Slashdot Mirror


Mozilla UI Spoofing Vulnerability

Short Circuit writes "Secunia has issued a security advisory for Mozilla and Firefox. Apparently, remote web sites can spoof the user interface using XUL. (See the Firefox proof of concept.) Of course, that won't stop me from using Firefox."

6 of 583 comments

  1. Re:This is nothing... by ceejayoz · · Score: 5, Informative
  2. Bear in mind... by Aluminum+Tuesday · · Score: 5, Informative

    Bear in mind that this spoof only looks convincing if you haven't changed your Firefox toolbar at all, i.e. you haven't switched to smaller icons or added/removed/moved buttons.

    It also fails to appear properly on the Macintosh.

    If someone wanted to make some kind of exploit with this, they'd want to target a specific platform and Firefox revision (e.g. 0.9 on Windows). Since Firefox is in constant development, it could well change between revisions and render these spoofs obsolete.

    I don't really see this as a Firefox vulnerability. Use any browser without a popup blocker, and you'll see a lot of popup ads pretending to be legitimate OS windows and dialogs. This is really just a variation of that.

  3. Javascript window "features" by Ianoo · · Score: 5, Informative

    The real problem here is not so much XUL, but Javascript!

    Why does the browser even allow Javascript to create popup windows without toolbars, menu bars and status bars? This has to be one of the most annoying features of any web browser; I can't for the life of me understand why anyone would think up or need such a feature.

    Without this Javascript, you couldn't turn the real menubars and toolbars off, and the problem would be much less severe since although you'd have a second set of interface controls within the browser window, the real status bar would be at the bottom, and the real menubar would be at the top.

    Firefox already has a way to block JS from doing this and using several other of its most annoying features, and indeed I personally have these limits switched on already. Put about:config in the address bar, and change these entries to the following values (or look up how to make a user.js file on Google):

    dom.disable_window_move_resize = true
    dom.disable_window_open_feature.close = true
    dom.disable_window_open_feature.directories = true
    dom.disable_window_open_feature.location = true
    dom.disable_window_open_feature.menubar = true
    dom.disable_window_open_feature.minimizable = true
    dom.disable_window_open_feature.personalbar = true
    dom.disable_window_open_feature.resizable = true
    dom.disable_window_open_feature.scrollbars = true
    dom.disable_window_open_feature.status = true
    dom.disable_window_open_feature.titlebar = true
    dom.disable_window_open_feature.toolbar = true
    dom.disable_window_status_change = true


    Now try the example given in the summary again.

  4. too bad, Mozilla suite suckers! by frankie · · Score: 5, Informative
    We fans of the "bloated" original Mozilla are once again left in the dust by Firefox. Loading the test page results in:
    XML Parsing Error: undefined entity
    Location: http://www.nd.edu/~jsmith30/xul/test/browser.xul
    Line Number 20, Column 1:
    <window id="main-window"
    ^
    In seriousness, that's probably just an artifact of Firefox-specific XUL in the example, and could be fixed by a dedicated black hat. I agree with Ianoo, all versions of Moz should disable javascript toolbar-hiding by default.
  5. Use shit.slashdot.org :) by Anonymous Coward · · Score: 5, Informative

    Use link to get the pretty green colors back.

  6. I wasn't vulnerable! by Dwonis · · Score: 5, Informative
    I couldn't figure out why I wasn't vulnerable, until I looked in my user.js file:
    // More DOM/JavaScript options

    // Make sure all pop-up windows are resizable:
    user_pref("dom.disable_window_open_feature.resizable", true);

    // Make sure all pop-up windows are minimizable:
    user_pref("dom.disable_window_open_feature.minimizable", true);

    // Always display the menu in pop-up windows:
    user_pref("dom.disable_window_open_feature.menubar", true);

    // Always display the Navigation Toolbar in pop-up windows:
    user_pref("dom.disable_window_open_feature.location", true);

    That didn't prevent the statusbar hack, but it made everything else *really* obvious.

    Have a look at about:config. There's a lot of useful stuff in there.
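The following is an added example, not code from the thread or from Mozilla. It models how a page's window.open() feature string interacts with the dom.disable_window_open_feature.* prefs that Ianoo lists in comment 3 and that Dwonis set only part of in comment 6. The semantics it assumes are the Gecko-era ones: when the third argument to window.open() is a non-empty string, every chrome element not named in it is treated as off; a bare name or "yes"/"1" means on, anything else means off; and a dom.disable_window_open_feature.<name> pref set to true makes the browser ignore a script's request to turn that element off. The spoof feature string and both pref sets below are constructed for the demonstration, and the model does not reproduce the privilege checks a real browser applies to some features (for example titlebar).

```javascript
// Added example (not from the Slashdot thread or from Mozilla): a model of how
// window.open() feature strings interact with dom.disable_window_open_feature.*.
//
// Assumed (Gecko-era) semantics, stated here as the model's assumption:
//  - a non-empty feature string turns off every chrome element it does not name;
//  - "name" or "name=yes"/"name=1" means on, any other value means off;
//  - dom.disable_window_open_feature.<name> = true makes the browser ignore a
//    request to turn <name> off, so that element stays visible.
// Privilege checks that a real browser applies to some features are not modelled.

const CHROME_FEATURES = [
  "close", "directories", "location", "menubar", "minimizable",
  "personalbar", "resizable", "scrollbars", "status", "titlebar", "toolbar",
];

// Parse "toolbar=no,menubar=no,status" into { toolbar: false, menubar: false, status: true }.
function parseFeatures(featureString) {
  const requested = {};
  for (const item of featureString.split(",")) {
    const [rawName, rawValue] = item.split("=").map((s) => s.trim());
    if (!rawName) continue;
    const name = rawName.toLowerCase();
    // Bare name means "on"; otherwise only yes/1 count as "on".
    const on = rawValue === undefined || ["yes", "1"].includes(rawValue.toLowerCase());
    requested[name] = on;
  }
  return requested;
}

// Which chrome elements the popup will actually show, given the script's
// feature string and the user's dom.disable_window_open_feature.* prefs.
function effectiveChrome(featureString, prefs = {}) {
  const requested = parseFeatures(featureString);
  const nonEmpty = featureString.trim() !== "";
  const shown = {};
  for (const name of CHROME_FEATURES) {
    // The script's wish: its explicit value, else off whenever any features were given.
    const wanted = name in requested ? requested[name] : !nonEmpty;
    const locked = prefs[`dom.disable_window_open_feature.${name}`] === true;
    shown[name] = locked ? true : wanted;
  }
  return shown;
}

// Constructed feature string of the kind a chrome-spoofing page would pass:
// strip every real UI element so the page can draw fake ones in its content area.
const SPOOF_FEATURES = "toolbar=no,menubar=no,location=no,status=no,scrollbars=no,resizable=no";

// Ianoo's list from comment 3: every feature locked on.
const FULL_LOCKDOWN = Object.fromEntries(
  CHROME_FEATURES.map((n) => [`dom.disable_window_open_feature.${n}`, true]),
);

// Dwonis's user.js from comment 6: four prefs only, status not among them.
const PARTIAL_LOCKDOWN = {
  "dom.disable_window_open_feature.resizable": true,
  "dom.disable_window_open_feature.minimizable": true,
  "dom.disable_window_open_feature.menubar": true,
  "dom.disable_window_open_feature.location": true,
};

// The UI elements a spoof page could still make disappear under a given pref set.
function hideableByScript(prefs) {
  const shown = effectiveChrome(SPOOF_FEATURES, prefs);
  return CHROME_FEATURES.filter((n) => !shown[n]);
}

console.log("no prefs, hidden:", hideableByScript({}).join(", "));
console.log("Dwonis,   hidden:", hideableByScript(PARTIAL_LOCKDOWN).join(", "));
console.log("Ianoo,    hidden:", hideableByScript(FULL_LOCKDOWN).join(", "));
```

Under the partial set the popup keeps its menu and location bar, which is why the spoof looked "really obvious" to Dwonis, but status still ends up hidden because no pref locks it; the full set leaves the script nothing it can hide. Note that these prefs only govern chrome on windows the page opens; a spoof drawn inside the content area of the existing window is unaffected by them.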