Mozilla UI Spoofing Vulnerability
Short Circuit writes "Secunia has issued a security advisory for Mozilla and Firefox. Apparently, remote web sites can spoof the user interface using XUL. (See the Firefox proof of concept.) Of course, that won't stop me from using Firefox."
What kind of blind OSS zealotry is this? If somebody said something similar of IE there would be a unanimous uproar of upbraids from the slashdot community against whoever said it.
Is it somehow tolerable for OS software to have faults, even serious ones? Security through obscurity is no security at all, as I'm sure many Firefox users will learn one day. Personally, I believe statements like that, and the people that make them, are what is holding OSS back from becoming a serious contender to the juggernauts of Microsoft. If we continue to sit on laurels gained only through lucky ineptitude we will get precisely nowhere.
PS seems like google has started another round of gmail invites, I just got six. Logged in users tell me your funniest joke involving tux the linux penguin and the six funniest will receive an invite (use a throwaway account, I'm sure this post will be followed by cowardly un-obfuscating trolls).
Making the moon less necessary since 1998.
No, because it's using Chrome, so the fake window will have the same theme as the user is using, and if coded cleverly enough, even an experienced user wouldn't be able to easily tell the difference - e.g. Menus will operate in the same way etc.
Of course, that won't stop me from using Firefox.
If this was an issue with IE and not Firefox, I hope you'd still be saying the same thing?
However I suspect that you'd be denigrating IE as loudly as possible, while insisting that everyone should move immediately to Firefox.
You are right in the sense that it is not a "standard" vulnerability as such, but as is the case for IE "spoofing", it is still valid. It could still cause users to think a spoofed page is a real page, so in essence the browser is "vulnerable".
:)
As a side point, I think the actual vulnerability is the fact that XUL can be effectively imported and utilised from a website, rather than a vulnerability saying "you can spoof the xyz browser using http user-agent flags and jpeg images" as a bad example.
And not just for the bug itself (that probably will be fixed quite rapidly). There are two issues behind this.
(1) The problem was known 4 years ago, but it was marked confidential. I'm not familiar with BugZilla, so I didn't even know there could be a "confidential" bug. This is the antithesis of Open Source philosophy. This is pure security-through-obscurity, in pure M$ style. If the bug wasn't "confidential", I'm sure we should have seen this fixed years ago.
I just hope most of the other open source/free software projects I rely on every day (Linux, KDE, Mplayer, Kile, Thunderbird, Nicotine and so on...) don't follow such a moron habit.
(2) How can the browser load XUL code and use it without warning? This is not a bug: this looks more like IE-like flawed design. Correct design shouldn't even *read* any data of this kind, let alone running it and let it deface the browser itself!
The Mozilla family of browsers/mail clients is still a crew of wonderful programs, and I'm proud of using them. But they will rapidly become IE-like crap, if they continue this way.
-- Patent no.123456: A way to personalize
what sort of moron would let a webpage run code on his machine anyway?
The average user.
Excuse me but isn't this "vulnerability" the same thing as saying the pop-up ads that look just like IE on Windows XP are an IE/Windows XP vulnerability? This customizability (albeit automatic by the webpage) is closer to a feature than a vulnerability if you ask me.
Exactly - furthermore, you can easily do exactly the same with IE. You just create a new window, with the fullsize property set, then set the dimensions (so you then have a blank window with no chrome at all - not even a title bar) - after that it's simply a matter of adding your spoofed interface using DHTML... Game over.
Code, Hardware, stuff like that.
user_pref("dom.disable_window_open_feature.locati
user_pref("dom.disable_window_open_feature.menuba
user_pref("dom.disable_window_open_feature.minimi
user_pref("dom.disable_window_open_feature.resiza
user_pref("dom.disable_window_open_feature.scroll
user_pref("dom.disable_window_open_feature.status
This makes all pop-ups have a full navigation bar, location bar, status bar, and forces them to be resizable and scrollable.
It may look uglier than plain-window pop-ups, but it does keep you in full control of your browser.
With these options set, the spoof pages look obviously like what they are: a fake browser within a real browser.
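Added example, not part of the comment above and not Mozilla's code: a simplified JavaScript model of the policy that comment describes, where the browser ignores a script's request to hide chrome the user has locked. The function names, the LOCKED list and the sample feature string are constructed for illustration; the feature names are the standard window.open() tokens.

```javascript
// Simplified model (not Mozilla's code) of a browser that refuses to let
// window.open() feature strings switch off user-locked chrome.
const CHROME = ["location", "menubar", "toolbar", "resizable", "scrollbars", "status"];

// Parse "a=yes,b=no,c" into a Map of feature name -> boolean.
function parseFeatures(features) {
  const parsed = new Map();
  for (const token of String(features || "").split(",")) {
    const [rawName, rawValue] = token.split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue;
    // A bare name ("status") counts as enabled.
    const value = rawValue === undefined ? "yes" : rawValue.trim().toLowerCase();
    parsed.set(name, value === "yes" || value === "1" || value === "true");
  }
  return parsed;
}

// Return the chrome a popup ends up with, plus the features the policy
// had to force back on. `locked` = features scripts may not disable.
function effectiveChrome(features, locked) {
  const requested = parseFeatures(features);
  // An empty feature string means "give me a normal window".
  const defaultAll = requested.size === 0;
  const chrome = {};
  const overridden = [];
  for (const name of CHROME) {
    const asked = defaultAll || requested.get(name) === true;
    const forced = !asked && locked.includes(name);
    if (forced) overridden.push(name);
    chrome[name] = asked || forced;
  }
  return { chrome, overridden };
}

// Constructed sample: a popup asking for a bare, chromeless window.
const SAMPLE = "width=800,height=600,location=no,menubar=no,status=no,toolbar=no";
const LOCKED = ["location", "menubar", "resizable", "scrollbars", "status"];
const outcome = effectiveChrome(SAMPLE, LOCKED);
console.log(outcome.overridden.join(","), outcome.chrome);
```

The toolbar is left out of LOCKED on purpose: it stays hidden in the result, which shows that any chrome element the policy does not lock remains under the page's control.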
It's a serious problem. XAML, XUL and even SVG are positioning themselves as web-delivered application delivery platforms. The idea is to provide a mechanism for web-delivered apps to NOT look like they're running in a browser; instead, permitting more integration with the desktop.
This kind of spoofing is going to become more problematic, not less.
The ability for web pages to override *any* part of the standard user interface, even if they can't then replace the UI with their own imitation, is something that I've been pissed off about for years. If you want to build an application development platform that can do anything, make it a separate program... leave me in control of the user interface of my own software.
There shouldn't be a mechanism in the HTML/script/etc to do things like pop-ups, pop-behinds, moving windows, windows without toolbars and status bars... there should be an unbreakable firewall at the edge of the document portion of the browser.
I've never heard anyone say it was MS's fault that people can make a convincing fake browser interface to fool people. Hell, all of slashdot has discussed this type of thing before, with the old ads some companies made to look like popup dialog boxes. Those fooled a lot of people, but I've never heard anyone say it was MS's fault.
But there's a very simple solution, and I can explain it in one sentence.
Never let anything, popup windows, javascript, etc., hide any part of the browser interface.
That's it. 100% solution to the "fake browser interface" problem. In fact, Firefox already has that partly covered, "Allow scripts to: [*] Hide the status bar" => "Allow scripts to: [ ] Hide the status bar". That setting should default to unchecked, and it shouldn't be user-modifiable. On my system, I immediately saw a double status-bar. But that's not enough, the menu bar and browser controls shouldn't be hidable either.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
That's the thing, this code didn't have the proverbial thousand eyes looking at it, because the asshats marked it 'confidential' until just recently. If anything, this proves that security through obscurity is a losing proposition.