Big Day For Browser Vulnerabilities
An anonymous reader writes "All browsers have been reported vulnerable to different vulnerabilities today. Starting with: Internet Explorer on XP SP1/SP2, which suffers a new system compromise (of course) vulnerability. Continuing with: Opera, Mozilla / Mozilla Firefox / Camino, Safari, Netscape, Konqueror, Avant Browser and Maxthon, which all suffer some new spoofing vulnerabilities. Demonstrations of the spoofing vulnerabilities are available here and here."
Stop the presses.
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
Possibly solutions that I've just thought up (for discussion)
While they're fixing this, if all browser makers could make sure there's an option to stop websites resizing my browser, that'd be lovely. I know Moz has this, so it can't be hard for everyone to have it.
Join the Free Software Foundation
Guess we're all getting pwnXored today, Windows, Linux and Mac.
The Mozilla etc problem seems equally serious.
Why further continue the public's view of the open source community's immaturity by adding such a silly editorial comment to an otherwise reasonable story submission? And why did /. choose to post it?
it's just that IE is so tied to the OS that when it goes down so does the whole 'puter
-Nb
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Lynx missed out!
Be you Admins? nay, we are but lusers!
I use Lynx, you insensitive clod!
CDJChristian Jones
Medicine. Mathematics. Mediocrity.
I need to pull the plug! I gotta get off the net!
someone is going to steal all my PORN!
So, what now? I guess I pull this cord right her....
If I wrote something witty, you would say I stole it from somewhere.
Who will get the fixes out first. If I was a betting man, I would say Mozilla.
Free Desk
Fortunately, I use...
*checks the list*
Lynx! Yes, that will do.
Wanna guess how long Mozilla, Firefox and such will take to fix this?
:)
And how long IE will take?
Didn't think so.
The Tlog - a technology blog
No exploits possible, as the technology used by those exploits isn't understood by OB1. No Java/JavaShit. No Flashy garbage. No drive by installs. Just the web as God intended.
http://www.OffByOne.com
I guess the best defense is a good slashdotting.
It's a vulnerability lotto! Mozilla got a spoofing vuln (assuming URL spoofing vuln, as the article is slashdotted, and I'm too lazy to view the Bugtraq lists)! At least it isn't as bad as IE....guess that stack protection with SP2 isn't helping with that one?
Bored? Why not join a decent mess
Very funny - am I glad I'm working from home today... Damn near deafened me though :-)
It's official. Most of you are morons.
I just tried the exploit demonstration for Safari, but it did not work. The active tab switched back to the one providing the pop-up, not the target site. Did anyone else try it and have it work?
Slashdotted already. Would it kill the editors to, you know, edit and provide brief outlines of the stories they're linking to, especially in the case of stories on third party sites that they know will most likely not stand a slashdotting?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Seems Secunia is also vulnerable to /.'ing... 6 minutes and it's fried.
"God is a comedian playing to an audience too afraid to laugh." -- Voltaire
For those who can't be bothered to RTFA, the Mozilla vulnerability is essentially a standard link with an "onMouseOver" bit which runs a little piece of JavaScript.
The JavaScript pauses for a few seconds (while you presumably get distracted by another page) then flashes up a "Please enter some text" dialogue box.
A similar effect could be achieved by calling the JavaScript on pretty much any event; the vulnerability relies on it being unclear which site caused the dialogue box to pop up. I can see how it could be classed a vulnerability, but it's hardly earth shattering.
all URLs slashdotted already
Don't people ever learn a thing? And they call themselves a security company.
For Windows Firefox users: Tools -> Options... -> Advanced icon (left side) -> Software update section -> Check Now button
Speak truth to power.
Preface: I love tabs to death, I don't remember how I could surf without them anymore.
That said, tabs are problematic, especially if you have several open to the same site but in different sessions.
For example, in my online game (see below), you can play several characters with the same account. If you play char 1, open a tab, do something there, then log out and log into your character 2 while the tab with char 1 is still open, woohoo, there's all kinds of trouble waitin' for ya, son.
Tabs make switching so convenient that you sometimes forget just where you were and what you were doing.
Assorted stuff I do sometimes: Lemuria.org
As far as security updates, patches, and good fixes (keyword: good), Mozilla and the other browsers 0wn IE
Using Safari 1.2, the tab where the JavaScript dialog is coming from is activated when the dialog shows up. Nothing insecure there. I can _see_ that this is not a Citibank pop-up.
Anybody care to explain to me?
--
kTag
Mozilla/Firefox: Before I get home.
IE: Before Christmas.
Only in a Slashdot fantasy can a Slackware install turn into several hours of sex . . . . .
In other words, don't visit untrusted sites?
Now what am I going to do -- how am I supposed to reply to my email?
sigs, as if you care.
Flamebait, WTF? I didn't say IE sucked...just said I was glad that I wasn't running it. Some people are too religious with platforms. It's just a browser!
For those who can't be bothered to RTFA...
Or those who can't get to it because it's slashdotted...
On behalf of those of use who can't read it yet, we thank you for the summary.
We also chastise you for both your condescending attitude and your not posting the article.
silly troll.
this is a vast right wing luddite conspiracy. :)
Lift it high, high,
the machete is already sharpened;
as long as you're bathing anyway,
you might as well get soaked.
For Apple's Safari browser
Description:
Secunia Research has discovered a vulnerability in Safari, which can be exploited by malicious web sites to spoof dialog boxes.
Inactive windows can launch dialog boxes so they appear to be displayed by a web site in another window. This can be exploited by a malicious web site to show a dialog box, which seems to originate from a trusted web site.
Successful exploitation would normally require that a user is tricked into opening a link from a malicious web site to a trusted web site in a new window.
A test is available here:
http://secunia.com/multiple_browsers_dialog_box_spoofing_test/
The vulnerability has been confirmed in Safari 1.2.3 (v125.9). Other versions may also be affected.
Solution:
Don't visit trusted web sites while visiting untrusted web sites or disable JavaScript.
And for IE
Description:
http-equiv has discovered two vulnerabilities in Internet Explorer, which can be exploited by malicious people to compromise a user's system, link to local resources, and bypass a security feature in Microsoft Windows XP SP2.
1) Insufficient validation of drag and drop events from the "Internet" zone to local resources for valid images or media files with embedded HTML code. This can be exploited by e.g. a malicious web site to plant arbitrary HTML documents on a user's system, which may allow execution of arbitrary script code in the "Local Computer" zone.
This vulnerability is related to:
SA12321
NOTE: Microsoft Windows XP SP2 does not allow Active Scripting in the "Local Computer" zone.
2) A security zone restriction error, where an embedded HTML Help control on e.g. a malicious web site references a specially crafted index (.hhk) file, can execute local HTML documents.
NOTE: This will also bypass the "Local Computer" zone lockdown security feature in SP2.
The two vulnerabilities in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files can be exploited to compromise a user's system. This has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.
Solution:
Disable Active Scripting or use another product.
Join the Free Software Foundation
"cleaverly"?
Seems like all the vulnerability reports are vulnerable to reporting them on /.
Robert
Bastard Operator From 193.219.28.162
Inactive windows can launch dialog boxes so they appear to be displayed by a web site in another window.
When I tried this in Safari 1.2.3, the browser switched back to the test page as it gave me the phony dialog box. The Citibank page was only visible for a second or two before Safari switched back to the exploit test page.
Doesn't seem to be a problem here... ?
A collection of vulnerabilities were posted by CERT yesterday for Internet Explorer. Having said this, I still do not understand how this particular article pertains to being "newsworthy". It is understandable if an issue which is deemed to have quite a large effect be posted - nothing is a substitute for using Bugtraq, et al. mailing lists.
There are 10 types of people in the world.. those who understand binary and those who don't
Spoofing Demo 0
Slashdot 1
Take that you evil spoofers!
Sig it.
Essentially, it's an interface error. The problem seems to be that dialog boxes don't explain which tab they belong to.
I'm not sure if it's restricted to tabs. Can't get to the demo sites anymore as they're /.'ed, but I wouldn't be surprised if it works just as well for opening the external site in a new window.
So with some creative coding, properly guessed/estimated delays, you can create the impression that dialog box A belongs to tab X, while it's actually from tab Y.
Assorted stuff I do sometimes: Lemuria.org
Although they list Mozilla*.* vulnerabilities as not very serious, they must be acknowledged anyway. One is fairly trivial, I've seen it many times: typing in a text box in a tab may send keypresses to a text box in another tab. It happens when I open many tabs at once; the last tab to load usually steals the focus. It's a minor annoyance, though, and can be easily noticed looking at the screen, since typing doesn't appear where it should. However, spoofing dialog boxes can be more serious. Although suspending script execution in inactive tabs could solve this problem, it can break other things.
At any rate, I'm fairly confident this will be solved in a sensible way by Mozilla*.* developers.
My neighbor's
I just create multiple windows. Seems redundant to me. But the same problem should happen with multiple windows anyway.
With the cyberthalamus, the singularity will happen.
I've yet to get these exploits to work properly using Safari....
The little JavaScript window pops up too quick....Before I even get to look at Citibank.
And the other test page doesn't even work at all...
So much for EVERY browser affected!!
It's left blank because I have nothing to say to you punks!
Running a camino nightly build from sometime last week I cannot recreate the focus vulnerability...
While it appeared clear that the form field in the test page was stealing focus from the citibank site in the active tab there were no keystrokes recorded in the test page... as if my keystrokes were going into nowhere instead of getting stolen by the "attackers" form / background tab.
(also, the prompt vulnerability took a few tries to recreate as I load tabs in the background of the current one and needed to be fast enough to not get the prompt before I had time to switch to the citibank tab)
[place
> Make the website launching any JavaScript event appear in the foreground
That's indeed how Konqueror has fixed this in KDE 3.3.1.
As I can't link bugzilla form Slashdot... go to http://bugzilla.mozilla.org/ and type in there the bug number. (None: it's not marked there as FIXED, but you should look at the "fixed-aviary1.0" keyword, which is what matters for Firefox 1.0)
"Slashdotted" needs its own error code.
The JavaScript dialog is displayed when another tab is in focus and seems to appear from another tab. This is a usability problem anyway because you should have a way of knowing where the JS popup comes from exactly.
What about herpes?
Another one bites the dust
I am using "telnet 80" from now on... and if by chance that is vulnerable I'll write my own minimal telnet client... so what... my eyes will bleed of html tags and other cruft... ok so where do I get a ssl capable telnet client so that I can do my online banking?
SIMPLICITY FOLKS!!!
Less features is better.
Because the complexity and importance of our web browsers continues to increase, security of those applications will never be "solved" or "fixed".
Other steps must be taken to deal with these issues. What we can do is treat the symptoms.
For those using Linux or UNIX, privilege separation (running the browser process as a user ID that has limited rights) and a chroot jail would be major steps forward.
I believe the browser projects need to work with the community to support that type of runtime configuration.. Before a big nasty vulnerability does damage.
Chroot, in particular, is very tricky.
This is an excellent example of two facts:
Here's what the vulnerabilities are:
In all the non-IE browsers, there's a potential issue with how tabbed browsing works. Basically, the problem is that stuff on tabs other than the active tab can still (a) pop dialogs and (b) have the keyboard focus. It's pretty clear that (b) is just a problem that should be fixed, because although it's possible to conceive of a circumstance where a user would want to look at one tab while typing into a box on another, it's clearly way too surprising and not nearly useful enough to be allowed. But (a) is more interesting. It's a side effect of the fact that pages continue functioning in all ways even when they're not the active tab. This includes running Javascript/Java/Flash programs, loading, rendering, etc. And that's a good and useful thing. But when a background tab pops a dialog, it may appear to the user that the dialog was created by the active page. If the user trusts one page more than the other, that can lead to problems.
The solution to this dialog-popping problem isn't obvious. Perhaps dialogs need to be labeled with the name of the site that created them. Perhaps some other solution. But it will be worked on, even though the risk is fairly small.
The IE vulnerability is very different in that it's a system compromise flaw. It's similar in one way, though: it's caused by a subtle interaction of features. In this case, dragging and dropping of image or media files with embedded HTML code, which may be malicious. This malicious code isn't a problem, really, because IE is security-conscious and won't execute it -- except that Microsoft has that terrible "security zones" design feature. Once the malicious code is moved from the "Internet" zone to the "Local Computer" zone, the code will be executed. What makes it especially funny is that Microsoft fixed this problem in SP2 by changing the Local Computer zone so that it will no longer execute Active Scripts. But yet another bug in the security zones can be exploited to bypass that "problem" so SP2 is vulnerable as well.
Security flaws are everywhere, but what really kills Microsoft is their rash of bad design decisions in the past, turning little holes into remote root exploits. They're getting better, I believe, but it's going to be a long hard road for them to patch all of the problems that are created by their bad design decisions. It's too late, of course, to change the design. Too much depends on it.
...for secunia.com, it's called /. effect!
Once again, for all you web masters out there who cannot code a simple <a href="foo"> without using Javascript:
SOME OF US RUN WITH JAVASCRIPT DISABLED BY DEFAULT, FOR GOOD REASON!
Yes, there are plenty of places where you CANNOT do what you need to do without Javascript - in those cases go ahead and use Javascript.
But for a simple link to another page, or to an image, or to simply DISPLAY your site's content (I'm thinking of bone-headed sites like the International Herald Tribune here who use JS to display otherwise hidden text for their stories), USE HTML DAMNIT! OK, if you want to "enhance" (pronounced "clutter up with needless crap") your site by overriding those behaviors IF Javascript is enabled, knock yourselves out (preferably with a large mallet). BUT MAKE STANDARD HTML WORK AS WELL!
Yes, you may WANT your image to be in its own window, without the standard decorations a browser will add. But if I have JS disabled, make the damn link just spawn a new window and be done with it.
www.eFax.com are spammers
IE
Opera
Mozilla / Mozilla Firefox / Camino
Safari
Netscape
Konqueror
Avant Browser
Maxthon
spoofing vulnerabilities are available here and here."
Feel free to castrate my browser if I messed up the links, but it looks to be working just fine... for now.
http://www.fsckin.com/
Option 4: Don't allow webpages to open dialog boxes from Javascript. The only time I've seen this as being useful is for optional client-side form validation, and there are other ways to provide the same functionality (for example, using CSS to bring up the message in the same page).
Option 5: Don't allow webpages to open windows without decorations. This is occasionally useful, but it's routinely abused by everything from pop-up ads to control-freaks who just don't want you to see how their site is structured.
Sick of the ugly it.slashdot theme? Here's a simple way to fix it. Just add the line: 64.246.11.90 it.slashdot.com to your etc/hosts file. Problem solved!
I'd go more with: Mozilla/Firefox: As soon as this story's thread gets about 100 posts IE: MAYBE before this story is lost into the abyss that is /dev/null.
Video Production Support
I just tried Dillo for the first time an hour ago. Sweet little thing. :-)
I note the vulnerability Secunia found in Mozilla et. al. is easy enough to block. It depends on onMouseOver triggers and the launchTimedPrompt() function. Block either of those via the capability.policy.* settings and the problem ceases. I'm tempted to add launchTimedPrompt() blocking across the board simply because no Web site has any business launching a delayed dialog box.
I tried that test too. I read other comments about Safari, but my install had a strange behaviour (and that's in a good sense). The Citibank site's tab didn't even get created until I clicked OK on the JavaScript dialog, which always stayed on the test page.
The article submitter added the "(of course)" for no other reason than to try to make up for the fact that all the other non-IE browsers have vulnerabilities as well...but "M$" must be the bad guy! Right?
I don't know if you have the same settings as me. In my case, my preferences are set to open new tabs in the background -- so the dialog box appeared over the test page while the Citibank page loaded.
While it does seem somewhat insecure, I don't believe this is "critical" for Safari, particularly if you don't have the "Select new tabs as they are created" preference checked. You'll see exactly the behavior you described, which IMHO is the way around this problem.
-Geoff
They were both silly and IMO hardly bugs at all. One of them contained a dialog, no dialog ever indicates the page it came from, nothing new there.
;)
The second one was even dumber... You type on your keyboard or even try to select a value from a combo box and nothing happens in the page (the combo pops and immediately closes). A person that will be fooled by this behavior deserves to have his bank account emptied. I'm all for making a browser foolproof but it's impossible to make it idiot proof! This isn't a security bug, I can see Joe Sixpack trying to log on to Citibank (although I doubt he will use tabs). He will try to type his password (joe1234) and after the j won't appear he will try again and again... The thief will get the password "jjjjjjjjjjasgyuva8hiv8auno8ghW[0-q934r78" damn Mozilla
I don't get it, I tried the Firefox exploits in 1.0PR, but neither exploit work.
On the first one:
The citibank site opens in a new tab, I click on the field that says "enter a zip code" but the typing cursor never appears. The pull downs down pull down and nothing works. Wasn't it supposed to work as normal?
On the second one, the dialog pops up when I'm on the Secunia page, just when I try to click the tab to switch to the citibank one. How am I supposed to think its from Citibank when the Secunia tab is the top tab!?
Whats the trick to getting these to work?
Everyone doesn't use gopher???
He's not in the book, you know.
Heh, it isn't the demo peoples thats the evil haxors. There white-hat guys. Its the peeples thatr posting the same demo into their comments here on slashdot, where you dont think to expect sploits....
...but pretty obvious something is not right.
I'd post the URL for the test page but it wouldn't let me select the text in the address bar. None of the buttons on /. worked. In fact no links worked in any of the tabs I had open. Nothing worked.
:)
After opening the Citibank page I typed a ZIP code in. The text indicator stopped flashing straight away and none of the text I typed appeared in the INPUT box; it appeared on the test page in a text area.
I'd like to know how it works on a password field but the test page is now slashdotted. Asterisks or the actual keystrokes?
Reminds me of the old days with FRAMESETs and using JavaScript to fill in forms.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
I updated
I reinstalled a newer version
its not fixed
Doing something so "difficult" would require a little bit of work, and such an exertion of force violates Slashdot laws of physics. Violating those laws risks a paradox of time and physics, as well as threatening the livelihood of the checks coming from OSTG. Those precious checks.
Oh wait... the example was slashdotted. Damn. Windows Update, here I come!
End of Line.
You won't see endless mocking over that one, as opposed to when Microsoft said pretty much the same thing once to prevent an IE vulnerability attack.
This is Mozilla, so that makes it different!
What amazes me is that Mozilla, used so much less in comparison with IE, seems to be reaching par with its rate of vulnerabilities. I can't imagine how bad the Mozilla attacks would be if it had the same marketshare that IE does. In light of all the endless crap vulnerabilities in Mozilla, I've fully switched to Opera and haven't looked back.
How's this a vulnerability? So I go to a website, and then open another tab, meanwhile the other website I was at waits 8 seconds and then pops up a dialog box. Hrmm yeah.. that's a vulnerability. Because one website does something while I'm at another website doesn't make it a browser vulnerability.
Internet Explorer:
http://www.mirrordot.org/stories/fa7781f4bd317269
Opera:
http://www.mirrordot.org/stories/478397b5abb68bb9
Mozilla:
http://www.mirrordot.org/stories/1a15584c6fa168ae
Safari:
http://www.mirrordot.org/stories/e1d558dc1a54e2fc
Netscape:
http://www.mirrordot.org/stories/8b61eaead060ec5e
Konqueror:
http://www.mirrordot.org/stories/8b881e18e8d466f2
Avant Browser:
http://www.mirrordot.org/stories/66e5caeed91c4506
Maxthon:
http://www.mirrordot.org/stories/e605ef483225f401
Demo link 1:
http://www.mirrordot.org/stories/06f4efd98001b965
Demo Link 2:
http://www.mirrordot.org/stories/d2436904419abff2
I'm using the newest beta of Opera (7.6b1), and neither of the vulnerabilities on secunia work.
I always visit pr0n sites while I'm paying my bills, and checking on my investments, while paying taxes and entering my credit card numbers
Here's another mozilla bug that needs to be fixed:
<script type="text/javascript">
while(1) alert("ha ha!");
</script>
I've noticed the form vulnerability many times before--many email sites seem to do this, so that if I go to, say, hotmail.com and then open a new tab to go to google for a search, I start typing into the hotmail user name box.
I never thought of it as anything more than an annoyance, though... I wonder how many other little annoyances there are hiding around that may actually have security implications?
Be a PATRIOT--because the only thing we have to fear is the lack thereof.
The Mozilla etc problem seems equally serious.
Mozilla etc... "If the user explicitly opens a page in a background tab, it may not be possible to tell what webpage a dialog box is associated with". Note that the exploit can not open a page in a background tab, it can only take advantage of that if it happens.
Exposure: If the user can first be tricked into opening a page in another tab, and the exploiter can guess whether the user has "open tabs in background" (or the equivalent option) selected or not, then they may be able to trick them into entering confidential information a little easier. There are other ways to get similar results without having to trick the user twice, using frames or with multi-stage popups.
Internet Explorer: The exploit can be used to launch web pages in the local security zone. The hole here is really the fact that there is such a thing as a "local security zone" at all. For seven years now, exploit after exploit has used this design flaw in the HTML control to run arbitrary code as the local user. Spyware, viruses, worms, spam bots, over and over again, malicious software has gained its initial foothold through variants of this attack.
Exposure: Visiting a web page can allow an attacker to take over your computer, without any further action on your part.
And you say "The Mozilla etc problem seems equally serious."?
Jesus.
after all, I love to bash poor Microsoft, but exhaustion is rapidly setting in here. I am what passes for a careful user: I don't use IE, I run the latest Mozilla, I use a firewall and anti-spyware and when it's all said and done...not much gets done because I am fretting over yet another patch or vulnerability. I have sympathetic talks with my sysadmins but my family thinks I am the Home Network Nazi. The color codes provided by Secunia are, despite seeming like imitations of the nation's goofy alert color codes, a step in the right direction. But what I want is an alert level made meaningful by contrasting it with risks I do understand: since we perceive risk as a product of CHANCE_OF_OCCURRENCE X COST_OF_OCCURRENCE, I want a system where I can set a threshold for ignoring the drivel. The basis could be a chance_of_occurrence equal to my chances of a serious car accident on the way to work, for instance [say it's 1 in 5000], and the cost is monetized in the range from $0 to the 1.7 million [or whatever it is] that the insurance industry pays out on average for a loss of life. ...if I am filthy rich, a vulnerability that opens my brokerage account could be > than loss of life but that is for me to set. All the stuff that falls below the threshold, I don't want to hear about, at least not more than once a year in a round-up batch of patches. Enough already!
I feel like a small town policeman buried under a barrage of "sky-is-falling-alert-level-puce" faxes from Homeland Security to be dealt with on zero budget.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
An IRC quote that sums it up for me. :)
{@BlindSite} unless your a labotamised ginger midget with a blonde gene, mozilla is very easy to use.
Taken from i-rox.
I tried in Mozzy 1.7.3 and the thing didn't work, yeah it captured what I wrote in the other window but since I couldn't see what I was writing I wouldn't keep typing... It's not like someone is going to say "Oh I can't see my username it must still be working"
And next /. poll should be
Wanna guess how long Mozilla, Firefox and such will take to fix this?
There is a spark in every single flame bait point.
Actually the stack protection only really works on x86-64 CPUs. The problem is that x86-32, or IA32, simply doesn't have an NX flag to mark any piece of memory as non-executable. The SP2 feature is only there in preparation of the new chipsets, or just in case the feature is backported somehow.
I know this because I have used Mozilla since version 1. I currently use it as my only browser on Linux. The bug where a form can have its focus stolen by another tab happens accidentally all the time, and it is really annoying and has been really annoying from some time now. Any Mozilla user has to have come into contact with it, so why has it not been fixed yet?
The other more general problem of one tab being able to open a dialog box while viewing another tab is also a problem. Pop-ups of any kind should be isolated to the tab they originated from. Tabs should "contain" the page they have open as well as all pop-ups and dialogs the page generates. This would prevent the spoofing demonstrated AND it should make web browsing far more structured and organized for the user. It would effectively add a hierarchy to browsing, as new windows and dialogs generated in a tab are only displayed when that tab is selected and furthermore they are "contained" within the tab's main pane.
I will be surprised if the form focus bug hasn't been bug reported several times over already. The tab dialog/pop-up bug has been complained about, but I could see it not be formalized as a bug report as it is somewhat consistent with modern desktops like Windows. Still, it is a problem and a "tab containment" design should be used instead of the current design.
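An added example, not from any post in this thread: a small JavaScript model of the two fixes the discussion circles around, Konqueror's "bring the requesting page to the foreground" behaviour mentioned earlier and the "tab containment" (hold the dialog until its tab is selected) proposed in the post above, with each dialog labelled by the origin that created it. The tab ids, origins and the replayed scenario are constructed for illustration.

```javascript
// Toy model (constructed example) of two mitigations for background-tab
// dialog spoofing. Policy "foreground": activate the originating tab before
// the dialog is shown. Policy "contain": hold the dialog until the user
// selects that tab. Either way the dialog text carries the origin that
// created it, so it can never appear to come from the active page.

class TabbedBrowser {
  constructor(policy) {
    if (policy !== "foreground" && policy !== "contain") {
      throw new Error("unknown policy: " + policy);
    }
    this.policy = policy;
    this.tabs = new Map();   // id -> { origin, pending: [] }
    this.activeId = null;
    this.shown = [];         // dialogs actually displayed, in order
    this.nextId = 1;
  }

  // Open a page; background=true models "open new tabs in the background".
  open(url, background = false) {
    const id = this.nextId++;
    this.tabs.set(id, { origin: new URL(url).origin, pending: [] });
    if (this.activeId === null || !background) this.activate(id);
    return id;
  }

  // User (or the browser under "foreground") switches to a tab.
  activate(id) {
    const tab = this.tabs.get(id);
    if (!tab) throw new Error("no such tab " + id);
    this.activeId = id;
    // Under "contain", dialogs queued while this tab was hidden show now.
    while (tab.pending.length) this.display(id, tab.pending.shift());
  }

  // A script in tab `id` asks for a dialog, e.g. a delayed prompt fired
  // after the user has already switched to another tab.
  requestDialog(id, message) {
    const tab = this.tabs.get(id);
    if (!tab) throw new Error("no such tab " + id);
    if (id === this.activeId) {
      this.display(id, message);
    } else if (this.policy === "foreground") {
      this.activate(id);         // requesting page comes to the front first
      this.display(id, message);
    } else {
      tab.pending.push(message); // held until the user chooses that tab
    }
  }

  display(id, message) {
    const origin = this.tabs.get(id).origin;
    this.shown.push({
      tab: id,
      origin,
      activeWhenShown: this.activeId,   // invariant: always equals `tab`
      text: "[" + origin + "] " + message,
    });
  }
}

// Replays the scenario described in the thread: the test page opens the
// bank's site, the user moves to the bank tab, then the test page asks
// for "some text". Hostnames are placeholders.
function spoofScenario(policy, bankInBackground) {
  const b = new TabbedBrowser(policy);
  const attacker = b.open("http://attacker.example/test");
  const bank = b.open("https://bank.example/login", bankInBackground);
  if (bankInBackground) b.activate(bank); // user clicks over to the bank
  b.requestDialog(attacker, "Please enter some text");
  return b;
}
```

Under either policy every entry in `shown` has `activeWhenShown === tab`, which is the property the spoof relies on being false.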
Just switch to Firefox, someday Microsoft will get their act sorted out, but for the moment switch the Firefox.
You wouldn't disable images on the page to fix the JPEG exploit, there's no reason to disable Javascript.
HTML's nice, but it simply can't handle even basic tasks and its the only workable solution for client side interaction unless you start using Flash (eek).
Possible Solution: Don't give out sensitive information on-line. If you can't buy it by mailing in a check or money order then don't buy it. This is not a vulnerability. Getting access to your hard drive or being able to install spyware without the user knowing it is a vulnerability (see IE).
I've been recently getting junk e-mails from CitiBank asking me to enter my credit card number for account security purposes. It sounds fishy.
Good thing my cards are maxed out.
Demonstrations of vulnerabilities: here and here
burning edge said there are two minor security bugs fixed in oct. 19, 2004 firefox branch build, maybe...
You know what I mean
There is a spark in every single flame bait point.
" Starting with: Internet Explorer on XP SP1/SP2, which suffers a new system compromise (of course) vulnerability. "
It would be nice if when a story is posted that the obvious bias is removed from the posting and just the facts remain. Posting such clear bias against a certain product or company makes slashdot and its readers look like freaking idiots.
I don't really see this as a huge problem. Personally, I would never put sensitive information into a JavaScript dialogue; only a form field on a secure page.
In the case of my Firefox (W2K) the new tab I opened didn't take focus, so I still saw the sneaky page under the JS dialogue. The trickery was lost on me.
The problem I see is that JavaScript is just such a mess, and at the time was a good idea as server side scripting was non-existent. I'd love to see webmasters get away from JavaScript and new standards which limit what JavaScript can do.
I mean, if there's one application that needs to be secured and we will be using for at least the next couple of decades, it's the browser.
Except that most people behind a corporate firewall won't be able to view any of your links. I don't know about you but I don't think my company is interested in opening a port so that I can read slashdotted articles.
If you are using IE, FireFox, Opera or another graphical browser, please visit a dozen porn sites and delete two files at random from your hard drive.
If you are using Lynx or another text browser, please visit http://www.asciipr0n.com/ and delete three files at random from your hard drive.
Thank you for your cooperation.
Coralize the links, they'll load WAY faster and more reliably:
http://secunia.com/advisories/12712/
Changes to:
http://secunia.com.nyud.net:8090/advisories/12712
When I tried it, the dialog came up while the Secunia page was still showing. The Citibank tab appeared but it didn't come to the top. This "exploit" doesn't seem like a security flaw so much as an interface/usability problem - really just a consequence of tabbed browsing that allows things to happen that are confusing to the user because the non-visible tabs can still do things.
see subject
v1.0 PR
Konqueror (kde3.3.1) is actually already patched against the only vulnerability, the field-form-focus, that affects the browser.
Way to go KDE!
Hack your mind out of its sandbox.
I agree with you that pages have to work without JavaScript. However, having JavaScript disabled permanently is ridiculous if you're using the Web professionally.
Use a safe browser instead.
If you want to deploy a client-server program, write it in Java and design the protocol yourself. By the time you get done adding and configuring all the shit necessary to make a webapp act like a client-server application, you may as well have just written a Java program anyway. Oh, and I really don't like Java either, but at least you're not trying to shoehorn an application into a text delivery protocol with it.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
those color TV's will make you go blind
fkin luddite
Just put your mouse over the "click" link and then wait; the script runs without having to go to the link. Oh, and you want me to tell you which link, too, no doubt.
wb
while it's useful to know those can be possible exploits, i noticed that with the first "bug", if you keep the mouse over the original link for 8 seconds, the same dialog window will pop up... no need to be looking at the tabbed window...
as for the 2nd vulnerability, all my tabs are mis-behaving when i have the citi page open, so that's just a silly thing...
regardless, nice to know someone's keeping an eye out...
One has to be careful before dismissing any of these bugs as "not serious" simply because it seems convoluted steps and/or circumstances are needed to take place in order to exploit it. Remember that some past exploits have shown admirable creativity. I recall a lot of people wrote off the recent IE drag-and-drop vulnerability for this very reason - but now effective exploits are in the wild, as they say.
#DeleteChrome
It depends on how you open the link in Firefox, if you open it by a single click then I can see the cause for confusion.
If you open the link by a middle click (as I usually do) then it should be more obvious what is happening.
> Except that most people behind a corporate firewall won't be able to view any of your links. I don't know about you but I don't think my company is interested in opening a port so that I can read slashdotted articles.
It's not our fault your company is a hostile work environment.
In fact it seems to have shown some bug in Safari or in Cocoa. I used ctrl+click to pop up the menu and choose open in a new window, and what happened is that the menu stayed up, and the dialog box appeared above the secunia site, and let my type it in. I could not raise the dialog box above the menu, or pick items from the menu. When I dismissed the dialog box the Citibank window opened.
Trying a second time sort of worked better, perhaps because Citibank was cached. But in this case it stopped updating the window after only drawing a few items and paused waiting for me to fill in the dialog box.
OOOhhhoo, finally my wish will be granted *ooooohhooo, bounces around out of happiness*
*fast reading*
-
Secunia Research has discovered a vulnerability in Konqueror... [blah blah blah]...
...
*NoooooooooooooHHHH!* Inactive tabs can launch dialog boxes.... [blah blah blah] ...
Successful exploitation would normally require that a user is tricked... [blah blah blah]...
*Oohhh*A test is available * ooh ooh, does one dare ...*
The vendor reports that the vulnerability has been fixed in KDE 3.3.1.
</sarcasm>
*Konqi User goes back to Yawning*
I don't claim I know more than I know, and if you know you know more than I know, then by all means, let me know.
To call the tab browsing issue with the alert boxes a security vulnerability sounds like a bit of a stretch. A hell of a confusing UI issue, truth be told, but hardly seems like a security problem.
1) In my case, I have always had Firefox load tabs in the background. So when the dumb little dialog pops up I am still on the Secunia site.
2) I would probably be very suspicious of a non-standard JS popup coming up and asking me for any sort of sensitive information.
3) The user must consciously be using tab browsing (with tabs loading in the foreground) to have any chance of being duped by this. Just clicking on the link to load the page in the same window cancels the setTimeout() call, and opening the link in a new window causes the secunia.com window to come to the foreground along with the popup. Since there is no html anchor target for a new tab, anyone wanting to exploit this vulnerability would have to be counting on catching users that have tabs that load in the foreground, and are unsavvy enough to fall for a Javascript dialog like that. My suspicion is that most users that would even know how to use tab browsing would have a mild clue.
That's weak, a spoofing bug where I have to use my imagination?
Are these on all platforms, or just MS stuff, or what? I guess I am not seeing it, my apologies if it's there. For Moz 1.7xx whatever, they (secunia link in article) say this for a fix
"Solution:
Don't visit trusted web sites while visiting untrusted web sites OR disable JavaScript." CAPS are mine
DUH, I never have scripting turned on. Thanks for the advice Secunia, turned it off a long time ago. It's the first thing I do with any new browser I download and install, I look at the preferences and make sure that scripting is not default on. Evil mojo it is. Seems like every other exploit has to do with having scripting turned on, or the traditional and infamous and legendary now e-vile "buffer overflows" thingee. It's like a bad Japanese sci fi "Radioactive mutant buffer overflows swamp tokyo!!11!". I got no control over "buffer overflows", that is the developers lookout (seems to never end, too, why is that???), but scripting any user got complete control over, and it pays to learn from history you would think. I really don't care how useful javascript is, it's way too insecure, been proven over and over, it's a bad idea to run it, IMO. Just like active X stuff for MS, just bad news from the git-go. One of the main reasons I don't get any web mail accounts anymore, most of them I have looked at seem to require it.
no... not gonna do it... wouldn't be prudent....
I left Javascript enabled in Konqueror, but set "open new windows" to "ask" in preferences and set the other JS policies to "ignore." Site displayed normally, and the spoofed text entry box didn't launch.
This is my post. There are many others like it. If you don't like what you read here, go try one of the others.
'nuff said.
feh. stuff.
AFAIK, this is related to the way generic windows work. When an application pops up a window or dialog, the topmost window of the application with the same window class as the caller is what is next behind the popup. In case of browsers, all windows/tabs are just running in a separate thread, so when thread A (from tab A) wants to pop-up a dialog box, if the topmost window of the application is B (which has the same class), the dialog will appear as though it is from window B.
Sorry, don't think we can blame IE/Firefox or anyone else for this one.
The JavaScript dialogue box popped up while I was still looking at the Secunia web page. The dialog box always appeared about 5 seconds before the Citibank webpage would even start to appear. The telephone lines in my neighborhood are only good for 26.4K, and probably because of that slight slowness the dialog box would always pop up before the webpage had started to appear. That made the dialog box seem like it was popping up from the Secunia webpage, not the Citibank webpage. Someone with a faster Internet connection probably would have occasionally had the dialog box open up at the same time as the Citibank webpage. I am using the Linux version of Mozilla Firefox 0.9.1 and running it in Slackware 10 Linux.
If you go to the second issue for Mozilla here and then click on the citibank link, it's interesting that it grabs text in the url textbox, or if you open any other XUL dialog box (New Bookmark Folder - though in IE it's not affected when adding a bookmark) it doesn't let you enter text... This same vulnerability exists in internet explorer (grabs text in the url textbox too), but I wonder if it can be exploited in IE/Mozilla using a hidden frame, or inline? I tested it with autofill but that part was fine.
Since we're at it, why don't we go back using square wheels? =)
My neighbor's
The Last Measure link contains stuff you really don't want to be seeing. Don't click on it if you're just looking for a demo of the popup style.
"I would give my right hand to be ambidextrous."
This means popups can't survive their parents, which is probably a good thing.
Visual parenting is needed, too. If the parent window is minimized or goes to the back, so should its child windows. Window headers should reflect the parent window's header.
Child windows shouldn't be allowed to position themselves entirely outside of the parent window. They should have to overlap, at least marginally. (Strict users might turn on a mode where they have to overlap totally, like subwindows in an application.) This creates a visual association between the parent and child windows.
With this, multiple window sites behave in a more tolerable manner.
There are two solutions that would be pretty easy I think, I'm not sure which would be better.
a) Delay displaying alert() calls until the tab is activated by the user.
b) When alert() is called, make the tab that called it become active automatically. This should provide a good visual cue of who it belongs to.
I think I would prefer the first option just so I wouldn't be distracted by the alert() box until I was going to use that tab anyway.
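The tab-dialog behaviour discussed in this thread (a timer in an inactive tab firing a prompt that lands over whichever tab is in front, cancelled when the link is followed in the same window, harmless when new tabs load in the background) and the two fixes proposed in the post above, as an added example. This is not the Secunia demo's code and not any browser's source: it models the browser as a toy event loop, and the class name, origins such as `untrusted.example` and `bank.example`, and the three policy strings are assumptions made for the illustration.

```javascript
// Added example: a toy model of tabbed-browser dialog attribution.
// Not the Secunia demo's code and not any browser's source. Each tab owns
// its timers; timers fire whether or not the tab is visible; a dialog is
// drawn over whichever tab is active when it is shown. `policy` selects
// how the model attributes dialogs:
//   'immediate'      - show at once over the active tab (what the demo relies on)
//   'defer'          - hold the dialog until its owning tab is activated
//   'activate-owner' - bring the owning tab to the front, then show it
class Browser {
  constructor(policy = 'immediate') {
    this.policy = policy;
    this.now = 0;          // model clock, ms
    this.active = null;    // tab currently visible
    this.timers = [];      // { owner, fireAt, fn }
    this.pending = [];     // dialogs held back under 'defer'
    this.shown = [];       // { owner, over, message } as the user saw them
  }

  open(origin, foreground) {
    const tab = { origin };
    if (foreground || this.active === null) this.activate(tab);
    return tab;
  }

  activate(tab) {
    this.active = tab;
    // 'defer': release any dialogs whose owner has just become visible
    const ready = this.pending.filter((d) => d.owner === tab);
    this.pending = this.pending.filter((d) => d.owner !== tab);
    ready.forEach((d) => this.show(d));
  }

  // Following a link in the same tab unloads the page, which discards
  // that page's timers (its setTimeout never fires).
  navigate(tab, origin) {
    this.timers = this.timers.filter((t) => t.owner !== tab);
    tab.origin = origin;
  }

  setTimeout(owner, delayMs, fn) {
    this.timers.push({ owner, fireAt: this.now + delayMs, fn });
  }

  tick(ms) {
    this.now += ms;
    const due = this.timers
      .filter((t) => t.fireAt <= this.now)
      .sort((a, b) => a.fireAt - b.fireAt);
    this.timers = this.timers.filter((t) => t.fireAt > this.now);
    due.forEach((t) => t.fn());
  }

  prompt(owner, message) {
    const dialog = { owner, message };
    if (this.policy === 'defer' && this.active !== owner) {
      this.pending.push(dialog);
      return;
    }
    if (this.policy === 'activate-owner') this.active = owner;
    this.show(dialog);
  }

  show(dialog) {
    this.shown.push({
      owner: dialog.owner.origin,
      over: this.active.origin,
      message: dialog.message,
    });
  }
}

// The demo's flow: the untrusted page schedules a prompt, the user follows
// a link to a trusted site in a new tab, and the timer fires 8 seconds later.
// Origins are made up for the illustration.
function runDemo(policy, newTabInForeground = true) {
  const b = new Browser(policy);
  const untrusted = b.open('untrusted.example', true);
  b.setTimeout(untrusted, 8000, () =>
    b.prompt(untrusted, 'Session expired, please re-enter your password'));
  b.open('bank.example', newTabInForeground); // link opened in a new tab
  b.tick(8000);
  if (b.shown.length === 0) {
    // nothing shown yet: report what happens once the user returns
    b.activate(untrusted);
    return { deferred: true, ...b.shown[0] };
  }
  return { deferred: false, ...b.shown[0] };
}

// Same-window click: the page unloads and its timer is cancelled.
function runSameWindow() {
  const b = new Browser('immediate');
  const tab = b.open('untrusted.example', true);
  b.setTimeout(tab, 8000, () => b.prompt(tab, 'Password?'));
  b.navigate(tab, 'bank.example');
  b.tick(8000);
  return b.shown.length;
}

for (const policy of ['immediate', 'defer', 'activate-owner']) {
  console.log(policy, JSON.stringify(runDemo(policy)));
}
console.log('same-window dialogs shown:', runSameWindow());
```

Run it with `node`: under `immediate` the dialog owned by `untrusted.example` is reported as shown over `bank.example`, which is the spoof; with new tabs loading in the background, or under either proposed fix, the dialog is only ever seen over its owner, and the same-window click shows nothing at all.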
Joseph?
We need to accept that all browsers are fundamentally broken and exposed and can't be fixed. We need therefore to understand security as that set of tools and behaviors that minimize our own exposures and risks with the understanding that Browsers, in fact all desktop tools are to some extent nothing more than Dreadnoughts and Maginot Lines too big and stupid to get out of their own way and only as effective as the stupidity of the attack that tries to hit them head on.
The notion that browsers are exposed is really only relevant in terms of what is exposed and how meaningful that exposure might be to you or your enterprise. If your browser gets hijacked - ok, then what are you going to lose, your bank account or credit card? Are you going to lose your health management PPO records? Are you going to go to jail when the FBI finds your kiddyporn? Or do you simply take other steps to protect yourself in the case when, not if, your machine is cracked and taken over.
I use Konqueror as my main browser, with Mozilla and Epiphany as more "functional" browsers for specific sites I've found that need Java or Javascript (or cookies, for that matter). And lo and behold, that's exactly what's written in the article.
---
Solution:
Don't visit trusted web sites while visiting untrusted web sites or disable JavaScript.
---
I tested the spoof vulnerability in Konqueror 3.3.1 (the latest).
When displaying the popup, it 1) switched back to the tab that owns it, and 2) the popup clearly contained the server name "secunia.com".
I was about to call this unhealthy sensationalism, but I haven't checked out older versions. Can anyone confirm the vulnerability in 3.3.0 and older? Thanks.
-- B.
This sig does in fact not have the property it claims not to have.
IE is not a system compromise in any technical sense. IE (and the rest of explorer) runs in user mode, same as any program. If you run as non-admin, it won't be able to affect anything your user account doesn't have access to.
When they say IE is "integrated into the system" what is meant is that the re-usable browser component is guaranteed to be available on that system, like the common controls. It's considered a base-level system provided function. This allows other browsers like neoplanet or myie2 to be written without writing or distributing the HTML parsing engine.
Your profile says you post about once a month. I think you are cheating somehow. You hacker! I will have the admin ban you! What's that flying over my head? It looks...funny.
warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.
Hello, :)
Please excuse me for the offtopic reply, but where does your sig come from? It strongly reminds me of a @doing I've seen in some MUD, and I was wondering if you were perchance the same person.
This will be a good example of who patches faster.. OSS or CSS. And they're off!
One wonders if slashdot enjoys crippling sites and confounding its own readers... otherwise surely they'd post coral-ified or other robust caching links.
I'm an animal lover -- they're delicious!
The window from an inactive tab coming to the front in Firefox does not really seem like that big of a deal. I kind of like the fact that it does this. At work, the server needs to restart to load a new java war file, so I usually browse on other tabs while the server is restarting. When it starts, the notification window pops to the top. Perhaps there should be an option to turn this on or off (the option could default to off)... I don't really see that many people putting really important information into a javascript notification window anyway.
SIGFAULT
I mean, I can see how it could be used as such, but what about the legitimate implementations of it? That's more like an ability of JavaScript that can be exploited.
Bad example, but it's no different than a firearm. Used properly, it can be used for protection and hunting game, but improperly it can be used to kill someone for no reason whatsoever.
"Which I why I keep javascript turned off. Blocks another subset of ads. "
Better turn off JPEG and HTML too then; the most annoying ads are just JPEGs linked via affiliate links. If you want to block Google adverts, you don't have to suffer. Just map "googlesyndication.com" to localhost in your hosts file.
I tried Javascript (Active Scripting) switched off when I was using Internet Explorer. Nothing worked. The biggest problems, news sites that use pull down menus, popup pages from links, none of my banking sites worked, no stock investing, parts of zdnet failed, what a pain!
A more appropriate question to ask is, how long will the patch take to be distributed to end-users?
Most people don't run nightly builds. Most non-geek people rely on distributions to provide them their patches. As more Windows/IE users migrate to OSS software, the question "How long until the patch is pushed to me by Redhat/SuSe/etc?" will become more relevant than "How long it took someone to mark the bug as 'fixed'?"
http://shit.slashdot.org/article.pl?sid=04/10/20/1344208
you are correct, I trusted the summary's use of "System", bad DrSkwid
btw. it is insightful
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
> btw. it is insightful
No, it isn't.
Well, since I posted, 2 more mods have agreed that your factually incorrect post is "insightful". Gotta love slashdot.
you idiot
see the subject
insightfull
whereas the correct spelling is ?
OKAY thanks for the CAPS LOCK.
An IE vulnerability has never affected my system any more or less than a Mozilla vulnerability, despite IE's integration with the shell. This is just something IE-bashers restate over and over to "prove" that IE's vulnerabilities are somehow worse, merely because IE has a reusable COM architecture that is globally exposed to the shell and used everywhere.
I hate to burst your bubble, but iexplore.exe runs in user mode like any other app. Integration with the shell is something that has been way overblown here on Slashdot (in fact, it's amusing that in one breath people will argue that IE isn't integrated and can be easily removed and therefore Microsoft is lying, and in the other breath they will argue that IE is so tied to the shell that it's a security hazard).
Mozilla has had vulnerabilities so bad, files in my download folder were disappearing! Imagine the ABSOLUTE UPROAR that would be on Slashdot if that happened to IE. But because it was Mozilla/Firefox, it was glossed over and forgotten.
I am an extremely happy Opera user, and though it too has its share of flaws from time to time, Mozilla has more than proven itself to be a hole-ridden piece of software with a strange bug-handling strategy--witness the flaw discovered in 1999 and marked "Confidential" for five years only to be fixed just recently (oh, yeah, remember that? Slashdot reported on it...yet again it was glossed over and forgotten by the masses).
hehe I'm not modding it myself, honest!
yay, a 5 for being wrong, I wish one still got the proper karma score instead of "excellent" !
Slashdot on Mondays:
IE can easily be removed from Windows! Microsoft was lying! IE is nothing more than a reusable COM.
Slashdot on Wednesdays:
IE is so tied into the system that it's a security hazard! That makes its vulnerabilities somehow worse than Mozilla's various file-deleting holes and other vulnerabilities!
Come on, guys, get a standard story on IE's integration and stick to it.
You still don't get it.
... well there are a lot of us who open almost every page in a tab now - so much more convenient.
It's a demo, not a honed exploit - you have to use your head and a little effort to imagine an exploit, but good grief, it only takes a *little* thought to see it.
The second demo technique could easily be used to harvest a password. Those fields don't usually have anything showing up in the to begin with. The javascript could also probably be used to populate that field on the bankone page with characters that would show up as asterisks as the user types. The focus was simply moved in the demo to show the technique - a much slicker attack is easily possible.
And as far as it only working in tabs
If you really clicked a link called Last Measure in a post by a guy named irc.goatse.cx troll, then after seeing garbage in Google translation checked out what was the original translated page, went to its url, saw an ascii art of goatse man stretching his ass (no hint yet, Einstein?) with nothing else but a text field a submit button below and with GNAA Last Measure version 3.4 in the browser title bar, you entered some text and hit the Submit Query button, and *THEN* you were surprised that you saw "stuff you really don't want to be seeing" then please take no offense but you must be a fucking moron! Grandparent made it VERY HARD to see what you saw by accident. Therefore he is not a troll. YOU ARE. I'm sorry but you are so unimaginably stupid that you should not be allowed to use the Interweb. Ever. Dear God, what an outrageously stupid imbecile you are! Seriously, I just cannot believe it! OMFG!!!!
I've been on the bugzilla entry for this bug for three years! The fix was in CVS before the security bulletin came out.
You forgot to say what year's christmas.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
They can't. Mozilla isn't a recognised user on most Windows platforms. :) Only users can chown.
The Mostly Crystal theme has an update button in the upper right corner. But it isn't red. It's blue and it turns green after checking. It works too, but not after a double click (this is what the alt text says) but after a single click. ;)
- Save a tree, eat more woodpeckers
and now we both get (rightly) modded down for being offtopic, negating whatever karma benefit the positive mods might have had ;)
A poster points out the problems with the slashdot mod system and gets modded "flamebait" by some clueless numbnut with mod points. And the guy was (sensibly) posting as an AC to boot.
The irony is priceless.
Note to all slashdot modders. It helps to engage your brain BEFORE you click the "moderate" button.
Thanks for your attention.
Where have we heard this before?
Ok, this should be relatively easy to fix; just do something so the user knows what tab launched the dialog. There are several obvious good solutions.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
...with the test. The java dialog box opens right on top of the original page, no transfer at all to the 'new' tab. Only an idiot would type anything besides 'buggeroff' into a java window from 'nowhere'.
Meanwhile, still in OmniWeb, if the link is 'saved to clipboard' and opened as a tab, the test is totally bypassed. Omniweb will not let the test run in any manner that would show the setting or display of the 'new' tab BEFORE the phony dialog opens.
Omni's the real 'alternative Mac browser'. I love Firefox, but it's not ready for prime time, not on a Mac, anyway. Way too windows-like. And getting slower. By the time it reaches v.2 it ought to give Opera a run for the money in the 'slug' dep't, if the 'curve' it's on stays even. Omni costs a few bucks. It's in that [sad violin swell] "you get what you pay for" area of life...
If you are using Tabbrowser Extensions then go: Tab -> Tabbrowser Extensions Preferences
and there "New Tabs" section radio button to "Load in the Background"
This monster is my own creation. I didn't know as much when I started building this as I do now.
Oh, boy, have you ever had the "we can add this to the current design, and then spend six months finding problems and fixing them, or we can spend three months on a new design that incorporates the lessons we learned" discussion? And lost?
Have you ever gotten bawled out for doing the redesign in your own time anyway?
Bravo, Mr. irc.goatse.cx troll! My sincerest congratulations, Sir! Using an account named "irc.goatse.cx troll" you have posted a link named "Last Measure", even explaining what it does for those few who don't know it; getting to the final target was not easy, and yet people were still doing it, while your brilliant post was moderated as +5, Insightful for so long! This is a brilliant achievement! But I have some idea for you: next time you might want to post a link to a website which you can edit. When anyone posts a comment "mod parent down, don't click link" or when someone moderates it down, just change the web page content, removing the goatse ascii art and the form with the submit button leading to the Last Measure url, and instead put there a copy of the Wikipedia article. That way mods won't mod you down. You might even have the webpage randomly redirect people to the Last Measure website or the Last Measure Wikipedia article upon clicking the submit button, in such a way that for some time everyone would get the article and after some time the probability of getting Last Measure would increase, reaching one after the story is archived. It would be an honor if I could help writing such a script; please answer here or in your journal.
I always open everything in background. I think it's a bit annoying, but so far I can live with it. =) It can be reproduced this way: try to open simultaneously a lot of websites (in background, foreground, it doesn't matter). Some of these will probably load before the others, right? Select an already loaded website while others are still loading. Sometimes, a form or password box in other website will steal the keyboard focus. It is more likely to happen with the rightmost tabs, but I have no idea why.