Slashdot Mirror
Malicious Sites Abuse 11-Year-Old Firefox Bug That Mozilla Failed To Fix (zdnet.com)
Malware authors, ad farmers, and scammers are abusing a Firefox bug to trap users on malicious sites. From a report: This wouldn't be a big deal, as the web is fraught with this kind of malicious sites, but these websites aren't abusing some new never-before-seen trick, but a Firefox bug that Mozilla engineers appear to have failed to fix in the 11 years ever since it was first reported back in April 2007. The bug narrows down to a malicious website embedding an iframe inside their source code. The iframe makes an HTTP authentication request on another domain.
[...] For the past few years, malware authors, ad farmers, and scammers have been abusing this bug to lure users on sites where they show all sorts of nasties, such as tech support scams, ad farms that reload the page with new ads in a loop, pages that push users to buy fake gift cards, or sites that offer malware-laced software updates. Whenever users try to leave, the owners of these shady sites trigger the authentification modal in a loop.
[...] For the past few years, malware authors, ad farmers, and scammers have been abusing this bug to lure users on sites where they show all sorts of nasties, such as tech support scams, ad farms that reload the page with new ads in a loop, pages that push users to buy fake gift cards, or sites that offer malware-laced software updates. Whenever users try to leave, the owners of these shady sites trigger the authentification modal in a loop.
My money is on Texas. Remember the Alamo!!!!
So: Given enough eyeballs, all bugs are shallow.
I guess we need to include a few caring fingers as well. ESPECIALLY middle ones for those hard-to-reach, far-away keys.
(The bug is only 11 years old -- not even a teenager yet.)
If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
Most folks who would care probably are running Noscript which blocks iframes. If you're running any browser naked you're probably not just vulnerable to iframes but EVERYTHING ELSE too.
I've never encountered this before. Either my various security extensions are doing the job, or I don't visit the "right" kind of sites.
Firefox to me is no savior of privacy or champion of the web. They have sold out to Google, Yahoo, Pocket and installed extension AKA Mr. Robot without permission. Yeah Mozilla is a real saint when it comes to privacy and security. Used to have people at Mozilla who really did some good, they have either been forced out, or quit.
And these are their excuses for not fixing these problems - don't they have a PMO to decide solutions and implement?
- Technical complexity requiring hard trade-offs and significant time investment
- Lack of ownership and/or resourcing
- People entrenched on two opposing sides of an important decision
- Inability to compromise on a non-perfect solution (as you describe above)
Why have we to suffer this horror in the first place?
I remember reading a memo by some Microsoft engineer from some 20 years ago who was porting Internet Explorer to Unix; he noticed there that the Unix folk are easily put off by modal dialog boxes and prefer to have be able to open another window or page while a dialog box is active.
Is that no longer the case?
What happened since then? Why do we have to suffer the horror of gnome, which is making its dialog boxes global at display level, and nothing short of a reboot or ssh-ing in from another machine is able to save you from some misbehaving gnome crap?
Can't NoScript 'tuning' fix it @ least TEMPORARILY as a 'work-around' by setting it to CUSTOM for any site & limit iframes (not taking them) ? I would think so @ least - correct me IF I am off/wrong.
* Of course, hosts would TOO blocking access to the sites summoned by the iframe in question (@ least halting any threat payloads done by them) but I'd think that as many folks that use NoScript around here might've mentioned this as a way around it temporarily until it's FIXED by Mozilla @ least.
APK
P.S.=> Let me know - curious here on your thoughts on NoScript "tuned access" to a site that may have this threat (or not)... apk
they can haz completely rewritten bwrousar since v50...? How can haz same bugs??
This is bad news for Firefox users. Both of them.
The CEO at Mozilla now seems to get paid over $800K per year.
I lost all respect when the CEO sent out an email absolutely begging for money to help the company survive, whilst they themselves could hire 10 full time employees with that money and still live comfortably. Management at Mozilla is begging for money whilst they are literally living like kings (and I donated a fair bit to Mozilla in the past).
Management seems to have reached max corruption, and if management gave a damn about the software, they would at least halve their salaries and hire more developers or start some community bounties with the money, instead of prioritising themselves. Even 300K is more than enough to live VERY comfortably. $800K is just greedy. Because, if management gave a The company is slowly returning to Netscape days and management seems more focused on their own gains.
I also wonder how many people with the current board of directors were those who started with the company.
This is just a glimpse of the epidemic of malware to come fueled by Mozilla not caring about their users. Just wait until a Pocket exploit gets developed. We need a real alternative to the Googzilla monoculture, and Goana/Servo are not enough to matter.
