Mozilla UI Spoofing Vulnerability
Short Circuit writes "Secunia has issued a security advisory for Mozilla and Firefox. Apparently, remote web sites can spoof the user interface using XUL. (See the Firefox proof of concept.) Of course, that won't stop me from using Firefox."
You think your Mozilla or FireFox has neat features like that?
Well my friend, my IE can beat your browser many times over!
HA!
I've lost faith in Secunia, they seem to love pointing out security holes in open-source products. So I just ignore them now.
So am I really seeing Slashdot, or is someone trying to spoof me, while at the same time ironically warning me about said Firefox spoofs?
Excuse me but isn't this "vulnerability" the same thing as saying the pop-up ads that look just like IE on Windows XP are an IE/Windows XP vulnerability? This customizability (albeit automatic by the webpage) is closer to a feature than a vulnerability if you ask me.
According to the spoof demonstration page, this has been known for five years(!) but the bug filed has been marked "confidential". You'd think that the Mozilla team could do better than security through obscurity - that is usually a reserved tactic for "the other team"...
Spine World
Bug 22183. This is the first mention of the problem that I am aware of. It was marked confidential for five years until 7-21-2004.
Gotta love that security-by-obscurity...
What kind of blind OSS zealotry is this? If somebody said something similar of IE there would be a unanimous uproar of upbraids from the slashdot community against whoever said it.
Is it somehow tolerable for OS software to have faults, even serious ones? Security through obscurity is no security at all, as I'm sure many Firefox users will learn one day. Personally, I believe statements like that, and the people that make them, are what is holding OSS back from becoming a serious contender to the juggernauts of Microsoft. If we continue to sit on laurels gained only through lucky ineptitude we will get precisely nowhere.
PS seems like Google has started another round of Gmail invites, I just got six. Logged in users tell me your funniest joke involving Tux the Linux penguin and the six funniest will receive an invite (use a throwaway account, I'm sure this post will be followed by cowardly un-obfuscating trolls).
Making the moon less necessary since 1998.
"Of course, that won't stop me from using Firefox"
But then how do you know you ARE using the 'proper' Firefox if the interface is spoofed?
I use middle-click tab a lot (practically every link); the proof of concept doesn't show the tabs (still opens them though).
"Confidential" bugs in an open source project. Really?
The owls are not what they seem
Of course, that won't stop me from using Firefox.
If this was an issue with IE and not Firefox, I hope you'd still be saying the same thing?
However I suspect that you'd be denigrating IE as loudly as possible, while insisting that everyone should move immediately to Firefox.
Bear in mind that this spoof only looks convincing if you haven't changed your Firefox toolbar at all, i.e. you haven't switched to smaller icons or added/removed/moved buttons.
It also fails to appear properly on the Macintosh.
If someone wanted to make some kind of exploit with this, they'd want to target a specific platform and Firefox revision (e.g. 0.9 on Windows). Since Firefox is in constant development, it could well change between revisions and render these spoofs obsolete.
I don't really see this as a Firefox vulnerability. Use any browser without a popup blocker, and you'll see a lot of popup ads pretending to be legitimate OS windows and dialogs. This is really just a variation of that.
Without disabling XUL, I mean, it's the equivalent of using images and text forms to spoof the IE menu bar; it just so happens that Firefox gives you tools that can be used to do a better job of it.
At any rate this can be overcome quite easily by changing the javascript prefs so that sites can't hide things like the status bar and menus.
The real problem here is not so much XUL, but Javascript!
Why does the browser even allow Javascript to create popup windows without toolbars, menu bars and status bars? This has to be one of the most annoying features of any web browser. I can't for the life of me understand why anyone would think up or need such a feature.
Without this Javascript, you couldn't turn the real menubars and toolbars off, and the problem would be much less severe since although you'd have a second set of interface controls within the browser window, the real status bar would be at the bottom, and the real menubar would be at the top.
Firefox already has a way to block JS from doing this and using several other of its most annoying features, and indeed I personally have these limits switched on already. Put about:config in the address bar, and change these entries to the following values (or look up how to make a user.js file on Google):
dom.disable_window_move_resize = true
dom.disable_window_open_feature.close = true
dom.disable_window_open_feature.directories = true
dom.disable_window_open_feature.location = true
dom.disable_window_open_feature.menubar = true
dom.disable_window_open_feature.minimizable = true
dom.disable_window_open_feature.personalbar = true
dom.disable_window_open_feature.resizable = true
dom.disable_window_open_feature.scrollbars = true
dom.disable_window_open_feature.status = true
dom.disable_window_open_feature.titlebar = true
dom.disable_window_open_feature.toolbar = true
dom.disable_window_status_change = true
Now try the example given in the summary again.
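As an added illustration (not code from the post or from Mozilla), here is a small Node.js model of how these prefs interact with a page's window.open() feature string. The model uses the documented feature-string semantics in simplified form (bare name or yes/1 enables, no/0 disables, and once any feature is listed the unlisted chrome defaults to off) and assumes only the pref names shown above; platform quirks are ignored.

```javascript
// Added example: models how dom.disable_window_open_feature.<name> = true
// forces a chrome element on, no matter what a page's feature string asks for.
// Simplified re-implementation of the documented semantics, not Mozilla code.

// The chrome features named in the about:config list above.
const CHROME_FEATURES = ['toolbar', 'location', 'menubar', 'status',
                         'personalbar', 'directories', 'scrollbars',
                         'resizable', 'minimizable', 'close', 'titlebar'];

// Parse "toolbar=no,status=0,resizable" into { toolbar: false, ... }.
function parseFeatures(featureString) {
  const requested = {};
  for (const item of featureString.split(',')) {
    const [rawName, rawValue] = item.split('=');
    const name = rawName.trim().toLowerCase();
    if (!name) continue;
    const value = rawValue === undefined ? 'yes' : rawValue.trim().toLowerCase();
    requested[name] = value === 'yes' || value === '1' || value === 'true';
  }
  return requested;
}

// Compute which chrome the popup actually gets: the page's request, overridden
// wherever the corresponding disable_window_open_feature pref is true.
function effectiveChrome(featureString, prefs) {
  const requested = parseFeatures(featureString);
  const anyListed = Object.keys(requested).length > 0;
  const chrome = {};
  for (const f of CHROME_FEATURES) {
    const pageWants = anyListed ? requested[f] === true : true;
    const forced = prefs[`dom.disable_window_open_feature.${f}`] === true;
    chrome[f] = forced || pageWants;
  }
  return chrome;
}

// The chrome a spoof popup would still manage to hide under a given pref set.
function hiddenChrome(featureString, prefs) {
  const chrome = effectiveChrome(featureString, prefs);
  return CHROME_FEATURES.filter(f => !chrome[f]);
}

// Constructed sample: the kind of feature string a UI-spoofing page uses.
const SPOOF_FEATURES =
  'toolbar=no,location=no,menubar=no,status=no,resizable=no,width=800,height=600';
const DEFAULT_PREFS = {};   // nothing forced on
const HARDENED_PREFS = Object.fromEntries(
  CHROME_FEATURES.map(f => [`dom.disable_window_open_feature.${f}`, true]));

console.log('default prefs let the page hide:', hiddenChrome(SPOOF_FEATURES, DEFAULT_PREFS));
console.log('hardened prefs let the page hide:', hiddenChrome(SPOOF_FEATURES, HARDENED_PREFS));
```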
And not just for the bug itself (that probably will be fixed quite rapidly). There are two issues behind this.
(1) The problem was known 4 years ago, but it was marked confidential. I'm not familiar with Bugzilla, so I didn't even know there could be a "confidential" bug. This is the antithesis of Open Source philosophy. This is pure security-through-obscurity, in pure M$ style. If the bug wasn't "confidential", I'm sure we would have seen this fixed years ago.
I just hope most of the other open source/free software projects I rely on every day (Linux, KDE, MPlayer, Kile, Thunderbird, Nicotine and so on...) don't follow such a moronic habit.
(2) How can the browser load XUL code and use it without warning? This is not a bug: this looks more like IE-like flawed design. Correct design shouldn't even *read* any data of this kind, let alone run it and let it deface the browser itself!
The Mozilla family of browsers/mail clients is still a crew of wonderful programs, and I'm proud of using them. But they will rapidly become IE-like crap if they continue this way.
-- Patent no.123456: A way to personalize
What sort of moron would let a webpage run code on his machine anyway?
The average user.
Well, this IS a bug, and a very nasty one; as the author of that page said, everything in that page can be made to work. With some Javascript you could even identify which version of browser is running and adapt to it. I've been impressed by clicking on the padlock. I don't think web pages should ever need to load XUL; this is bad design for me. I don't get how you can say that this is not a bug, that this can be done also in IE. It's not true! Those for IE are almost all just GIFs and are very easy to notice. But wait, Mozilla loading XUL via HTTP:// without even popping up an alert is a feature, IE loading ActiveX is... bad design! Why? At least ActiveX CAN be useful! Please stay with your feet on the floor.
Now I'll go back to browsing with telnet and openssl s_client.
Well, I have to say that this exploit is particularly serious - but not the end of the world. I've every faith we'll see a fix fairly soon...
It's pretty bad because it has the end results of several techniques rolled into one handy package - URL spoofing, fake certs, browser hijacking...
Several workarounds being mentioned - using a non-standard toolbar (add at least one extra button/menu-item so you can identify a fake version...), and possibly a non-standard theme would work (though I'm not so sure about this one...)
Anyway, net result - firefox has a pretty bad security problem, with a fairly easy workaround, and no doubt a fix in the works... - how about not allowing remote sites to run XUL without first warning the user (with the option to turn this warning feature off of course - it's all about choice, right?)
Dave
1. I use a custom theme (Qute as it happens) with small icons
2. I've customised my toolbars to reduce them into one (plus bookmarks)
3. I have Tab Browser Extensions installed and I run in Single Window mode so all pop-up windows get opened inside my one browser window.
This is the power of Firefox!
Mr. Smoove
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("dom.disable_window_open_feature.minimizable", true);
user_pref("dom.disable_window_open_feature.resizable", true);
user_pref("dom.disable_window_open_feature.scrollbars", true);
user_pref("dom.disable_window_open_feature.status", true);
This makes all pop-ups have a full navigation bar, location bar, status bar, and forces them to be resizable and scrollable.
It may look uglier than plain-window pop-ups, but it does keep you in full control of your browser.
With these options set, the spoof pages look obviously like what they are: a fake browser within a real browser.
Some site authors may say "but I really want to author a popup that doesn't have all that crap etc," but I don't see how it can be that important, especially given all the consequent badness. The only case I can see for this is that sometimes you do trust the content author--that there is a notion of Mozilla as a platform for application development. And, hey, ok, code reuse is good, but using Mozilla as a platform for a company-internal application is a totally different scenario; can't we recognize that as a different scenario and give it different rules instead of using one browser to rule them all?
Now, without being able to disable the location bar, you can't spoof the location bar trivially. You could put up a second one and hope people don't notice, and yeah, some people won't. Unfortunately, as pointed out on bugzilla, there's a case that this won't stop: you create an entire faux window, one that appears to be in front of the main one, but is actually just a part of it. So in the middle of your page you have a seeming popup window with a seeming location bar with a faux address. It wouldn't be draggable outside of the client area of the main window, but some people wouldn't notice it.
It's hard to see how to defend against that, although I am a wacky retro guy who thinks all of this DHTML stuff has given content creators way more power than they really need, and there would be nothing wrong with just pushing back on the standards until things weren't spoofable. (Remember when standards meant you wrote an RFC about something you had already implemented and figured out really worked; it didn't become a standard until people had exercised it in the field? Whatever happened to that?) Or maybe Ian Hickson is right and we're all just raving paranoid nutjobs. But it seems like exactly the sort of 'power before security' attitude that's gotten MS in a lot of trouble.
An entirely different way of looking at the problem of spoofing is that we transmit our secrets "in the clear" to the remote site. (Obviously encrypted by https or whatever.) If the remote site is spoofing, they get our password (and can maybe even open a connection to paypal or whatever and pass through everything so we don't know it's been spoofed). There's no need for us to give the secret to the remote site, though; just prove that we know it. For example, the server can give us some random data, and we use a non-reversible encryption algorithm to combine the random data and the password, and return the result of that. The server can verify that it's the right result without anyone transmitting the actual password (though the server must store the actual password, and not a hash of it). If this were the technology we were using, a spoofer wouldn't be able to use the password, unless the spoofer DID open a connection to the real site first, and get the challenge; then it could pass it through, but then the spoofer would have only this one chance to make use of the spoofed data, since the next time the real site challenged, the spoofer is stuck; whereas currently a spoofer just captures the user/password combo and keeps it around for later processing. This would raise the complexity bar for making effective use of spoofing (including email phishing!), although I don't know if it's high enough. But good luck getting it into browsers AND making it impossible for spoofers to create what looks like a login prompt of this kind but actually is just a plain old plaintext submit.
Use link to get the pretty green colors back.
It's a serious problem. XAML, XUL and even SVG are positioning themselves as web-delivered application delivery platforms. The idea is to provide a mechanism for web-delivered apps to NOT look like they're running in a browser; instead, permitting more integration with the desktop.
This kind of spoofing is going to become more problematic, not less.
The ability for web pages to override *any* part of the standard user interface, even if they can't then replace the UI with their own imitation, is something that I've been pissed off about for years. If you want to build an application development platform that can do anything, make it a separate program... leave me in control of the user interface of my own software.
There shouldn't be a mechanism in the HTML/script/etc to do things like pop-ups, pop-behinds, moving windows, windows without toolbars and status bars... there should be an unbreakable firewall at the edge of the document portion of the browser.
I do support for about 150 users, most of whom are programmers. I'm starting to have to clean spyware out of three or four computers a week, and a couple of times I've seen "spoofs" that looked like they were trying to trick people into allowing the bogus code to run, and none of them looked exactly like "real" IE or other application windows to my eye.
Yet, based on their track record, they do the job.
So an exploit that does a better job than that, well, it's a problem. The problem should be blocked at the source... starting with removing the ability to change the browser window decorations even if you DO still allow popups.
I'm wondering why the moz team doesn't just implement signed XUL. We love using XUL for our internal applications at our company but somehow having to sign it wouldn't be a problem.
I realize we now have dialogs that warn us about everything AND that most people just click through but having trusted XUL sites or signing it somehow would be just fine by me.
What really annoys me is that:
A) The bug was marked confidential for 5 freaking years!
B) The people saying that it isn't a big deal.
It IS a big deal or else the damn thing wouldn't have been marked confidential for 5 years. Sure it doesn't allow you to overwrite system files, but I can recover from a virus. It's harder to recover from having a bank account wiped out because you used an unprotected debit card on a spoofed website (forgetting that anyone who uses a debit card instead of a real credit card online is just asking to be screwed).
Really the best route for this is to disallow remote XUL execution by default with an option to enable it in the prefs with a list of trusted XUL sites.
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
I've never heard anyone say it was MS's fault that people can make a convincing fake browser interface to fool people. Hell, all of slashdot has discussed this type of thing before, with the old ads some companies made to look like popup dialog boxes. Those fooled a lot of people, but I've never heard anyone say it was MS's fault.
But there's a very simple solution, and I can explain it in one sentence.
Never let anything, popup windows, javascript, etc., hide any part of the browser interface.
That's it. 100% solution to the "fake browser interface" problem. In fact, Firefox already has that partly covered, "Allow scripts to: [*] Hide the status bar" => "Allow scripts to: [ ] Hide the status bar". That setting should default to unchecked, and it shouldn't be user-modifiable. On my system, I immediately saw a double status-bar. But that's not enough, the menu bar and browser controls shouldn't be hidable either.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
Good suggestion.
Also, Internet Explorer with Windows XP SP2 will prevent websites from creating pop-up windows without a status bar, or with the status bar positioned off screen. Microsoft has recognized that the status bar should always be visible, I think the Mozilla/Firefox team should follow suit.
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx#XSLTsection137121120120
What am I missing when I don't understand why this problem is specific to XUL in Mozilla?
At the risk of losing MASSIVE Karma points, I can't, in good conscience, fail to note that all of these claims that IE is vulnerable to this same type of spoofing are FALSE. You cannot create a fake browser window of ANY size or shape in IE with the same theme the user is employing for his or her desktop. This information is simply NOT available to IE's DHTML implementation. You can fool a retard with a borderless fake window, but you'll never guess my lime green ugly-ass color scheme is in place, and I **will** notice the rogue window.
:-)
This is why the Mozilla vulnerability is so serious. You could fool even very experienced users. Like sysadmins who log in as root.
What it does is mimic the interface of an UNMODIFIED Firefox. Install ANY extension that changes the menubar or toolbar and you'll notice all that gone in the new window.
Heck, you don't even need to install any extensions...just customize your toolbar a little...place ANY icon after the help menu and try the proof of concept...it doesn't work - the difference is too obvious.
Neat trick, definitely, but I don't see it as much more.
Find a job you like and you will never work a day in your life.
XUL makes these browsers unusably slow on older machines. I have to use Netscape 4.8 (which has its own issues, but speed certainly isn't one of them - it doesn't take 5-10 seconds to open a new window) in order to get acceptable response on my old 450 MHz desktop (which is, I might add, perfectly fine using ANY other application, including Windows 2000, IE, Apache, MySQL, Word and so on).
I really think (as others have also mentioned) there is a lot of blinkered thinking when it comes to Open Source software, to the extent that people are starting to blindly ignore the flaws - these same flaws in Microsoft apps would be pilloried mercilessly, but here you see all kinds of "yeah, but" comments. I am not putting down OSS, but the XUL thing was a classic example of developers going away to make a browser, and coming back with a bloated, swiss-army-knife, can-customize-up-the-wazoo Internet Platform. I don't particularly care about changing the "skin" on my browser - all I want is a small, fast application that adheres to standards and is preferably cross platform. They could have gotten the cross-platform part by using something like wxWidgets. I thought Firefox was supposed to be smaller and faster, but unfortunately XUL still seems to be at its core. And for those who say "Well, why don't you go away and make your own browser" - I have other projects I am working on and don't have the time.
And to all those people who say that I should just get a new computer - well, tell that to all the schools out there who have old computers donated for teaching the kids. Anyway, why should I have to upgrade because of one application - a BROWSER of all things? Just a classic case of developers going over the top to prove to everybody just how smart they are and how generalized their code is. And what do you know, now we find out that there seems to be a darker side to all this customizable GUI code. Oh well...
BTW, I don't hate Mozilla. This is a criticism of one aspect of the project that I think just went severely off-track with featuritis. The project is very worthy effort and I applaud the people who are making it, but these are just my honest thoughts on the matter.
That didn't prevent the statusbar hack, but it made everything else *really* obvious.
Have a look at about:config. There's a lot of useful stuff in there.
I've always known Mozilla to be less than the perfection that Slashdotters have paraded it around as. Now that all these security vulnerabilities are being discovered...well, nothing's changed for me because I use Opera.
No pointless XUL, no reimplemented widgets, no cute little XPI spoofs. Just a native web browser that is the fastest and leanest out there.
It's interesting to watch the conflicts of posters today. On one hand, they want to keep using Firefox and supporting it. On the other hand, they know that if this was an IE vulnerability, they'd be all over it and crying out about "why would anybody still be using IE, especially if this was known for five years!!"
Just an amusing illustration of double-standards on some people's parts. Not everyone...just the hardcore zealots who like to post here. This trend of Mozilla holes is a nice way for them to gain a little perspective on the matter.
Now, imagine if Mozilla had IE's marketshare right now! These holes would be blown apart by hackers, and I imagine dozens more would be discovered. Already, the trend is rising.
I'm running Firefox 9.2, and nothing happens. Guess I was smart in limiting what permissions Javascript has. Why exactly would you let Javascript do all the things it can do, when you have the option to disable the most pesky ones in Firefox? All I'm saying is, people are making a bigger deal out of this than it really is. Just make all releases have minimal Javascript settings by default, and then make the user activate the more spoofable settings (alter window size, hide status bar).
Okay, so somebody essentially builds a Javascript replica of the Firefox browser which activates as a popup when somebody clicks on a link. For this, the Mozilla folks are being raked over the coals. This is like saying a bank vault is insecure because it can be breached with explosives. Any browser could be spoofed this way and this has been going on with IE for a long time ("Your computer is infected with spyware, click OK to install more spyware^W^Wour software.")
Granted, I'd like to see it more secure by default , e.g., it doesn't install software by default, Javascript disabled, etc. This also isn't uniquely a Mozilla problem as the first versions of Red Hat shipped with telnet and rlogin ports open by default. It all goes back to the age old debate about security versus functionality.
As others have mentioned, you can change the Javascript behaviour to ensure that all new windows will always retain their title and control bars. Consequently it is a matter of configuring your browser properly.
The FF team made an admirable effort to come up with a default configuration in prefs.js that mostly works, and adding a few lines to it is a matter of conscientious system administration.
My son told me he did a screen capture on the computer of his comp sci teacher, then installed it as a background and had the poor guy futz around for a long time trying to figure out why all his icons and taskbar are dead - we cannot honestly say that such an exploit is a bug in Windows now, can we?
Oh well, what the hell...
No matter how much we beef up Firefox's impressive security, we can't do a thing to protect it from idiotic users who click first and ask questions later. Nothing can protect idiots from themselves. As for Mozilla ignoring the bug, they might've thought it could've been something webmasters could do to enhance their pages. Now that people are taking advantage of it, they announced it as a bug. For example, if you made a browser, you might want to allow Javascript to change the background of the UI. Except that nobody decent does it, and those who do cover the UI in pornography and/or ads. So you plug the hole.
The idea was/is: If you focus on web browsing only, you always have to see what other browsers (especially IE) do and always jump after them if they create some cool new thing or introduce a new successful tag (even if it's not in the specs). So the idea is to create a surplus value like XUL in combination with other things, like access to Mozilla internal interfaces or RDF, XUL, SOAP, XML support, which makes it easy to create some web-apps (an application development platform). So here you are the challenger then and don't have to follow the other browsers all the time.
Try this, it mostly works:
./.mozilla/firefox/default.flc/prefs.js
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("dom.disable_window_open_feature.minimizable", true);
user_pref("dom.disable_window_open_feature.resizable", true);
user_pref("dom.disable_window_open_feature.scrollbars", true);
user_pref("dom.disable_window_open_feature.status", true);
It is only the last line that seems to be buggy, since the status bar still gets overloaded.
Oh well, what the hell...