Slashdot Mirror


Spoofing Flaw Resurfaces in Mozilla Browsers

GregThePaladin writes "A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned. The flaw, which also affects some other Mozilla Foundation programs, lies in the way the software handles frames. The applications don't check whether the frames displayed in a single window all originate from the same Web site." Commentary on this at whitedust as well.

14 of 258 comments

  1. Re:The exploit by /ASCII · · Score: 3, Informative

    Avoid using Windex on flat screens. It may damage the anti-glare coating. If possible, use only a damp cloth to wipe away any tape residue.

    --
    Try out fish, the friendly interactive shell.
  2. Not all Firefox users will be affected by chesapeake · · Score: 2, Informative

    The Debian package of Firefox 1.0.4, with the extension tabbrowser preferences installed, isn't, for example. As a result of this extension, the frame isn't injected into the frameset that is being targeted, and is opened in a new tab instead.

    It is surprising, though, that a security vulnerability like this goes unnoticed for so long. On the other hand, I very much doubt that anybody has actually used this to exploit users.

  3. Re:what about tabs? by Punkrokkr · · Score: 5, Informative

    I tried it in tabs, spoof does not work across tabs; just separate windows.

    --

    There's no emoticon for what I'm feeling! -- CBG, "The Computer Wore Menace Shoes"
  4. Re:Exploits? by strider44 · · Score: 2, Informative

    It is very unlikely that this would really be worth exploiting. It relies on the person opening this up in a new window (not a tab), leaving it open then coming back and clicking on another link. The links have to be clicked first one then the other.

    Before anyone could think of a way to exploit this, this'd be fixed, I think.

  5. Re:Why - Oh why by /ASCII · · Score: 2, Informative

    It is not impossible. Testing new releases against old bugs is called regression testing, and everybody pretends to do it. But the problem is that it is so boring and hard that very few people write working regression tests against the more complex bugs.

    --
    Try out fish, the friendly interactive shell.
  6. Tabbrowser Preferences by mogrify · · Score: 3, Informative

    It appears that if you have the Tabbrowser Preferences extension installed, then this exploit doesn't work.

    --
    perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
  7. Re:Crap. Most recent version of Moz suite is affec by VxJasonxV · · Score: 2, Informative

    Suite will be EOL'ed, but security patches are still being applied.

    IIRC 1.x is feature frozen, but still 'active'.

  8. Re:Exploits? by unformed · · Score: 3, Informative

    Did you even read the article?


    NOTE: Exploitation can easily be made "automatic". However, since this example only serves as a test to give users an understanding of how it works, we have chosen not to do so.


    Regardless, I don't consider this to be too big of a deal. The exploit can be used for a phishing attack, when a trusted site is using frames. A nontrusted site then replaces one of the inner pages with a fake lookalike, but the user can't tell, because the address isn't shown in the address bar.

    Banks using frames for the trusted portion of their sites is extremely bad design, and I don't know of any that does that anyways.

  9. IE has this vulnerability by interJ · · Score: 5, Informative
    See here.

    The bug in IE was reported almost a year ago, and it is still unpatched.

    The bug was reported in all major browsers (Mozilla and Firefox, Opera, Safari, Konqueror, IE), and was patched in all of them except IE. It has now reappeared in Mozilla.

    1. Re:IE has this vulnerability by Sheepdot · · Score: 2, Informative

      It's not the same kind of thing, though, as this can be done with just one Mozilla/Firefox frame. It is somewhat similar.

    2. Re:IE has this vulnerability by draed · · Score: 2, Informative

      If you read the page on secunia that you linked, you would see that this *has* been patched more than 2 years ago.

      http://www.microsoft.com/technet/security/bulletin/ms98-020.mspx

      Also since IE5, there has been protection against this type of attack.

      1. Click Start, point to Settings, click Control Panel, and then double-click Internet.
      2. Click the Security tab.
      3. Under Select a Web content zone to specify its security settings, click Internet.
      4. Click Custom Level.
      5. Under Navigate sub-frames across different domains, click Disable.
      6. Click OK.
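
A simplified model of the check the summary says is missing, and of what the "Navigate sub-frames across different domains: Disable" setting in the steps above enforces. This is an added example, not code from the thread or from any browser; the window-tree shape, the function names and the `.example` hosts are constructed for illustration.

```javascript
// Simplified model (an assumption of this example, not browser source):
// before a page may load a new document into a named sub-frame, compare the
// requesting page's origin with the origin of the top-level page that owns
// the frame.

// Origin = scheme + host + port. Non-web schemes are treated as opaque.
function originOf(url) {
  const u = new URL(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.origin;
}

// Find a named frame anywhere in the open windows, together with the
// top-level window that contains it.
function findFrame(windows, frameName) {
  for (const top of windows) {
    const stack = [...top.frames];
    while (stack.length > 0) {
      const frame = stack.pop();
      if (frame.name === frameName) return { top, frame };
      stack.push(...(frame.frames || []));
    }
  }
  return null;
}

function maySetFrameLocation(windows, initiatorUrl, frameName) {
  const hit = findFrame(windows, frameName);
  if (hit === null) return { allowed: true, reason: "no existing frame with that name" };
  const initiator = originOf(initiatorUrl);
  const owner = originOf(hit.top.url);
  if (initiator === null || owner === null) return { allowed: false, reason: "opaque origin" };
  if (initiator === owner) return { allowed: true, reason: "same origin as owning window" };
  return { allowed: false, reason: `cross-origin: ${initiator} vs ${owner}` };
}

// Constructed sample: a framed site open in one window, an unrelated page in another.
const openWindows = [
  { url: "https://bank.example/", frames: [
    { name: "nav", url: "https://bank.example/menu", frames: [] },
    { name: "main", url: "https://bank.example/login", frames: [] },
  ] },
  { url: "http://other.example/page", frames: [] },
];

console.log(maySetFrameLocation(openWindows, "https://bank.example/account", "main"));
console.log(maySetFrameLocation(openWindows, "http://other.example/page", "main"));
```
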

  10. Re:So secure by Anonymous Coward · · Score: 5, Informative

    IE has the same flaw also, so parent should not be moderated as funny, but as informative.

    http://secunia.com/advisories/11966/

  11. Re:So secure by rbochan · · Score: 2, Informative

    Indeed it does. I just found that to be the case on fully updated/patched Win2k and 9x systems when I just tested them.

    --
    ...Rob
    The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
  12. Open frame in new tab by lanroth · · Score: 2, Informative
    The problem is that this authentication page appears as a frame within the online vendor. How can you tell whether that frame is a legitimate MBNA page, or just a clever phishing attack?

    I click RMB->This Frame->Open Frame In New Tab

    As you'd expect this opens the frame in a new tab where you can easily see the URL.

    You can also find information about an embedded frame by clicking RMB->This Frame->Frame Info