So: Given enough eyeballs, all bugs are shallow Linus's Law
At first I thought I was reading the thread Scientists Identify Vast Underground Ecosystem Containing Billions of Micro-organisms and laughed, but then realized I was looking at the wrong tab. Still, you may have a point as TFS of that thread points out:
... the diversity of underworld species bears comparison to the Amazon or the Galapagos Islands, but unlike those places the environment is still largely pristine because people have yet to probe most of the subsurface.
It must have been something you assimilated. . . .
they keep working on idiotic things like rust.
How about fixing the damn bugs first?
What struck me was the absurd notion of the whole scam. You have stuck someone in an advertising loop, they will not be happy, seriously why would you expect them to buy anything, the inane greed of psychopaths.
Chaos - everything, everywhere, everywhen
I am supremely disappointed that the link didn't lead to a proof of concept that blew up my desktop because I am using Firefox.
Most folks who would care probably are running Noscript which blocks iframes. If you're running any browser naked you're probably not just vulnerable to iframes but EVERYTHING ELSE too.
iFrames can certainly be a problem, but, at the very core of this particular issue is the REAL problem that nobody wants to talk about:
Modal dialog boxes
This is a a cancer that needs to be eliminated ASAP (and never should have existed in the first place).
Being able to put something on the screen that the user cannot navigate away from is beyond stupid. There are no words that can adequately describe the stupidity of this "feature".
Most folks who would care probably are running Noscript which blocks iframes. If you're running any browser naked you're probably not just vulnerable to iframes but EVERYTHING ELSE too.
iFrames can certainly be a problem, but, at the very core of this particular issue is the REAL problem that nobody wants to talk about:
Modal dialog boxes
This is a a cancer that needs to be eliminated ASAP (and never should have existed in the first place).
Being able to put something on the screen that the user cannot navigate away from is beyond stupid. There are no words that can adequately describe the stupidity of this "feature".
Been saying about modals since before the web....
I'm glad I use noscript with firefox.
I think it's used for scareware, as in "Microsoft is locking your computer due to detected hacking, etc. Hackers are stealing your credit cards and personal information. Please call our technician, etc." And of course you cannot escape the windows that keep opening unless you spam the escape key. Actually, that's a different exploit but prolly used for the same purpose.
"Will future ages believe that such stupid bigotry ever existed!" -- Ivanhoe
So... jailbait bug?
You, those Modal dialog boxes have a strange history. True story to the best of my memory.
When Apple was developing the original Macintosh, they didn't have that "feature" in their (primitive)
GUI library at the time. But, outside developers cried that they couldn't "make things work" w/o
a model programming model (remember the time, and Apple's development platform was Pascal)
so Apple reluctantly added it. Apple really, really wanted developers to program non-model dialogs,
and caved. I don't blame Apple for this as it really wasn't much extra effort to manage a non-modal
dialog at the time (remember things weren't multi-threaded and everything was serialized through
the "waitNextEvent()" API (or whatever it was called) anyway.
So, Apple is where the model dialog started its life (I don't know if it was an Apple invention, but
they made it mainstream). That and the adoption of the C++ language as a serious development
platform are the bane of sound, maintainable software development around the world.
CAP === 'divulged'
People are still using Firefox? BOTH of them should get new browsers!
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Mozilla has never given a shit. People have reported serious bugs that weren't fixed for years because the developers are insecure morons who won't admit to making mistakes.
Firefox is garbage and always was garbage.
Come on, they've been busy killing all of the old extensions, useful parts of the browser, changing the UI to something that nobody wants, and adding in useless features that would be better as extensions. Who has time to fix security bugs? There are only so many hours in a decade or so!
Everybody forgets that Firefox was a third party project that got brought into the fold, then bastardized with XUL.
Firefox, while still Phoenix, was originally a GTK2 based native app, with no XUL in use. The result of this was a bare Gecko browser window with tabbing support, back when Mozilla was still the Browser Suite with single windows, no tabs, and horrible overhead for each new window. Firefox did away with all that, became popular among nerds, who passed it on by word of mouth, then something amazing happened. Google provided tens of millions to Mozilla Foundation. All of a sudden they were living it big in a way they hadn't been able to before. They brought the phoenix guy into the fold, reassigned management of the project to a 'proper' mozilla staffer, pushed him out after a year or two, then once JIT was in spidermonkey, XULized the whole thing, which provided powerful addon support, but at a dramatic increase in memory consumption and decrease in performance. The advertising they pushed help bring the common folk into the fold while the nerds mostly complained about the loss of performance, but either developed addons or were converted by addons, and quietly grumbled about the shortcomings of Mozilla. But without a better alternative and without the kind of funding for rapid development that Mozilla had they couldn't compete, standardizing on it before Google ensured they gimped themselves further in exchange for money as Google eclipsed them with its own browser, finally taking away the necessary marketshare to topple Microsoft from its throne.
