Slashdot Mirror
Mozilla UI Spoofing Vulnerability
Short Circuit writes "Secunia has issued a security advisory for Mozilla and Firefox. Apparently, remote web sites can spoof the user interface using XUL. (See the Firefox proof of concept.) Of course, that won't stop me from using Firefox."
What kind of blind OSS zealotry is this? If somebody said something similar of IE there would be a unanimous uproar of upbraids from the slashdot community against whoever said it.
Is it somehow tolerable for OS software to have faults, even serious ones? Security through obscurity is no security at all, as I'm sure many Firefox users will learn one day. Personally, I believe statements like that, and the people that make them are what is holding OSS back from becoming a serious contender to the juggernauts of mocrosoft. If we continue to sit on laurels gained only through lucky ineptitude we will get precicely nowhere.
PS seems like google has started another round of gmail invites, I just got six. Logged in users tell me your funniest joke involving tux the linux penguin and the six funniest will recieve an invite (use a throwaway account, I'm sure this post will be followed by cowardly un-obfuscating trolls).
Making the moon less necessary since 1998.
Mod me up if you hate the color scheme. Here's a fixed link using the "old" slashdot colors:
1 0&tid=154&tid=128&tid=172
http://slashdot.org/article.pl?sid=04/07/31/00372
(I sound like a broken record. I know that. But if it gets said enough times perhaps someone will notice and change something.)
It's probably possible to do with IE too, but the worrying part of this exploit is the fake security certificate it produces. Easy way to disable the exploit working is to disable allowing javascript to hide the status bar - the menus etc still comes up but you can tell it's fake because of the extra status bar.
Linux Wireless Hardware in the UK
No, because it's using Chrome, so the fake window will have the same theme as the user is using, and if coded cleverly enough, even an experienced user wouldn't be able to easily tell the difference - e.g. Menus will operate in the same way etc.
"Confidential" bugs in an open source project. Really?
The owls are not what they seem
Of course, that won't stop me from using Firefox.
If this was an issue with IE and not Firefox, I hope you'd still be saying the same thing?
However I suspect that you'd be denigrating IE as loudly as possible, while insisting that everyone should move immediately to Firefox.
You are right in the sense that it is not a "standard" vunerability as such, but as is the case for IE "spoofing", it is still valid. It could still cause users to think a spoofed page is a real page, so in essence the browser is "vunerable".
:)
As a sidepoint, I think the actual vunerability is the fact that XUL can be effectively imported and utilised from a website, rather than a vunerability saying "you can spoof the xyz browser using http user-agent flags and jpeg images" as a bad example
And not just for the bug itself (that probably will be fixed quite rapidly). There are two issues behind this.
(1).The problem was known 4 years ago, but it was marked confidential. I'm not familiar with BugZilla,so I didn't even know there could be a "confidential" bug. This is the antithesis of Open Source philosophy. This is pure security-through-obscurity, in pure M$ style. If the bug wasn't "confidential",I'm sure we should have seen this fixed years ago.
I just hope most of the other open source/free software projects I rely on every day (Linux,KDE,Mplayer,Kile,Thunderbird,Nicotine and so on...) don't follow such a moron habit.
(2)How can the browser load XUL code and use it without warning? This is not a bug: this looks more like IE-like flawed design. Correct design shouldn't even *read* any data of this kind, let alone running it and let it deface the browser itself!
The Mozilla family of browsers/mail clients is still a crew of wonderful programs,and I'm proud of using them. But they will rapidly become IE-like crap, if they continue this way.
-- Patent no.123456: A way to personalize
what sort of moron would let a webpage run code on his machine anyway?
The average user.
Its not really an issue though.. Even if this is fixed, theres 10000 different ways of doing the same kind of thing that will throw off even most security experts. Even if its changed, there will be other ways of pretending the bar exists.. They made it confidential because theres no way to fix it.. If they fix it this way, blackhats use javascript..
Rat never thought this thru. I think his trying to gain attention over something which he never bothered contemplating that there was no possible solution anyway.
Thanks to him now, his given just about every credit card frauder on the planet new ideas (and even implemented the paypal clone code for it too). They made it confidential to just stop ppl panicing about something which has always been possible and to try to stop frauders from adding this technique to their arsenal.. Now, Rat has done an incredibly smart move and gave spammers, credit card frauders, script kiddies some new ideas.. And for that, we have to thank him
> Of course, that won't stop me from using Firefox.
