Big Day For Browser Vulnerabilities

An anonymous reader writes "All browsers have been reported vulnerable to different vulnerabilities today. Starting with: Internet Explorer on XP SP1/SP2, which suffers a new system compromise (of course) vulnerability. Continuing with: Opera, Mozilla / Mozilla Firefox / Camino, Safari, Netscape, Konqueror, Avant Browser and Maxthon, which all suffers some new spoofing vulnerabilitities. Demonstrations of the spoofing vulnerabilities are available here and here."

NY Times Ad...

[jea6]

Stop the presses.

Re:NY Times Ad...

[DAtkins]

Actually, according to MozillaZine the fix has been fixed in the 1.0 code tree, but hasn't been merged into the existing builds yet. I would expect a fix before 1.0 goes gold.

Been thinking about this...

[byolinux]

So, a fairly common problem in all browsers bar IE (does it affect those browsers that embed IE to give tabs?)

Possibly solutions that I've just thought up (for discussion)

• Make the website launching any JavaScript event appear in the foreground
• Make every dialog box give security information about the website it's from, if the website it's from is not the currently displayed tab.
• Suspend various types of JavaScript until the tab is foremost again, but display a 'requires your attention' icon (I call shotgun on a panda for this)

While they're fixing this, if all browser makers could make sure there's an option to stop websites resizing my browser, that'd be lovely. I know Moz has this, so it can't be hard for everyone to have it.

Re:Been thinking about this...

[CXI]

I would be more in favor of a tab not opening a dialog or firing any other events until it becomes active again. Allowing tabs to gain focus without user intervention has the potential to be annoying as hell. For example, an ad on a page could keep popping that tab to the front for you to see it. Ugh.

All browsers?

[chjones]

All browsers have been reported vulnerable to different vulnerabilities today.

I use Lynx, you insensitive clod!

CDJ

Re:All browsers?

[byolinux]

I use Lynx, you insensitive clod!

Must you post in HTML? I use telnet to fetch/post my web traffic you insensitive clod! It's people like you who clog up the web! ;)

Safari Exploit demonstration did not work

[99BottlesOfBeerInMyF]

I just tried the exploit demonstration for Safari, but it did not work. The active tab switched back to the one providing the pop-up, not the target site. Did anyone else try it and have it work?

It's a clever one.

[jimicus]

For those who can't be bothered to RTFA, the Mozilla vulnerability is essentially a standard link with an "onMouseOver" bit which runs a little piece of JavaScript.

The JavaScript pauses for a few seconds (while you presumably get distracted by another page) then flashes up a "Please enter some text" dialogue box.

A similar effect could be achieved by calling the JavaScript on pretty much any event; the vulnerability relies on it being unclear which site caused the dialogue box to pop up. I can see how it could be classed a vulnerability, but it's hardly earth shattering.

About the second tab issue

[ESqVIP]

This was already filed as bug 124750, and has already been fixed. I'm using a 2004-10-19 build, and I can assure I already tested it.

As I can't link bugzilla form Slashdot... go to http://bugzilla.mozilla.org/ and type in there the bug number. (None: it's not marked there as FIXED, but you should look at the "fixed-aviary1.0" keyword, which is what matters for Firefox 1.0)

It's interesting to compare these

This is an excellent example of two facts:

• All software suffers security problems, and many of the security holes are actually just unintended side effects of useful features; and
• Microsoft's software is much, much worse than the rest, because it's plagued by old design decisions that make it easy to turn a minor security problem into a remote root exploit.

Here's what the vulnerabilities are:

In all the non-IE browsers, there's a potential issue with how tabbed browsing works. Basically, the problem is that stuff on tabs other than the active tab can still (a) pop dialogs and (b) have the keyboard focus. It's pretty clear that (b) is just a problem that should be fixed, because although it's possible to concieve of a circumstance where a user would want to look at one tab while typing into a box on another, it's clearly way too surprising and not nearly useful enough to be allowed. But (a) is more interesting. It's a side effect of the fact that pages continue functioning in all ways even when they're not the active tab. This includes running Javascript/Java/Flash programs, loading, rendering, etc. And that's a good and useful thing. But when a background tab pops a dialog, it may appear to the user that the dialog was created by the active page. If the user trusts one page more than the other, that can lead to problems.

