Big Day For Browser Vulnerabilities
An anonymous reader writes "All browsers have been reported vulnerable to different vulnerabilities today. Starting with: Internet Explorer on XP SP1/SP2, which suffers a new system compromise (of course) vulnerability. Continuing with: Opera, Mozilla / Mozilla Firefox / Camino, Safari, Netscape, Konqueror, Avant Browser and Maxthon, which all suffer some new spoofing vulnerabilities. Demonstrations of the spoofing vulnerabilities are available here and here."
Possible solutions that I've just thought up (for discussion)
While they're fixing this, if all browser makers could make sure there's an option to stop websites resizing my browser, that'd be lovely. I know Moz has this, so it can't be hard for everyone to have it.
Join the Free Software Foundation
The Mozilla etc problem seems equally serious.
Why further continue the public's view of the open source community's immaturity by adding such a silly editorial comment to an otherwise reasonable story submission?
And why did /. choose to post it?
Slashdotted already. Would it kill the editors to, you know, edit and provide brief outlines of the stories they're linking to, especially in the case of stories on third party sites that they know will most likely not stand a slashdotting?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Stop the presses.
Whoever modded the parent as offtopic must have missed the article discussing the Firefox team's plans to buy a full page NY Times announcing the release of a better browser. It's not only "funny", it's downright "insightful".
Time is what keeps everything from happening all at once.
In other words, don't visit untrusted sites?
Now what am I going to do -- how am I supposed to reply to my email?
sigs, as if you care.
Now, the bugs in IE (therefore also in windows) will not likely be fixed until mid-November, and will likely introduce new bugs or re-introduce old ones.
You are being MICROattacked, from various angles, in a SOFT manner.
That's ridiculous. It has nothing to do with tabs. The same thing would happen with multiple open windows. To come to the conclusion that "tabs are problematic" is asinine.
Essentially, it's an interface error. The problem seems to be that dialog boxes don't explain which tab they belong to.
So with some creative coding, properly guessed/estimated delays, you can create the impression that dialog box A belongs to tab X, while it's actually from tab Y.
I'm not sure if it's restricted to tabs. Can't get to the demo sites anymore as they're /.'ed, but I wouldn't be surprised if it works just as well for opening the external site in a new window.
Assorted stuff I do sometimes: Lemuria.org
While I agree with that sentiment on the first exploit (though it would be nice if the parent of the dialog box were displayed when the dialog box is displayed, if the parent is not already active), the second one is a bit more serious.
A form element should not be allowed to steal the focus when its parent is not active. With a fairly simple timer (like the ones this guy's already using), a javascript script could call document.myform.submit after a few minutes to harvest all of the text entered in another page.
Forms should be strictly tied to their containers, and focus requests should be restricted only to the currently active window/tab/whathaveyou. I suspect that the reason this is an issue is because technically the form and the citibank page are both in the same window, the tabs are merely controlling what components are visible at any given point in time.
I have discovered a truly remarkable sig which this margin is too small to contain.
Because the complexity and importance of our web browsers continues to increase, security of those applications will never be "solved" or "fixed".
Other steps must be taken to deal with these issues. What we can do is treat the symptoms.
For those using Linux or UNIX, privilege separation (running the browser process as a user ID that has limited rights) and a chroot jail would be major steps forward.
I believe the browser projects need to work with the community to support that type of runtime configuration. Before a big nasty vulnerability does damage.
Chroot, in particular, is very tricky.
Once again, for all you web masters out there who cannot code a simple <a href="foo"> without using Javascript:
SOME OF US RUN WITH JAVASCRIPT DISABLED BY DEFAULT, FOR GOOD REASON!
Yes, there are plenty of places where you CANNOT do what you need to do without Javascript - in those cases go ahead and use Javascript.
But for a simple link to another page, or to an image, or to simply DISPLAY your site's content (I'm thinking of bone-headed sites like the International Herald Tribune here who use JS to display otherwise hidden text for their stories), USE HTML DAMNIT! OK, if you want to "enhance" (pronounced "clutter up with needless crap") your site by overriding those behaviors IF Javascript is enabled, knock yourselves out (preferably with a large mallet). BUT MAKE STANDARD HTML WORK AS WELL!
Yes, you may WANT your image to be in its own window, without the standard decorations a browser will add. But if I have JS disabled, make the damn link just spawn a new window and be done with it.
www.eFax.com are spammers
Option 4: Don't allow webpages to open dialog boxes from Javascript. The only time I've seen this as being useful is for optional client-side form validation, and there are other ways to provide the same functionality (for example, using CSS to bring up the message in the same page).
Option 5: Don't allow webpages to open windows without decorations. This is occasionally useful, but it's routinely abused by everything from pop-up ads to control-freaks who just don't want you to see how their site is structured.
You don't expect them to backport updates to all beta releases, do you?
Once Firefox 1.0 hits the shelves I'm sure it will get security updates for a long time even after it isn't the latest and greatest version.
Back in the day, there were lots of VT-100 terminal tricks...
One line blog. I hear that they're called Twitters now.
after all, I love to bash poor Microsoft, but exhaustion is rapidly setting in here. I am what passes for a careful user: I don't use IE, I run the latest Mozilla, I use a firewall and anti-spyware and when it's all said and done...not much gets done because I am fretting over yet another patch or vulnerability. I have sympathetic talks with my sysadmins but my family thinks I am the Home Network Nazi. The color codes provided by Secunia are, despite seeming like imitations of the nation's goofy alert color codes, a step in the right direction. But what I want is an alert level made meaningful by contrasting it with risks I do understand: Since we perceive risk as a product of CHANCE_OF_OCCURRENCE X COST_OF_OCCURRENCE, I want a system where I can set a threshold for ignoring the drivel. The basis could be a chance_of_occurrence = to my chances of a serious car accident on the way to work for instance [say it's 1 in 5000] and the cost is monetized in the range from 0$ to the 1.7million [or whatever it is] that the insurance industry pays out on average for a loss of life. ...if I am filthy rich, a vulnerability that opens my brokerage account could be > than loss of life but that is for me to set. All the stuff that falls below the threshold, I don't want to hear about, at least not more than once a year in a round-up batch of patches. Enough already!
I feel like a small town policeman buried under a barrage of "sky-is-falling-alert-level-puce" faxes from the Homeland Security to be dealt with on zero budget.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
wrong, it's because the IE is a SYSTEM compromise whereas the others just expose the USER
hence the OF COURSE because of the poor choice of integrating the browser into the system
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
To call the tab browsing issue with the alert boxes a security vulnerability sounds like a bit of a stretch. A hell of a confusing UI issue, truth be told, but hardly seems like a security problem.
1) In my case, I have always had Firefox load tabs in the background. So when the dumb little dialog pops up I am still on the Secunia site.
2) I would probably be very suspicious of a non-standard JS popup coming up and asking me for any sort of sensitive information.
3) The user must consciously be using tab browsing (with tabs loading in the foreground) to have any chance of being duped by this. Just clicking on the link to load the page in the same window cancels the setTimeout() call, and opening the link in a new window causes the secunia.com window to come to the foreground along with the popup. Since there is no html anchor target for a new tab, anyone wanting to explore this vulnerability would have to be counting on catching users that have tabs that load in the foreground, and are unsavvy enough to fall for a Javascript dialog like that. My suspicion is that most users that would even know how to use tab browsing would have a mild clue.
Are these on all platforms, or just MS stuff, or what? I guess I am not seeing it, my apologies if it's there. For Moz 1.7xx whatever, they (secunia link in article) say this for a fix
"Solution:
Don't visit trusted web sites while visiting untrusted web sites OR disable JavaScript." CAPS are mine
DUH, I never have scripting turned on. Thanks for the advice Secunia, turned it off a long time ago. It's the first thing I do with any new browser I download and install, I look at the preferences and make sure that scripting is not default on. Evil mojo it is. Seems like every other exploit has to do with having scripting turned on, or the traditional and infamous and legendary now e-vile "buffer overflows" thingee. It's like a bad Japanese sci fi "Radioactive mutant buffer overflows swamp tokyo!!11!". I got no control over "buffer overflows", that is the developers' lookout (seems to never end, too, why is that???), but scripting any user got complete control over, and it pays to learn from history you would think. I really don't care how useful javascript is, it's way too insecure, been proven over and over, it's a bad idea to run it, IMO. Just like active X stuff for MS, just bad news from the git-go. One of the main reasons I don't get any web mail accounts anymore, most of them I have looked at seem to require it.
no... not gonna do it... wouldn't be prudent....
Here it is, taken from the source code of the page:
var activated;
function launchTimedPrompt()
{
    if ( !activated )
    {
        activated = true;
        document.myform.userinput.value = prompt("This is a test security survey. Please enter a test string below:");
        alert("Go back to the Secunia tab where you opened this window and see the result.");
    }
}
You're not going to "block" this without turning off JavaScript or disabling prompt(). I guess you just took a cursory look at the source and tried to come up with an "informative" (read: completely incorrect) post.
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
There are two solutions that would be pretty easy I think, I'm not sure which would be better.
a) Delay displaying alert() calls until the tab is activated by the user.
b) When alert() is called, make the tab that called it become active automatically. This should provide a good visual cue of who it belongs to.
I think I would prefer the first option just so I wouldn't be distracted by the alert() box until I was going to use that tab anyways.
Joseph?
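An added illustration, not part of the thread and not any browser's actual code: option (a) above (hold a background tab's dialog until the user activates that tab), combined with the earlier suggestion that focus requests be honoured only for the active tab, modelled in JavaScript. The `TabbedBrowser` class, its method names and the `.example` origins are hypothetical.

```javascript
// Toy model of a tabbed browser's dialog and focus policy (hypothetical, for illustration).
class TabbedBrowser {
  constructor() {
    this.tabs = new Map();   // tabId -> { origin, pending dialogs }
    this.activeTab = null;   // tab the user is currently looking at
    this.focusOwner = null;  // tab whose form fields receive keystrokes
    this.shown = [];         // dialogs actually presented, in order
  }
  openTab(tabId, origin) { this.tabs.set(tabId, { origin, pending: [] }); }
  // Script in a tab calls alert()/prompt().
  requestDialog(tabId, message) {
    const tab = this.tabs.get(tabId);
    if (!tab) throw new Error(`unknown tab ${tabId}`);
    // Every dialog names the origin that raised it.
    const dialog = { tabId, title: `[${tab.origin}] says:`, message };
    if (tabId === this.activeTab) {
      this.shown.push(dialog);
      return "shown";
    }
    tab.pending.push(dialog); // background tab: hold until the user goes there
    return "deferred";
  }
  // Script in a tab calls element.focus(): honoured only for the visible tab.
  requestFocus(tabId) {
    if (tabId !== this.activeTab) return false;
    this.focusOwner = tabId;
    return true;
  }
  // The user clicks a tab: it gets focus and its queued dialogs are released.
  activate(tabId) {
    const tab = this.tabs.get(tabId);
    if (!tab) throw new Error(`unknown tab ${tabId}`);
    this.activeTab = tabId;
    this.focusOwner = tabId;
    this.shown.push(...tab.pending.splice(0));
  }
}
// Constructed scenario: an untrusted page tries to prompt while another tab is in front.
function runDemo() {
  const b = new TabbedBrowser();
  b.openTab(1, "untrusted.example");
  b.openTab(2, "bank.example");
  b.activate(2);
  const dialog = b.requestDialog(1, "Please enter a test string");
  const focus = b.requestFocus(1);
  const seenOverBank = b.shown.length;
  b.activate(1);
  return { dialog, focus, seenOverBank, title: b.shown[0].title };
}
```

Under this policy the prompt from the background tab is never drawn over the other site, and when it does appear it carries its own origin in the title.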
We need to accept that all browsers are fundamentally broken and exposed and can't be fixed. We need therefore to understand security as that set of tools and behaviors that minimize our own exposures and risks with the understanding that Browsers, in fact all desktop tools are to some extent nothing more than Dreadnoughts and Maginot Lines too big and stupid to get out of their own way and only as effective as the stupidity of the attack that tries to hit them head on.
The notion that browsers are exposed is really only relevant in terms of what is exposed and how meaningful that exposure might be to you or your enterprise. If your browser gets hijacked - ok then what are you going to lose your bank account or credit card? Are you going to lose your health management PPO records? Are you going to go to jail when the FBI finds your kiddyporn? Or do you simply take other steps to protect yourself in the case when not if your machine is cracked and taken over.
IE is not a system compromise in any technical sense. IE (and the rest of explorer) runs in user mode, same as any program. If you run as non-admin, it won't be able to affect anything your user account doesn't have access to.
When they say IE is "integrated into the system" what is meant is that the re-usable browser component is guaranteed to be available on that system, like the common controls. It's considered a base-level system provided function. This allows other browsers like neoplanet or myie2 to be written without writing or distributing the HTML parsing engine.
Slashdot on Mondays:
IE can easily be removed from Windows! Microsoft was lying! IE is nothing more than a reusable COM.
Slashdot on Wednesdays:
IE is so tied into the system that it's a security hazard! That makes its vulnerabilities somehow worse than Mozilla's various file-deleting holes and other vulnerabilities!
Come on, guys, get a standard story on IE's integration and stick to it.