Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malicious Sites Abuse 11-Year-Old Firefox Bug That Mozilla Failed To Fix (zdnet.com)

Posted by msmash on from the blast-from-the-past dept.

Malware authors, ad farmers, and scammers are abusing a Firefox bug to trap users on malicious sites. From a report: This wouldn't be a big deal, as the web is fraught with this kind of malicious sites, but these websites aren't abusing some new never-before-seen trick, but a Firefox bug that Mozilla engineers appear to have failed to fix in the 11 years ever since it was first reported back in April 2007. The bug narrows down to a malicious website embedding an iframe inside their source code. The iframe makes an HTTP authentication request on another domain.

[...] For the past few years, malware authors, ad farmers, and scammers have been abusing this bug to lure users on sites where they show all sorts of nasties, such as tech support scams, ad farms that reload the page with new ads in a loop, pages that push users to buy fake gift cards, or sites that offer malware-laced software updates. Whenever users try to leave, the owners of these shady sites trigger the authentification modal in a loop.

44 of 91 comments (clear)

  1. abusing a Firefox bug to trap users on malicious.. by grep+-v+'.*'+* · · Score: 1

    So: Given enough eyeballs, all bugs are shallow.

    I guess we need to include a few caring fingers as well. ESPECIALLY middle ones for those hard-to-reach, far-away keys.

    (The bug is only 11 years old -- not even a teenager yet.)

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  2. Re:abusing a Firefox bug to trap users on maliciou by Anonymous Coward · · Score: 2, Insightful

    Most folks who would care probably are running Noscript which blocks iframes. If you're running any browser naked you're probably not just vulnerable to iframes but EVERYTHING ELSE too.

  3. Re:Hmmm... by Luckyo · · Score: 4, Interesting

    I have a firefox with standard adblock, anti tracking et al installed on pretty much all machines I administer. I got a panicked call from my mother, who runs one such machine primarily as her "youtube kittens and women magazines internet thingy" when she got stuck on one such site. No idea how she got there, but it seemed to manage to bypass the blockers I have on that machine. It happened about a month ago.

    My guess is that she followed a bad link on social media or something like that to a new site that wasn't on blacklist just yet. The easiest way out that I could figure over the phone was to literally hard crash the browser through process manager, and then tell browser on restart not to resume the session. There didn't seem to be any easy way out that I could quickly figure out over the phone otherwise. It just locked the browser to that malicious page.

  4. So over Firefox these days by Anonymous Coward · · Score: 1

    Firefox to me is no savior of privacy or champion of the web. They have sold out to Google, Yahoo, Pocket and installed extension AKA Mr. Robot without permission. Yeah Mozilla is a real saint when it comes to privacy and security. Used to have people at Mozilla who really did some good, they have either been forced out, or quit.

    1. Re:So over Firefox these days by ichimunki · · Score: 1

      So which browser do you recommend over Firefox?

      --
      I do not have a signature
    2. Re: So over Firefox these days by jd · · Score: 2

      I'd recomment Mosaic over Firefox, these days.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  5. Re:Hmmm... by Anonymous Coward · · Score: 1

    Not always the easiest thing to do randomly over the phone, but one way to deal with this is to add the parasitic domain to the hosts file with a 127.0.0.1 reference.

  6. Re:Hmmm... by Luckyo · · Score: 1, Informative

    I'm still not calling you back after fucking you in that thread. No matter how hard you stalk me.

  7. Modal dialog boxes by tender-matser · · Score: 2

    Why have we to suffer this horror in the first place?

    I remember reading a memo by some Microsoft engineer from some 20 years ago who was porting Internet Explorer to Unix; he noticed there that the Unix folk are easily put off by modal dialog boxes and prefer to have be able to open another window or page while a dialog box is active.

    Is that no longer the case?

    What happened since then? Why do we have to suffer the horror of gnome, which is making its dialog boxes global at display level, and nothing short of a reboot or ssh-ing in from another machine is able to save you from some misbehaving gnome crap?

