Slashdot Mirror

← Back to Stories (view on slashdot.org)

Spoofing Flaw Resurfaces in Mozilla Browsers

Posted by Zonk on from the going-back-in-time dept.

GregThePaladin writes "A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned. The flaw, which also affects some other Mozilla Foundation programs, lies in the way the software handles frames. The applications don't check whether the frames displayed in a single window all originate from the same Web site." Commentary on this at whitedust as well.

16 of 258 comments (clear)

  1. So secure by Anonymous Coward · · Score: 4, Funny

    Oh, damn IE for being so insecure. Wait, this is about an Open Source browser---damn IE for being so insecure!

    1. Re:So secure by Anonymous Coward · · Score: 5, Informative

      IE has the same flaw also, so parent should not be moderated as funny, but as informative.

      http://secunia.com/advisories/11966/

    2. Re:So secure by ZephyrXero · · Score: 4, Interesting

      I'm not being irrational. Let me give you an example. I am the sys admin for a small network at a university. I have made all the faculty in my dept. switch over to firefox, and some to thunderbird as well, and I don't have to go around once a week getting rid of viruses, spyware, and adware like I did when they were all using IE. They don't have installation privaleges on their accounts, yet somehow these things kept getting installed till I made them start using Firefox. That's what I call a "more secure" browser...

      --
      "A truly wise man realizes he knows nothing."
  2. Exploits? by /ASCII · · Score: 4, Insightful

    The number of Firefox vulnerabilities that have been exposed is frightening. But I wonder when the first actual exploit will be found...

    --
    Try out fish, the friendly interactive shell.
    1. Re:Exploits? by ZephyrXero · · Score: 4, Insightful

      frightening??? I'm a big fan of open source, and i'm actually pretty amazed the number has been so small. It's just about the first open source program to really become popular and I think Mozilla's doing a damn find job of keeping up with the hax0rz...

      --
      "A truly wise man realizes he knows nothing."
  3. what about tabs? by farker+haiku · · Score: 5, Interesting

    from TFA:
    For a spoofing attempt to work, a surfer would need to have both the attacker's Web site and a trusted Web site open in different windows.

    So, uh, what about tabs? 'Cause I never have 2 windows open at the same time.

    --
    Your sig(k) has been stolen. There is a puff of smoke!
    1. Re:what about tabs? by Punkrokkr · · Score: 5, Informative

      I tried it in tabs, spoof does not work across tabs; just seperate windows.

      --

      There's no emoticon for what I'm feeling! -- CBG, "The Computer Wore Menace Shoes"
  4. The exploit by k4_pacific · · Score: 4, Funny

    Type: Spoofing
    Exploit: Local
    Effects: All browsers

    Description:
    A 7 year old vulnerability has been discovered in multiple browsers, allowing malicious people to spoof the content of websites.

    The problem is that the browsers don't check if a piece of black electrical tape is on the screen covering the address bar, which prevents the user from identifying the source of content in the browser window.

    Successful exploitation allows a malicious website to load arbitrary content with its source masked by the black tape. The user cannot know if this is a trusted site.

    Solution:
    Remove the piece of electrical tape from the screen. Windex may be necessary to clean up afterwards.

    --
    Unknown host pong.
  5. Automated Testing by drewfuss · · Score: 4, Interesting

    Does the firefox community have any regression testing? They need fully automated test like the linux kernel has now.

  6. Re:Good the flaws are being found so quickly but.. by /ASCII · · Score: 4, Insightful

    Saying the bug resurfaced is not completely true. This bug was removed from the old Netscape rendering engine, and reintroduced when replacing it with the new and fancy Gecko rendering engine. Apache also reintroduced a number of bugs when switching from 1.3 to 2.0, I belive. That is one of the many prices you pay when rewriting old code from scratch.

    --
    Try out fish, the friendly interactive shell.
  7. Bunk commentary on Whitedust by ttfkam · · Score: 4, Interesting
    The exposure of this older bug in new software is perhaps a good jumping off point for an argument about constructing new browser technologies from scratch, rather than simply developing existing (by the laws of probability, flawed) software to incorporate extended functionality; which is by far the industry norm as it stands. Is this a viable alternative?
    Anyone that knows the history of the Mozilla project has to see the idiocy in this statement.

    Or are they supposed to scrap it all and rewrite from scratch every few years? I sure hope not. Anyone else out remember M13, M14, M15, etc.? *shudder*
    --

    - I don't need to go outside, my CRT tan'll do me just fine.
  8. Re:Old news. by ZephyrXero · · Score: 4, Insightful

    it's actually nothing to do with malicious code...it's just that someone could make an easy fake site with frames... I'm sure there are some sites that legitimately use this feature with differnt parts of their site hosted on different servers...What's next? Ban sites that use offsite graphics?

    --
    "A truly wise man realizes he knows nothing."
  9. Disappointed in QA for browsers by null+etc. · · Score: 4, Insightful
    I must say that there should be a clean, concise list of security flaws that should never appear within a web browser, and each browser should be forced to undergo testing against that list before being released.

    To have such fundamental flaws appear, whether by accident or negligence, is unacceptable.

    Furthermore, the browser "industry" and the commercial sector NEED to come up with some guidelines as to how to promote and ensure online security for financial transactions and personal data.

    For example, it's almost impossible for the casual or sophisticated user to easily determine whether a frame that appears within a website actually belongs to that website, or another. For example, if you have an online account with MBNA credit card, and make an online purchase, some vendors will display an MBNA authentication page which asks you to login to your online account to verify the purchase.

    The problem is that this authentication page appears as a frame within the online vendor. How can you tell whether that frame is a legitimate MBNA page, or just a clever phishing attack? The browser gives no indication as to whether the frame belongs to MBNA or the vendor.

    PayPal suffers from the same thing. I hate clicking on the "Make a Donation" button of some sites, and then seeing the PayPal login appear within a frame of the original site. That prevents me from making a donation - with today's complicated scripting invocations and what not, I don't feel trusting enough to type my account info and password into some frame which happens to appear in the middle of some other organization's website.

    I can't BELIEVE that MBNA and PayPal would promote such idiotic practices, much less allow them to happen.

  10. IE has this vulnerability by interJ · · Score: 5, Informative
    See here.

    The bug in IE was reported almost a year ago, and it is still unpatched.

    The bug was reported in all major browsers (Mozilla and Firefox, Opera, Safari, Konqueror, IE), and was patched in all of them except IE. It has now reappeared in Mozilla.

  11. Re:Old news. by MankyD · · Score: 4, Insightful

    The problem is not offsite graphics. The problem is controlling one webpage with an offsite webpage. This should never ever ever ever be allowed for obvious reasons. From TFA: "As a result, an attacker could insert content into a frame on a trusted Web site." (read that: "a website can modify the contents of a trusted website".)

    There is absolutley no reason anyone should ever use this exploit for legitimate reasons. Yes, I can think of a few times it would be great if one website could help someone fill out another websites forms - but its not neccessary. If someone really wants to do that, they should attain permission and do it via GET or POST vars, or some serverside communication.

    A website should still have control over what page is being shown in its frames, but not over the content of those pages directly.

    --
    -dave
    http://millionnumbers.com/ - own the number of your dreams
  12. Frames suck... most of the time, but not always. by kiddailey · · Score: 4, Interesting

    "Frames suck, and you deserve to cause problems if you use them."
    No, frames suck most of the time.

    There are many uses for frames that can increase usability or enhance/ease integration with other systems (that you cannot directly modify for example), particularly inline frames -- if you know what you are doing.

    Simply saying frames suck without qualifying further only shows your lack of understanding of appropriate applications of them ;)