Slashdot Mirror


Malicious Sites Abuse 11-Year-Old Firefox Bug That Mozilla Failed To Fix (zdnet.com)

Malware authors, ad farmers, and scammers are abusing a Firefox bug to trap users on malicious sites. From a report: This wouldn't be a big deal, as the web is fraught with this kind of malicious site, but these websites aren't abusing some new never-before-seen trick, but a Firefox bug that Mozilla engineers appear to have failed to fix in the 11 years since it was first reported back in April 2007. The bug narrows down to a malicious website embedding an iframe inside their source code. The iframe makes an HTTP authentication request on another domain.

[...] For the past few years, malware authors, ad farmers, and scammers have been abusing this bug to lure users on sites where they show all sorts of nasties, such as tech support scams, ad farms that reload the page with new ads in a loop, pages that push users to buy fake gift cards, or sites that offer malware-laced software updates. Whenever users try to leave, the owners of these shady sites trigger the authentication modal in a loop.

  1. Re:abusing a Firefox bug to trap users on maliciou by Anonymous Coward · · Score: 2, Insightful

    Most folks who would care probably are running Noscript which blocks iframes. If you're running any browser naked you're probably not just vulnerable to iframes but EVERYTHING ELSE too.

  2. Re:Hmmm... by Luckyo · · Score: 4, Interesting

    I have a firefox with standard adblock, anti tracking et al installed on pretty much all machines I administer. I got a panicked call from my mother, who runs one such machine primarily as her "youtube kittens and women magazines internet thingy" when she got stuck on one such site. No idea how she got there, but it seemed to manage to bypass the blockers I have on that machine. It happened about a month ago.

    My guess is that she followed a bad link on social media or something like that to a new site that wasn't on blacklist just yet. The easiest way out that I could figure over the phone was to literally hard crash the browser through process manager, and then tell browser on restart not to resume the session. There didn't seem to be any easy way out that I could quickly figure out over the phone otherwise. It just locked the browser to that malicious page.

  3. Modal dialog boxes by tender-matser · · Score: 2

    Why have we to suffer this horror in the first place?

    I remember reading a memo by some Microsoft engineer from some 20 years ago who was porting Internet Explorer to Unix; he noticed there that the Unix folk are easily put off by modal dialog boxes and prefer to be able to open another window or page while a dialog box is active.

    Is that no longer the case?

    What happened since then? Why do we have to suffer the horror of gnome, which is making its dialog boxes global at display level, and nothing short of a reboot or ssh-ing in from another machine is able to save you from some misbehaving gnome crap?

    1. Re:Modal dialog boxes by Anonymous Coward · · Score: 3, Insightful

      My professor in school ~20 years ago said to avoid modal dialogs because they piss people off and in many cases aren't required, and are lazy designs. And he was right.

    2. Re:Modal dialog boxes by samdu · · Score: 3

      I don't know if I'd consider myself a "Unix person" (though I do really like Linux), but the issue I have with Microsoft's modal/non-modal dialog boxes is the complete lack of consistency. And this isn't an IE/Edge problem, it's a Windows problem. Some windows you can resize and interact with other windows. Some windows you can't resize, but you can still interact with other windows. Some windows you can resize and the content of the window flows to expand. Some you can resize and the content doesn't flow at all. It's a complete mess.

  4. bad by TRRosen · · Score: 4, Funny

    This is bad news for Firefox users. Both of them.

  5. They may be open source.. However.. by auzy · · Score: 5, Insightful

    The CEO at Mozilla now seems to get paid over $800K per year.

    I lost all respect when the CEO sent out an email absolutely begging for money to help the company survive, whilst they themselves could hire 10 full time employees with that money and still live comfortably. Management at Mozilla is begging for money whilst they are literally living like kings (and I donated a fair bit to Mozilla in the past).

    Management seems to have reached max corruption, and if management gave a damn about the software, they would at least halve their salaries and hire more developers or start some community bounties with the money, instead of prioritising themselves. Even 300K is more than enough to live VERY comfortably. $800K is just greedy. Because, if management gave a The company is slowly returning to Netscape days and management seems more focused on their own gains.

    I also wonder how many people with the current board of directors were those who started with the company.

  6. And this is the only major Chrome alternative by xack · · Score: 2

    This is just a glimpse of the epidemic of malware to come fueled by Mozilla not caring about their users. Just wait until a Pocket exploit gets developed. We need a real alternative to the Googzilla monoculture, and Goanna/Servo are not enough to matter.

  7. Re:abusing a Firefox bug to trap users on maliciou by rtb61 · · Score: 4, Interesting

    What struck me was the absurd notion of the whole scam. You have stuck someone in an advertising loop, they will not be happy, seriously why would you expect them to buy anything, the inane greed of psychopaths.

    --
    Chaos - everything, everywhere, everywhen

  8. Link? by Torodung · · Score: 2

    I am supremely disappointed that the link didn't lead to a proof of concept that blew up my desktop because I am using Firefox.

  9. Re:abusing a Firefox bug to trap users on maliciou by Anonymous Coward · · Score: 5, Informative

    Most folks who would care probably are running Noscript which blocks iframes. If you're running any browser naked you're probably not just vulnerable to iframes but EVERYTHING ELSE too.

    iFrames can certainly be a problem, but, at the very core of this particular issue is the REAL problem that nobody wants to talk about:

    Modal dialog boxes

    This is a cancer that needs to be eliminated ASAP (and never should have existed in the first place).

    Being able to put something on the screen that the user cannot navigate away from is beyond stupid. There are no words that can adequately describe the stupidity of this "feature".

  10. The web isn't to be trusted ... by Anonymous Coward · · Score: 2, Interesting

    The web is a steaming pile of shit being exploited by ad companies and other assholes -- and I consider the ad companies to be as malicious as the black hats.

    My Chrome has ScriptSafe and HTTP Switchboard. My Firefox has uMatrix and a few other things. My IE .. well, I use IE as the browser of last resort for shit I need to do but which won't play well with a sane browser.

    I do *domain* level whitelisting, which means all third parties who aren't provably related to the proper operating of a web site I really need are blocked.

    All ad companies, all tracking beacons, all third party shit I have no idea what it's for ... my browsers block these things. And since I assume all of those blocked third parties are assholes, idiots, morons, and other people not to be trusted I don't lose any sleep over this.

    Bummer about your ad revenue, but since I don't trust your partners, have never consented to your partners, and don't give a flying fuck about your partners ... the only sensible thing to do is treat *all* third party shit as un-trustworthy.

    The problem is the assholes who run the ad companies want us to run so that we accept cookies, scripts, and everything else from every random website and the people they link to. The default position of the internet is the stupidest possible set of fucking security policies you can imagine.

    But, I don't care. Tell you what, let me stab your CEO as proof of trust, and I'll enable your site. But until then, I'm going to treat you as someone who my browsers will never send requests to.

    The web is fundamentally broken, and the choices left to us are:

    1) Blindly use it like morons and hope for the best
    2) Block the shit out of everything
    3) Stop using it.

    For some sites, 3) is the only remaining choice because they've tied everything to letting their ad agencies in. But until ad agencies carry some liability for the shit they open us up to, that's not happening.

    Until then, just stab the CEO of every internet ad company at every chance you get, and it might sort itself out.

  11. Re: So over Firefox these days by jd · · Score: 2

    I'd recommend Mosaic over Firefox, these days.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)