Slashdot Mirror


Mozilla UI Spoofing Vulnerability

Short Circuit writes "Secunia has issued a security advisory for Mozilla and Firefox. Apparently, remote web sites can spoof the user interface using XUL. (See the Firefox proof of concept.) Of course, that won't stop me from using Firefox."

4 of 583 comments (clear)

  1. Re:Vulnerability? by pinny20 · · Score: 5, Insightful

    No, because it's using Chrome, so the fake window will have the same theme as the user is using, and if coded cleverly enough, even an experienced user wouldn't be able to easily tell the difference - e.g. Menus will operate in the same way etc.

  2. There's something rotten in Firefox. by cyclop · · Score: 5, Insightful

    And not just for the bug itself (that probably will be fixed quite rapidly). There are two issues behind this.

    (1).The problem was known 4 years ago, but it was marked confidential. I'm not familiar with BugZilla,so I didn't even know there could be a "confidential" bug. This is the antithesis of Open Source philosophy. This is pure security-through-obscurity, in pure M$ style. If the bug wasn't "confidential",I'm sure we should have seen this fixed years ago.
    I just hope most of the other open source/free software projects I rely on every day (Linux,KDE,Mplayer,Kile,Thunderbird,Nicotine and so on...) don't follow such a moron habit.

    (2)How can the browser load XUL code and use it without warning? This is not a bug: this looks more like IE-like flawed design. Correct design shouldn't even *read* any data of this kind, let alone running it and let it deface the browser itself!

    The Mozilla family of browsers/mail clients is still a crew of wonderful programs,and I'm proud of using them. But they will rapidly become IE-like crap, if they continue this way.

    --
    -- Patent no.123456: A way to personalize /. comments with a sig attached to the end.
  3. don't allow pop-ups without menu/location/etc by orabidoo · · Score: 5, Insightful
    in about:config, or in user.js:

    user_pref("dom.disable_window_open_feature.locatio n", true);
    user_pref("dom.disable_window_open_feature.menubar ", true);
    user_pref("dom.disable_window_open_feature.minimiz able", true);
    user_pref("dom.disable_window_open_feature.resizab le", true);
    user_pref("dom.disable_window_open_feature.scrollb ars", true);
    user_pref("dom.disable_window_open_feature.status" , true);

    This makes all pop-ups have a full navigation bar, location bar, status bar, and forces them to be resizable and scrollable.

    It may look uglier than plain-window pop-ups, but it does keep you in full control of your browser.

    With these options set, the spoof pages look obviously like what they are: a fake browser within a real browser.

  4. Re:What the hell? by pebs · · Score: 5, Insightful

    Of course, that won't stop me from using Firefox.
    What kind of blind OSS zealotry is this?


    You know, I never advocate using Mozilla/Firefox due to lack of vulnerabilities; because deep down inside, I know there are a ton of vulnerabilities just waiting to be found. This is a problem for any reasonably complex software. Two reasons to use Mozilla/Firefox:

    1. Feature-wise, it completely blows away IE
    2. Standards compliant, which will help make the web a better place for all browsers

    Also, it runs on many OS's, but that's not a good reason for everyone.

    Currently, most of the malware/viruses/etc are for IE. But I have seen sites that try to get you to install Mozilla extensions that could be potentially malicious. With Mozilla's new-found popularity, it's only a matter of time before Mozilla gets attention from the malware writers. Get ready for it.

    --
    #!/