    1. Re:Modal dialog boxes by scdeimos · · Score: 1

      Not sure I'd use Microsoft as a model of how to do anything. Whenever I'm forced to use MS-IE or Edge for a site they have this nasty habit of opening authentication dialogs behind the window that they relate to. You have to go hunting through the task bar icons to find the authentication dialog to submit so you can make progress.

    2. Re:Modal dialog boxes by Anonymous Coward · · Score: 3, Insightful

      My professor in school ~20 years ago said to avoid modal dialogs because they piss people off and in many cases aren't required, and are lazy designs. And he was right.

    3. Re:Modal dialog boxes by samdu · · Score: 3

      I don't know if I'd consider myself a "Unix person (though I do really like Linux)," but the issue I have with Microsoft's modal/non-modal dialog boxes is the complete lack of consistency. And this isn't an IE/Edge problem, it's a Windows problem. Some windows you can resize and interact with other windows. Some windows you can't resize, but you can still interact with other windows. Some windows you can resize and the content of the window flows to expand. Some you can resize and the content doesn't flow at all. It's a complete mess.

    4. Re:Modal dialog boxes by Anonymous Coward · · Score: 1

      No need, ever. Anything that do this, is only irritating.

      Except for all those who can't use a mouse and still want to live in a modern world. Accessibility must be thought of as a first class programming standard, like security.

    5. Re:Modal dialog boxes by tender-matser · · Score: 1

      Sure, everything is easy in my basement. Not so easy on corporate gear.

  8. bad by TRRosen · · Score: 4, Funny

    This is bad news for Firefox users. Both of them.

    1. Re:bad by campuscodi · · Score: 1

      I can confirm. I cried all weekend.

    2. Re:bad by sanf780 · · Score: 1

      Count me in. Chrome does not work well on RHEL6. However, I try to avoid non corporate websites so hopefully I am OK with regards this bug.

    3. Re:bad by kbrannen · · Score: 1

      This is bad news for Firefox users. Both of them.

      Ugh! Two people have already replied, so this must not be Firefox I'm using.

    4. Re: bad by Monster_user · · Score: 1

      What idiots use Chrome?

  9. They may be open source.. However.. by auzy · · Score: 5, Insightful

    The CEO at Mozilla now seems to get paid over $800K per year.

    I lost all respect when the CEO sent out an email absolutely begging for money to help the company survive, whilst they themselves could hire 10 full time employees with that money and still live comfortably. Management at Mozilla is begging for money whilst they are literally living like kings (and I donated a fair bit to Mozilla in the past).

    Management seems to have reached max corruption, and if management gave a damn about the software, they would at least halve their salaries and hire more developers or start some community bounties with the money, instead of prioritising themselves. Even 300K is more than enough to live VERY comfortably. $800K is just greedy. Because, if management gave a The company is slowly returning to Netscape days and management seems more focused on their own gains.

    I also wonder how many people with the current board of directors were those who started with the company.

    1. Re:They may be open source.. However.. by azcoyote · · Score: 1

      New ideas are very expensive! That's why Mozilla pays the CEO big bucks to copy Google Chrome's new ideas.

      --
      Incipiamus, fratres, servire Domino Deo, quia hucusque vix vel parum in nullo profecimus.
    2. Re:They may be open source.. However.. by epine · · Score: 1

      $800K is just greedy.

      Ah, the world-famous escape hatch "just", wherein "you get what you pay for" can pound sand, no questions asked.

    3. Re:They may be open source.. However.. by Anonymous Coward · · Score: 1

      You would have a valid point if Mozilla was a company. It is not; Mozilla is a non-profit. It was given its flagship product for free, and could give it for free; it never had to be profitable. I'd have a hard time thinking of some revolutionary feature Mozilla added to its browser that wasn't copied from Opera or Chrome. Fortunately for them, making Google the default search engine turned out to be wildly profitable. With the amount of money they got from Google in the good years (I think several hundred million dollars yearly at some point), Mozilla could have been one of the most important players on the Internet. Instead, the money was wasted on endless series of projects that delivered nothing of value. In the meantime, the market share of Firefox has gone nowhere but down since the release of Chrome ten years ago. I think it's absurd that you defend the salary of Mozilla's CEO; Mozilla was never in the same league as any of its opponents.