I used to say the same about IE 2-3 months ago, you insensitive clod!
- Arwen, I'm your father, Agent Smith.
- Well, you're just Smith, but my father is Aerosmith!
Not with the Tabextensions module. You can make EVERYTHING go to tabs..
Using XUL through HTTP can be _very_ useful, we're looking at it to replace using HTML in our web applications and it looks like it would be do a very good job at it (I think that's one of the things it was built for).
As for ActiveX, that's actually running code on your computer, XUL is just an interface language. You can't run XUL that'll install spyware on your machine for example.
Excuse me but isn't this "vulnerability" the same thing as saying the pop-up ads that look just like IE on Windows XP are a IE/Windows XP vulnerability? This customizability (albeit automatic by the webpage) is closer to a feature than a vulnerability if you ask me.
Exactly - furthermore, you can easily do exactly the same with IE. You just create a new window, with the fullsize property set, then set the dimensions (so you then have a blank window with no chrome at all - not even a title bar) - after that it's simply a matter of adding your spoofed interface using DHTML... Game over.
Code, Hardware, stuff like that.
user_pref("dom.disable_window_open_feature.locati
user_pref("dom.disable_window_open_feature.menuba
user_pref("dom.disable_window_open_feature.minimi
user_pref("dom.disable_window_open_feature.resiza
user_pref("dom.disable_window_open_feature.scroll
user_pref("dom.disable_window_open_feature.status
This makes all pop-ups have a full navigation bar, location bar, status bar, and forces them to be resizable and scrollable.
It may look uglier than plain-window pop-ups, but it does keep you in full control of your browser.
With these options set, the spoof pages look obviously like what they are: a fake browser within a real browser.
In 99% of cases, he doesn't need to, he just needs to be close enough. For such a thing to work well, he'd probably have to/want to open up a new window anyway full screen, during which time, 99% of people will forget if theres a special bar there, and not notice that their theme is a light white instead of their normal light pink, and 99% of ppl dont touch the bookmarks bar, so the defaults would be fine.. And nevertheless, those who would fall for something like this would just assume that those small changes are a bug in mozilla. I dont think with this 'exploit' they can put your extension bars there anyway.. Maybe your bookmark bar, but you'll notice that if u look at the code of the spoof, that there might not actually be a way to do that.
.. Because in most phishing cases, people actually fall for it because the link is false anyway and just looks the same..
You have to think logically, to do something like this you have to give someone a link too, thats where most likely the best place to do a check.. Make sure that if a hyperlink on a page says its http://www.paypal.com, make sure it doesn't go to http://killme.com
I still think that something like that something like this in javascript would affect just as many ppl as the XUML version.. But be more dangerous because it affects every browser
Bear in mind that this spoof only looks convincing if you haven't changed your Firefox toolbar at all, ie. you haven't switched to smaller icons or added/removed/moved buttons.
Sure, if a toolbar suddenly looks like the default config all users will suspect a faked UI and get alerted instantly... you expect too much. IMHO many will simply assume the browser messed up their config and keep on browsing. Even if the majority gets suspicious, the small percentage that is fooled is most likely to be profitable enough for the phishers.
Any fresh Firefox installation asks about sending unencrypted form data, but not about executing arbitrary XUL stuff? This is a serious design flaw.
:w!q
It's a serious problem. XAML, XUL and even SVG are positioning themselves as web-delivered application delivery platforms. The idea is to provide a mechanism for web-delivered apps to NOT look like they're running in a browser; instead, permitting more integration with the desktop.
This kind of spoofing is going to become more problematic, not less.
The ability for web pages to override *any* part of the standard user interface, even if they can't then replace the UI with their own imitation, is something that I've been pissed off about for years. If you want to build an application development platfrom that can do anything, make it a separate program... leave me in control of the user interface of my own software.
There shouldn't be a mechanism in the HTML/script/etc to do things like pop-ups, pop-behinds, moving windows, windows without toolbars and status bars... there should be an unbreakable firewall at the edge of the document portion of the browser.
Yes, it is. And that's a major vulnerability on IE as well, albeit one that probably won't be fixed. With Moz it can be fixed very easily - it relies on a setting being at it's default, specifically Web Features | Advanced | Allow Javascript to hide the status bar. Why that defaults to allow I don't know, I suggested years ago it shouldn't, and I always turn it off myself. If the Moz team would just set the default here sensibly this would no longer be a worry, because no one in their right mind would change it back unless they knew what they were doing and had a damn good reason to do so.
