Big Day For Browser Vulnerabilities
An anonymous reader writes "All browsers have been reported vulnerable to different vulnerabilities today. Starting with: Internet Explorer on XP SP1/SP2, which suffers a new system compromise (of course) vulnerability. Continuing with: Opera, Mozilla / Mozilla Firefox / Camino, Safari, Netscape, Konqueror, Avant Browser and Maxthon, which all suffers some new spoofing vulnerabilitities. Demonstrations of the spoofing vulnerabilities are available here and here."
Possibly solutions that I've just thought up (for discussion)
While they're fixing this, if all browser makers could make sure there's an option to stop websites resizing my browser, that'd be lovely. I know Moz has this, so it can't be hard for everyone to have it.
Join the Free Software Foundation
Slashdotted already. Would it kill the editors to, you know, edit and provide brief outlines of the stories they're linking to, especially in the case of stories on third party sites that they know will most likely not stand a slashdotting?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
That's ridiculous. It has nothing to do with tabs. The same thing would happen with multiple open windows. To come to the conclusion that "tabs are problematic" is asinine.
Essentially, it's an interface error. The problem seems to be that dialog boxes don't explain which tab they belong to.
/.'ed, but I wouldn't be surprised if it works just as well for opening the external site in a new window.
So with some creative coding, properly guessed/estimated delays, you can create the impression that dialog box A belongs to tab X, while it's actually from tab Y.
I'm not sure if it's restricted to tabs. Can't get to the demo sites anymore as they're
Assorted stuff I do sometimes: Lemuria.org
While I agree with that sentiment on the first exploit (though it would be nice if the parent of the dialog box were displayed when the dialog box is displayed, if the parent is not already active), the second one is a bit more serious. ...script, could call document.myform.submit after a few minutes to harvest all of the text entered in another page.
A form element should not be allowed to steal the focus when it's parent is not active. With a fairly simple timer (like the ones this guys already using), a javascript
Forms should be strictly tied to their containers, and focus requests should be restricted only to the currently active window/tab/whathaveyou. I suspect that the reason this is an issue is because technically the form and the citibank page are both in the same window, the tabs are merely controlling what components are visible at any given point in time.
I have discovered a truly remarkable sig which this margin is too small to contain.
Because the complexity and importance of our web browsers continues to increase, security of those applications will never be "solved" or "fixed".
Other steps must be taken to deal with these issues. What we can do is treat the symptoms.
For those using Linux or UNIX, privilege separation (running the browser process as a user ID that has limited rights) and a chroot jail would be major steps forward.
I believe the browser projects need to work with the community to support that type of runtime configuration.. Before a big nasty vulnerability does damage.
Chroot, in particular, is very tricky.
Once again, for all you web masters out there who cannot code a simple <a href="foo"> without using Javascript:
SOME OF US RUN WITH JAVASCRIPT DISABLED BY DEFAULT, FOR GOOD REASON!
Yes, there are plenty of places where you CANNOT do what you need to do without Javascript - in those cases go ahead and use Javascript.
But for a simple link to another page, or to an image, or to simply DISPLAY you site's content (I'm thinking of bone-headed sites like the International Herald Tribune here who use JS to display otherwise hidden text for their stories), USE HTML DAMNIT! OK, if you want to "enhance" (pronounced "clutter up with needless crap") you site by overriding those behaviors IF Javascript is enabled, knock yourselves out (preferably with a large mallet). BUT MAKE STANDARD HTML WORK AS WELL!
Yes, you may WANT your image to be in its own window, without the standard decorations a browser will add. But if I have JS disabled, make the damn link just spawn a new window and be done with it.
www.eFax.com are spammers
You don't expect them to backport updates to all beta releases, do you?
Once Firefox 1.0 hits the shelves I'm sure it will get security updates for a long time even after it isn't the latest and greatest version.
The dig is just desserts. IE sitll can't rid itself of backdoor connections to the OS that do not plague other browsers. These came about in part because of Microsoft naivete [as its programming culture arose in the protected world of standalone office products] and partly from its attempt to defend against DOJ litigation [ aimed at its monopolistic moves to kill Netscape] by claiming that "browsers are naturally part of the OS". Serves 'em right!
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.