The solution to this dialog-popping problem isn't obvious. Perhaps dialogs need to be labeled with the name of the site that created them. Perhaps some other solution. But it will be worked on, even though the risk is fairly small.

The IE vulnerability is very different in that it's a system compromise flaw. It's similar in one way, though: it's caused by a subtle interaction of features. In this case, dragging and dropping of image or media files with embedded HTML code, which may be malicious. This malicious code isn't a problem, really, because IE is security-conscious and won't execute it -- except that Microsoft has that terrible "security zones" design feature. Once the malicious code is moved from the "Internet" zone to the "Local Computer" zone, the code will be executed. What makes it especially funny is that Microsoft fixed this problem in SP2 by changing the Local Computer zone so tht it will no longer execute Active Scripts. But yet another bug in the security zones can be exploited to bypass that "problem" so SP2 is vulnerable as well.

Security flaws are everywhere, but what really kills Microsoft is their rash of bad design decisions in the past, turning little holes into remote root exploits. They're getting better, I believe, but it's going to be a long hard road for them to patch all of the problems that are created by their bad design decisions. It's too late, of course, to change the design. Too much depends on it.

Don't enable Javascript

[wowbagger]

Don't visit trusted web sites while visiting untrusted web sites or disable JavaScript.

Once again, for all you web masters out there who cannot code a simple <a href="foo"> without using Javascript:

SOME OF US RUN WITH JAVASCRIPT DISABLED BY DEFAULT, FOR GOOD REASON!

Yes, there are plenty of places where you CANNOT do what you need to do without Javascript - in those cases go ahead and use Javascript.

But for a simple link to another page, or to an image, or to simply DISPLAY you site's content (I'm thinking of bone-headed sites like the International Herald Tribune here who use JS to display otherwise hidden text for their stories), USE HTML DAMNIT! OK, if you want to "enhance" (pronounced "clutter up with needless crap") you site by overriding those behaviors IF Javascript is enabled, knock yourselves out (preferably with a large mallet). BUT MAKE STANDARD HTML WORK AS WELL!

Yes, you may WANT your image to be in its own window, without the standard decorations a browser will add. But if I have JS disabled, make the damn link just spawn a new window and be done with it.

Re:Don't enable Javascript

[Dr_Ish]

The advice here is sound. There are all sorts of evil things that can be done with javascript. I know how to do some of them and I am one of the 'good guys'. Goodness knows what can be done by those who are less well intentioned. I always run with javascript disabled, simnple as that. Not only does this prevent the problem of pop-ups, it also keeps one safe from many other dangers. If a site requires javascript, then either I will simply not use it, or I will briefly enable javascript only as necessary. One of the reasons I do not own a Subaru, is due to their love of javascript, even though their cars are great. So, webmasters be aware, your choices can influence consumer habits!

Re:spoofing demos aren't working on my browser

[eobanb]

I get it. It tricks the browser into displaying a blank page. Clever bastards.

You have to be kidding.

[argent]

The Mozilla etc problem seems equally serious.

Mozilla etc... "If the user explicitly opens a page in a background tab, it may not be possible to tell what webpage a dialog box is associated with". Note that the exploit can not open a page in a background tab, it can only take advantage of that if it happens.

Exposure: If the user can first be tricked into opening a page in another tab, and the exploiter can guess whether the user has "open tabs in background" (or the equivalent option) selected or not, then they may be able to trick them into entering confidential information a little easier. There are other ways to get similar results without having to trick the user twice, using frames or with multi-stage popups.

Internet explorer: The exploit can be used to launch web pages in the local security zone. The hole here is really the fact that there is such a thing as a "local security zone" at all. For seven years now, exploit after exploit has used this design flaw in the HTML control to run arbitary code as the local user. Spyware, viruses, worms, spam bots, over and over again, malicious software has gained its initial foothold through variants of this attack.

Exposure: Visiting a web page can allow an attacker to take over your computer, without any further action on your part.

And you say "The Mozilla etc problem seems equally serious."?

Jesus.

Re:Whats with the dig at IE?

[museumpeace]

The dig is just desserts. IE sitll can't rid itself of backdoor connections to the OS that do not plague other browsers. These came about in part because of Microsoft naivete [as its programming culture arose in the protected world of standalone office products] and partly from its attempt to defend against DOJ litigation [ aimed at its monopolistic moves to kill Netscape] by claiming that "browsers are naturally part of the OS". Serves 'em right!