In the end one Microsoft was replaced with another and some incompetent or downright malicious faux sjws got their gravy train while fucking over the people they claim to represent.
For anyone in doubt, or who doesn't remember, go look at how many memory leaks and other crippling bugs came about during that period that Mozilla 'systemd'd as NOTABUG or WILLNOTFIX. There are thousands of them. The memory leaks themselves have been responsible for more or all of the major CRITICAL bugs, especially the sandboxing breaking ones in the past 5-10 years. The whole mess is directly attributable to the questionable management that has continued to run Mozilla because nobody help them responsible for their incompetence. Now as Big G takes over, we are all paying the consequences.
The web is a steaming pile of shit being exploited by ad companies and other assholes -- and I consider the ad companies to be as malicious as the black hats.
My Chrome has ScriptSafe and HTTP Switchboard. My Firefox has uMatrix and a few other things. My IE .. well, I use IE as the browser of last resort for shit I need to do but which won't play well with a sane browser.
I do *domain* level whitelisting, which means all third parties who aren't provably related to the proper operating of a web site I really need are blocked.
All ad companies, all tracking beacons, all third party shit I have no idea what it's for ... my browsers block these things. And since I assume all of those blocked third parties are assholes, idiots, morons, and other people not to be trusted I don't lose any sleep over this.
Bummer about your ad revenue, but since I don't trust your partners, have never consented to your partners, and don't give a flying fuck about your partners ... the only sensible thing to do it treat *all* third party shit as un-trustworthy.
The problem is the assholes who run the ad companies want us to run so that we accept cookies, scripts, and everything else from every random website and the people they link to. The default position of the internet is the stupidest possible set of fucking security policies you can imagine.
But, I don't care. Tell you what, let me stab your CEO as proof of trust, and I'll enable your site. But until then, I'm going to treat you as someone who my browsers will never send requests to.
The web is fundamentally broken, and the choices left to us are:
1) Blindly use it like morons and hope for the best
2) Block the shit out of everything
3) Stop using it.
For some sites, 3) is the only remaining choice because they've tied everything to letting their ad agencies in. But until ad agencies carry some liability for the shit they open us up to, that's not happening.
Until then, just stab the CEO of every internet ad company at every chance you get, and it might sort itself out.
This invalidates your whole post. You don't give 2 fucks about firefox and didn't even post anything original. All you really wanted to do was shit on some blue haired lesbians. FUCK OFF.
They're too busy monitoring employee political contributions for badthink to actually do their jobs and fix their code.
I like a power user's tool with half a dozen different menus and toolbars and windows floating or docked all over the place and so do 99% of all the people here I would assume. Certainly nobody is intimidated by Visual Studio or Photoshop or anything else that throw a ton of controls at you. I see my old man is struggling even on fairly simple web sites though because there's too many menus and sidebars and dynamically expanding and contracting sections and whatnot. Modal dialogs make for a very simple interaction model, either you open a file or you cancel. You save a file or you cancel. You print something or you cancel. Heck with smartphones pretty much everything is a "modal" dialog because there's not much space for else on a 5" screen operated by sausage fingers. Yes, they're overused because they make the programmer's life simple. But a lot of times making it non-modal wouldn't really add any value either, least that's my opinion.
Live today, because you never know what tomorrow brings
Iâ(TM)m guessing that the current owner of slashdot really donâ(TM)t give a shit. These nazi posts should be trivial to block.
Spamming the escape key didn't seem to work the last time I tried it. If I was lucky, a well timed Ctrl+W whilst spamming escape might kill it. Had to end the process.
Didn't know this had been fixed anywhere. Getting these in IE is why I used Firefox with noscript.
Peoples are still permitting iframes in this day and age? Well, those that are will obviously get what they deserve.
Oh yes there are words for people who use modal dialogs and for system designers who permit the use of modal dialogs. Just because HR will get upset does not mean, however, that those words are not completely appropriate!
I use almost nothing but modal dialogs. Not because I'm lazy or because it's easy. I use them because 99% of users can only handle one or two options at a time, and having my program pop up 15 dialogs will confuse them.
Congrats that you find them annoying, but I'm designing for all the people who aren't you.
What struck me was the absurd notion of the whole scam. You have stuck someone in an advertising loop, they will not be happy, seriously why would you expect them to buy anything, the inane greed of psychopaths.
Reminds me of the early web, popup hell, every attempt to close a popup opened three more - seriously, did they really think you we going to just finally say "ok, ok, I'll buy something, I give up!"