    4. Re:They may be open source.. However.. by auzy · · Score: 1

      When Firefox was forked from Mozilla, it was revolutionary.

      It was promised to be non-bloated, incredibly fast, and have both theming and extensions which loaded easily (the alternative either had none, or required rebooting for every theme change, etc). That was what people like me were eager to donate to.

      Then over time, it felt like management changed. I was genuinely interested in Firefox Mobile, but that seemed like there was simply insufficient developers for that project.

      And instead of fixing issues, CEO pays increased drastically, but the major issues continued. When your computer has intermittent connectivity, Firefox SERIOUSLY struggles. Every other browser works perfectly.

      I noticed this started happening when they applied the patch a few years back to stop people continously reloading sites which weren't loading (DDOS'ing them further). No idea if that patch was the cause (I never properly checked), but I only noticed it after that.

      Also, a CEO with common sense wouldn't come begging for money when they could throw a bit of their pay in to help out the company too (who knows what their bonuses are like). It's just left a bad taste in many people's mouth

    5. Re:They may be open source.. However.. by Anonymous Coward · · Score: 1

      To put in perspective the French left wing is proposing a maximum wage of 400K euros (or a year ago, 360K euros). This is not far off from Mozilla CEO wage. Another way to frame the maximum wage by the same left wing movement/party is a ratio of 20:1 for the highest and lowest wages in a company - so think of a $40k/year janitor, although such a rule would be trivially gamed by outsourcing.

      So, Mozilla CEO pay could be a bit lower perhaps.
      Would be nice if *any* CEO at all wouldn't earn more than $800k. One $800k payment is already enough to not have to work for the rest of your life.

  10. And this is the only major Chrome alternative by xack · · Score: 2

    This is just a glimpse of the epidemic of malware to come fueled by Mozilla not caring about their users. Just wait until a Pocket exploit gets developed. We need a real alternative to the Googzilla monoculture, and Goana/Servo are not enough to matter.

  11. Re:abusing a Firefox bug to trap users on maliciou by fahrbot-bot · · Score: 1

    So: Given enough eyeballs, all bugs are shallow Linus's Law

    At first I thought I was reading the thread Scientists Identify Vast Underground Ecosystem Containing Billions of Micro-organisms and laughed, but then realized I was looking at the wrong tab. Still, you may have a point as TFS of that thread points out:

    ... the diversity of underworld species bears comparison to the Amazon or the Galapagos Islands, but unlike those places the environment is still largely pristine because people have yet to probe most of the subsurface.

    --
    It must have been something you assimilated. . . .
  12. Re:abusing a Firefox bug to trap users on maliciou by rtb61 · · Score: 4, Interesting

    What struck me was the absurd notion of the whole scam. You have stuck someone in an advertising loop, they will not be happy, seriously why would you expect them to buy anything, the inane greed of psychopaths.

    --
    Chaos - everything, everywhere, everywhen
  13. Link? by Torodung · · Score: 2

    I am supremely disappointed that the link didn't lead to a proof of concept that blew up my desktop because I am using Firefox.

    1. Re:Link? by evanh · · Score: 1

      Yeah, same. Probably be a blank page for me.

  14. Re:Hmmm... by Anonymous Coward · · Score: 1

    Sites that trap users are nothing new.
    1. Go to some site
    2. Press the 'back' button.
    Didn't get out? Then you're on a malicious site that traps you. There are tons of those. Of course, the fix is often as simple as pressing back twice real fast, or using the back menu to go two steps back in one operation. Easy enough - but this blocking of "back" is just as evil as this slightly more advanced scheme. Still, you can get out by closing/killing the browser and restarting it. So no big deal.

