Slashdot Mirror

← Back to Stories (view on slashdot.org)

Spoofing Flaw Resurfaces in Mozilla Browsers

Posted by Zonk on from the going-back-in-time dept.

GregThePaladin writes "A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned. The flaw, which also affects some other Mozilla Foundation programs, lies in the way the software handles frames. The applications don't check whether the frames displayed in a single window all originate from the same Web site." Commentary on this at whitedust as well.

14 of 258 comments (clear)

  1. what about tabs? by farker+haiku · · Score: 5, Interesting

    from TFA:
    For a spoofing attempt to work, a surfer would need to have both the attacker's Web site and a trusted Web site open in different windows.

    So, uh, what about tabs? 'Cause I never have 2 windows open at the same time.

    --
    Your sig(k) has been stolen. There is a puff of smoke!
    1. Re:what about tabs? by whoever57 · · Score: 2, Interesting
      I tried it in tabs, spoof does not work across tabs; just seperate windows.

      In Galeon, it does work across tabs.

      --
      The real "Libtards" are the Libertarians!
  2. Why - Oh why by Anonymous Coward · · Score: 2, Interesting

    is it impossible to test new releases against old bugs?

  3. Automated Testing by drewfuss · · Score: 4, Interesting

    Does the firefox community have any regression testing? They need fully automated test like the linux kernel has now.

  4. Ehmm. by Psionicist · · Score: 2, Interesting

    Just one problem - the example "exploit" doesn't work. I press the MSDN link, it opens up in a new tab, press the demonstration link... And nothing happens.

    So what do I do wrong?

  5. Bunk commentary on Whitedust by ttfkam · · Score: 4, Interesting
    The exposure of this older bug in new software is perhaps a good jumping off point for an argument about constructing new browser technologies from scratch, rather than simply developing existing (by the laws of probability, flawed) software to incorporate extended functionality; which is by far the industry norm as it stands. Is this a viable alternative?
    Anyone that knows the history of the Mozilla project has to see the idiocy in this statement.

    Or are they supposed to scrap it all and rewrite from scratch every few years? I sure hope not. Anyone else out remember M13, M14, M15, etc.? *shudder*
    --

    - I don't need to go outside, my CRT tan'll do me just fine.
  6. Automated testing? by Gary+W.+Longsine · · Score: 3, Interesting

    Does the Firefox team use any automated testing on the project? Seems like these sort of errors could stay dead, if so.

    Software testing automation tools

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
    1. Re:Automated testing? by Gary+W.+Longsine · · Score: 3, Interesting
      "What you don't know about testing, would float a battleship."
      That might be true. I'm not sure the density of unthunk thoughts, though. Are they even liquid at room temperature?

      Automated testing cannot prevent defects from recurring in subsequent builds as a pedantic interpretation of my passing observation might imply to a novice. I was sloppy with my terminology, yes.

      However, automated testing can and does allow development teams to identify and correct defects which are accidentally re-introduced before they ship a new version with, say, seven year old security defects.

      In the Java world automated unit tests are quite common, thanks to the ease with which they can be constructed with JUnit, and similarly with Python, Objective C and probably other Object Oriented languages and their respective unit testing frameworks. It seems to be less commonly practiced in the C/C++ world (although other types of automated testing are fairly well established in the commercial software industry and are largely language independent with respect to the product being tested).

      With a feedback loop in the development/testing process one often sees Automated Unit Tests performing double-duty as a subset of what's normally called automated regression testing. Other types of defects might be caught with an external testing harness (e.g. WinRunner or MaxQ) typically employed in support of regression testing.

      Some folks claim that application design can influence the ease and robustness of automated testing, and suggest design patterns to "Pattern your way to automated regression testing."

      Heck, automated regression testing is even practiced by at least some folk in the visual basic world these days. (This commercial site has a nice summary of the practice.)

      The point is, there are many types of automated testing, and many tools and techniques which support the concept. It seems from the perspective of a casually interested outside observer such as myself that some basic automated testing practices could be employed to help the Firefox team in their quest to create a secure, feature rich, standards compliant, and well performing web browser. I think most software developers, testers, and even development team managers would agree.

      You'll be happy to learn that terminology in the testing world isn't as well established as it might seem at first blush. There are literally hundreds of different "types of testing" and you can find dozens of different and even conflicting definitions for many common types if you look a bit. So, if you seek to pick apart this post line by line I've given you enough material to do so. Just Google around a bit until you find a definition that doesn't fit those I've used and go to town.

      Consider the Acid2 test. This is a functional test, perhaps. It might also be a regression test. It worked on the last build, and we didn't try to break it. Does it still work? Hooray! Acid2
      --
      If you mod me down, I shall become more powerful than you could possibly imagine.
  7. Re:Tough Issue by Anonymous Coward · · Score: 1, Interesting

    The best idea would to just get rid of frames completely, they suck.

    That can't be done. It's like saying nuclear bombs should be gotten rid of cause they suck. Seems like a good idea, but as soon as one browser disables frames support, the other will use that advantage to steal market share. Just like if one country disarms, they leave themselves vulnerable to nuclear attack from the others! It's MAD. (Mutually Assured Dumbness)

  8. Opera is looking... by Anonymous Coward · · Score: 1, Interesting

    really good about now. Opera is the only browser I am aware of that has all *known* vulnerabilities fixed. Per http://secunia.com/product/4932/

    YMMV, but methinks even though I use Ubuntu, I may make the switch to Opera for added security.

  9. Frame Information Box by kassemi · · Score: 2, Interesting

    What about placing a small colored box in the corner of each frame... If a frame's box differs in color from the surrounding frames, this would indicate the frame was on a different domain. That way the developers wouldn't have to worry about breaking the legitimate use of this technique.

    --
    What the hell's a "gewie?"
  10. TabBrowser Preferences Prevents This by ChadL · · Score: 2, Interesting

    If you are using the TabBrowser Preference extension for Firefox, the exploit site will just open in a new tab, and the MSDN site will remain unaffected. https://addons.mozilla.org/extensions/moreinfo.php ?id=158&application=firefox

  11. Re:So secure by ZephyrXero · · Score: 4, Interesting

    I'm not being irrational. Let me give you an example. I am the sys admin for a small network at a university. I have made all the faculty in my dept. switch over to firefox, and some to thunderbird as well, and I don't have to go around once a week getting rid of viruses, spyware, and adware like I did when they were all using IE. They don't have installation privaleges on their accounts, yet somehow these things kept getting installed till I made them start using Firefox. That's what I call a "more secure" browser...

    --
    "A truly wise man realizes he knows nothing."
  12. Frames suck... most of the time, but not always. by kiddailey · · Score: 4, Interesting

    "Frames suck, and you deserve to cause problems if you use them."
    No, frames suck most of the time.

    There are many uses for frames that can increase usability or enhance/ease integration with other systems (that you cannot directly modify for example), particularly inline frames -- if you know what you are doing.

    Simply saying frames suck without qualifying further only shows your lack of understanding of appropriate applications of them ;)