Spoofing Flaw Resurfaces in Mozilla Browsers
GregThePaladin writes "A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned. The flaw, which also affects some other Mozilla Foundation programs, lies in the way the software handles frames. The applications don't check whether the frames displayed in a single window all originate from the same Web site." Commentary on this at whitedust as well.
Frames suck, and you deserve to cause problems if you use them.
Oh, damn IE for being so insecure. Wait, this is about an Open Source browser---damn IE for being so insecure!
The number of Firefox vulnerabilities that have been exposed is frightening. But I wonder when the first actual exploit will be found...
Try out fish, the friendly interactive shell.
from TFA:
For a spoofing attempt to work, a surfer would need to have both the attacker's Web site and a trusted Web site open in different windows.
So, uh, what about tabs? 'Cause I never have 2 windows open at the same time.
Your sig(k) has been stolen. There is a puff of smoke!
If I understand correctly, this is like a cross site scripting (XSS) attack? But a malicious web designer can put a master frame with his code, and just put something inside like paypal?
Interesting. I have a dedicated profile set up specifically for private accessing (yes, I'm paranoid :P). I wonder how Firefox handles multi profiles, and multiple windows...
...I best stop using this unsafe browser (Firefox) and go back to the safe one I was using before (IE)
oxymoron of the day - Xbox gamer
Type: Spoofing
Exploit: Local
Effects: All browsers
Description:
A 7 year old vulnerability has been discovered in multiple browsers, allowing malicious people to spoof the content of websites.
The problem is that the browsers don't check if a piece of black electrical tape is on the screen covering the address bar, which prevents the user from identifying the source of content in the browser window.
Successful exploitation allows a malicious website to load arbitrary content with its source masked by the black tape. The user cannot know if this is a trusted site.
Solution:
Remove the piece of electrical tape from the screen. Windex may be necessary to clean up afterwards.
Unknown host pong.
Recycling old bugs...I have to say that the Mozilla code base is losing some credibility with mistakes like this. Seems like a code audit is called for guys...
The NSA: The only part of the US government that actually listens.
Is the Moz community going to release a fix for Suite?
Welcome to the Panopticon. Used to be a prison, now it's your home.
Is it impossible to test new releases against old bugs?
Reasons:
1) this flaw/exploit
2) not able to bookmark properly
Grundgesetz * 23. Mai 1949 - 30. November 2007 - http://www.vorratsdatenspeicherung.de/
Does the Firefox community have any regression testing? They need fully automated tests like the Linux kernel has now.
Tabs don't appear to be affected though?
At least I couldn't get the example to work with tabs.....
This is somewhat of a tough issue...because obviously you can open up a spoofed page inside of a frame that looks like a legit page. However, there are legit reasons to open up other offsite content in a frame (take a look at ask.com...I believe they leave a frame up top to their site then open another site from their searches).
The best idea would be to just get rid of frames completely, they suck.
A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned.
Jesus Fuck! How can these rat bastards let this happen? the world may fall apart... oh, it's not Microsoft? Oh, sorry, false alarm... These aren't the droids you're looking for.
The Debian package of Firefox 1.0.4, with the extension Tabbrowser Preferences installed, isn't, for example. As a result of this extension, the frame isn't injected into the frameset that is being targeted, and is opened in a new tab instead.
It is surprising, though, that a security vulnerability like this goes unnoticed for so long. On the other hand, I very much doubt that anybody has actually used this to exploit users.
www.fearthecow.net
Just one problem - the example "exploit" doesn't work. I press the MSDN link, it opens up in a new tab, press the demonstration link... And nothing happens.
So what do I do wrong?
Saying the bug resurfaced is not completely true. This bug was removed from the old Netscape rendering engine, and reintroduced when replacing it with the new and fancy Gecko rendering engine. Apache also reintroduced a number of bugs when switching from 1.3 to 2.0, I believe. That is one of the many prices you pay when rewriting old code from scratch.
Try out fish, the friendly interactive shell.
It's bad when a vulnerability listed in a few year old Hacking Exposed book scares me. I'd say that it would be a good start to use telnet for web browsing but even the telnet client I was using had a buffer overflow exploit. Le sigh!
Or are they supposed to scrap it all and rewrite from scratch every few years? I sure hope not. Anyone else out there remember M13, M14, M15, etc.? *shudder*
- I don't need to go outside, my CRT tan'll do me just fine.
It appears that if you have the Tabbrowser Preferences extension installed, then this exploit doesn't work.
perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
Does the Firefox team use any automated testing on the project? Seems like these sort of errors could stay dead, if so.
Software testing automation tools
If you mod me down, I shall become more powerful than you could possibly imagine.
This isn't Microsoft and Windows 2000. Of course they'll release a fix. In the year 2045, they might just tell you to upgrade though, even Open Source has its limits for supporting old software....
Suite will be EOL'ed, but security patches are still being applied.
IIRC 1.x is feature frozen, but still 'active'.
To have such fundamental flaws appear, whether by accident or negligence, is unacceptable.
Furthermore, the browser "industry" and the commercial sector NEED to come up with some guidelines as to how to promote and ensure online security for financial transactions and personal data.
For example, it's almost impossible for the casual or sophisticated user to easily determine whether a frame that appears within a website actually belongs to that website, or another. For example, if you have an online account with MBNA credit card, and make an online purchase, some vendors will display an MBNA authentication page which asks you to login to your online account to verify the purchase.
The problem is that this authentication page appears as a frame within the online vendor. How can you tell whether that frame is a legitimate MBNA page, or just a clever phishing attack? The browser gives no indication as to whether the frame belongs to MBNA or the vendor.
PayPal suffers from the same thing. I hate clicking on the "Make a Donation" button of some sites, and then seeing the PayPal login appear within a frame of the original site. That prevents me from making a donation - with today's complicated scripting invocations and what not, I don't feel trusting enough to type my account info and password into some frame which happens to appear in the middle of some other organization's website.
I can't BELIEVE that MBNA and PayPal would promote such idiotic practices, much less allow them to happen.
I tried to test this spoof with the instructions from TFA, and I cannot seem to get it to work.
I tried to open the links in tabs. 1st the MS one, then the Secunia, then the MS one again. Nothing out of the ordinary happened. The MS page showed up like it should, unlike the article said.
I also tried it with tabs, but still nothing.
This is nothing more than BS spreading FUD.
(I am using Firefox 1.04)
Even -if- this gets exploited, it doesn't work across tabs and it doesn't work if you have more than one tab open in the window containing the 'trusted' site; at least not on FF 1.04 here on BeOS.
Now, how many FF users still browse with multiple windows and NO tabs? Anyone who found out about it the geeky ways uses tabs, and I should hope that the first thing you show any Joe Idiot how to do when you install FF on the machine you've just (been paid to) de-spyware is use the tabs...
really good about now. Opera is the only browser I am aware of that has all *known* vulnerabilities fixed. Per http://secunia.com/product/4932/
YMMV, but methinks even though I use Ubuntu, I may make the switch to Opera for added security.
I wish I had mod points.
I'd help you on the way to be a +5 Troll (I'd just vote underrated).
While the language is harsh, you are right. Frames do cause problems.
They sound good, but they bring problems with them.
The Internet is full. Go Away!!!
The bug in IE was reported almost a year ago, and it is still unpatched.
The bug was reported in all major browsers (Mozilla and Firefox, Opera, Safari, Konqueror, IE), and was patched in all of them except IE. It has now reappeared in Mozilla.
The whole terminology used for web sites belies the myth of a trusted web site.
Web sites are placed on "sacrificial hosts" in a "DMZ". Web sites are not trusted by the people who build them and never have been. If the owner of a web site doesn't trust it, why should you?
A victim would never need to visit an "untrusted" web site, because this defect could be coupled with others (exploit chaining). It's even been done before with other defects, notably Download.ject.
If you mod me down, I shall become more powerful than you could possibly imagine.
Now...take how many bugs have been exposed in Firefox and how many have been exploited.
How many bugs have been exposed in IE and exploited? (Especially because for IE it's almost a 1:1 ratio)
~Ilyanep
To get message, take amount of carrier pigeons at each stage mod 2. Then decode binary.
What is the name of the developer who reintroduced this bug? It is often said about the open source community that the level of accountability just isn't enough. This is a main reason why corporations aren't as willing to transition to platforms such as Mozilla or OpenOffice. Corporate types will want to know which developer it was who reintroduced this seven-year-old bug, and what the Mozilla Project plans to do to prevent a similar incident from ever occurring again.
Cyric Zndovzny at your service.
ever since the article appeared out of the near future, (5-10mins) I've been trying to get it to work, turns out that the tabbrowser extension prevents the exploit from occurring because it rewrites the target attribute
Gravity Sucks
Is this truly a bug?
;)
I tried the exploit with a W2k box that has IE Version 6.0.2800.1106CO with SP1 and several Q### patches installed and it produces the same result.
I see how this could be used as an exploit but is it really a bug? I have written code for a game website which used multiple windows with frames and the information in the frames came from two different web servers. Yeah, I know, it sounds like a web surfing nightmare, but fret not, it was an experiment. But my point is that this may not actually be a bug, and may be an issue to consider when creating a secure website. In other words, as others here have stated, don't use frames!
burnin
This isn't Microsoft and Windows 2000. Of course they'll release a fix.
Actually, Microsoft will be releasing security fixes for Windows 2000 all the way through 2010. Will MoFo be supporting a 9 year old version of their product in 2010 or will they tell you to "upgrade"?
The applications don't check whether the frames displayed in a single window all originate from the same Web site.
And they shouldn't check that because often frames do not originate on the same web site (e.g., Google, Hotmail). The problem is if you try to frame something low security inside something high security; the other direction is OK.
What they should check (according to Secunia) is something different: when code attempts to put content into a target, the browser should check whether that code actually created that frame and otherwise refuse.
A simple way of fixing this problem might be to prefix the name of any frame with the host that created it, so that "target=foobar" actually means "target=www.host-of-this-page.com::foobar"; that also helps avoid confusing name conflicts between web sites. But that suffers from the same problem as anything else that relies on host names: you can't tell which ones are supposed to "belong together".
Alternatively, you might require that if any frame in a window uses https, then all of them must, and they all must use the same certificate.
The best solution is probably just to abolish frames altogether; they cause many other problems as well.
A slightly less drastic solution would be to prohibit the display of any https content in a frame.
That's a typical response. How is this relevant to the fact that the Open Source community of developers missed a bug that is SEVEN years old?
----- Open Source = More Secure (mmmmkay)
well since you have access to the source you could just make the changes yourself...
or wait till someone else does
"I reject your reality, and substitute my own" - Adam Savage
The problem is not that different frames can come from different sites. The problem is that one site can change the existing content of a frame that is already being displayed.
So, if you do banking in one window and you then open up a malicious site in another, the malicious site can change the content of a frame in your banking window. That's not "faking", it's something worse.
I can't think of a legitimate use for that "feature" in a real application, and the fact that it didn't use to work suggests that sites aren't relying on it.
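To make the two points above concrete (a same-origin or "only the creator may retarget" check on target= names, and the fact that the real problem is one window rewriting a frame already displayed in another), here is an added toy model of target-name resolution. It is not code from the article, from Secunia, or from any browser; the window names, origins and URLs are constructed for the example.

```javascript
// Toy model (added example, not any browser's real code) of how a link's
// target= name is resolved across open windows, showing the frame injection
// discussed above and a policy that lets only the creating origin reuse a frame.
// All origins, URLs and frame names below are constructed for the example.

class BrowserWindow {
  constructor(name, origin, url) {
    this.name = name;       // window name, also usable in target= lookups
    this.origin = origin;   // origin of the top-level document
    this.url = url;
    this.frames = [];       // named frames created by the document in this window
  }
  // The document in this window creates a named frame; remember who created it.
  addFrame(name, url) {
    const frame = { name, url, creatorOrigin: this.origin };
    this.frames.push(frame);
    return frame;
  }
}

class ToyBrowser {
  // policy: 'legacy'  -> any window may load content into any frame with a matching name
  //         'creator' -> a frame is only reused by documents from the origin that created it
  constructor(policy) {
    this.policy = policy;
    this.windows = [];
  }
  open(name, url) {
    const w = new BrowserWindow(name, new URL(url).origin, url);
    this.windows.push(w);
    return w;
  }
  // Resolve target=targetName for a link clicked in fromWindow and load url there.
  followLink(fromWindow, targetName, url) {
    for (const w of this.windows) {
      for (const frame of w.frames) {
        if (frame.name !== targetName) continue;
        const allowed = this.policy === 'legacy' ||
                        frame.creatorOrigin === fromWindow.origin;
        if (allowed) {
          frame.url = url;   // the already-displayed frame is silently replaced
          return { action: 'reused-frame', window: w.name };
        }
      }
    }
    // No frame this document may reuse: fall back to a fresh window of that name,
    // whose address bar shows the real URL.
    const fresh = this.open(targetName, url);
    return { action: 'new-window', window: fresh.name };
  }
}

// The scenario from the thread: a bank frameset in one window, an attacker's
// page in another, and a link whose target= names the bank's content frame.
function runScenario(policy) {
  const browser = new ToyBrowser(policy);
  const bank = browser.open('bank', 'https://bank.example/frameset');        // constructed
  const content = bank.addFrame('content', 'https://bank.example/login');     // constructed
  const attacker = browser.open('lure', 'https://attacker.example/lure');     // constructed
  const result = browser.followLink(attacker, 'content',
                                    'https://attacker.example/fake-login');   // constructed
  return { action: result.action, loadedIn: result.window, bankContentUrl: content.url };
}

console.log('legacy :', runScenario('legacy'));   // bank's frame now shows attacker content
console.log('creator:', runScenario('creator'));  // bank's frame untouched, new window opened
```

Under the 'legacy' policy the bank window's login frame ends up showing the attacker's URL while the bank's address bar is unchanged; under the 'creator' policy the same click opens a separate window instead.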
Let's hope so. I love it when the competition does most of the field research for me.
The eternal struggle of good vs. evil begins within one's self.
lets see how long til a patch to fix it.
I would prefer to hear about these flaws, knowing there will soon be a patch. That is where I find the difference between Firefox and other browsers.
If this message had "IE" in the subject rather than "Firefox", people wouldn't be finding every reason in the book to excuse this glaring oversight.
It is similar to how the Dems and GOPs snipe at each other over every little thing each party does.
Come on, people, be objective already. Silliness such as this ruins the "credibility" of the OS community.
NO SOUP FOR YOU! ONE YEAR!
----- Open Source = More Secure (mmmmkay)
If you had bothered to read the linked demo page you would know that the bug is present in IE and Opera as well.
I just tried it in IE6 (Win2K) and it works just the same as Firefox.
The only problem is that this feature (affecting the frames of one window from another) is actually used a lot, for example when pop-ups are involved. I know of at least one banking application which will break if they flat out disallow changing one frame from within another.
A better solution would be to only allow it for frames sharing the same domain, I suppose.
Build a site that uses off-site graphics (eg because one of your ISPs provides scripting but charges for excess bandwidth, and the other provides no scripting but will serve as many images as you like for free).
Then wait for the complaints to come in from people whose computers are infected with a piece of malware called Zonealarm.
It is very easy for any page to "get out of a frame," so there is no excuse for web page designers to allow their pages to be framed.
Yeah, right.
"...perhaps Mozilla should just take the lead on this and remove frame support entirely."
As much as I hate frames (oh GOD do I hate frames!), this would be a step back for FireFox and its proponents. One of the largest arguments for using non-IE browsers is compatibility with standards. Frames are in the HTML 4.01 standard, and therefore, removing support would be incredibly hypocritical.
Laziness, check. Impatience, check. Hubris, double check!
This is not really true ...
You have to see it this way: Microsoft sells an operating system.
Debian "gives" away an operating system.
Mozilla Foundation develops _new_ software.
Both, Microsoft *and* Debian provide security-patches to their _operating system_ for years to come. (Yepp, Woody is still being supported, even when Sarge is released)
The Mozilla Foundation just develops new software.
That's the beauty of open-source software. Innovation and development can take place in one place, and security patches can be provided somewhere else entirely. You can even make a patch available yourself, if you wish!
You see? Another security fault in an open sores program. This is what you get if you don't pay your developers. Opening the source so that everyone can see the flaws is just asking for trouble. I'm going back to IE.
-- Cheers!
I see a difference between IE and Firefox in that most Firefox flaws are discovered with theory and harmless proof of concept and quickly patched, whereas MS doesn't patch any IE hole until criminals have been actively using it for months. That is why I use Firefox (except when I use my Mac.)
They will tell you to upgrade, and you will then have the choice: download and compile the full latest version, or cherry-pick and patch only the bits you really want to patch. Either way, you still need to recompile the app. This will not affect the copy of the application you are already running from memory: only newly-started browser instances will be "secure". I don't think a 10-year uptime is at all unrealistic, especially if you're running FreeBSD.
Je fume. Tu fumes. Nous fûmes!
I click RMB->This Frame->Open Frame In New Tab
As you'd expect this opens the frame in a new tab where you can easily see the URL.
You can also find information about an embedded frame by clicking RMB->This Frame->Frame Info
For this to work:
1) http://msdn.microsoft.com/library/default.asp must be open in another window
2) http://msdn.microsoft.com/library/default.asp must be the active tab in that other window, i.e. top or visible

It will not work if:
1) http://msdn.microsoft.com/library/default.asp is open in another tab in the same window, i.e. non-active or hidden
2) any other site with frames is open in the active tab in another window (e.g. http://www.turtle-express.com/)

For a successful phishing attack you must:
1) open your bank (or some other important) web page in a new window
2) that web page must use frames
3) you must then switch to another window and surf to the attacker's web page
4) the attacker must know which web site is open in the other window in order to spoof a part of it
5) the log-in page is the only non-unique page, so even if the attacker gets past 1-4 you must have left the login page in the other window, otherwise you would know something has happened because the content would be different!
That is one of the many prices you pay when rewriting old code from scratch
and not having an automated regression test suite.
Thank God that we don't get as many security bugs as I.E., dontcha think?
What about placing a small colored box in the corner of each frame... If a frame's box differs in color from the surrounding frames, this would indicate the frame was on a different domain. That way the developers wouldn't have to worry about breaking the legitimate use of this technique.
What the hell's a "gewie?"
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 SUSE/1.0.3-1.1
For example, I use Epiphany and Firefox.
Epiphany is completely castrated. I turn off Java, Javascript, Cookies. I disable IDN and referrers. There's Flash, and that's its own security issue, but such is life.
And then I have Firefox. With Java/Script, Cookies, and everything else.
Unless a website (like, heh, MSDN) needs the extra functionality, I use my more secure browser, Epiphany. Surfing pr0n, Google searches, downloading whatever. It all works just fine with Epiphany's reduced "functionality". And as a direct result, I wouldn't be signing into my Amazon account in Epiphany, because it can't set cookies or use Javascript. I wouldn't be surfing for pr0n with Firefox, because I can surf pr0n with Epiphany.
The spoof technically works on Epiphany, so someone could be capturing my Slashdot post right now. OMFG! RUN!
If you are using the TabBrowser Preferences extension for Firefox, the exploit site will just open in a new tab, and the MSDN site will remain unaffected. https://addons.mozilla.org/extensions/moreinfo.php?id=158&application=firefox
Konqueror doesn't seem to "work" :)
<flamebaitmode>
Could this have something to do with writing "good" code (khtml) instead of writing the code quickly (firefox/gecko/mozilla)? *ducks*
</flamebaitmode>
It's open source, audit the code yourself you lazy bum!! :)
This just in, putting your picture inside a frame may cause an unfavorable reaction in whoever is looking at it. The results can range from shrieks of horror, to nausea and a look of disdain on the viewer's face. The fix is to burn the picture with the frame....
In a follow up with GregThePaladin, he stated that it would really only be likely for this flaw to be exploited if it were someone on the inside.
This is the first time IN MY LIFE that I see a browser add-on INCREASING its security, and not otherwise.
(hypothetical) Secunia advisory
blablablah... bug.
Versions affected: Firefox v1.04 etc....
Workaround: Install the tabbrowser preferences extension.
w00t.
WTF? This sucks more arse than something that sucks a lot of arse! The flaw is not apparent in my installation of Firefox 1.0.4. The frame opens in a new tab, not in the separate window. The frame does, however, load across windows in IE6.
I tried this in Internet Explorer 6 on a fully-patched Windows XP SP2 machine and get the same result. No idea why Secunia would single out Firefox/Mozilla on this one... Try it yourself
For a spoofing attempt to work, a surfer would need to have both the attacker's Web site and a trusted Web site open in different windows. A click on a link on the malicious site would then display the attacker's content in a frame on the trusted Web site, Secunia said. The company advised people not to visit trusted and untrusted Web sites at the same time.
Gee, do you think?!
Who are these people surfing in multiple windows and tabs to trusted, sort-of-trusted, and untrusted sites simultaneously while doing critical transactions with personal information and finances? We need to know, we need to identify them, we need to prevent them from polluting the gene pool without having their common sense upgraded to "semi-conscious of surroundings" first.
Actually, I've seen people load their machines with cr*pware on "free" pr0n sites all day long and among the many open pop-up windows they've merely reduced to the taskbar, they open another IE session and start doing online banking. It makes me cringe.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
Ok, I tried this with FF 1.04 and could not get it to work no matter what I tried. I tried both using tabs and opening all links in new windows and I could not get it to work. IE, on the other hand, handled the exploit perfectly, thank god. At least I can still count on IE to run the flaw correctly.
Broadly, yes. There will be no new major updates to the Mozilla Application Suite. However, they will continue to issue security updates to the 1.7.x line (you'll note that 1.7.8 was released after they announced it was being EOL'd).
There's a community-driven project to continue development of the Mozilla Application Suite under a new name (well, if you know the history, it's actually an old name but I digress). However, this is separate from the maintenance of the Mozilla 1.7.x line.
Short answer: there will be a fix. It will be an official Mozilla Foundation product update.
I don't see why you don't just make the jump to Firefox and Thunderbird. They have all the features that the old Mozilla has and more, plus the fact that they are actively maintained means that this exploit will be fixed in no time. Mozilla is being broken up into smaller, better components, look at NVU, it's practically better than Frontpage right now, and Thunderbird is compared favorably to Outlook. The Mozilla foundation has given up on the suite, Netscape has given up on the suite, the only one who hasn't given up on the suite are hackers and simply put, it's time to _let it die_.
You can either upgrade your browser or face the consequences. You can't have your cake and eat it too, not unless you're using Firefox.
You are not concerned by the Cascade of Attention-Deficit Teenagers (CADT), are you?
Joachim
People don't write Manifestos any more -- what's going on in this world? [Frank Zappa]
Apocalypse Cancelled, Sorry, No Ticket Refunds
Wow. Another Firefox vulnerability. Tell me, how many companies have either been completely shut down by a massive megaworm and/or have preemptively shut themselves down to stop the spread of destruction from this egregious and terrible flaw?
I'm using Firefox 1.0.4 and it's apparently not vulnerable because the test didn't do anything...
No existe.
Mozilla may publish patches quickly, but users just don't care to patch.
In my logs (and netcraft may confirm that ;) about 10% of Firefox users still have older, insecure versions.
If FF was as popular as IE is now, that would have been a lot of potential victims and great market for spyware.
Opera 8 has MSDN listed in its new ua.ini and completely cloaks as IE to avoid being served crapHTML(tm). Still no signs of the flaw in Opera 8.
Seriously, the problem is that this was (supposed to be) killed in a previous version of the Gecko browsers. It should not have revived itself.
The following browsers are not affected:
* Mozilla Firefox 0.9 and later
* Mozilla 1.7
* Opera 7.52
* Netscape 7.2
* Camino 0.8 (build 2004062308)
Source: Secunia
At least in Opera, dead bugs stay dead.
.. paranoid crackpot leftover from the days of Amiga.
This only seems to be for Mozilla/Firefox, but since Epiphany (GNOME's browser) uses the Mozilla/Gecko core, are we Epiphany users also at risk?
There are many uses for frames that can increase usability or enhance/ease integration with other systems (that you cannot directly modify for example), particularly inline frames -- if you know what you are doing.
Simply saying frames suck without qualifying further only shows your lack of understanding of appropriate applications of them.
"Now...take how many bugs have been exposed in Firfox and how many have been exploited.
How many bugs have been exposed in IE and exploited?"
Oh, well, shit. There's a great reply. Bugs/exploits are fine and fun... as long as they're not exploited!
What kind of stupid logic were you taught? More so, why do you not have the brains to realize that your logic is flat out wrong?
You, Sir, are a clown. Please take your wonderful insight and never bother to post here again until you can figure out how to pull your head out of your ass.
Did anybody else try the test from TFA? I tried it in my firefox and the 'flaw' doesn't exist! If the vulnerability exists in other users firefoxes perhaps it's something to do with the TabMix plugin (opens new windows in tabs instead) which breaks the vulnerability??
Time is an illusion. Lunchtime doubly so. - Douglas Adams
This exploit won't work using tabs, so type about:config in the URL field and turn on (true) the option "browser.tabs.showSingleWindowModePrefs", then go to advanced settings and enable an option that says "Force links that open windows to open in a new tab" and you'll have a better browser experience in REAL single window mode, without this vulnerability.