Slashdot Mirror


Mozilla UI Spoofing Vulnerability

Short Circuit writes "Secunia has issued a security advisory for Mozilla and Firefox. Apparently, remote web sites can spoof the user interface using XUL. (See the Firefox proof of concept.) Of course, that won't stop me from using Firefox."

4 of 583 comments (clear)

  1. Marked confidential? by Kristoffer+Lunden · · Score: 5, Interesting

    According to the spoof demostration page, this has been known for five years(!) but the bug filed has been marked "confidential". You'd think that the Mozilla team could do better than security through obscurity - that is usually a reserved tactic for "the other team"....

  2. Re:What the hell? by Spellbinder · · Score: 5, Interesting

    i am not even sure if this shoud be called bug
    there is nothing it is not doing like it should
    it may be stupid to allow javascript to hide the toolbars etc.
    maybe it would be wise to disable those features in the next firefox version per default
    it is easy to change right now...
    and i don't see why this is worse than IE permitting execution of code on your machine

    --


    stop supporting microsoft with pirating their software!!!!!
  3. Re:This is nothing... by dedazo · · Score: 5, Interesting
    That's nice, except that when "blackhats" do the same thing to people who use IE then it's Microsoft's fault.

    Oh, and there's no excuse for "security through obscurity", especially when you've spent the past five years ridiculing the evil empire for it and thumping your chest singing the praises of being open and honest about the same thing. I don't care if this particular issue is interpreted as a bug, a vuln, a feature or anything else. The Mozilla folks kept this jewel mum for five years as far as I can tell. You know what? That means that XUL is probably flawed in some fundamental way and they know it. And if that's not the case, the fact that they hid it sure makes it seem that way.

    I suspect we're going to start seeing many more of these as Mozilla gains a foothold. Perhaps all our retarded zealot fanboys will being the understand that actual vulnerabilities aside (which affect all code), plain user stupidity and the fundamental problems of the browser as an application platform make up for a large percentage of the perceived problems with IE. Heck, the other day I rain into a page that wanted me to install some XPI malware.

    Maybe we're not so superior after all when people actually use what we do. Reality intrudes on the best laid plans, I guess.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  4. Re:This is nothing... by Michalson · · Score: 5, Interesting

    You should really read the Mozilla vuln. list. While they only allow things that have been reported, *already fixed*, and *gone for 2 versions already*, it does provide a pretty scare look at Mozilla's "security", or lack there of. While I will be the first to admit this model of secrecy has worked in the past, it doesn't look like it will in the future. First, a lot of people are moving to Mozilla and Firefox, making it a viable target (I've already seen several instances xpi spyware/trojans ["please install me to make your clock run accurately"] being used in place of traditional ActiveX), and second, security reporting has been changing. In the past Mozilla security bugs where reported directly to Mozilla, where they could be kept secret as long as it took Mozilla to fix them - I've only seen a few rare cases of someone actually taking their grievances about Mozilla's slow bug fixing public (like the 1 line Javascript exploit for taking down every Mozilla window and tab at once, which took a year to fix, finally being done when the vulnerability was reposted to a public board, which prompted it to be fixed silently shortly after 1.7 came out). With Mozilla and Firefox "mainstream" browsers now, real security experts are starting to look at them, and they don't play Mozilla's game. They want credit for their discovery, so they don't want to have it shuffled under the rug while Mozilla pretends it never existed. This means publicly announcing exploits, which not only forces Mozilla to radically change how quickly they respond to security bugs, but also forces them to publicly inform users that they should upgrade to the latest build (before of course they just kept fixes secret and let everyone who doesn't download a 12MB build everyday browse with arbitrary code execution vulnerabilities, since saving their own face was more important). The fact that Mozilla vulnerabilities are going to start getting announced within days or hours of them being patched means you're going to start getting exactly what you get in IE - hackers take the bug, make a working exploit, and deploy it a week or month later against the 90% of people who didn't download Mozilla's daily bugfix (perhaps a bigger problem then IE, since Mozilla demands you download the whole 12MB thing, instead of just a little 100KB patch file). Remember Blaster - easy, 56k friendly made available more then a month before it hit. Now try "easy, 12MB patch made available on a weekly basis" and see how few people are keeping ahead of the hackers.