I'm wondering why the moz team doesn't just implement signed XUL. We love using XUL for our internal applications at our company but somehow having to sign it wouldn't be a problem.
I realize we now have dialogs that warn us about everything AND that most people just click through but having trusted XUL sites or signing it somehow would be just fine by me.
What really annoys me is that:
A) The bug was marked confidential for 5 freaking years!
B) The people saying that it isn't a big deal.
It IS a big deal or else the damn thing wouldn't have been marked confidential for 5 years. Sure it doesn't allow you to overwrite system files but I can recover from a virus. It's harder to recover from having a bank account wiped out because you used and unprotected debit card on a spoofed website ( forgetting that anyone who uses a debit card instead of a real credit card online is just asking to be screwed ).
Really the best route for this is to disallow remote XUL execution by default with an option to enable it in the prefs with a list of trusted XUL sites.
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
I've never heard anyone say it was MS's fault that people can make a convincing fake browser interface to fool people. Hell, all of slashdot has discussed this type of thing before, with the old ads some companies made to look like popup dialog boxes. Those fooled a lot of people, but I've never heard anyone say it was MS's fault.
But there's a very simple solution, and I can explain it in one sentence.
Never let anything, popup windows, javascript, etc., hide any part of the browser interface.
That's it. 100% solution to the "fake browser interface" problem. In fact, Firefox already has that partly covered, "Allow scripts to: [*] Hide the status bar" => "Allow scripts to: [ ] Hide the status bar". That setting should default to unchecked, and it shouldn't be user-modifiable. On my system, I immediately saw a double status-bar. But that's not enough, the menu bar and browser controls shouldn't be hidable either.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
I think the problem the Mozilla team has is the same problem that the IE team has, which is the same problem that the Opera team probably has - if you can make a blank window, you can redraw the interface pretty easy. But how do you fix it is the question? If you always draw the menu bar and the status bar you can still recreate the other elements. If you require that the browser always look like the parent window... well that would probably work, although many things on the web would look like crap.
I'm not making excuses for the Mozilla team (I mean this sort of freaks me out) , but I have no idea how to fix it. You could make all the bars "collapsed" on a "blank" window which would allow the user to always click them and look at the mormal UI again, but then you sort of expect that the user would know what those collapseable bars are for. Well it's better than nothing so maybe that's not such a bad idea... Anyway it's a problem with the way web browsers work as much as anything.
What am I missing when I don't understand why this problem is specific to XUL in Mozilla?
What people exactly need the status bar to be hidden?
I don't want any website to ever be able to hide the status bar, for any reason.
For that matter, I don't want any website to be able to hide my address bar, toolbar, or menu bar either.
Period. Why is THIS not an option in Mozilla or Firefox. This is my computer why is that not an option?
At first I thought maybe it's more difficult for an observant person to be fooled. So I opened up a spoofed window and compared it to a real window to see how many differences I could find. Now as a child I was pretty damn good at the spot the difference cartoons in highlights magazine, apparently use it or lose it is valid. Only after I specifically looked for them did I realize that my bookmarks toolbar was missing, and from my navigation toolbar several icons were missing and the search control was present again (I have it turned off). In other words if you're drilling through links on a site and suddenly a couple items disappear, I'm gonna guess it's really easy to not notice, regardless of experience levels (in fact maybe experience or more so familiarity make this even more effective an exploint).
The point being that even though I do fancy myself a pretty observant person (honestly I usually am) I didn't notice right off the bat what was missing from my usual interface and I bet most users wouldn't unless they looked for them on EVERY page load.
-- Button up, your ignorance is showing
> Experts don't browse with javascript enabled, so
> it's pretty obvious actually.
So how do these experts have any idea what will affect the end user? From their non-javascript Ivory Tower, they survey the scene and see all is good. meanwhile, Joe Dickwad sends his credit card info to the Ukraine, thinking he's just bought his momma a bouquet for mothers' day.
To secure the end user's experience, you need to experience things from an end-user perspective.
[this comment is nitpicking the post, not the experts, by the way]
Screw you all! I'm off to the pub
Just like my "obscure" password that I use to log into my machine! I sure hope it is never unobscured, or my security might be shot!
