Mozilla UI Spoofing Vulnerability

Short Circuit writes "Secunia has issued a security advisory for Mozilla and Firefox. Apparently, remote web sites can spoof the user interface using XUL. (See the Firefox proof of concept.) Of course, that won't stop me from using Firefox."

What the hell?

[King_of_Prussia]

Of course, that won't stop me from using Firefox.

What kind of blind OSS zealotry is this? If somebody said something similar of IE there would be a unanimous uproar of upbraids from the slashdot community against whoever said it.

Is it somehow tolerable for OS software to have faults, even serious ones? Security through obscurity is no security at all, as I'm sure many Firefox users will learn one day. Personally, I believe statements like that, and the people that make them are what is holding OSS back from becoming a serious contender to the juggernauts of mocrosoft. If we continue to sit on laurels gained only through lucky ineptitude we will get precicely nowhere.

PS seems like google has started another round of gmail invites, I just got six. Logged in users tell me your funniest joke involving tux the linux penguin and the six funniest will recieve an invite (use a throwaway account, I'm sure this post will be followed by cowardly un-obfuscating trolls).

Re:What the hell?

[Threni]

> What kind of blind OSS zealotry is this? If somebody said something similar of
> IE there would be a unanimous uproar of upbraids from the slashdot community
> against whoever said it.

Who cares what the `slashdot community` says? There's a mixture of people here. You don't have to listen to everyone. I'm not a zealot and i'm going to be sticking with Firefox, as I don't believe i'm at risk of this particular exploit, as I have a local webpage on my hard drive which is just a list of URLs to sites I use regularly, so unless that gets hacked i'm going to end up where I expect.

> Is it somehow tolerable for OS software to have faults, even serious ones?

All software has faults. IE has loads, Firefox has a few. On balance, it would appear that users of non-microsoft software are less at risk than microsoft users, and the problems get fixed more quickly. Or do you think this most recent security issue tips the balance back in favour of IE being the safest browser to use?

Re:What the hell?

[FooBarWidget]

There are many, many people out there who continue to use IE, even after knowing there are alternatives and that IE has many security holes. So what? Why doesn't anybody label those people as "MS zealots"? But when someone says he still continues to use FireFox he gets flamed down for being a zealot?

Re:What the hell?

[pebs]

Of course, that won't stop me from using Firefox.
What kind of blind OSS zealotry is this?

You know, I never advocate using Mozilla/Firefox due to lack of vulnerabilities; because deep down inside, I know there are a ton of vulnerabilities just waiting to be found. This is a problem for any reasonably complex software. Two reasons to use Mozilla/Firefox:

1. Feature-wise, it completely blows away IE
2. Standards compliant, which will help make the web a better place for all browsers

Also, it runs on many OS's, but that's not a good reason for everyone.

Currently, most of the malware/viruses/etc are for IE. But I have seen sites that try to get you to install Mozilla extensions that could be potentially malicious. With Mozilla's new-found popularity, it's only a matter of time before Mozilla gets attention from the malware writers. Get ready for it.

Re:Vulnerability?

[NetNifty]

It's probably possible to do with IE too, but the worrying part of this exploit is the fake security certificate it produces. Easy way to disable the exploit working is to disable allowing javascript to hide the status bar - the menus etc still comes up but you can tell it's fake because of the extra status bar.

Re:Vulnerability?

[pinny20]

No, because it's using Chrome, so the fake window will have the same theme as the user is using, and if coded cleverly enough, even an experienced user wouldn't be able to easily tell the difference - e.g. Menus will operate in the same way etc.

Double standards?

[bamf]

Of course, that won't stop me from using Firefox.

If this was an issue with IE and not Firefox, I hope you'd still be saying the same thing?

However I suspect that you'd be denigrating IE as loudly as possible, while insisting that everyone should move immediately to Firefox.

Re:Double standards?

[soloport]

It works like this:
a) If you use anything Microsoft, you're an idiot.
b) If you use anything Linux, you're a maniac.

Sort of like slow-driver/fast-driver syndrome.

Re:Vulnerability?

[MoogMan]

You are right in the sense that it is not a "standard" vunerability as such, but as is the case for IE "spoofing", it is still valid. It could still cause users to think a spoofed page is a real page, so in essence the browser is "vunerable".

As a sidepoint, I think the actual vunerability is the fact that XUL can be effectively imported and utilised from a website, rather than a vunerability saying "you can spoof the xyz browser using http user-agent flags and jpeg images" as a bad example :)

There's something rotten in Firefox.

[cyclop]

And not just for the bug itself (that probably will be fixed quite rapidly). There are two issues behind this.

