Slashdot Mirror


Mozilla UI Spoofing Vulnerability

Short Circuit writes "Secunia has issued a security advisory for Mozilla and Firefox. Apparently, remote web sites can spoof the user interface using XUL. (See the Firefox proof of concept.) Of course, that won't stop me from using Firefox."

14 of 583 comments

  1. Vulnerability? by insecuritiez · · Score: 3, Interesting

    Excuse me but isn't this "vulnerability" the same thing as saying the pop-up ads that look just like IE on Windows XP are an IE/Windows XP vulnerability? This customizability (albeit automatic by the webpage) is closer to a feature than a vulnerability if you ask me.

  2. Marked confidential? by Kristoffer+Lunden · · Score: 5, Interesting

    According to the spoof demonstration page, this has been known for five years(!) but the bug filed has been marked "confidential". You'd think that the Mozilla team could do better than security through obscurity - that is usually a reserved tactic for "the other team"....

    1. Re:Marked confidential? by GoofyBoy · · Score: 4, Interesting

      So it's OK for Mozilla/Firebird to utilize security through obscurity, yet when a closed source application?

      And aren't a thousand eyes supposed to be looking at the code and fixing it? So shouldn't the fix come quickly? Isn't that the strength of Open Source? If in theory it sounds good but in reality it doesn't work, what good is it to have a thousand eyes looking at the code for security purposes?

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.

  3. whoops by ceejayoz · · Score: 4, Interesting

    Bug 22183. This is the first mention of the problem that I am aware of. It was marked confidential for five years until 7-21-2004.

    Gotta love that security-by-obscurity...

  4. Re:Not another one! by Pahalial · · Score: 3, Interesting

    You -do- realize they've known for 5 years, right? We're only hearing now because it's apparently starting to be used in the wild, not to mention someone published research about using chrome spoofing.

    --
    Stuff.

  5. Re:There's something rotten in Firefox. by AC-x · · Score: 3, Interesting

    I certainly think having confidential bugs was a very bad idea (who gets to see them I wonder?) but it is hard not to run XUL code without making it quite useless. At work we plan to look at it with the view to using it in our web applications instead of HTML (which I think is one of the things it was originally for).

    I mean, it's basically the same as using images to spoof the IE toolbars, Firefox just gives you the tools to do a better job of it.

    The only thing I can think of that wouldn't make using XUL a total pita is to warn the users the first time a site tries to use it, something like

    "Do you want this site to create an interface in XUL (phishing warning blah blah blah)."
    [Yes] [No] [x] remember this for xyz.com
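
As an added illustration of the "remember this for xyz.com" idea above (example code, not part of the thread and not Mozilla's code): a small JavaScript policy object that stores the first-use answer per site. Every name in it (canonicalOrigin, XulConsentPolicy, demo) is invented for the example, and the prompt is an injected callback rather than a real dialog. It goes slightly beyond the comment by showing why the stored key should be the full origin (scheme, host and port) rather than a bare domain name, so that a look-alike host or a plain-HTTP version of the site never inherits a stored "yes".

```javascript
// Added example (not from the thread or from Mozilla): a per-site
// "remember my answer" store for a first-use XUL prompt. Decisions are
// keyed on the full origin (scheme + host + port), never on a bare
// domain string, so "https://xyz.com" and "https://xyz.com.example"
// cannot share an answer.

// Constructed helper: derive a canonical origin from a URL string.
// Returns null for anything unparseable or non-web (javascript:, data:),
// which the policy treats as "deny, never remember" (fail closed).
function canonicalOrigin(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.origin; // e.g. "https://xyz.com"; port kept when non-default
}

// Hypothetical policy object. `prompt(origin)` is an injected callback so
// the logic is testable; in a browser it would show the dialog.
class XulConsentPolicy {
  constructor(prompt) {
    this.prompt = prompt;
    this.decisions = new Map(); // origin -> { allow: boolean }
  }

  // Decide whether `urlString` may load remote XUL. `remember` controls
  // whether this answer is stored for later visits to the same origin.
  allow(urlString, remember) {
    const origin = canonicalOrigin(urlString);
    if (origin === null) return false; // unparseable or non-web scheme
    if (this.decisions.has(origin)) return this.decisions.get(origin).allow;
    const answer = this.prompt(origin) === true; // anything but true is "no"
    if (remember) this.decisions.set(origin, { allow: answer });
    return answer;
  }

  // Let the user revoke a remembered answer for one site.
  forget(urlString) {
    const origin = canonicalOrigin(urlString);
    if (origin !== null) this.decisions.delete(origin);
  }
}

// Constructed demo: the first visit prompts, the remembered answer is
// reused for the same origin only, and a look-alike host or the plain
// HTTP version of the site gets its own prompt (and here, a denial).
function demo() {
  const prompts = [];
  const policy = new XulConsentPolicy((origin) => {
    prompts.push(origin);
    return origin === "https://xyz.com"; // constructed: user says yes only here
  });
  const first = policy.allow("https://xyz.com/app", true);          // prompts, allowed
  const second = policy.allow("https://xyz.com/other", true);       // no prompt, allowed
  const lookalike = policy.allow("https://xyz.com.example/app", true); // prompts, denied
  const plainHttp = policy.allow("http://xyz.com/app", true);       // prompts, denied
  return { first, second, lookalike, plainHttp, promptCount: prompts.length };
}

console.log(demo()); // { first: true, second: true, lookalike: false, plainHttp: false, promptCount: 3 }
```

The design choice worth noting is that the "[x] remember this for xyz.com" checkbox, if implemented literally as a domain-name match, would let any host whose name merely contains or ends in the remembered string reuse the decision; keying on the origin as the URL parser reports it avoids that, and refusing non-web schemes outright avoids storing a decision for something that has no meaningful site identity.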

  6. Too much zealotry by brainnolo · · Score: 4, Interesting

    Well, this IS a bug, and a very nasty one; as the author of that page said, everything in that page can be made to work. With some Javascript you could even identify which version of browser is running and adapt to it. I've been impressed by clicking on the padlock. I don't think web pages should ever need to load XUL; this is bad design for me. I don't get how you can say that this is not a bug, that this can be done also in IE. It's not true! Those for IE are almost all just gifs and are very easy to notice. But wait, Mozilla loading XULs via HTTP:// without even popping up an alert is a feature, IE loading ActiveX is..bad design! Why? At least ActiveX controls CAN be useful! Please stay with your feet on the floor.

  7. Re:What the hell? by Spellbinder · · Score: 5, Interesting

    i am not even sure if this should be called bug
    there is nothing it is not doing like it should
    it may be stupid to allow javascript to hide the toolbars etc.
    maybe it would be wise to disable those features in the next firefox version per default
    it is easy to change right now...
    and i don't see why this is worse than IE permitting execution of code on your machine

    --
    stop supporting microsoft by pirating their software!!!!!

  8. Re:This is nothing... by dedazo · · Score: 5, Interesting

    That's nice, except that when "blackhats" do the same thing to people who use IE then it's Microsoft's fault.

    Oh, and there's no excuse for "security through obscurity", especially when you've spent the past five years ridiculing the evil empire for it and thumping your chest singing the praises of being open and honest about the same thing. I don't care if this particular issue is interpreted as a bug, a vuln, a feature or anything else. The Mozilla folks kept this jewel mum for five years as far as I can tell. You know what? That means that XUL is probably flawed in some fundamental way and they know it. And if that's not the case, the fact that they hid it sure makes it seem that way.

    I suspect we're going to start seeing many more of these as Mozilla gains a foothold. Perhaps all our retarded zealot fanboys will begin to understand that actual vulnerabilities aside (which affect all code), plain user stupidity and the fundamental problems of the browser as an application platform make up for a large percentage of the perceived problems with IE. Heck, the other day I ran into a page that wanted me to install some XPI malware.

    Maybe we're not so superior after all when people actually use what we do. Reality intrudes on the best laid plans, I guess.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo

  9. Re:This is nothing... by auzy · · Score: 3, Interesting

    actually, you can make javascript almost as interactive.. The only advantage for this one is the theme is the same, and the bookmarks are there.. I'm actually thinking about whether it's worth making a javascript clone which would fool 90% of people, and be actually a higher risk because it would work on IE too, and safari, and whatever else available.. Of course, I believe in reusable programming and the only people who would look at the code for such a thing would be the last people you want to see it.

  10. XP SP2 does this by spideyct · · Score: 3, Interesting

    Good suggestion.

    Also, Internet Explorer with Windows XP SP2 will prevent websites from creating pop-up windows without a status bar, or with the status bar positioned off screen. Microsoft has recognized that the status bar should always be visible, I think the Mozilla/Firefox team should follow suit.

    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx#XSLTsection137121120120

  11. Re:This is nothing... by Michalson · · Score: 5, Interesting

    You should really read the Mozilla vuln. list. While they only allow things that have been reported, *already fixed*, and *gone for 2 versions already*, it does provide a pretty scary look at Mozilla's "security", or lack thereof. While I will be the first to admit this model of secrecy has worked in the past, it doesn't look like it will in the future. First, a lot of people are moving to Mozilla and Firefox, making it a viable target (I've already seen several instances of xpi spyware/trojans ["please install me to make your clock run accurately"] being used in place of traditional ActiveX), and second, security reporting has been changing. In the past Mozilla security bugs were reported directly to Mozilla, where they could be kept secret as long as it took Mozilla to fix them - I've only seen a few rare cases of someone actually taking their grievances about Mozilla's slow bug fixing public (like the 1 line Javascript exploit for taking down every Mozilla window and tab at once, which took a year to fix, finally being done when the vulnerability was reposted to a public board, which prompted it to be fixed silently shortly after 1.7 came out). With Mozilla and Firefox "mainstream" browsers now, real security experts are starting to look at them, and they don't play Mozilla's game. They want credit for their discovery, so they don't want to have it shuffled under the rug while Mozilla pretends it never existed. This means publicly announcing exploits, which not only forces Mozilla to radically change how quickly they respond to security bugs, but also forces them to publicly inform users that they should upgrade to the latest build (before of course they just kept fixes secret and let everyone who doesn't download a 12MB build every day browse with arbitrary code execution vulnerabilities, since saving their own face was more important).

    The fact that Mozilla vulnerabilities are going to start getting announced within days or hours of them being patched means you're going to start getting exactly what you get in IE - hackers take the bug, make a working exploit, and deploy it a week or month later against the 90% of people who didn't download Mozilla's daily bugfix (perhaps a bigger problem than IE, since Mozilla demands you download the whole 12MB thing, instead of just a little 100KB patch file). Remember Blaster - easy, 56k friendly, made available more than a month before it hit. Now try "easy, 12MB patch made available on a weekly basis" and see how few people are keeping ahead of the hackers.

  12. YOU CANNOT DO THE SAME THING WITH IE!! by skidoo2 · · Score: 4, Interesting

    At the risk of losing MASSIVE Karma points, I can't, in good conscience, fail to note that all of these claims that IE is vulnerable to this same type of spoofing are FALSE. You cannot create a fake browser window of ANY size or shape in IE with the same theme the user is employing for his or her desktop. This information is simply NOT available to IE's DHTML implementation. You can fool a retard with a borderless fake window, but you'll never guess my lime green ugly-ass color scheme is in place, and I **will** notice the rogue window.

    This is why the Mozilla vulnerability is so serious. You could fool even very experienced users. Like sysadmins who log in as root. :-)

  13. XUL is bloated and slow by ngunton · · Score: 3, Interesting

    XUL makes these browsers unusably slow on older machines. I have to use Netscape 4.8 (which has its own issues, but speed certainly isn't one of them - it doesn't take 5-10 seconds to open a new window) in order to get acceptable response on my old 450 MHz desktop (which is, I might add, perfectly fine using ANY other application, including Windows 2000, IE, Apache, MySQL, Word and so on).

    I really think (as others have also mentioned) there is a lot of blinkered thinking when it comes to Open Source software, to the extent that people are starting to blindly ignore the flaws - these same flaws in Microsoft apps would be pilloried mercilessly, but here you see all kinds of "yeah, but" comments. I am not putting down OSS, but the XUL thing was a classic example of developers going away to make a browser, and coming back with a bloated, swiss-army-knife, can-customize-up-the-wazoo Internet Platform. I don't particularly care about changing the "skin" on my browser - all I want is a small, fast application that adheres to standards and is preferably cross platform. They could have gotten the cross-platform part by using something like wxWidgets. I thought Firefox was supposed to be smaller and faster, but unfortunately XUL still seems to be at its core. And for those who say "Well, why don't you go away and make your own browser" - I have other projects I am working on and don't have the time.

    And to all those people who say that I should just get a new computer - well, tell that to all the schools out there who have old computers donated for teaching the kids. Anyway, why should I have to upgrade because of one application - a BROWSER of all things? Just a classic case of developers going over the top to prove to everybody just how smart they are and how generalized their code is. And what do you know, now we find out that there seems to be a darker side to all this customizable GUI code. Oh well...

    BTW, I don't hate Mozilla. This is a criticism of one aspect of the project that I think just went severely off-track with featuritis. The project is a very worthy effort and I applaud the people who are making it, but these are just my honest thoughts on the matter.