  15. Re:abusing a Firefox bug to trap users on maliciou by Anonymous Coward · · Score: 5, Informative

    Most folks who would care probably are running Noscript which blocks iframes. If you're running any browser naked you're probably not just vulnerable to iframes but EVERYTHING ELSE too.

    iFrames can certainly be a problem, but, at the very core of this particular issue is the REAL problem that nobody wants to talk about:

    Modal dialog boxes

    This is a a cancer that needs to be eliminated ASAP (and never should have existed in the first place).

    Being able to put something on the screen that the user cannot navigate away from is beyond stupid. There are no words that can adequately describe the stupidity of this "feature".

  16. Re:Hmmm... by Luckyo · · Score: 1

    Can't admit to something I didn't do. I can however keep mocking you as an ideologically driven science denier that you demonstrated yourself to be.

    And no, still not calling you back. The only thing you'll ever get from me is mockery on the internet. Frankly, you're a great target for helping me vent daily frustrations on, as someone who demonstrably deserves all the scorn I can muster.

  17. Re:Hmmm... by Luckyo · · Score: 1

    It's a desktop connected via ethernet cable, and no, I'm not making my mother crawl under the table to sort out the cables or router.

  18. Re:abusing a Firefox bug to trap users on maliciou by Vreejack · · Score: 1

    I think it's used for scareware, as in "Microsoft is locking your computer due to detected hacking, etc. Hackers are stealing your credit cards and personal information. Please call our technician, etc." And of course you cannot escape the windows that keep opening unless you spam the escape key. Actually, that's a different exploit but prolly used for the same purpose.

    --
    "Will future ages believe that such stupid bigotry ever existed!" -- Ivanhoe
  19. I'm shocked! by Locke2005 · · Score: 1

    People are still using Firefox? BOTH of them should get new browsers!

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  20. Give them a Break, They've been busy by CanadianMacFan · · Score: 1

    Come on, they've been busy killing all of the old extensions, useful parts of the browser, changing the UI to something that nobody wants, and adding in useless features that would be better as extensions. Who has time to fix security bugs? There are only so many hours in a decade or so!

    1. Re:Give them a Break, They've been busy by drinkypoo · · Score: 1

      Yet that's still more than anyone in the snarky peanut gallery is doing, so I guess they're the Mozilla we deserve.

      They're doing things that not only the users don't want, but the users explicitly want them to not do. Is that doing more, or doing less? I suppose it's doing more, but it's doing more bad, not doing more good. They are actively doing harm. Someone doing nothing is effectively doing more.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  21. They've been inept AND corrupt since the beginning by Anonymous Coward · · Score: 1

    Everybody forgets that Firefox was a third party project that got brought into the fold, then bastardized with XUL.

    Firefox, while still Phoenix, was originally a GTK2 based native app, with no XUL in use. The result of this was a bare Gecko browser window with tabbing support, back when Mozilla was still the Browser Suite with single windows, no tabs, and horrible overhead for each new window. Firefox did away with all that, became popular among nerds, who passed it on by word of mouth, then something amazing happened. Google provided tens of millions to Mozilla Foundation. All of a sudden they were living it big in a way they hadn't been able to before. They brought the phoenix guy into the fold, reassigned management of the project to a 'proper' mozilla staffer, pushed him out after a year or two, then once JIT was in spidermonkey, XULized the whole thing, which provided powerful addon support, but at a dramatic increase in memory consumption and decrease in performance. The advertising they pushed help bring the common folk into the fold while the nerds mostly complained about the loss of performance, but either developed addons or were converted by addons, and quietly grumbled about the shortcomings of Mozilla. But without a better alternative and without the kind of funding for rapid development that Mozilla had they couldn't compete, standardizing on it before Google ensured they gimped themselves further in exchange for money as Google eclipsed them with its own browser, finally taking away the necessary marketshare to topple Microsoft from its throne.

    In the end one Microsoft was replaced with another and some incompetent or downright malicious faux sjws got their gravy train while fucking over the people they claim to represent.

