Mozilla UI Spoofing Vulnerability
Short Circuit writes "Secunia has issued a security advisory for Mozilla and Firefox. Apparently, remote web sites can spoof the user interface using XUL. (See the Firefox proof of concept.) Of course, that won't stop me from using Firefox."
According to the spoof demonstration page, this has been known for five years(!) but the bug filed has been marked "confidential". You'd think that the Mozilla team could do better than security through obscurity - that is usually a reserved tactic for "the other team"....
Spine World
Bug 22183. This is the first mention of the problem that I am aware of. It was marked confidential for five years until 7-21-2004.
Gotta love that security-by-obscurity...
Well, this IS a bug, and a very nasty one. As the author of that page said, everything in that page can be made to work. With some JavaScript you could even identify which version of browser is running and adapt to it. I've been impressed by clicking on the padlock. I don't think web pages should ever need to load XUL; this is bad design for me. I don't get how you can say that this is not a bug, that this can be done also in IE. It's not true! Those for IE are almost all just gifs and are very easy to notice. But wait, Mozilla loading XULs via HTTP:// without even popping up an alert is a feature, IE loading ActiveX is... bad design! Why? At least ActiveX's CAN be useful! Please stay with your feet on the floor.
i am not even sure if this should be called bug
there is nothing it is not doing like it should
it may be stupid to allow javascript to hide the toolbars etc.
maybe it would be wise to disable those features in the next firefox version per default
it is easy to change right now...
and i don't see why this is worse than IE permitting execution of code on your machine
stop supporting microsoft with pirating their software!!!!!
Oh, and there's no excuse for "security through obscurity", especially when you've spent the past five years ridiculing the evil empire for it and thumping your chest singing the praises of being open and honest about the same thing. I don't care if this particular issue is interpreted as a bug, a vuln, a feature or anything else. The Mozilla folks kept this jewel mum for five years as far as I can tell. You know what? That means that XUL is probably flawed in some fundamental way and they know it. And if that's not the case, the fact that they hid it sure makes it seem that way.
I suspect we're going to start seeing many more of these as Mozilla gains a foothold. Perhaps all our retarded zealot fanboys will begin to understand that actual vulnerabilities aside (which affect all code), plain user stupidity and the fundamental problems of the browser as an application platform make up for a large percentage of the perceived problems with IE. Heck, the other day I ran into a page that wanted me to install some XPI malware.
Maybe we're not so superior after all when people actually use what we do. Reality intrudes on the best laid plans, I guess.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
You should really read the Mozilla vuln. list. While they only allow things that have been reported, *already fixed*, and *gone for 2 versions already*, it does provide a pretty scary look at Mozilla's "security", or lack thereof. While I will be the first to admit this model of secrecy has worked in the past, it doesn't look like it will in the future. First, a lot of people are moving to Mozilla and Firefox, making it a viable target (I've already seen several instances of xpi spyware/trojans ["please install me to make your clock run accurately"] being used in place of traditional ActiveX), and second, security reporting has been changing. In the past Mozilla security bugs were reported directly to Mozilla, where they could be kept secret as long as it took Mozilla to fix them - I've only seen a few rare cases of someone actually taking their grievances about Mozilla's slow bug fixing public (like the 1 line Javascript exploit for taking down every Mozilla window and tab at once, which took a year to fix, finally being done when the vulnerability was reposted to a public board, which prompted it to be fixed silently shortly after 1.7 came out). With Mozilla and Firefox "mainstream" browsers now, real security experts are starting to look at them, and they don't play Mozilla's game. They want credit for their discovery, so they don't want to have it shuffled under the rug while Mozilla pretends it never existed. This means publicly announcing exploits, which not only forces Mozilla to radically change how quickly they respond to security bugs, but also forces them to publicly inform users that they should upgrade to the latest build (before of course they just kept fixes secret and let everyone who doesn't download a 12MB build everyday browse with arbitrary code execution vulnerabilities, since saving their own face was more important).
The fact that Mozilla vulnerabilities are going to start getting announced within days or hours of them being patched means you're going to start getting exactly what you get in IE - hackers take the bug, make a working exploit, and deploy it a week or month later against the 90% of people who didn't download Mozilla's daily bugfix (perhaps a bigger problem than IE, since Mozilla demands you download the whole 12MB thing, instead of just a little 100KB patch file). Remember Blaster - easy, 56k friendly made available more than a month before it hit. Now try "easy, 12MB patch made available on a weekly basis" and see how few people are keeping ahead of the hackers.
At the risk of losing MASSIVE Karma points, I can't, in good conscience, fail to note that all of these claims that IE is vulnerable to this same type of spoofing are FALSE. You cannot create a fake browser window of ANY size or shape in IE with the same theme the user is employing for his or her desktop. This information is simply NOT available to IE's DHTML implementation. You can fool a retard with a borderless fake window, but you'll never guess my lime green ugly-ass color scheme is in place, and I **will** notice the rogue window.
:-)
This is why the Mozilla vulnerability is so serious. You could fool even very experienced users. Like sysadmins who log in as root.