Mozilla UI Spoofing Vulnerability
Short Circuit writes "Secunia has issued a security advisory for Mozilla and Firefox. Apparently, remote web sites can spoof the user interface using XUL. (See the Firefox proof of concept.) Of course, that won't stop me from using Firefox."
No, because it's using Chrome, so the fake window will have the same theme as the user is using, and if coded cleverly enough, even an experienced user wouldn't be able to easily tell the difference - e.g. Menus will operate in the same way etc.
And not just for the bug itself (that probably will be fixed quite rapidly). There are two issues behind this.
(1).The problem was known 4 years ago, but it was marked confidential. I'm not familiar with BugZilla,so I didn't even know there could be a "confidential" bug. This is the antithesis of Open Source philosophy. This is pure security-through-obscurity, in pure M$ style. If the bug wasn't "confidential",I'm sure we should have seen this fixed years ago.
I just hope most of the other open source/free software projects I rely on every day (Linux,KDE,Mplayer,Kile,Thunderbird,Nicotine and so on...) don't follow such a moron habit.
(2)How can the browser load XUL code and use it without warning? This is not a bug: this looks more like IE-like flawed design. Correct design shouldn't even *read* any data of this kind, let alone running it and let it deface the browser itself!
The Mozilla family of browsers/mail clients is still a crew of wonderful programs,and I'm proud of using them. But they will rapidly become IE-like crap, if they continue this way.
-- Patent no.123456: A way to personalize
user_pref("dom.disable_window_open_feature.locati
user_pref("dom.disable_window_open_feature.menuba
user_pref("dom.disable_window_open_feature.minimi
user_pref("dom.disable_window_open_feature.resiza
user_pref("dom.disable_window_open_feature.scroll
user_pref("dom.disable_window_open_feature.status
This makes all pop-ups have a full navigation bar, location bar, status bar, and forces them to be resizable and scrollable.
It may look uglier than plain-window pop-ups, but it does keep you in full control of your browser.
With these options set, the spoof pages look obviously like what they are: a fake browser within a real browser.
Of course, that won't stop me from using Firefox.
What kind of blind OSS zealotry is this?
You know, I never advocate using Mozilla/Firefox due to lack of vulnerabilities; because deep down inside, I know there are a ton of vulnerabilities just waiting to be found. This is a problem for any reasonably complex software. Two reasons to use Mozilla/Firefox:
1. Feature-wise, it completely blows away IE
2. Standards compliant, which will help make the web a better place for all browsers
Also, it runs on many OS's, but that's not a good reason for everyone.
Currently, most of the malware/viruses/etc are for IE. But I have seen sites that try to get you to install Mozilla extensions that could be potentially malicious. With Mozilla's new-found popularity, it's only a matter of time before Mozilla gets attention from the malware writers. Get ready for it.
#!/