(1).The problem was known 4 years ago, but it was marked confidential. I'm not familiar with BugZilla,so I didn't even know there could be a "confidential" bug. This is the antithesis of Open Source philosophy. This is pure security-through-obscurity, in pure M$ style. If the bug wasn't "confidential",I'm sure we should have seen this fixed years ago.
I just hope most of the other open source/free software projects I rely on every day (Linux,KDE,Mplayer,Kile,Thunderbird,Nicotine and so on...) don't follow such a moron habit.

(2)How can the browser load XUL code and use it without warning? This is not a bug: this looks more like IE-like flawed design. Correct design shouldn't even *read* any data of this kind, let alone running it and let it deface the browser itself!

The Mozilla family of browsers/mail clients is still a crew of wonderful programs,and I'm proud of using them. But they will rapidly become IE-like crap, if they continue this way.

Re:There's something rotten in Firefox.

[Jugalator]

The problem was known 4 years ago, but it was marked confidential. I'm not familiar with BugZilla,so I didn't even know there could be a "confidential" bug. This is the antithesis of Open Source philosophy.

I fully agree this is a very bad idea. All it takes is someone to get hacked, or in another way disclosing information about these secret bugs, and then they might start circulating among "underground" hackers without us knowing it, and voila we have an exploit for an issue a very large group of the developers didn't even know exist.

If they did know, they could of course have offered help in resolving the bug much earlier.

They need to start thinking about these things now as the browser might start to gain momentum. Even if it's not huge problems revealed, merely the fact that secret bugs exists and are revealed now and then (I have no doubt we'll see more in the future since this is probably not the only one), is severe negative publicity for the Mozilla products. It wouldn't be nearly as bad if the bugs weren't secret.

Re:There's something rotten in Firefox.

[AlXtreme]

The only thing I can think of that wouldn't make using XUL a total pita is to warn the users first time a site trys to use it, something like

How about just disabling the execution of remotely-retrieved XUL files from within Firefox by default? I'm surprised Firefox didn't warn before loading the spoof from the remote site, it clearly should as a minimum. However as more and more new users with the click-before-you-read syndrome try out Firefox having it disabled by default seems the only sane thing to do.

If you want to view your web applications internally using XUL, having a whitelist akin to the popup blocker seems the best way (don't bother user unless he figures out something is missing and he clicks on the disabled-window icon). For all us people just wanting to browse some HTML, automatically (or even after prompting) running XUL from a remote server is a flaw and potentially dangerous, and should be considered as such. I'm amazed this hasn't received more attention.

Re:Javascript should be enabled.

[adam+mcmaster]

what sort of moron would let a webpage run code on his machine anyway?

The average user.

Re:This is nothing...

[auzy]

Its not really an issue though.. Even if this is fixed, theres 10000 different ways of doing the same kind of thing that will throw off even most security experts. Even if its changed, there will be other ways of pretending the bar exists.. They made it confidential because theres no way to fix it.. If they fix it this way, blackhats use javascript..

Rat never thought this thru. I think his trying to gain attention over something which he never bothered contemplating that there was no possible solution anyway.

Thanks to him now, his given just about every credit card frauder on the planet new ideas (and even implemented the paypal clone code for it too). They made it confidential to just stop ppl panicing about something which has always been possible and to try to stop frauders from adding this technique to their arsenal.. Now, Rat has done an incredibly smart move and gave spammers, credit card frauders, script kiddies some new ideas.. And for that, we have to thank him

Re:Vulnerability?

[FyRE666]

Excuse me but isn't this "vulnerability" the same thing as saying the pop-up ads that look just like IE on Windows XP are a IE/Windows XP vulnerability? This customizability (albeit automatic by the webpage) is closer to a feature than a vulnerability if you ask me.

Exactly - furthermore, you can easily do exactly the same with IE. You just create a new window, with the fullsize property set, then set the dimensions (so you then have a blank window with no chrome at all - not even a title bar) - after that it's simply a matter of adding your spoofed interface using DHTML... Game over.

don't allow pop-ups without menu/location/etc

[orabidoo]

in about:config, or in user.js:

user_pref("dom.disable_window_open_feature.locatio n", true);
user_pref("dom.disable_window_open_feature.menubar ", true);
user_pref("dom.disable_window_open_feature.minimiz able", true);
user_pref("dom.disable_window_open_feature.resizab le", true);
user_pref("dom.disable_window_open_feature.scrollb ars", true);
user_pref("dom.disable_window_open_feature.status" , true);

This makes all pop-ups have a full navigation bar, location bar, status bar, and forces them to be resizable and scrollable.

