, those 'extras': built-in popup blocking; built-in google search; being free and Free; Extensions; Tabbed Browsing; about:config.
And how about not having to deal with bloat if you want to avoid it? You can keep FF very trim, and still take maximum advantage of its best features. Try that with IE.
Self-referential sigs are rarely entertaining.
Look at the justifications. "This isn't really a Firefox vulnerability."
IE allowing random ActiveX to execute is considered a vulnerability, but Firefox executing random XUL isn't?
I think this recognition that Mozilla/Firefox is far from perfect is LONG overdue. Too bad it required a security exploit to do it. But so many people lack perspective around here, it's amazing.
Security by obscurity is almost always a bad idea for lots of reasons. This is just one more bit of evidence to that effect - that bugs kept in the shadows may be less likely to be fixed.
I'm running Firefox 9.2, and nothing happens. Guess I was smart in limiting what permissions Javascript has. Why exactly would you let Javascript do all the things it can do, when you have the option to disable the most pesky ones in Firefox? All I'm saying is, people are making a bigger deal out of this than it really is. Just make all releases have minimal Javascript settings by default, and then make the user activate the more spoofable settings (alter window size, hide status bar).
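The "Allow scripts to: Hide the status bar" setting mentioned earlier and the "minimal Javascript settings" this poster asks for are ordinary Firefox preferences. The script below is an added example, not code from this thread or from Mozilla: it parses a prefs.js/user.js file, reports which chrome-hiding capabilities are still granted to scripts, and emits a hardened user.js. The pref names are real Firefox prefs; the sample prefs file and the assumption that an unset pref means "allowed" (the default in Firefox of that era) are this example's own.

```python
"""Audit a Firefox prefs.js/user.js for settings that let web content hide or
move browser chrome, and emit a hardened user.js.  Added example, not code
from the thread or from Mozilla; the sample prefs file is constructed."""
import re

# Firefox preferences behind the "Allow scripts to ..." checkboxes.  A value
# of True means the browser IGNORES the script's request, so the chrome stays.
# The pref names are real; the capability text is this example's own wording.
CHROME_PREFS = {
    "dom.disable_window_open_feature.status":   "hide the status bar",
    "dom.disable_window_open_feature.menubar":  "hide the menu bar",
    "dom.disable_window_open_feature.toolbar":  "hide the navigation toolbar",
    "dom.disable_window_open_feature.location": "hide the location (URL) bar",
    "dom.disable_window_move_resize":           "move or resize windows",
    "dom.disable_window_flip":                  "raise or lower windows",
}

# Matches: user_pref("name", value);   or   pref("name", value);
_PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every pref(...)/user_pref(...) line in text.
    Values become bool/int/str; comment and malformed lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave anything exotic as the literal text
        prefs[name] = value
    return prefs


def audit_chrome_prefs(prefs):
    """List (pref, state, capability) for every capability scripts still have.
    Assumption (this example's): an unset pref means the script is allowed,
    as in Firefox 0.9/1.0 defaults, so 'unset' is reported alongside 'false'."""
    findings = []
    for name, capability in CHROME_PREFS.items():
        value = prefs.get(name)
        if value is not True:
            state = "unset" if value is None else "false"
            findings.append((name, state, capability))
    return findings


def hardened_prefs_js():
    """user.js lines that deny every capability in CHROME_PREFS."""
    return "\n".join(f'user_pref("{name}", true);' for name in CHROME_PREFS)


# Constructed sample profile: status bar protected, move/resize explicitly
# allowed, the remaining chrome prefs left at their (permissive) defaults.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences (constructed sample, not a real profile)
user_pref("browser.startup.homepage", "about:blank");
user_pref("dom.disable_window_open_feature.status", true);
user_pref("dom.disable_window_move_resize", false);
user_pref("privacy.popups.firstTime", false);
"""

if __name__ == "__main__":
    for name, state, cap in audit_chrome_prefs(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"{name} is {state}: scripts may still {cap}")
    print("\nHardened user.js:\n" + hardened_prefs_js())
```

Run it against a real profile by reading that profile's prefs.js into parse_prefs; a newer Firefox already ships most of these prefs as true, so the audit will be quieter there.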
While I agree that some of these elements have been wildly abused, there are instances in web-based app design where pop-ups facilitate a useful interface design, get around browser limitations with CSS/DHTML and can even limit the amount of requests to the server.
Suggesting that it be made a separate program is great when you're working in a closed environment.
Saying that scripting should not be able to do a pop-up or create windows without toolbars and/or status bars is silly and single-minded.
This is just bad design, this shouldn't even be a question, most regular users won't have any idea what in the world you are talking about if you popup a warning dialog explaining what this is doing. It just makes no sense to allow a remote site to spoof a window like this, that's why early java applets waaaaaay before had a "warning" color coded message at the bottom (and still do).
After we've had that for so long, it's amazing that it wasn't considered for XUL.
- sigs are for wimps.
This is why I think XUL is a bad idea. It's adding too much power to an inherently insecure environment. If it's not done right, you get problems like this. Please, stop trying to make web browser anything more than a web browser. If you screw up, and being human you will screw up, it causes damage. It's better to leave the web browser as a web browser and something that's better to not put any trust in.
The problem where applications that use the Microsoft HTML control or Apple's Webkit and LaunchServices to handle protocols and file types that aren't known to them... that's a whole different problem.
We're talking about allowing scripts to open webpages with minimal decoration so they can be made to look like application windows.
Okay, so somebody essentially builds a Javascript replica of the Firefox browser which activates as a popup when somebody clicks on a link. For this, the Mozilla folks are being raked over the coals. This is like saying a bank vault is insecure because it can be breached with explosives. Any browser could be spoofed this way and this has been going on with IE for a long time ("Your computer is infected with spyware, click OK to install more spyware^W^Wour software.")
Granted, I'd like to see it more secure by default , e.g., it doesn't install software by default, Javascript disabled, etc. This also isn't uniquely a Mozilla problem as the first versions of Red Hat shipped with telnet and rlogin ports open by default. It all goes back to the age old debate about security versus functionality.
As others have mentioned, you can change the Javascript behaviour to ensure that all new windows will always retain their title and control bars. Consequently it is a matter of configuring your browser properly.
The FF team made an admirable effort to come up with a default configuration in prefs.js that mostly works, and adding a few lines to it is a matter of conscientious system administration.
My son told me he did a screen capture on the computer of his comp sci teacher, then installed it as a background and had the poor guy futz around for a long time trying to figure out why all his icons and taskbar were dead. We cannot honestly say that such an exploit is a bug in Windows now, can we?
Oh well, what the hell...
Time to switch to Opera 'til the FAT LADY sings.
No matter how much we beef up Firefox's impressive security, we can't do a thing to protect it from idiotic users who click first and ask questions later. Nothing can protect idiots from themselves. As for Mozilla ignoring the bug, they might've thought it could've been something webmasters could do to enhance their pages. Now that people are taking advantage of it, they announced it as a bug. For example, if you made a browser, you might want to allow Javascript to change the background of the UI. Except that nobody decent does it, and those who do cover the UI in pornography and/or ads. So you plug the hole.
I think with the current state of affairs, even if IE does some miracle by fixing all bugs, past, present and future, even then it might not get over its tarnished image with customers.
What do you think?
They have to change the name of IE to something new, to regain their lost respect.
With the name IE, I think it's all over!
BTW, wasn't Firefox a name change?
Why does yahoo do this
No bugs for Mozilla / Firefox? MY ASS!!!
I got an XML parsing error when I tried to see the proof of concept (both of them). I'm using Firefox 0.8 on Mac OS 10.3.4. Has anyone seen this vulnerability exploited on 0.9 versions of Firefox?
Don't see what the big deal about it is. Its just a link to paypal. Yeah, I checked the ssl cert. This reminds me I need to login in to check on a purchase. ;)
The line of reasoning is a software-attribute-specific application and has little or no known real-life (or human social) aspect that mirrors my statement, except for maybe Monte Carlo (gambling).
The grid axes are: Past (X) and Future (Y). I'll demonstrate that X is independent of Y, hence my original posting.
One can have a perfectly good piece of usable software with no known past or future bug. Quite an achievement that OSS hopes to demonstrate (and I truly do hope so). DJB-DNS is a potential contender for this category.
Others can have a perfectly good piece of software with lots of hidden/undiscovered (future) bugs. I'd say WordPerfect and Lotus 1-2-3 are among them. (Don't ask how I know this.)
3rd combination: Software that has an intensive buggy history but performs admirably would be BIND and DHCPD. I'd like to say sendmail, but GOSH, that M4 rule syntax processing looks error-prone.
Worst combination: Lots of reported bugs, and lots of future bugs. Netscape! Surprised? Don't be. It hasn't reached critical mass level yet (and probably won't).
Yeah, turning on javascript worked. It should be listed on the page, to help others out; after all, the advisories say to turn javascript off. (I always keep it off anyway, and it's easier with Konqueror. With Mozilla, I have to go into the options, find the right menu, then turn it on, and every tab is activated with javascript; while with Konqueror it's much simpler. It's not in front of me right now, but I think it is Tools, plus one sub-menu, click, and javascript is on or off, and only for the one tab.)
ok, to move from 1.7, to 1.7.1, I haven't checked the site yet, and just in case it doesn't clearly say, what should I do (if you know, otherwise don't waste time looking for me, I'll find it later) should I download the full version and replace the whole thing with 1.7.1, like I did when I went from 1.5 to 1.7? Or is there a simpler and smaller patch to go from 1.7 to 1.7.1 on Windows?
Thanks again for the javascript tip.
I think we all deserve a public apology from the Mozilla Organization for their betrayal of open source principles in the "confidential" bug classification. Whoever thought that this would be acceptable needs to get a clue.
This doesn't work for me. I see the new buttons and all, but they are below the normal ones. Who would be fooled by this? And that's ignoring the whole, all extensions disappear thingy.
Not a sentence!
This release, along with the SSL certificate spoof reported here (proof of concept here), does not make my favorite browser look good :(
[alk]
For this spoof to have maximal effect, you must have the following settings at their default, out-of-the-box state:
* Web Features | Advanced | Allow Javascript to hide the status bar
* Default selection of toolbars and toolbar buttons
* No particularly bizarre browser extensions installed
* Javascript should be enabled.
As you can see, you have to be browsing with very open settings to be affected. What Firefox users browse with javascript enabled? At the very least, the Slashdot crowd has been lastmeasured enough to know better. "No particularly bizarre browser extensions"... again, not likely with Firefox users, extensions of all sort are the norm. And on top of all that, it only works on versions 0.9 and up, the bugged releases that sent me, if not many others, back to 0.8.
http://persianews.on.nimp.org/?u=Tar_Baby
Also, let's not alarm the public by warning them of security holes.
So what if some people get ripped off when they otherwise might have stopped using online transactions had the problem been exposed to the general public?
We don't want them panicing, so it's better not to tell them.
It's too bad that Rat has publicized the issue, because no con-artist would have been able to come up with this exploit on his/her own.
So we can do neat things like chop the stupid slashdot theme prefix, or attempt to googlify links to news sites to avoid registration :)
Where are all the Microsoft apologists? I've noticed a few, but I thought there'd be more with such a HUGE story as this.
I still have lots of faith in Firefox. It hasn't let me down yet, and even when there are errors/security issues I actually feel like the Mozilla team is fixing them for your and my sake instead of to maintain an image.
There's something to be said for intentions.
Gmail supports Safari now.
Are you always so demanding of software before it's released to the general public?
This is what happens when more people start using software. It becomes popular, and thus becomes more of a target.
This is why I've personally not been a strong proponent for Linux adoption amongst the commoners. They'll just fuck it up for everyone else.
What does this mean for mozilla advocates? I've been trying to convince the head of information security to use mozilla instead of internet explorer, but then this and the previous mozilla exploit were released. It is disappointing, but then I hear that this vulnerability has been around for five years and the previous vulnerability was known for about two years. Features for mozilla are great, but shouldn't the developers be spending sometime solving these potential vulnerabilities? It would be easier for mozilla advocates if we could say that "mozilla is rock solid and secure" and have faith when we say it. Mozilla is way ahead of internet explorer on following W3C web standards and features that make surfing easier. It is time to look at all of those bugs in bugzilla and check them for potenial vulnerabilities.
BTW, as an after thought...
Dear Mozilla developers,
You did a great job on the browser and I love using it. I enjoy advocating its usage to others.
Andrew
Why did I lurk so long before registering for a Slashdot account? I could have had a Slashdot ID of less than 100000.
Make XUL/XBL web pages ask for
"security prompt alert",
when visiting such pages.
Such that at least people could know.
Now if someone click "ignore all",
that's another problem.
If you bothered to read the f*ing comments, you would have noticed that in fact there is no single Slashdot-hive-mind collective viewpoint. In the comments there has been an active discussion of whether this really is a vuln., and a large percent are actually agreeing with your position.
I wish there was a 'Making Dumb Generalizations About Slashdot' downmod. You so deserve it.
Hyperbole is the worst thing ever.
Actually improvements have been made to the XPI system in Firefox 0.9+ nightly builds.
Some of them that I can remember on top of my head are:
- Whitelisting, by default update.mozilla.org is added
- Disabled XPI install on page load
pwned!
Shooting from the hip has costly implications. So, shame on me...
Thank you... "insignificant indication" might be what I was shooting for.
Well known fact, which is why most people are intelligent enough to copy and paste the URL and go from there.
Need step-by-step instructions?
1. I do mean Netscape... as I contribute to Mozilla network protocol coding used by Firefox, Galeon, and a few other Gecko-using browsers. Netscape recent and upcoming releases are a disaster waiting to happen.
2. Ok, it is obvious that the past vector has been established. Poor programmer, buggy code... vice versa. Same point for demonstrating that vector X is independent of vector Y. No direct correlation of past bugginess to future bugginess. Just trending data showing that it is likely probable.
3. You say DJB-DNS is "not likely" to have many bugs. You're still using past trending data as a form of future projection. Still like the stock market, it is not a foolproof method. Arguably, DJB-DNS is probably the most perfect code I have inspected in a while. Since I have made this inspection, I can state with high certainty that his code will have an extremely low probability of being buggy.
Again, we cannot predict the future bugginess unless QA examines the code. And you are right, it all boils down to "crack programmer."
Now, if we can get a team of "crack programmers" not only writing good code but working as a team, we'd have a killer app!
Except he didn't provide a URL, but liked using a href...
Right Click > Copy Link Location
(or Copy Shortcut, in IE)
To quoth the smartass, "pwned!"
That obviously entails copying the link location, which is not necessarily a URL, which is what you said first.
Now you're just a flip-flopping waffler.