Slashdot Mirror


Big Day For Browser Vulnerabilities

An anonymous reader writes "All browsers have been reported vulnerable to different vulnerabilities today. Starting with: Internet Explorer on XP SP1/SP2, which suffers a new system compromise (of course) vulnerability. Continuing with: Opera, Mozilla / Mozilla Firefox / Camino, Safari, Netscape, Konqueror, Avant Browser and Maxthon, which all suffer some new spoofing vulnerabilities. Demonstrations of the spoofing vulnerabilities are available here and here."

11 of 429 comments

  1. Been thinking about this... by byolinux · · Score: 5, Insightful
    So, a fairly common problem in all browsers bar IE (does it affect those browsers that embed IE to give tabs?)

    Possible solutions that I've just thought up (for discussion)

    • Make the website launching any JavaScript event appear in the foreground
    • Make every dialog box give security information about the website it's from, if the website it's from is not the currently displayed tab.
    • Suspend various types of JavaScript until the tab is foremost again, but display a 'requires your attention' icon (I call shotgun on a panda for this)


    While they're fixing this, if all browser makers could make sure there's an option to stop websites resizing my browser, that'd be lovely. I know Moz has this, so it can't be hard for everyone to have it.
    1. Re:Been thinking about this... by argent · · Score: 4, Insightful

      I would be more in favor of a tab not opening a dialog or firing any other events until it becomes active again

      That would alleviate the real problem slightly, but it wouldn't begin to address the general problem that javascript is given too much detailed control over the user interface. There are other ways to spoof websites, if you can get between the site and the user in any fashion.

      Basically, window creation should be under the user's control. It should always be obvious that any browser window, whether it's a dialog box or a pop-up window, is a browser window. It should have enough decorations to make sure you can't confuse it with a local application. Resizable windows and dialog boxes should be optional in all browsers if they're available at all, so that web designers have an incentive to create sites that work completely in a standard window.

  2. Slashdotted already... by WIAKywbfatw · · Score: 4, Insightful

    Slashdotted already. Would it kill the editors to, you know, edit and provide brief outlines of the stories they're linking to, especially in the case of stories on third party sites that they know will most likely not stand a slashdotting?

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  3. Re:Tabs by Anonymous Coward · · Score: 4, Insightful

    That's ridiculous. It has nothing to do with tabs. The same thing would happen with multiple open windows. To come to the conclusion that "tabs are problematic" is asinine.

  4. Tabs bug explained by Tom · · Score: 4, Insightful

    Essentially, it's an interface error. The problem seems to be that dialog boxes don't explain which tab they belong to.

    So with some creative coding, properly guessed/estimated delays, you can create the impression that dialog box A belongs to tab X, while it's actually from tab Y.

    I'm not sure if it's restricted to tabs. Can't get to the demo sites anymore as they're /.'ed, but I wouldn't be surprised if it works just as well for opening the external site in a new window.

    --
    Assorted stuff I do sometimes: Lemuria.org
  5. Re:It's a clever one. by stromthurman · · Score: 4, Insightful

    While I agree with that sentiment on the first exploit (though it would be nice if the parent of the dialog box were displayed when the dialog box is displayed, if the parent is not already active), the second one is a bit more serious.
    A form element should not be allowed to steal the focus when its parent is not active. With a fairly simple timer (like the ones this guy's already using), a javascript ...script, could call document.myform.submit after a few minutes to harvest all of the text entered in another page.
    Forms should be strictly tied to their containers, and focus requests should be restricted only to the currently active window/tab/whathaveyou. I suspect that the reason this is an issue is because technically the form and the citibank page are both in the same window, the tabs are merely controlling what components are visible at any given point in time.

    --
    I have discovered a truly remarkable sig which this margin is too small to contain.
  6. This is why we need CHROOT browsers by freelunch · · Score: 4, Insightful

    Because the complexity and importance of our web browsers continues to increase, security of those applications will never be "solved" or "fixed".

    Other steps must be taken to deal with these issues. What we can do is treat the symptoms.

    For those using Linux or UNIX, privilege separation (running the browser process as a user ID that has limited rights) and a chroot jail would be major steps forward.

    I believe the browser projects need to work with the community to support that type of runtime configuration.. Before a big nasty vulnerability does damage.

    Chroot, in particular, is very tricky.
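
An added example (not part of the comment above, and not code from any browser project) of the privilege separation plus chroot arrangement it describes, showing the ordering that makes chroot "tricky". The function name `enter_jail`, its step codes and the launcher's argument layout are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the calling process to jail_dir, then drop to uid/gid.
 * Returns 0 on success, or a negative number naming the step that failed.
 * Must be called as root; every step is checked because a silently
 * failed step leaves the process less confined than the caller believes. */
int enter_jail(const char *jail_dir, uid_t uid, gid_t gid)
{
    if (jail_dir == NULL || uid == 0 || gid == 0)
        return -1;                    /* a jail that keeps root is no jail */
    if (chroot(jail_dir) != 0)
        return -2;
    if (chdir("/") != 0)              /* otherwise cwd still points outside */
        return -3;
    if (setgroups(0, NULL) != 0)      /* drop supplementary groups first */
        return -4;
    if (setgid(gid) != 0)             /* group before user: needs root */
        return -5;
    if (setuid(uid) != 0)
        return -6;
    if (setuid(0) == 0)               /* root must not be recoverable */
        return -7;
    return 0;
}

int main(int argc, char **argv)
{
    /* Hypothetical launcher: jail <dir> <uid> <gid> <program> [args...] */
    if (argc < 5) {
        fprintf(stderr, "usage: %s dir uid gid program [args...]\n", argv[0]);
        return 2;
    }
    int rc = enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3]));
    if (rc != 0) {
        fprintf(stderr, "jail setup failed at step %d\n", -rc);
        return 1;
    }
    execv(argv[4], &argv[4]);         /* path is resolved inside the jail */
    perror("execv");
    return 1;
}
```

Directory file descriptors opened before the call still refer to the tree outside the jail, so close them first. The jail directory also has to contain everything the program needs at run time, such as its shared libraries.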

  7. Don't enable Javascript by wowbagger · · Score: 5, Insightful
    Don't visit trusted web sites while visiting untrusted web sites or disable JavaScript.


    Once again, for all you web masters out there who cannot code a simple <a href="foo"> without using Javascript:

    SOME OF US RUN WITH JAVASCRIPT DISABLED BY DEFAULT, FOR GOOD REASON!

    Yes, there are plenty of places where you CANNOT do what you need to do without Javascript - in those cases go ahead and use Javascript.

    But for a simple link to another page, or to an image, or to simply DISPLAY your site's content (I'm thinking of bone-headed sites like the International Herald Tribune here who use JS to display otherwise hidden text for their stories), USE HTML DAMNIT! OK, if you want to "enhance" (pronounced "clutter up with needless crap") your site by overriding those behaviors IF Javascript is enabled, knock yourselves out (preferably with a large mallet). BUT MAKE STANDARD HTML WORK AS WELL!

    Yes, you may WANT your image to be in its own window, without the standard decorations a browser will add. But if I have JS disabled, make the damn link just spawn a new window and be done with it.
    1. Re:Don't enable Javascript by Dr_Ish · · Score: 5, Insightful

      The advice here is sound. There are all sorts of evil things that can be done with javascript. I know how to do some of them and I am one of the 'good guys'. Goodness knows what can be done by those who are less well intentioned. I always run with javascript disabled, simple as that. Not only does this prevent the problem of pop-ups, it also keeps one safe from many other dangers. If a site requires javascript, then either I will simply not use it, or I will briefly enable javascript only as necessary. One of the reasons I do not own a Subaru, is due to their love of javascript, even though their cars are great. So, webmasters be aware, your choices can influence consumer habits!

  8. Re:NY Times Ad... by XMyth · · Score: 4, Insightful

    You don't expect them to backport updates to all beta releases, do you?

    Once Firefox 1.0 hits the shelves I'm sure it will get security updates for a long time even after it isn't the latest and greatest version.

  9. Re:Whats with the dig at IE? by museumpeace · · Score: 5, Insightful

    The dig is just desserts. IE still can't rid itself of backdoor connections to the OS that do not plague other browsers. These came about in part because of Microsoft naivete [as its programming culture arose in the protected world of standalone office products] and partly from its attempt to defend against DOJ litigation [aimed at its monopolistic moves to kill Netscape] by claiming that "browsers are naturally part of the OS". Serves 'em right!

    --
    SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.