It may look uglier than plain-window pop-ups, but it does keep you in full control of your browser.

With these options set, the spoof pages look obviously like what they are: a fake browser within a real browser.

Re:Bear in mind...

[JRIsidore]

Bear in mind that this spoof only looks convincing if you haven't changed your Firefox toolbar at all, ie. you haven't switched to smaller icons or added/removed/moved buttons.

Sure, if a toolbar suddenly looks like the default config all users will suspect a faked UI and get alerted instantly... you expect too much. IMHO many will simply assume the browser messed up their config and keep on browsing. Even if the majority gets suspicious, the small percentage that is fooled is most likely to be profitable enough for the phishers.
Any fresh Firefox installation asks about sending unencrypted form data, but not about executing arbitrary XUL stuff? This is a serious design flaw.

Expect this to get more prevalent

[gedhrel]

It's a serious problem. XAML, XUL and even SVG are positioning themselves as web-delivered application delivery platforms. The idea is to provide a mechanism for web-delivered apps to NOT look like they're running in a browser; instead, permitting more integration with the desktop.

This kind of spoofing is going to become more problematic, not less.

It's not just a bug, it's a bad user interface!

[argent]

The ability for web pages to override *any* part of the standard user interface, even if they can't then replace the UI with their own imitation, is something that I've been pissed off about for years. If you want to build an application development platfrom that can do anything, make it a separate program... leave me in control of the user interface of my own software.

There shouldn't be a mechanism in the HTML/script/etc to do things like pop-ups, pop-behinds, moving windows, windows without toolbars and status bars... there should be an unbreakable firewall at the edge of the document portion of the browser.

what?

[Ender+Ryan]

Seriously, people have been doing this sort of thing for years, with every browser. This one happens to be a bit more ambitious than most, but I've seen the same thing done with IE in the past.

I've never heard anyone say it was MS's fault that people can make a convincing fake browser interface to fool people. Hell, all of slashdot has discussed this type of thing before, with the old ads some companies made to look like popup dialog boxes. Those fooled a lot of people, but I've never heard anyone say it was MS's fault.

But there's a very simple solution, and I can explain it in one sentence.

Never let anything, popup windows, javascript, etc., hide any part of the browser interface.

That's it. 100% solution to the "fake browser interface" problem. In fact, Firefox already has that partly covered, "Allow scripts to: [*] Hide the status bar" => "Allow scripts to: [ ] Hide the status bar". That setting should default to unchecked, and it shouldn't be user-modifiable. On my system, I immediately saw a double status-bar. But that's not enough, the menu bar and browser controls shouldn't be hidable either.

Re:Marked confidential?

[archen]

I think the problem the Mozilla team has is the same problem that the IE team has, which is the same problem that the Opera team probably has - if you can make a blank window, you can redraw the interface pretty easy. But how do you fix it is the question? If you always draw the menu bar and the status bar you can still recreate the other elements. If you require that the browser always look like the parent window... well that would probably work, although many things on the web would look like crap.

I'm not making excuses for the Mozilla team (I mean this sort of freaks me out) , but I have no idea how to fix it. You could make all the bars "collapsed" on a "blank" window which would allow the user to always click them and look at the mormal UI again, but then you sort of expect that the user would know what those collapseable bars are for. Well it's better than nothing so maybe that's not such a bad idea... Anyway it's a problem with the way web browsers work as much as anything.

Why is this article specific to Mozilla?

[jdkane]

I don't understand why this cannot be done without XUL/Mozilla. E.g. Why can this spoof not happen through Mozilla & plain DHTML (no XUL), or in IE too? Without XUL I can also pop up a new window without any chrome and then create my own fake chrome elements through DHTML (including drop-down menus, status bar acorss bottometc etc)

What am I missing when I don't understand why this problem is specific to XUL in Mozilla?

Re:This is nothing...

[Atrax]

> Experts don't browse with javascript enabled, so
> it's pretty obvious actually.

So how do these experts have any idea what will affect the end user? From their non-javascript Ivory Tower, they survey the scene and see all is good. meanwhile, Joe Dickwad sends his credit card info to the Ukraine, thinking he's just bought his momma a bouquet for mothers' day.

To secure the end user's experience, you need to experience things from an end-user perspective.

[this comment is nitpicking the post, not the experts, by the way]

Re:Marked confidential?

[FuzzyBad-Mofo]

That's the thing, this code didn't have the proverbial thousand eyes looking at it, because the asshats marked it 'confidential' until just recently. If anything, this proves that security through obscurity is a losing proposition..