Slashdot Mirror


Big Day For Browser Vulnerabilities

An anonymous reader writes "All browsers have been reported vulnerable to different vulnerabilities today. Starting with: Internet Explorer on XP SP1/SP2, which suffers a new system compromise (of course) vulnerability. Continuing with: Opera, Mozilla / Mozilla Firefox / Camino, Safari, Netscape, Konqueror, Avant Browser and Maxthon, which all suffer some new spoofing vulnerabilities. Demonstrations of the spoofing vulnerabilities are available here and here."

92 of 429 comments

  1. NY Times Ad... by jea6 · · Score: 5, Funny

    Stop the presses.

    --

    sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
    1. Re:NY Times Ad... by EzInKy · · Score: 2, Insightful

      Stop the presses.

      Whoever modded the parent as offtopic must have missed the article discussing the Firefox team's plans to buy a full page NY Times announcing the release of a better browser. It's not only "funny", it's downright "insightful".

      --
      Time is what keeps everything from happening all at once.
    2. Re:NY Times Ad... by byolinux · · Score: 4, Informative

      Bug seems to be fixed in Firefox already.

      Gentlemen (and Ladies), start your check for updates! (Tools, Options, Advanced, Check Now button)

    3. Re:NY Times Ad... by XMyth · · Score: 4, Insightful

      You don't expect them to backport updates to all beta releases, do you?

      Once Firefox 1.0 hits the shelves I'm sure it will get security updates for a long time even after it isn't the latest and greatest version.

    4. Re:NY Times Ad... by Anonymous Coward · · Score: 2, Informative

      Nope. I'm running 1.0 preview version and no updates available but the exploit is still working.

    5. Re:NY Times Ad... by DAtkins · · Score: 5, Informative

      Actually, according to MozillaZine the fix has been fixed in the 1.0 code tree, but hasn't been merged into the existing builds yet. I would expect a fix before 1.0 goes gold.

  2. Been thinking about this... by byolinux · · Score: 5, Insightful
    So, a fairly common problem in all browsers bar IE (does it affect those browsers that embed IE to give tabs?)

    Possible solutions that I've just thought up (for discussion)

    • Make the website launching any JavaScript event appear in the foreground
    • Make every dialog box give security information about the website it's from, if the website it's from is not the currently displayed tab.
    • Suspend various types of JavaScript until the tab is foremost again, but display a 'requires your attention' icon (I call shotgun on a panda for this)


    While they're fixing this, if all browser makers could make sure there's an option to stop websites resizing my browser, that'd be lovely. I know Moz has this, so it can't be hard for everyone to have it.
    1. Re:Been thinking about this... by Mr+Guy · · Score: 2, Insightful

      I know Moz has this, so it can't be hard for everyone to have it.

      And while they are at it, how about fixing whatever is letting websites open an ad window when I close them, even though I have all the "Allow websites to..." options turned off.

    2. Re:Been thinking about this... by CXI · · Score: 5, Interesting

      I would be more in favor of a tab not opening a dialog or firing any other events until it becomes active again. Allowing tabs to gain focus without user intervention has the potential to be annoying as hell. For example, an ad on a page could keep popping that tab to the front for you to see it. Ugh.

    3. Re:Been thinking about this... by argent · · Score: 4, Insightful

      I would be more in favor of a tab not opening a dialog or firing any other events until it becomes active again

      That would alleviate the real problem slightly, but it wouldn't begin to address the general problem that javascript is given too much detailed control over the user interface. There are other ways to spoof websites, if you can get between the site and the user in any fashion.

      Basically, window creation should be under the user's control. It should always be obvious that any browser window, whether it's a dialog box or a pop-up window, is a browser window. It should have enough decorations to make sure you can't confuse it with a local application. Resizable windows and dialog boxes should be optional in all browsers if they're available at all, so that web designers have an incentive to create sites that work completely in a standard window.

    4. Re:Been thinking about this... by MvD_Moscow · · Score: 2, Informative

      Were these pop-ups generated by shockwave/flash? If not, could you add the sites where you got pop-ups to https://bugzilla.mozilla.org/show_bug.cgi?id=253831 (copy and paste or disable referers)

  3. Everything is vulnerable by networkBoy · · Score: 4, Informative

    it's just that IE is so tied to the OS that when it goes down so does the whole 'puter
    -Nb

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  4. Phew! by acehole · · Score: 4, Funny

    Lynx missed out!

    --
    Be you Admins? nay, we are but lusers!
    1. Re:Phew! by Reducer2001 · · Score: 3, Funny

      10.1!? Tell us, what is the future like? Will the Red Sox beat the Yankees this year?

      --
      When you get to hell -- tell 'em Itchy sent ya!
  5. Re:Whats with the dig at IE? by byolinux · · Score: 4, Informative

    The advisories list the IE problems as much highly critical, whereas the others are only medium critical.

    As I understand it, problem with IE vulns are that it's SO tied to the OS, that even the most trivial of problems can cause much greater problems.

  6. All browsers? by chjones · · Score: 5, Funny
    All browsers have been reported vulnerable to different vulnerabilities today.

    I use Lynx, you insensitive clod!

    CDJ
    --

    Christian Jones
    Medicine. Mathematics. Mediocrity.

    1. Re:All browsers? by byolinux · · Score: 5, Funny

      I use Lynx, you insensitive clod!

      Must you post in HTML? I use telnet to fetch/post my web traffic you insensitive clod! It's people like you who clog up the web! ;)

    2. Re:All browsers? by jellomizer · · Score: 4, Funny

      I use telnet to fetch/post my web traffic you insensitive clod!

      Y ME 2 BUT MY IP/OP IS ALL ON PNCH CRDS IT PPLE LKE U WHO CLG UP THE WEB

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:All browsers? by WildFire42 · · Score: 2, Funny

      Wow, you use uccp? That's lucky. I've got an antique Chinese abacus that I use to help me convert from digital information to text. Playing Doom is kind of difficult, but Space Invaders works. I move the pieces and my brother throws rocks at it.

      On the upside, there is a phone line a few miles away, and I can whistle at 75 baud.

      Of course, this was my one Slashdot post for the year, since it will take me another year just to get through the next article.

    4. Re:All browsers? by mikael · · Score: 2, Funny

      I get all my downloads from a CD-ROM delivered by snail-mail, which is then fetched by my dog and delivered onto my lap, without me ever leaving my armchair or having to use broadband.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  7. What am I doing here? by Locdonan · · Score: 2, Funny

    I need to pull the plug! I gotta get off the net!
    someone is going to steal all my PORN!

    So, what now? I guess I pull this cord right her....

    --
    If I wrote something witty, you would say I stole it from somewhere.
  8. Re:Oh my Gosh... by Dehumanizer · · Score: 4, Funny

    Wanna guess how long Mozilla, Firefox and such will take to fix this?

    And how long IE will take?

    Didn't think so. :)

    --
    The Tlog - a technology blog
  9. Re:Whats with the dig at IE? by airjrdn · · Score: 2

    Why would you not want it posted? Is it better for there to be holes that no one knows about simply because it's OS software?

    I'd bet your paycheck we'll be seeing more and more of these.

    http://www.thisoldgarage.com/ - a friends website, check it out.

  10. spoofing demos aren't working on my browser by nounderscores · · Score: 4, Funny

    I guess the best defense is a good slashdotting.

    1. Re:spoofing demos aren't working on my browser by eobanb · · Score: 5, Funny

      I get it. It tricks the browser into displaying a blank page. Clever bastards.

      --

      Take off every sig. For great justice.

  11. Safari Exploit demonstration did not work by 99BottlesOfBeerInMyF · · Score: 5, Informative

    I just tried the exploit demonstration for Safari, but it did not work. The active tab switched back to the one providing the pop-up, not the target site. Did anyone else try it and have it work?

    1. Re:Safari Exploit demonstration did not work by Anonymous Coward · · Score: 2, Informative

      In Firefox, the active tab also switched back. Also, I could not enter anything in the Zip Code box anyways. Yeah, it showed up in the "look what you typed" box on the first page, but wouldn't somebody notice that none of what they typed was being displayed in the Zip code box?

    2. Re:Safari Exploit demonstration did not work by ecesar · · Score: 2, Informative

      Try opening in a new window. This worked for me. They reported the vulnerability as a "new window" instead of a "new tab" problem, but they did not word the demo page correctly.

    3. Re:Safari Exploit demonstration did not work by droleary · · Score: 4, Informative

      I just tried the exploit demonstration for Safari, but it did not work. The active tab switched back to the one providing the pop-up, not the target site. Did anyone else try it and have it work?

      It switched back for me, too, when using tabs, but not when I opened the URL in another window. It doesn't much matter, though, because I think the point is supposed to be that the dialog could say "Citibank needs your SSN to access your account on our site" and 90% of the people would only know that they just opened the URL, so they'd assume it was related to that page. What's great for the Mac is that there is already an interface element Apple can use to address this issue: the sheet!

  12. Slashdotted already... by WIAKywbfatw · · Score: 4, Insightful

    Slashdotted already. Would it kill the editors to, you know, edit and provide brief outlines of the stories they're linking to, especially in the case of stories on third party sites that they know will most likely not stand a slashdotting?

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  13. It's a clever one. by jimicus · · Score: 5, Interesting

    For those who can't be bothered to RTFA, the Mozilla vulnerability is essentially a standard link with an "onMouseOver" bit which runs a little piece of JavaScript.

    The JavaScript pauses for a few seconds (while you presumably get distracted by another page) then flashes up a "Please enter some text" dialogue box.

    A similar effect could be achieved by calling the JavaScript on pretty much any event; the vulnerability relies on it being unclear which site caused the dialogue box to pop up. I can see how it could be classed a vulnerability, but it's hardly earth shattering.

    1. Re:It's a clever one. by stromthurman · · Score: 4, Insightful

      While I agree with that sentiment on the first exploit (though it would be nice if the parent of the dialog box were displayed when the dialog box is displayed, if the parent is not already active), the second one is a bit more serious.
      A form element should not be allowed to steal the focus when its parent is not active. With a fairly simple timer (like the ones this guy's already using), a javascript ...script, could call document.myform.submit after a few minutes to harvest all of the text entered in another page.
      Forms should be strictly tied to their containers, and focus requests should be restricted only to the currently active window/tab/whathaveyou. I suspect that the reason this is an issue is because technically the form and the citibank page are both in the same window, the tabs are merely controlling what components are visible at any given point in time.

      --
      I have discovered a truly remarkable sig which this margin is too small to contain.
    2. Re:It's a clever one. by DigitalRaptor · · Score: 2, Informative

      A quick, easy, and usually painless solution to this is just to bring the tab with the active javascript into focus.

      You'd of course only want this for certain events (alerts being chiefest among them...).

      --
      Lose Weight and Feel Great with Isagenix
    3. Re:It's a clever one. by bicho · · Score: 2, Informative

      More like "which Tab/User_action" combo executed the script code.
      Just generalizing further.

      --

      errera hunamum ets
    4. Re:It's a clever one. by stromthurman · · Score: 2, Interesting

      I do agree that in most cases the lack of displayed text would be noticed in a matter of moments. I noticed it right away. However, if we're talking about usernames and passwords, enough info might be retrieved to be damaging. For instance, when I'm logging on to gmail, the username field has the focus, so I immediately begin typing that, hit a tab and start with the password, I could get through a fair portion of my password before realizing that the fields don't have the proper focus. Now, for well chosen passwords, that might not be so damning. But when people use the word "password" for a password, one should be careful.
      I would not go as far as to say this is a critical vulnerability, the createPopup() function in IE was far more damning, but I would consider it something that should be addressed. Even if it's not a critical issue, it does violate certain design principles/visual metaphors (if I can borrow a term Tufte seems to love), in that if a given view is not active, its components should not have the focus of the keyboard, or any other input device.

      --
      I have discovered a truly remarkable sig which this margin is too small to contain.
  14. firefox users update now! by spoonyfork · · Score: 2, Informative

    For Windows Firefox users: Tools -> Options... -> Advanced icon (left side) -> Software update section -> Check Now button

    --
    Speak truth to power.
    1. Re:firefox users update now! by nmg196 · · Score: 4, Informative

      > Re:firefox users update now!

      Why?

      As far as I can see, there are no updates for this problem.

      Am I missing something?

    2. Re:firefox users update now! by ultrasonik · · Score: 2, Informative

      I just tried the latest Firefox 1.0PR and I'll confirm, the problem is still there. If you turn off JavaScript and Java the problem goes away. However, CitiBank's site (used in the example) won't work without JavaScript. Bad CitiBank, no cookie for you! I'm sure it is only a matter of time before this trick is added to phishing ploys.

  15. I don't get it... by Anonymous Coward · · Score: 2, Informative

    Using Safari 1.2, the tab where the JavaScript dialog is coming from is activated when the dialog shows up. Nothing unsecure there. I can _see_ that this is not a CitiBank pop-up.

    Anybody care to explain to me?

    --
    kTag

  16. Re:Whats with the dig at IE? by normandr · · Score: 2

    Slashdot does NOT choose anything. It posts whatever people write. Raise your filter level or start moderating.

  17. Vulns text... by byolinux · · Score: 4, Informative

    For Apple's Safari browser

    Description:
    Secunia Research has discovered a vulnerability in Safari, which can be exploited by malicious web sites to spoof dialog boxes.

    Inactive windows can launch dialog boxes so they appear to be displayed by a web site in another window. This can be exploited by a malicious web site to show a dialog box, which seems to originate from a trusted web site.

    Successful exploitation would normally require that a user is tricked into opening a link from a malicious web site to a trusted web site in a new window.

    A test is available here:
    http://secunia.com/multiple_browsers_dialog_box_spoofing_test/

    The vulnerability has been confirmed in Safari 1.2.3 (v125.9). Other versions may also be affected.

    Solution:
    Don't visit trusted web sites while visiting untrusted web sites or disable JavaScript.

    And for IE

    Description:
    http-equiv has discovered two vulnerabilities in Internet Explorer, which can be exploited by malicious people to compromise a user's system, link to local resources, and bypass a security feature in Microsoft Windows XP SP2.

    1) Insufficient validation of drag and drop events from the "Internet" zone to local resources for valid images or media files with embedded HTML code. This can be exploited by e.g. a malicious web site to plant arbitrary HTML documents on a user's system, which may allow execution of arbitrary script code in the "Local Computer" zone.

    This vulnerability is related to:
    SA12321

    NOTE: Microsoft Windows XP SP2 does not allow Active Scripting in the "Local Computer" zone.

    2) A security zone restriction error, where an embedded HTML Help control on e.g. a malicious web site references a specially crafted index (.hhk) file, can execute local HTML documents.

    NOTE: This will also bypass the "Local Computer" zone lockdown security feature in SP2.

    The two vulnerabilities in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files can be exploited to compromise a user's system. This has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.

    Solution:
    Disable Active Scripting or use another product.

    1. Re:Vulns text... by FortranDragon · · Score: 2, Informative

      Ok, that's odd. I'm using Safari 1.2.3 (v125.9) on OS X 10.3.5 and the test doesn't work as described for me. I keep getting switched back to the Secunia tab when the dialog box pops up, not staying on the Citibank page as warning suggests. Anyone else seeing this behavior?

      I have just three tabs open: This /. article, the Secunia advisory, and the Citibank page. (I opened the Citibank page by right-clicking the link in the Secunia page. I had to open the Secunia page with a command-T and then cut-n-paste-n-fix the Secunia URL.)

      --
      "All the darkness in the world can not quench the light of one small candle."
  18. Vulnerability report vulnerability by Gadzinka · · Score: 2, Funny

    Seems like all the vulnerability reports are vulnerable to reporting them on /.

    Robert

    --
    Bastard Operator From 193.219.28.162
  19. Re:Tabs by Anonymous Coward · · Score: 4, Insightful

    That's ridiculous. It has nothing to do with tabs. The same thing would happen with multiple open windows. To come to the conclusion that "tabs are problematic" is asinine.

  20. Safari 1.2.3 by RaisinBread · · Score: 2, Informative

    Inactive windows can launch dialog boxes so they appear to be displayed by a web site in another window.

    When I tried this in Safari 1.2.3, the browser switched back to the test page as it gave me the phony dialog box. The Citibank page was only visible for a second or two before Safari switched back to the exploit test page.

    Doesn't seem to be a problem here... ?

  21. Spoofing Demo Vs. Slashdot by AbbyNormal · · Score: 3, Funny

    Spoofing Demo 0
    Slashdot 1

    Take that you evil spoofers!

    --
    Sig it.
  22. Tabs bug explained by Tom · · Score: 4, Insightful

    Essentially, it's an interface error. The problem seems to be that dialog boxes don't explain which tab they belong to.

    So with some creative coding, properly guessed/estimated delays, you can create the impression that dialog box A belongs to tab X, while it's actually from tab Y.

    I'm not sure if it's restricted to tabs. Can't get to the demo sites anymore as they're /.'ed, but I wouldn't be surprised if it works just as well for opening the external site in a new window.

    --
    Assorted stuff I do sometimes: Lemuria.org
  23. Mozilla*.* by ParnBR · · Score: 3, Informative

    Although they list Mozilla*.* vulnerabilities as not very serious, they must be acknowledged anyway. One is fairly trivial, I've seen it many times: typing in a text box in a tab may send keypresses to a text box in another tab. It happens when I open many tabs at once; the last tab to load usually steals the focus. It's a minor annoyance, though, and can be easily noticed looking at the screen, since typing doesn't appear where it should. However, spoofing dialog boxes can be more serious. Although suspending script execution in inactive tabs could solve this problem, it can break other things.

    At any rate, I'm fairly confident this will be solved in a sensible way by Mozilla*.* developers.

    --
    My neighbor's .sig is better than mine.
  24. Re:Whats with the dig at IE? by AvantLegion · · Score: 3, Insightful
    >> The Mozilla etc problem seems equally serious.

    Let's pretend, for a minute, that a system compromising vulnerability is "equally serious" as a spoofed URL. This will take some imagination and serious role-play, but we can do it.

    Now that we have that in place, let's look at this issue: when will the Mozilla development team fix the issue, and when will Microsoft?

    I don't know about you, but my money's on Mozilla.

  25. Konqueror by inc_x · · Score: 2, Informative

    > Make the website launching any JavaScript event appear in the foreground

    That's indeed how Konqueror has fixed this in KDE 3.3.1.

  26. About the second tab issue by ESqVIP · · Score: 5, Informative
    This was already filed as bug 124750, and has already been fixed. I'm using a 2004-10-19 build, and I can assure I already tested it.

    As I can't link bugzilla from Slashdot... go to http://bugzilla.mozilla.org/ and type in there the bug number. (Note: it's not marked there as FIXED, but you should look at the "fixed-aviary1.0" keyword, which is what matters for Firefox 1.0)

  27. Eff these browsers... all of them... by McNihil · · Score: 2, Funny

    I am using "telnet 80" from now on... and if by chance that is vulnerable I'll write my own minimal telnet client... so what... my eyes will bleed of html tags and other cruft... ok so where do I get a ssl capable telnet client so that I can do my online banking?

    SIMPLICITY FOLKS!!!

    Less features is better.

  28. This is why we need CHROOT browsers by freelunch · · Score: 4, Insightful

    Because the complexity and importance of our web browsers continues to increase, security of those applications will never be "solved" or "fixed".

    Other steps must be taken to deal with these issues. What we can do is treat the symptoms.

    For those using Linux or UNIX, privilege separation (running the browser process as a user ID that has limited rights) and a chroot jail would be major steps forward.

    I believe the browser projects need to work with the community to support that type of runtime configuration.. Before a big nasty vulnerability does damage.

    Chroot, in particular, is very tricky.

    1. Re:This is why we need CHROOT browsers by Mant · · Score: 2, Insightful

      How would this help against URL spoofing?

    2. Re:This is why we need CHROOT browsers by Ambassador+Kosh · · Score: 2, Informative

      Konqueror is not integrated the way you might think. In kde konqueror is a kpart launcher that uses io slaves to grab information. So when you type a url into konqueror which can be any recognized url it then uses an io slave to grab that information and when it gets that information back it hands it to the appropriate kpart for that kind of information.

      If you want add an html file on a server and use sftp://server:/path/to/file and it will still run khtml (the html rendering kpart). That is also why you can embed khtml in stuff like kmail and knode without much in the way of security issues since you can just have khtml render the html but not hook up any io slaves to it. That way it can't retrieve any outside resources.

      KDE overall is fairly well layered. I would like to see more security work done on it but it is pretty decent at least. For example I would like khtml to run with no privileges at all. It doesn't really need any to begin with so why have it run with them. The services it accesses need to be secured but at least that would make it far harder for things to go wrong.

      Most of the security work should probably happen in things like the io slaves, kjs (javascript) etc services since those can be used by any application (you can use http, sftp, webdav, imap etc from any kde file dialog box if you want) and get those more secured.

      --
      Computer modeling for biotech drug manufacturing is HARD! :)
    3. Re:This is why we need CHROOT browsers by ahg · · Score: 2, Informative

      chroot for a browser seems a bit extreme... It's a lot of effort and I think the following offers similar protection for a lot less work.

      Create a disposable unprivileged account "luser".
      From your primary user account enter at the shell prompt:

      $ xhost +local:
      $ su luser
      (enter password)
      $ mozilla &

      You can keep a publicly readable download directory in that account to retrieve files you downloaded. Otherwise "luser" should have no access to other user files anywhere else, and that account can be easily deleted and recreated if problems arise.

      I set this up in about two minutes. I know chroot would have taken me a lot longer.

      --

      --Aaron Greenberg

  29. It's interesting to compare these by Anonymous Coward · · Score: 5, Informative

    This is an excellent example of two facts:

    • All software suffers security problems, and many of the security holes are actually just unintended side effects of useful features; and
    • Microsoft's software is much, much worse than the rest, because it's plagued by old design decisions that make it easy to turn a minor security problem into a remote root exploit.

    Here's what the vulnerabilities are:

    In all the non-IE browsers, there's a potential issue with how tabbed browsing works. Basically, the problem is that stuff on tabs other than the active tab can still (a) pop dialogs and (b) have the keyboard focus. It's pretty clear that (b) is just a problem that should be fixed, because although it's possible to conceive of a circumstance where a user would want to look at one tab while typing into a box on another, it's clearly way too surprising and not nearly useful enough to be allowed. But (a) is more interesting. It's a side effect of the fact that pages continue functioning in all ways even when they're not the active tab. This includes running Javascript/Java/Flash programs, loading, rendering, etc. And that's a good and useful thing. But when a background tab pops a dialog, it may appear to the user that the dialog was created by the active page. If the user trusts one page more than the other, that can lead to problems.

    The solution to this dialog-popping problem isn't obvious. Perhaps dialogs need to be labeled with the name of the site that created them. Perhaps some other solution. But it will be worked on, even though the risk is fairly small.

    The IE vulnerability is very different in that it's a system compromise flaw. It's similar in one way, though: it's caused by a subtle interaction of features. In this case, dragging and dropping of image or media files with embedded HTML code, which may be malicious. This malicious code isn't a problem, really, because IE is security-conscious and won't execute it -- except that Microsoft has that terrible "security zones" design feature. Once the malicious code is moved from the "Internet" zone to the "Local Computer" zone, the code will be executed. What makes it especially funny is that Microsoft fixed this problem in SP2 by changing the Local Computer zone so that it will no longer execute Active Scripts. But yet another bug in the security zones can be exploited to bypass that "problem" so SP2 is vulnerable as well.

    Security flaws are everywhere, but what really kills Microsoft is their rash of bad design decisions in the past, turning little holes into remote root exploits. They're getting better, I believe, but it's going to be a long hard road for them to patch all of the problems that are created by their bad design decisions. It's too late, of course, to change the design. Too much depends on it.
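
The two fixes discussed in this thread (hold a background tab's dialogs until the user activates that tab and label them with the originating site; keep keyboard focus scoped to each tab), sketched as a toy model. This is an added example, not code from any poster or browser; the `TabbedBrowser` class, its methods and the `.example` origins are hypothetical.

```javascript
// Added illustration: a toy model of a tabbed browser's dialog and focus policy.
// Every name here is hypothetical; no real browser API is modelled.
class TabbedBrowser {
  constructor() {
    this.tabs = new Map();  // tabId -> per-tab state
    this.activeId = null;   // tab the user is currently looking at
    this.shown = [];        // dialogs actually presented to the user, in order
  }

  openTab(id, url) {
    this.tabs.set(id, {
      origin: new URL(url).origin,
      pending: [],       // dialogs held back while the tab is in the background
      attention: false,  // "requires your attention" marker on the tab strip
      focused: null,     // form field holding focus inside this tab
      typed: {},         // field name -> text received from the keyboard
    });
    if (this.activeId === null) this.activeId = id;
  }

  // Script in tab `id` asks for an alert/prompt dialog.
  requestDialog(id, message) {
    const tab = this.mustGet(id);
    if (id !== this.activeId) {
      tab.pending.push(message);  // queue it: nothing is drawn over the active tab
      tab.attention = true;
      return false;
    }
    this.present(tab, message);
    return true;
  }

  // Script in tab `id` asks for keyboard focus on one of its own fields.
  requestFocus(id, field) {
    const tab = this.mustGet(id);
    tab.focused = field;           // remembered per tab, never globally
    return id === this.activeId;   // true only if keystrokes go there right now
  }

  // The user switches tabs; queued dialogs appear only now.
  activate(id) {
    const tab = this.mustGet(id);
    this.activeId = id;
    tab.attention = false;
    while (tab.pending.length > 0) this.present(tab, tab.pending.shift());
  }

  // The user types; input goes only to the active tab's focused field.
  type(text) {
    const tab = this.mustGet(this.activeId);
    if (tab.focused === null) return null;
    tab.typed[tab.focused] = (tab.typed[tab.focused] || "") + text;
    return { origin: tab.origin, field: tab.focused };
  }

  // Every dialog carries the origin of the page that created it.
  present(tab, message) {
    this.shown.push({ title: `Dialog from ${tab.origin}`, message });
  }

  mustGet(id) {
    const tab = this.tabs.get(id);
    if (!tab) throw new Error(`unknown tab: ${id}`);
    return tab;
  }
}

// Constructed scenario: a trusted tab is active while a background tab
// requests a dialog and keyboard focus.
function demo() {
  const b = new TabbedBrowser();
  b.openTab("bank", "https://bank.example/login");      // becomes the active tab
  b.openTab("other", "https://untrusted.example/page"); // stays in the background

  const shownNow = b.requestDialog("other", "Please enter your PIN");
  const focusNow = b.requestFocus("other", "hidden-input");
  b.requestFocus("bank", "username");
  const keyTarget = b.type("alice");
  const attention = b.tabs.get("other").attention;
  const before = b.shown.length;

  b.activate("other");  // the user chooses to look at the background tab
  return {
    shownNow, focusNow, keyTarget, attention, before,
    after: b.shown.slice(),
    leaked: b.tabs.get("other").typed,
  };
}

console.log(demo());
```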

  30. Don't enable Javascript by wowbagger · · Score: 5, Insightful
    Don't visit trusted web sites while visiting untrusted web sites or disable JavaScript.


    Once again, for all you web masters out there who cannot code a simple <a href="foo"> without using Javascript:

    SOME OF US RUN WITH JAVASCRIPT DISABLED BY DEFAULT, FOR GOOD REASON!

    Yes, there are plenty of places where you CANNOT do what you need to do without Javascript - in those cases go ahead and use Javascript.

    But for a simple link to another page, or to an image, or to simply DISPLAY your site's content (I'm thinking of bone-headed sites like the International Herald Tribune here who use JS to display otherwise hidden text for their stories), USE HTML DAMNIT! OK, if you want to "enhance" (pronounced "clutter up with needless crap") your site by overriding those behaviors IF Javascript is enabled, knock yourselves out (preferably with a large mallet). BUT MAKE STANDARD HTML WORK AS WELL!

    Yes, you may WANT your image to be in its own window, without the standard decorations a browser will add. But if I have JS disabled, make the damn link just spawn a new window and be done with it.
    1. Re:Don't enable Javascript by Dr_Ish · · Score: 5, Insightful

      The advice here is sound. There are all sorts of evil things that can be done with javascript. I know how to do some of them and I am one of the 'good guys'. Goodness knows what can be done by those who are less well intentioned. I always run with javascript disabled, simple as that. Not only does this prevent the problem of pop-ups, it also keeps one safe from many other dangers. If a site requires javascript, then either I will simply not use it, or I will briefly enable javascript only as necessary. One of the reasons I do not own a Subaru, is due to their love of javascript, even though their cars are great. So, webmasters be aware, your choices can influence consumer habits!

    2. Re:Don't enable Javascript by wowbagger · · Score: 2, Insightful

      But they could achieve the same results WITHOUT rendering their pages unusable without Javascript, by the simple expedient of making the text sections visible by default, then hiding them as needed from Javascript.

  31. Options 4 and 5. by argent · · Score: 2, Insightful

    Option 4: Don't allow webpages to open dialog boxes from Javascript. The only time I've seen this as being useful is for optional client-side form validation, and there are other ways to provide the same functionality (for example, using CSS to bring up the message in the same page).

    Option 5: Don't allow webpages to open windows without decorations. This is occasionally useful, but it's routinely abused by everything from pop-up ads to control-freaks who just don't want you to see how their site is structured.

    1. Re:Options 4 and 5. by gfxguy · · Score: 2, Insightful

      So, in other words, you just want to disable javascript? Just kidding...

      As someone who has dabbled in JavaScript, I disagree with some of your outs (although you should be able to disable them)...

      Onload can be used to do a lot of useful things... I haven't come across the case where onexit does anything but annoying things, though...

      Also, some of my newer websites have a help window that pops up when you click on a question mark next to certain items... so it's a "requested" popup (the only kind that should be allowed to exist), but it also sets the size and turns off decorations... not so that I can be a jerk about it, but because it makes sense for most users... it works and acts like a lot of standard application pop-ups. Now, it doesn't resize an existing window, but it does set the size for a popup.

      So I think you should be able to disable some of these features, but they shouldn't just be removed.

      --
      Stupid sexy Flanders.
    2. Re:Options 4 and 5. by wheany · · Score: 2, Informative

      In fact, I'd like to see a list of options that will allow me to set exactly what JS can and can't do.

      As an Opera user, I like to answer these.

      * Ability to open up a new window when I request it (onclick)

      Block unwanted pop-ups

      * Ability to do useful DOM stuff

      Well, this I really can't answer, since I don't know your useful. But most of the sites I see work just fine when I have enabled Javascript.

      Out:-

      * Scrolling text in status bar

      Allow changing of status field

      * Anti-Right Click

      Allow script to receive right clicks. This option unfortunately doesn't stop the script from receiving middle clicks. Very annoying when trying to auto scroll around the page.

      * onload/onexit

      Can't be stopped in Opera. (To my knowledge at least)

      * resize window

      Allow resizing of windows

      * tell me that i can't have a URL box or status bar on a popup

      This depends entirely on how you have customized your toolbars. My status bar and url box are in non-window specific toolbars, so in a way none of my windows have status bars and url boxes, but they get updated depending on which window I have last clicked.

      * stupid 'effects'

      Again, depends on your definition of stupid.

  32. Easy to work around by Todd+Knarr · · Score: 2, Informative

    I note the vulnerability Secunia found in Mozilla et al. is easy enough to block. It depends on onMouseOver triggers and the launchTimedPrompt() function. Block either of those via the capability.policy.* settings and the problem ceases. I'm tempted to add launchTimedPrompt() blocking across the board simply because no Web site has any business launching a delayed dialog box.

  33. I'm not in the book WHOOOAAAAAA... Ugh! by tepples · · Score: 2, Interesting

    Everyone doesn't use gopher???

    He's not in the book, you know.

  34. Re:pwnXored by AndroidCat · · Score: 2, Insightful

    Back in the day, there were lots of VT-100 terminal tricks...

    --
    One line blog. I hear that they're called Twitters now.
  35. WHAAAT by Prince+Vegeta+SSJ4 · · Score: 2, Funny

    I always visit pr0n sites while I'm paying my bills, and checking on my investments, while paying taxes and entering my credit card numbers

  36. The form vulnerability... by swiftstream · · Score: 2, Interesting

    I've noticed the form vulnerability many times before--many email sites seem to do this, so that if I go to, say, hotmail.com and then open a new tab to go to google for a search, I start typing into the hotmail user name box.

    I never thought of it as anything more than an annoyance, though... I wonder how many other little annoyances there are hiding around that may actually have security implications?

    --
    Be a PATRIOT--because the only thing we have to fear is the lack thereof.
  37. You have to be kidding. by argent · · Score: 5, Informative

    The Mozilla etc problem seems equally serious.

    Mozilla etc... "If the user explicitly opens a page in a background tab, it may not be possible to tell what webpage a dialog box is associated with". Note that the exploit can not open a page in a background tab, it can only take advantage of that if it happens.

    Exposure: If the user can first be tricked into opening a page in another tab, and the exploiter can guess whether the user has "open tabs in background" (or the equivalent option) selected or not, then they may be able to trick them into entering confidential information a little easier. There are other ways to get similar results without having to trick the user twice, using frames or with multi-stage popups.

    Internet Explorer: The exploit can be used to launch web pages in the local security zone. The hole here is really the fact that there is such a thing as a "local security zone" at all. For seven years now, exploit after exploit has used this design flaw in the HTML control to run arbitrary code as the local user. Spyware, viruses, worms, spam bots, over and over again, malicious software has gained its initial foothold through variants of this attack.

    Exposure: Visiting a web page can allow an attacker to take over your computer, without any further action on your part.

    And you say "The Mozilla etc problem seems equally serious."?

    Jesus.

  38. NOT that we should ignore vulnerabilities by museumpeace · · Score: 3, Insightful

    after all, I love to bash poor Microsoft, but exhaustion is rapidly setting in here. I am what passes for a careful user: I don't use IE, I run the latest Mozilla, I use a firewall and anti-spyware and when it's all said and done...not much gets done because I am fretting over yet another patch or vulnerability. I have sympathetic talks with my sysadmins but my family thinks I am the Home Network Nazi.
    I feel like a small town policeman buried under a barrage of "sky-is-falling-alert-level-puce" faxes from the HomelandSecurity to be dealt with on zero budget.
    The color codes provided by Secunia are, despite seeming like imitations of the nation's goofy alert color codes, a step in the right direction. But what I want is an alert level made meaningful by contrasting it with risks I do understand: Since we perceive risk as a product of CHANCE_OF_OCCURRENCE X COST_OF_OCCURRENCE, I want a system where I can set a threshold for ignoring the drivel. The basis could be a chance_of_occurrence = to my chances of a serious car accident on the way to work for instance [say it's 1 in 5000] and the cost is monetized in the range from 0$ to the 1.7 million [or whatever it is] that the insurance industry pays out on average for a loss of life. ...if I am filthy rich, a vulnerability that opens my brokerage account could be > than loss of life but that is for me to set. All the stuff that falls below the threshold, I don't want to hear about, at least not more than once a year in a round-up batch of patches. Enough already!

    --
    SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
  39. Re:Firefox exploits don't work by Random+Guru+42 · · Score: 2, Informative

    After typing in some text (it won't appear, at least with 0.10.1) go back to the Secunia page. The textbox there will have all that you typed in. The exploit works, sadly.

    --
    Christopher S. 'coldacid' Charabaruk -- coldacid.net
  40. Re:Whats with the dig at IE? by squiggleslash · · Score: 2, Informative
    From what I can see, the Mozilla issue isn't even a spoofed URL.

    Essentially it makes use of the fact that dialog boxes are attached to windows, not tabs, so if you have two tabs open, and a dialog box comes up, you don't know if it's from the page you're viewing, or a different tab.

    It took me a while of trying out the demo to work out what it was they were saying was a vulnerability - perhaps I'm used to the issue, I browse with confirmation of sites that want to show cookies and thus dialogs are popping up all the time for tabs I've opened in the background (and it's usually frickin' annoying...)

    This is, for the most part, a user education issue (if that), not a vulnerability, though the Mozilla foundation could in general make their systems way more friendly by hiding dialogs that do not relate to the current tab until that tab is showing.

    --
    You are not alone. This is not normal. None of this is normal.
  41. MirrorDotting time by ggvaidya · · Score: 4, Informative
  42. Re:Whats with the dig at IE? by gad_zuki! · · Score: 2, Insightful

    >Why further continue the public's view of the open source community's immaturity by adding such a silly editorial comment to an otherwise reasonable story submission?

    You're new here aren't you.

    Expect lots of BS rationalizing. I don't see why people just don't admit to their bias and be done with it. I mean seriously, if you're a conservative don't tell me you're fair and balanced. If you're an OSS nut, don't tell me you're being fair. You're not. You're advocating something. People tend to appreciate it when others are being honest.

  43. Re:Whats with the dig at IE? by museumpeace · · Score: 5, Insightful

    The dig is just deserts. IE still can't rid itself of backdoor connections to the OS that do not plague other browsers. These came about in part because of Microsoft naivete [as its programming culture arose in the protected world of standalone office products] and partly from its attempt to defend against DOJ litigation [ aimed at its monopolistic moves to kill Netscape] by claiming that "browsers are naturally part of the OS". Serves 'em right!

    --
    SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
  44. Honor System Browser Exploit by TheOtherChimeraTwin · · Score: 3, Funny
    This browser exploit works on the honor system.

    If you are using IE, FireFox, Opera or another graphical browser, please visit a dozen porn sites and delete two files at random from your hard drive.

    If you are using Lynx or another text browser, please visit http://www.asciipr0n.com/ and delete three files at random from your hard drive.

    Thank you for your cooperation.

  45. Re:Whats with the dig at IE? by LWATCDR · · Score: 3, Insightful

    The Mozilla etc problem seems equally serious.
    Ummm No not really. In fact it does not seem all that much like a bug at all. More like an artifact of using tabs. There are a few fixes that will be easy to put into all the tabbed browsers.
    1. When a dialog is opened the requesting page is brought to the top.
    2. Put the calling URL on the dialog's title bar.
    3. Do not allow dialogs to be displayed if the calling page is not in the foreground.
    The Mozilla/other browser issues "Could" allow someone to be fooled but you would really have to work at it. The IE issue seems to allow the remote execution of code on your system. The potential damage seems much higher to me.
    Of course if you are right and they are equal and Mozilla has a fix before Microsoft then it would show that Mozilla can fix major security issues better than Microsoft.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  46. Re:Throw in the "of course" to bash IE by DrSkwid · · Score: 3, Insightful

    wrong, it's because the IE is a SYSTEM compromise whereas the others just expose the USER

    hence the OF COURSE because of the poor choice of integrating the browser into the system

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  47. Re:Netscape non-problem by autrijus · · Score: 2, Informative

    The "while" here means "at the same time that", not "whereas".

  48. Re:Whats with the dig at IE? by drinkypoo · · Score: 2, Insightful

    I admit to being biased against a company whose browser exploit allows remotely initiated code execution without user interaction as opposed to the organization which produced the browser whose "exploit" is that you can't tell which tab generated a popup.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  49. Re:Nasty on Avant by drinkypoo · · Score: 2, Informative

    You're allowed to grab focus on assorted events (like onload, or on a timer) and assign it to a specific text input box. Many sites like google and dictionary.reference.com use this for legitimate purposes.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  50. On what platform? by zogger · · Score: 2, Insightful

    Are these on all platforms, or just MS stuff, or what? I guess I am not seeing it, my apologies if it's there. For Moz 1.7xx whatever, they (secunia link in article) say this for a fix

    "Solution:
    Don't visit trusted web sites while visiting untrusted web sites OR disable JavaScript." CAPS are mine

    DUH, I never have scripting turned on. Thanks for the advice Secunia, turned it off a long time ago. It's the first thing I do with any new browser I download and install, I look at the preferences and make sure that scripting is not default on. Evil mojo it is. Seems like every other exploit has to do with having scripting turned on, or the traditional and infamous and legendary now e-vile "buffer overflows" thingee. It's like a bad Japanese sci fi "Radioactive mutant buffer overflows swamp tokyo!!11!". I got no control over "buffer overflows", that is the developers lookout (seems to never end, too, why is that???), but scripting any user got complete control over, and it pays to learn from history you would think. I really don't care how useful javascript is, it's way too insecure, been proven over and over, it's a bad idea to run it, IMO. Just like active X stuff for MS, just bad news from the git-go. One of the main reasons I don't get any web mail accounts anymore, most of them I have looked at seem to require it.

    no... not gonna do it... wouldn't be prudent....

  51. Konqueror work-around by kitzilla · · Score: 4, Informative

    I left Javascript enabled in Konqueror, but set "open new windows" to "ask" in preferences and set the other JS policies to "ignore." Site displayed normally, and the spoofed text entry box didn't launch.

    --
    This is my post. There are many others like it. If you don't like what you read here, go try one of the others.
  52. WARNING: Don't click on link. by Entropy+Unleashed · · Score: 4, Informative

    The Last Measure link contains stuff you really don't want to be seeing. Don't click on it if you're just looking for a demo of the popup style.

    --

    "I would give my right hand to be ambidextrous."
  53. Re:The Mozilla exploits are a JOKE by stoborrobots · · Score: 3, Insightful
    onload = "setTimeout('document.evil_form.submit()' ,10000)"
    ???
  54. Browser windows must become hierarchical by Animats · · Score: 2, Interesting
    Browser windows are going to have to become hierarchical. If the code in window A causes the opening of window B, window B must be considered a child of window A. If window A closes, so must window B.

    This means popups can't survive their parents, which is probably a good thing.

    Visual parenting is needed, too. If the parent window is minimized or goes to the back, so should its child windows. Window headers should reflect the parent window's header.

    Child windows shouldn't be allowed to position themselves entirely outside of the parent window. They should have to overlap, at least marginally. (Strict users might turn on a mode where they have to overlap totally, like subwindows in an application.) This creates a visual association between the parent and child windows.

    With this, multiple window sites behave in a more tolerable manner.

  55. Re:Dear God, make it STOP! by pcmills · · Score: 2, Funny

    I just place an sh in front of the it.slashdot.org for an appropriate link.

    http://shit.slashdot.org/article.pl?sid=04/10/20/1344208&tid=172&tid=113&tid=154&tid=114&tid=218

    --
    Ask Slashdot - google for stupid people.
  56. Easy solutions by billybob · · Score: 2, Insightful

    There are two solutions that would be pretty easy I think, I'm not sure which would be better.

    a) Delay displaying alert() calls until the tab is activated by the user.

    b) When alert() is called, make the tab that called it become active automatically. This should provide a good visual cue of who it belongs to.

    I think I would prefer the first option just so I wouldn't be distracted by the alert() box until I was going to use that tab anyways.

    --
    Joseph?
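
An added sketch, not code from the thread or from any browser, of the fixes proposed in the comments above: deferring a background tab's dialog until the tab is active, bringing the requesting tab to the front, and naming the calling page in the dialog title. The `TabbedWindow` class, its methods, the policy names and the `example` origins are all assumptions made for illustration.

```javascript
// Toy model of one browser window with tabs (added example; every name here is
// hypothetical and does not correspond to a real browser API).
// policy: "legacy" = show immediately, "defer" = hold until the tab is active,
//         "focus"  = bring the requesting tab to the front, then show.
class TabbedWindow {
  constructor(policy) {
    this.policy = policy;
    this.tabs = [];        // each tab: { origin, pending: [] }
    this.active = null;    // index of the tab the user is looking at
    this.shown = [];       // record of dialogs actually displayed
  }
  openTab(origin) {
    this.tabs.push({ origin, pending: [] });
    this.activate(this.tabs.length - 1);
    return this.tabs.length - 1;
  }
  activate(id) {
    this.active = id;
    const tab = this.tabs[id];
    // Deferred dialogs appear only once their own page is visible.
    while (tab.pending.length > 0) this.display(id, tab.pending.shift());
  }
  display(id, message) {
    const owner = this.tabs[id].origin;
    const visible = this.tabs[this.active].origin;
    this.shown.push({
      // Non-legacy policies also name the calling page in the title bar.
      title: this.policy === "legacy" ? "Script dialog" : `Page at ${owner} says:`,
      message, owner, visible,
      ambiguous: owner !== visible,   // user cannot tell which page is asking
    });
  }
  requestDialog(id, message) {
    if (id === this.active || this.policy === "legacy") {
      this.display(id, message);
    } else if (this.policy === "defer") {
      this.tabs[id].pending.push(message);
    } else if (this.policy === "focus") {
      this.activate(id);
      this.display(id, message);
    } else {
      throw new Error(`unknown policy: ${this.policy}`);
    }
  }
}

// Constructed scenario: a background tab asks for input while the user is
// looking at a different, trusted tab.
function scenario(policy) {
  const win = new TabbedWindow(policy);
  const untrusted = win.openTab("http://untrusted.example");
  win.openTab("https://bank.example");          // user switches to this tab
  win.requestDialog(untrusted, "Session expired, re-enter your password");
  const whileOnBank = win.shown.slice();
  const activeAfterRequest = win.active;
  win.activate(untrusted);                      // user goes back later
  return { whileOnBank, activeAfterRequest, final: win.shown };
}

for (const policy of ["legacy", "defer", "focus"]) {
  const r = scenario(policy);
  console.log(policy, r.final.map(d => `${d.title} ambiguous=${d.ambiguous}`));
}
```

Only the "legacy" policy ever records a dialog whose owner differs from the visible page, which is the ambiguity the spoofing demonstrations rely on.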
  57. We need a new view of security by gelfling · · Score: 3, Insightful

    We need to accept that all browsers are fundamentally broken and exposed and can't be fixed. We need therefore to understand security as that set of tools and behaviors that minimize our own exposures and risks with the understanding that Browsers, in fact all desktop tools are to some extent nothing more than Dreadnoughts and Maginot Lines too big and stupid to get out of their own way and only as effective as the stupidity of the attack that tries to hit them head on.

    The notion that browsers are exposed is really only relevant in terms of what is exposed and how meaningful that exposure might be to you or your enterprise. If your browser gets hijacked - ok then what are you going to lose your bank account or credit card? Are you going to lose your health management PPO records? Are you going to go to jail when the FBI finds your kiddyporn? Or do you simply take other steps to protect yourself in the case when not if your machine is cracked and taken over.

  58. Konqueror vulnerable, really? by Balinares · · Score: 2, Interesting

    I tested the spoof vulnerability in Konqueror 3.3.1 (the latest).

    When displaying the popup, it 1) switched back to the tab that owns it, and 2) the popup clearly contained the server name "secunia.com".

    I was about to call this unhealthy sensationalism, but I haven't checked out older versions. Can anyone confirm the vulnerability in 3.3.0 and older? Thanks.

    --

    -- B.
    This sig does in fact not have the property it claims not to have.
  59. wrong! (who modded this insightful?) by Mr+44 · · Score: 2, Insightful

    IE is not a system compromise in any technical sense. IE (and the rest of explorer) runs in user mode, same as any program. If you run as non-admin, it won't be able to affect anything your user account doesn't have access to.

    When they say IE is "integrated into the system" what is meant is that the re-usable browser component is guaranteed to be available on that system, like the common controls. It's considered a base-level system provided function. This allows other browsers like neoplanet or myie2 to be written without writing or distributing the HTML parsing engine.

  60. Firefox's tabs by dfj225 · · Score: 4, Informative

    The window from an inactive tab coming to the front in Firefox does not really seem like that big of a deal. I kind of like the fact that it does this. At work, the server needs to restart to load a new java war file so I usually browse on other tabs while the server is restarting. When it starts, the notification window pops to the top. Perhaps there should be an option to turn this on or off (the option could default to off)...I don't really see that many people putting really important information into a javascript notification window anyway.

    --
    SIGFAULT