This isn't the exact same problem as seen on other browsers.
Here the fake page can use the exact same XUL UI controls as the real browser, instead of emulating them with DHTML. That lowers the bar significantly.
I've always known Mozilla to be less than the perfection that Slashdotters have paraded it around as. Now that all these security vulnerabilities are being discovered...well, nothing's changed for me because I use Opera.
No pointless XUL, no reimplemented widgets, no cute little XPI spoofs. Just a native web browser that is the fastest and leanest out there.
It's interesting to watch the conflicts of posters today. On one hand, they want to keep using Firefox and supporting it. On the other hand, they know that if this was an IE vulnerability, they'd be all over it and crying out about "why would anybody still be using IE, especially if this was known for five years!!"
Just an amusing illustration of double-standards on some people's parts. Not everyone...just the hardcore zealots who like to post here. This trend of Mozilla holes is a nice way for them to gain a little perspective on the matter.
Now, imagine if Mozilla had IE's marketshare right now! These holes would be blown apart by hackers, and I imagine dozens more would be discovered. Already, the trend is rising.
That's the thing, this code didn't have the proverbial thousand eyes looking at it, because the asshats marked it 'confidential' until just recently. If anything, this proves that security through obscurity is a losing proposition..
I'm running Firefox 9.2, and nothing happens. Guess I was smart in limiting what permissions Javascript has. Why exactly would you let Javascript do all the things it can do, when you have the option to disable the most pesky ones in Firefox? All I'm saying is, people are making a bigger deal out of this than it really is. Just make all releases have minimal Javascript settings by default, and then make the user activate the more spoofable settings (alter window size, hide status bar).
No matter how much we beef up Firefox's impressive security,we can't do a thing to protect it from idiotic users who click first and ask questions later.Nothing can protect idiots from themselves. As for Mozilla ignoring the bug,they might've though it could've been something mebmasterse could do to enchance their pages.Now that people are taking aadvantage of it,they announced it as a bug. For example,if you made a browser,you might want to allow Javascript to change the background of the UI.Except that nobody decent does it,and those who do cover the UI in pornography and/or ads.So you plug the hole.
1) Whenever you have to show the user some information that is not directly related to the task at hand. Example: you have a multi-page "wizard" style form allowing a user to enter information into a database. It is a fairly complex process, in which the options offered on later pages will depend on which options were selected on earlier pages. Scattered across each page, you have links that open a glossary to define a particular term. Opening the glossary information in a new window (one without toolbars, etc), allows you to provide that information to the user without interrupting their workflow. Toolbars are extraneous to the window, since it never shows anything but the glossary page. Showing them would be pointless, and would detract from the look-and-feel of the application.
2) When you want to offer a user the ability to view an arbitrary item from a list without reloading the page. Example: you have a bunch of images, and you want to let a user preview each one. You list each filename and other file details, then you have a link entitle "Preview", which opens up a new window (with no toolbar, etc) showing that image. Subsequent previews will resize the existing preview window and change its url rather than opening an entirely new one. If the preview button left the index page to preview each picture, it would increase the amount of traffic on your web server, with each new request for the index page. This may seem trivial, but if the index page is generated using information from a database, that can mount up fast, especially if you have multiple concurrent users. Again, toolbars are extraneous to the function of the window in this situation.
3) In any situation where you want to make two windows easily distinguishable from one another. If you have ever watched inexperienced or non-proficient web users, you will note that they frequently become confused when dealing with multiple browser windows, and this is especially true when the page author adds a target="_blank" attribute to a link. The new window opens, taking up all the available screen real estate, and looking exactly like the previous window, so the user naturally tries to use the "Back" button to return to what they were just looking at. But it doesn't work, and so they have to stop and study their open programs to figure out what happened. If, on the other hand, that content were opened in a smaller window with no toolbars overlaid on the parent window, it is instantly obvious that it's a new window, and the user is much less likely to get confused, leading to a better experience with the web site.
The first and second examples come from real life uses of window.open() -- both in my own pages. The third is applicable to virtually any proper use of JavaScript window control. I hate pop-up ads as much as anyone, and I'm profoundly grateful that FireFox blocks unsolicited calls to window.open(). Two other things make me glad: firstly, that you have the option of turning all that stuff off because you hate it; and secondly, I am glad that you're not in charge of FireFox development, because I suspect that a lot of "annoying" pages might not function properly in FireFox if you were.