    For anyone in doubt, or who doesn't remember, go look at how many memory leaks and other crippling bugs came about during that period that Mozilla 'systemd'd as NOTABUG or WILLNOTFIX. There are thousands of them. The memory leaks themselves have been responsible for more or all of the major CRITICAL bugs, especially the sandboxing breaking ones in the past 5-10 years. The whole mess is directly attributable to the questionable management that has continued to run Mozilla because nobody help them responsible for their incompetence. Now as Big G takes over, we are all paying the consequences.

  22. The web isn't to be trusted ... by Anonymous Coward · · Score: 2, Interesting

    The web is a steaming pile of shit being exploited by ad companies and other assholes -- and I consider the ad companies to be as malicious as the black hats.

    My Chrome has ScriptSafe and HTTP Switchboard. My Firefox has uMatrix and a few other things. My IE .. well, I use IE as the browser of last resort for shit I need to do but which won't play well with a sane browser.

    I do *domain* level whitelisting, which means all third parties who aren't provably related to the proper operating of a web site I really need are blocked.

    All ad companies, all tracking beacons, all third party shit I have no idea what it's for ... my browsers block these things. And since I assume all of those blocked third parties are assholes, idiots, morons, and other people not to be trusted I don't lose any sleep over this.

    Bummer about your ad revenue, but since I don't trust your partners, have never consented to your partners, and don't give a flying fuck about your partners ... the only sensible thing to do it treat *all* third party shit as un-trustworthy.

    The problem is the assholes who run the ad companies want us to run so that we accept cookies, scripts, and everything else from every random website and the people they link to. The default position of the internet is the stupidest possible set of fucking security policies you can imagine.

    But, I don't care. Tell you what, let me stab your CEO as proof of trust, and I'll enable your site. But until then, I'm going to treat you as someone who my browsers will never send requests to.

    The web is fundamentally broken, and the choices left to us are:

    1) Blindly use it like morons and hope for the best
    2) Block the shit out of everything
    3) Stop using it.

    For some sites, 3) is the only remaining choice because they've tied everything to letting their ad agencies in. But until ad agencies carry some liability for the shit they open us up to, that's not happening.

    Until then, just stab the CEO of every internet ad company at every chance you get, and it might sort itself out.

  23. Re:abusing a Firefox bug to trap users on maliciou by Kjella · · Score: 1

    I like a power user's tool with half a dozen different menus and toolbars and windows floating or docked all over the place and so do 99% of all the people here I would assume. Certainly nobody is intimidated by Visual Studio or Photoshop or anything else that throw a ton of controls at you. I see my old man is struggling even on fairly simple web sites though because there's too many menus and sidebars and dynamically expanding and contracting sections and whatnot. Modal dialogs make for a very simple interaction model, either you open a file or you cancel. You save a file or you cancel. You print something or you cancel. Heck with smartphones pretty much everything is a "modal" dialog because there's not much space for else on a 5" screen operated by sausage fingers. Yes, they're overused because they make the programmer's life simple. But a lot of times making it non-modal wouldn't really add any value either, least that's my opinion.

    --
    Live today, because you never know what tomorrow brings
  24. Re: abusing a Firefox bug to trap users on malicio by Monster_user · · Score: 1

    Spamming the escape key didn't seem to work the last time I tried it. If I was lucky, a well timed Ctrl+W whilst spamming escape might kill it. Had to end the process.

    Didn't know this had been fixed anywhere. Getting these in IE is why I used Firefox with noscript.

  25. Re:abusing a Firefox bug to trap users on maliciou by cascadingstylesheet · · Score: 1

    What struck me was the absurd notion of the whole scam. You have stuck someone in an advertising loop, they will not be happy, seriously why would you expect them to buy anything, the inane greed of psychopaths.

    Reminds me of the early web, popup hell, every attempt to close a popup opened three more - seriously, did they really think you we going to just finally say "ok, ok, I'll buy something, I give up!"

  26. Re:Hmmm... by Luckyo · · Score: 1

    I defeated your anti-scientific dogma using logic, therefore I'm a nazi and you desperately trying to stalk me across slashdot posts is being anti-nazi.

    We've come a long way folks. And this appears to be the destination. The batshit levels of insanity are real.