Mozilla UI Spoofing Vulnerability

CowboyNeal posted more than 10 years ago | from the shields-up dept.

Short Circuit writes "Secunia has issued a security advisory for Mozilla and Firefox. Apparently, remote web sites can spoof the user interface using XUL. (See the Firefox proof of concept.) Of course, that won't stop me from using Firefox."

583 comments

who chose this color (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#9851407)

come on, if a PHB needs to read this they can't! Too bad if this was IE you linux boyz would be going down with the empire!

This is nothing... (3, Funny)

Anonymous Coward | more than 10 years ago | (#9851408)

You think your Mozilla or FireFox has neat features like that?

Well my friend, my IE can beat your browser many times over!

HA!

Re:This is nothing... (0, Troll)

westyvw (653833) | more than 10 years ago | (#9851417)

Let's see how long this takes to fix.

IE months.

Mozilla 2 days tops.

HA you IE fools!

Re:This is nothing... (5, Informative)

ceejayoz (567949) | more than 10 years ago | (#9851438)

Re:This is nothing... (3, Insightful)

auzy (680819) | more than 10 years ago | (#9851523)

It's not really an issue though.. Even if this is fixed, there's 10000 different ways of doing the same kind of thing that will throw off even most security experts. Even if it's changed, there will be other ways of pretending the bar exists.. They made it confidential because there's no way to fix it.. If they fix it this way, blackhats use javascript..

Rat never thought this thru. I think he's trying to gain attention over something which he never bothered contemplating that there was no possible solution anyway.

Thanks to him now, he's given just about every credit card frauder on the planet new ideas (and even implemented the paypal clone code for it too). They made it confidential to just stop ppl panicking about something which has always been possible and to try to stop frauders from adding this technique to their arsenal.. Now, Rat has done an incredibly smart move and gave spammers, credit card frauders, script kiddies some new ideas.. And for that, we have to thank him

Re:This is nothing... (2)

Jugalator (259273) | more than 10 years ago | (#9851548)

It's not really an issue though..

Of course it is. It doesn't stop being an issue just because it can be done in other ways as well. It doesn't stop being an issue because it can't be fixed (more like the opposite in that case).

If they fix it this way, blackhats use javascript..

Maybe, but Javascript won't do nearly as good a job as XUL itself to make pretty much a 100% identical version of the interface that's interactive and all.

Re:This is nothing... (1)

dedazo (737510) | more than 10 years ago | (#9851509)

Mozilla 2 days tops.

Try five years.

Re:This is nothing... (1)

unoengborg (209251) | more than 10 years ago | (#9851569)

2 days?
Isn't that a very long time for finding the advanced preference where you turn off Mozilla's ability to hide the toolbar, statusbar, changing the statusbar text, moving or resizing existing windows, etc?

Seriously, this is hard to fix. Some people need these features. Just turning them off by default is not a good solution.

Perhaps they could turn them off by default, and then allow users to turn them on as they occur on a site by site basis. They already have a similar solution for popup windows.

flamebait? (0)

Anonymous Coward | more than 10 years ago | (#9851463)

I took that to be more funny than flamebait. Bravo other AC.

Modder must not be a true geek.

So... (0)

Anonymous Coward | more than 10 years ago | (#9851409)

Is this the first post, or just a spoof?

Not another one! (5, Funny)

Nermal6693 (622898) | more than 10 years ago | (#9851410)

I've lost faith in Secunia, they seem to love pointing out security holes in open-source products. So I just ignore them now.

Re:Not another one! (0, Redundant)

rking (32070) | more than 10 years ago | (#9851416)

I've lost faith in Secunia, they seem to love pointing out security holes in open-source products. So I just ignore them now.

If you're using open source software then a site that loves pointing out security holes in those programs sounds very useful. If you're not using open source then I can see your point.

Re:Not another one! (-1, Redundant)

swissmonkey (535779) | more than 10 years ago | (#9851422)

Yeah, better keep them hidden, that way everybody believes that open source products are secure, and in the meantime black hats take advantage of the security holes to hack into thousands of servers or desktops !

You can stick your head in the sand if you want, but it won't make open source products more secure than they really are. The only way to have secure products is to find the holes so that they can be fixed.

Re:Not another one! (0)

Anonymous Coward | more than 10 years ago | (#9851572)

Hey dumbass, I think your joke-detector has broken down

Just FYI

Re:Not another one! (2, Interesting)

Zeal17 (602971) | more than 10 years ago | (#9851424)

I've lost faith in Secunia, they seem to love pointing out security holes in open-source products. So I just ignore them now.

Does this make the point less valid? The open-source community seems to react quickly to criticism like this, so my guess is there will be a fix quickly.

Re:Not another one! (3, Interesting)

Pahalial (580781) | more than 10 years ago | (#9851464)

You -do- realize they've known for 5 years, right? We're only hearing now because it's apparently starting to be used in the wild, not to mention someone published research about using chrome spoofing.

Re:Not another one! (1)

Zeal17 (602971) | more than 10 years ago | (#9851491)

Well, the grandparent [slashdot.org] was implying that Secunia was reporting mostly bugs in OSS, and therefore should not be listened to, I was just pointing out that ANY news is good. If this exploit had been publicized 5 years ago, we wouldn't be talking about this now.

Re:Not another one! (1, Informative)

Anonymous Coward | more than 10 years ago | (#9851498)

The grandparent was being funny and the following posts mistook mild humour for a troll.

I'm using Firefox... (5, Funny)

Anonymous Coward | more than 10 years ago | (#9851411)

so am I really seeing slashdot, or is someone trying to spoof me, while at the same time ironically warning me about said Firefox spoofs?

Re:I'm using Firefox... (0, Troll)

sanctimonius hypocrt (235536) | more than 10 years ago | (#9851440)


am I really seeing slashdot, or is someone trying to spoof me

It's really Slashdot. If it were a spoof, you wouldn't have to reload so many times


Re:I'm using Firefox... (5, Funny)

HoneyBunchesOfGoats (619017) | more than 10 years ago | (#9851445)

You can tell that it's not the real slashdot because they got the colors all wrong.

Re:I'm using Firefox... (2, Funny)

King_of_Prussia (741355) | more than 10 years ago | (#9851451)

I think I'm being spoofed, only a colourblind script-kiddie from Norway could have chosen a background colour this vomit-inducing.

Re:I'm using Firefox... (1)

dedazo (737510) | more than 10 years ago | (#9851492)

No, those cool 503 server errors are real.

Re:I'm using Firefox... (2, Funny)

Pharmboy (216950) | more than 10 years ago | (#9851502)

Depends, did you get a bunch of 500 and 503 errors? Then it's the real Slashdot. Oh, and look for dupes on the front page, the spoofs don't do that.

Re:I'm using Firefox... (0)

Anonymous Coward | more than 10 years ago | (#9851552)

so am I really seeing slashdot, or is someone trying to spoof me, while at the same time ironically warning me about said Firefox spoofs?

Just like in the Matrix, there is no spoof.

Vulnerability? (3, Interesting)

insecuritiez (606865) | more than 10 years ago | (#9851415)

Excuse me but isn't this "vulnerability" the same thing as saying the pop-up ads that look just like IE on Windows XP are an IE/Windows XP vulnerability? This customizability (albeit automatic by the webpage) is closer to a feature than a vulnerability if you ask me.

Re:Vulnerability? (3, Informative)

kristofme (791986) | more than 10 years ago | (#9851444)

I had the same opinion initially, but if you check out the spoofed Mozilla window [nd.edu] you have to admit this could prove to be dangerous..
Having said that, I'll stick to Firefox nonetheless - let's just hope the Firefox team will find a way to fix it soon.

Re:Vulnerability? (1)

lachlan76 (770870) | more than 10 years ago | (#9851554)

The only thing is that that window on the site doesn't have the web developer toolbar, the bookmark toolbar, and my 15 tabs, so for me it's easy to tell the difference. But it scares me too.

Re:Vulnerability? (3, Insightful)

NetNifty (796376) | more than 10 years ago | (#9851447)

It's probably possible to do with IE too, but the worrying part of this exploit is the fake security certificate it produces. Easy way to disable the exploit working is to disable allowing javascript to hide the status bar - the menus etc still come up but you can tell it's fake because of the extra status bar.

Re:Vulnerability? (1)

drskrud (684409) | more than 10 years ago | (#9851471)

By the same token, if you just don't use the default Firefox settings you'll be able to notice the differences.

Re:Vulnerability? (5, Insightful)

pinny20 (415459) | more than 10 years ago | (#9851448)

No, because it's using Chrome, so the fake window will have the same theme as the user is using, and if coded cleverly enough, even an experienced user wouldn't be able to easily tell the difference - e.g. Menus will operate in the same way etc.

Re:Vulnerability? (4, Insightful)

MoogMan (442253) | more than 10 years ago | (#9851469)

You are right in the sense that it is not a "standard" vulnerability as such, but as is the case for IE "spoofing", it is still valid. It could still cause users to think a spoofed page is a real page, so in essence the browser is "vulnerable".

As a sidepoint, I think the actual vulnerability is the fact that XUL can be effectively imported and utilised from a website, rather than a vulnerability saying "you can spoof the xyz browser using http user-agent flags and jpeg images" as a bad example :)

Re:Vulnerability? (4, Insightful)

FyRE666 (263011) | more than 10 years ago | (#9851578)

Excuse me but isn't this "vulnerability" the same thing as saying the pop-up ads that look just like IE on Windows XP are an IE/Windows XP vulnerability? This customizability (albeit automatic by the webpage) is closer to a feature than a vulnerability if you ask me.

Exactly - furthermore, you can easily do exactly the same with IE. You just create a new window, with the fullsize property set, then set the dimensions (so you then have a blank window with no chrome at all - not even a title bar) - after that it's simply a matter of adding your spoofed interface using DHTML... Game over.

-1 Flamebait (0, Flamebait)

JamesKPolk (13313) | more than 10 years ago | (#9851418)

Let the debate begin: Life would be better/worse/the same if 90% of users used HTTP clients based on Mozilla because...

Re:-1 Flamebait (1)

Zeal17 (602971) | more than 10 years ago | (#9851462)

Let the debate begin: Life would be better/worse/the same if 90% of users used HTTP clients based on Mozilla because...

You are right to a point, having close to 100% saturation by any software is a security risk. That is why they took some of the root DNS servers off of bind. The biggest problem with IE is that they use their market share to impose standards that suit them on the world. If there was a more even distribution of browsers out there, no one would have a majority and all of the browsers would have to conform to standards, or fade away.

if i got a cent..... (0, Offtopic)

Elior (718065) | more than 10 years ago | (#9851419)

if i got a cent every time someone found an IE bug..*rolls eyes*

Marked confidential? (5, Interesting)

Kristoffer Lunden (800757) | more than 10 years ago | (#9851429)

According to the spoof demonstration page, this has been known for five years(!) but the bug filed has been marked "confidential". You'd think that the Mozilla team could do better than security through obscurity - that is usually a reserved tactic for "the other team"....

Re:Marked confidential? (0)

Anonymous Coward | more than 10 years ago | (#9851555)

Have a look at the bug report please. This kind of "bug" can be used with other browsers like IE, and the right way to fix it (if any) is all but obvious. You will at the same time learn a little more about the obscurity policy of the mozilla developers.

whoops (4, Interesting)

ceejayoz (567949) | more than 10 years ago | (#9851430)

Bug 22183. This is the first mention of the problem that I am aware of. It was marked confidential for five years until 7-21-2004.

Gotta love that security-by-obscurity...

Confidential bugs in open source projects (2, Insightful)

October_30th (531777) | more than 10 years ago | (#9851453)

"Confidential" bugs in an open source project. Really?

What the hell? (4, Insightful)

King_of_Prussia (741355) | more than 10 years ago | (#9851432)

Of course, that won't stop me from using Firefox.

What kind of blind OSS zealotry is this? If somebody said something similar of IE there would be a unanimous uproar of upbraids from the slashdot community against whoever said it.

Is it somehow tolerable for OS software to have faults, even serious ones? Security through obscurity is no security at all, as I'm sure many Firefox users will learn one day. Personally, I believe statements like that, and the people that make them are what is holding OSS back from becoming a serious contender to the juggernauts of Microsoft. If we continue to sit on laurels gained only through lucky ineptitude we will get precisely nowhere.

PS seems like google has started another round of gmail invites, I just got six. Logged in users tell me your funniest joke involving tux the linux penguin and the six funniest will receive an invite (use a throwaway account, I'm sure this post will be followed by cowardly un-obfuscating trolls).

Re:What the hell? (5, Funny)

tirenours (583610) | more than 10 years ago | (#9851488)

And from the linked page, a gem that we shouldn't overlook:

"if you don't have Firefox (you should get it!)"

It's not mine, it's not a story, (0, Offtopic)

kayen_telva (676872) | more than 10 years ago | (#9851495)

and it may not even be funny anymore: Tux and his buddy [drizzt.it]

Re:It's not mine, it's not a story, (0, Offtopic)

kayen_telva (676872) | more than 10 years ago | (#9851503)

whoops. way too early. forgot the email addy fbdsl @ hotmail.com

Re:What the hell? (1, Insightful)

Pharmboy (216950) | more than 10 years ago | (#9851519)

<stupidity>
This is why I use Windows, which is more secure because hackers can't search the code for vulnerabilities to exploit.
</stupidity>

But it does make me glad I have both installed on all computers. It is ironic tho, with all the MS bashing, and this is actually a more serious exploit than the last few IE exploits. Firefox doesn't have the quantity of bugs that IE has, but it makes up for it with the quality I guess.

As for me, I'm gonna start surfing in a shell with Lynx.

Re:What the hell? (5, Interesting)

Spellbinder (615834) | more than 10 years ago | (#9851568)

i am not even sure if this should be called bug
there is nothing it is not doing like it should
it may be stupid to allow javascript to hide the toolbars etc.
maybe it would be wise to disable those features in the next firefox version per default
it is easy to change right now...
and i don't see why this is worse than IE permitting execution of code on your machine

Re:What the hell? (2, Interesting)

4lex (648184) | more than 10 years ago | (#9851534)

Since it doesn't affect the Mac OS X version (just checked), it won't stop me using Mozilla Firefox, for sure ;)

Re:What the hell? (3, Insightful)

Threni (635302) | more than 10 years ago | (#9851535)

> What kind of blind OSS zealotry is this? If somebody said something similar of
> IE there would be a unanimous uproar of upbraids from the slashdot community
> against whoever said it.

Who cares what the `slashdot community` says? There's a mixture of people here. You don't have to listen to everyone. I'm not a zealot and I'm going to be sticking with Firefox, as I don't believe I'm at risk of this particular exploit, as I have a local webpage on my hard drive which is just a list of URLs to sites I use regularly, so unless that gets hacked I'm going to end up where I expect.

> Is it somehow tolerable for OS software to have faults, even serious ones?

All software has faults. IE has loads, Firefox has a few. On balance, it would appear that users of non-microsoft software are less at risk than microsoft users, and the problems get fixed more quickly. Or do you think this most recent security issue tips the balance back in favour of IE being the safest browser to use?

Re:What the hell? (1)

rsheridan6 (600425) | more than 10 years ago | (#9851562)

If you're waiting for a web browser without serious faults, you'll be waiting a long time. Firefox is still the best, AFAIK, despite this weakness.

Re:What the hell? (1)

Jugalator (259273) | more than 10 years ago | (#9851573)

Firefox is still the best, AFAIK, despite this weakness.

With "this weakness" -- do you mean the fact that they're developing a product with secret bugs (security by obscurity), or do you mean this particular bug?

Javascript should be enabled. (0)

Anonymous Coward | more than 10 years ago | (#9851434)

This is the problem, what sort of moron would let a webpage run code on his machine anyway? Disabling javascript will stop upwards of 70% of IE exploits too. Now all we have to do is teach clueless "web developers" about html, css and noscript tags. YAwn, welcome back to 1997.

Re:Javascript should be enabled. (4, Insightful)

adam mcmaster (697132) | more than 10 years ago | (#9851515)

what sort of moron would let a webpage run code on his machine anyway?

The average user.

It's a Known Vulnerability in Mozilla (1)

poofyhairguy82 (635386) | more than 10 years ago | (#9851436)

This issue appears to be the same as Mozilla Bug 244965 [mozilla.org].

Fix the Colors! (1, Insightful)

imag0 (605684) | more than 10 years ago | (#9851437)

Mod me up if you hate the color scheme. Here's a fixed link using the "old" slashdot colors:

http://slashdot.org/article.pl?sid=04/07/31/0037210&tid=154&tid=128&tid=172 [slashdot.org]

(I sound like a broken record. I know that. But if it gets said enough times perhaps someone will notice and change something.)

Re:Fix the Colors! (0)

Anonymous Coward | more than 10 years ago | (#9851465)

What? IMHO this is the best color scheme slashdot has.

Re:Fix the Colors! (0)

Anonymous Coward | more than 10 years ago | (#9851472)

Or login and set preferences to lite html!

At least Post a decent URI [slashdot.org]

Re:Fix the Colors! (1)

Cameroon (16395) | more than 10 years ago | (#9851483)

Well then I guess we need an equal or larger number of "Don't change the scheme, it's the best one you've got." comments as well.

Re:Fix the Colors! (0, Offtopic)

poofyhairguy82 (635386) | more than 10 years ago | (#9851487)

(I sound like a broken record. I know that. But if it gets said enough times perhaps someone will notice and change something.)

Either that, or the butt ugly colors will give you god-like mod points.

going home - read this... (0, Offtopic)

imag0 (605684) | more than 10 years ago | (#9851504)

Ok guys, run with it for a while and see if someone notices. I imagine enough threads with this modded up the better chance of this color scheme going away.
the evil color scheme starts with http://it.slashdot.org...blah. just pull off the 'it.' and the color scheme switches back to normal.
Here, a nice copy-and-paste template, just populate it with the edited link like so:

Fix the Colors!

Mod me up if you hate the color scheme. Here's a fixed link using the "old" slashdot colors:

<a href=""></a>

that's it. Good luck!

(P.S. This is not for Karma. It's already excellent. I could care less. I would like to stop flinching when I bring up a page, however.)

Re:going home - read this... (0)

Anonymous Coward | more than 10 years ago | (#9851512)

Changing the third level domain only works if you have a numeric sid. At least get it right.

Re:going home - read this... (1)

arcanumas (646807) | more than 10 years ago | (#9851527)

So those who actually like the colors should mod you down?

Use 0.8 (0)

Anonymous Coward | more than 10 years ago | (#9851439)

Firefox 0.9+ are ugly-ass. Stay in the dark ages with me! All I got was an XML Parsing Error: undefined entity.

firsxt pOst?! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9851443)

Spot whr3n done For a full-time GNAA knows for sure what there are some

Firefox, huh ? (4, Funny)

ElVirolo (738856) | more than 10 years ago | (#9851446)

Of course, that won't stop me from using Firefox

But then how do you know you ARE using the 'proper' Firefox if the interface is spoofed?

Doesn't do tabs (2, Interesting)

isorox (205688) | more than 10 years ago | (#9851452)

I use middle-click tab a lot (practically every link), the proof of concept doesn't show the tabs (still opens them though)

Re:Doesn't do tabs (1)

NetNifty (796376) | more than 10 years ago | (#9851455)

Doesn't javascript opened windows not go to tabs anyway?

Re:Doesn't do tabs (2, Insightful)

Sancho (17056) | more than 10 years ago | (#9851544)

Not with the Tabextensions module. You can make EVERYTHING go to tabs..

Re:Doesn't do tabs (1)

isorox (205688) | more than 10 years ago | (#9851482)

Doesn't do address bar stuff either, but he says that's cause he's lazy and could do it.

Double standards? (4, Insightful)

bamf (212) | more than 10 years ago | (#9851460)

Of course, that won't stop me from using Firefox.

If this was an issue with IE and not Firefox, I hope you'd still be saying the same thing?

However I suspect that you'd be denigrating IE as loudly as possible, while insisting that everyone should move immediately to Firefox.

Re:Double standards? (0)

Anonymous Coward | more than 10 years ago | (#9851567)

If you RTF bug report you'll see that this bug can also be used with other browsers such as IE.

how is this specific to firefox? (1)

Daniel Ellard (799842) | more than 10 years ago | (#9851468)

Couldn't someone hack together a javascript program that mimics the UI of IE/Safari/Opera/etc just as easily? Maybe XUL makes this easier but that's about it.

Bear in mind... (5, Informative)

Aluminum Tuesday (317409) | more than 10 years ago | (#9851475)

Bear in mind that this spoof only looks convincing if you haven't changed your Firefox toolbar at all, ie. you haven't switched to smaller icons or added/removed/moved buttons.

It also fails to appear properly on the Macintosh.

If someone wanted to make some kind of exploit with this, they'd want to target a specific platform and Firefox revision. (eg. 0.9 on Windows) Since Firefox is in constant development, it could well change between revisions and render these spoofs obsolete.

I don't really see this as a Firefox vulnerability. Use any browser without a popup blocker, and you'll see a lot of popup ads pretending to be legitimate OS windows and dialogs. This is really just a variation of that.

Not sure how they'll fix this... (2, Informative)

AC-x (735297) | more than 10 years ago | (#9851478)

Without disabling XUL, I mean it's the equivalent of using images and text forms to spoof the IE menu bar, it just so happens that Firefox gives you tools that can be used to do a better job of it.

At any rate this can be overcome quite easily by changing the javascript prefs so that sites can't hide things like the status bar and menus.

Javascript window "features" (5, Informative)

Ianoo (711633) | more than 10 years ago | (#9851479)

The real problem here is not so much XUL, but Javascript!

Why does the browser even allow Javascript to create popup windows without toolbars, menu bars and status bars? This has to be one of the most annoying features of any web browser, I can't for the life of me understand why anyone would think up or need such a feature.

Without this Javascript, you couldn't turn the real menubars and toolbars off, and the problem would be much less severe since although you'd have a second set of interface controls within the browser window, the real status bar would be at the bottom, and the real menubar would be at the top.

Firefox already has a way to block JS from doing this and using several other of its most annoying features, and indeed I personally have these limits switched on already. Put about:config in the address bar, and change these entries to the following values (or look up how to make a user.js file on Google):

dom.disable_window_move_resize = true
dom.disable_window_open_feature.close = true
dom.disable_window_open_feature.directories = true
dom.disable_window_open_feature.location = true
dom.disable_window_open_feature.menubar = true
dom.disable_window_open_feature.minimizable = true
dom.disable_window_open_feature.personalbar = true
dom.disable_window_open_feature.resizable = true
dom.disable_window_open_feature.scrollbars = true
dom.disable_window_open_feature.status = true
dom.disable_window_open_feature.titlebar = true
dom.disable_window_open_feature.toolbar = true
dom.disable_window_status_change = true


Now try the example given in the summary again [nd.edu] .
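The about:config settings listed in the comment above can also be kept in a profile's user.js file. As an added example (not part of the original comment and not Mozilla code), this Node.js script checks the text of a user.js/prefs.js file against that list and emits the `user_pref` lines still needed; the function names and the sample file contents are constructed for illustration.

```javascript
// Added example: audit user.js / prefs.js text for the window-feature
// prefs listed in the comment above. Sample input is constructed.

// Preference names exactly as given in the comment.
const HARDENING_PREFS = [
  "dom.disable_window_move_resize",
  "dom.disable_window_open_feature.close",
  "dom.disable_window_open_feature.directories",
  "dom.disable_window_open_feature.location",
  "dom.disable_window_open_feature.menubar",
  "dom.disable_window_open_feature.minimizable",
  "dom.disable_window_open_feature.personalbar",
  "dom.disable_window_open_feature.resizable",
  "dom.disable_window_open_feature.scrollbars",
  "dom.disable_window_open_feature.status",
  "dom.disable_window_open_feature.titlebar",
  "dom.disable_window_open_feature.toolbar",
  "dom.disable_window_status_change",
];

// Parse lines of the form: user_pref("name", value);
// Comment lines and anything that is not a user_pref call are skipped.
// If a pref appears twice, the later line wins.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("//")) continue;
    const m = re.exec(line);
    if (!m) continue;
    let value = m[2];
    if (value === "true") value = true;
    else if (value === "false") value = false;
    else if (/^-?\d+$/.test(value)) value = Number(value);
    else if (/^".*"$/.test(value)) value = value.slice(1, -1); // string pref
    prefs.set(m[1], value);
  }
  return prefs;
}

// Sort each listed pref into ok / wrong / missing.
// "wrong" covers false and non-boolean values: a quoted "true" is a
// string, not the boolean true these settings call for.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const result = { ok: [], wrong: [], missing: [] };
  for (const name of HARDENING_PREFS) {
    if (!prefs.has(name)) result.missing.push(name);
    else if (prefs.get(name) === true) result.ok.push(name);
    else result.wrong.push(name);
  }
  return result;
}

// Produce the user.js lines that set the given prefs to true.
function renderUserJs(names) {
  return names.map((n) => `user_pref("${n}", true);`).join("\n") + "\n";
}

// Constructed sample of a partly configured user.js.
const SAMPLE_USER_JS = [
  "// constructed sample, not taken from a real profile",
  'user_pref("browser.startup.homepage", "about:blank");',
  'user_pref("dom.disable_window_open_feature.status", true);',
  'user_pref("dom.disable_window_open_feature.location", false);',
  'user_pref("dom.disable_window_open_feature.menubar", "true");',
  'user_pref("dom.disable_window_status_change", true);',
].join("\n");

const report = auditPrefs(SAMPLE_USER_JS);
console.log("already set:", report.ok.length);
console.log("set to something other than true:", report.wrong);
console.log("lines to append to user.js:");
console.log(renderUserJs([...report.missing, ...report.wrong]));
```

Appending the emitted lines to user.js is enough, since a later `user_pref` line for the same name overrides an earlier one in this parser, matching how the file is read top to bottom.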

How about webapps (1, Informative)

Anonymous Coward | more than 10 years ago | (#9851537)

The issue is that Firefox/gecko is advertised as a way to make a popup look and act like a real app : if you don't allow scripts to remove the browser part, a xul application wouldn't look like a real application anymore, would it ?
At work, I have managed to convince my bosses to use xul/php/postgres/soap instead of java/.net for our core project partly because of that (though I don't really care about that, portability and ease of development is the main reason I pushed xul).
If you remove that, I don't think xul really stands out as a framework ; it would be too much tied to a browser.

Re:Javascript window "features" (0)

Anonymous Coward | more than 10 years ago | (#9851541)

I was only thinking about changing these to true only yesterday. I don't know why these are not enabled by default.

Well at least .location and .status and possibly .titlebar, .close, directories, .toolbar and .personalbar

For more info
http://kb.mozillazine.org/index.phtml?title=Firefox_:_FAQs_:_About:config_Entries [mozillazine.org]

-AC

There's something rotten in Firefox. (5, Insightful)

cyclop (780354) | more than 10 years ago | (#9851480)

And not just for the bug itself (that probably will be fixed quite rapidly). There are two issues behind this.

(1). The problem was known 4 years ago, but it was marked confidential. I'm not familiar with BugZilla, so I didn't even know there could be a "confidential" bug. This is the antithesis of Open Source philosophy. This is pure security-through-obscurity, in pure M$ style. If the bug wasn't "confidential", I'm sure we should have seen this fixed years ago.
I just hope most of the other open source/free software projects I rely on every day (Linux, KDE, Mplayer, Kile, Thunderbird, Nicotine and so on...) don't follow such a moron habit.

(2) How can the browser load XUL code and use it without warning? This is not a bug: this looks more like IE-like flawed design. Correct design shouldn't even *read* any data of this kind, let alone running it and let it deface the browser itself!

The Mozilla family of browsers/mail clients is still a crew of wonderful programs, and I'm proud of using them. But they will rapidly become IE-like crap, if they continue this way.

Re:There's something rotten in Firefox. (3, Interesting)

AC-x (735297) | more than 10 years ago | (#9851517)

I certainly think having confidential bugs was a very bad idea (who gets to see them I wonder?) but running XUL code is hard not to without making it quite useless, at work we plan to look at it with the view to using it in our web applications instead of HTML (which I think is one of the things it was originally for).

I mean, it's basically the same as using images to spoof the IE toolbars, Firefox just gives you the tools to do a better job of it.

The only thing I can think of that wouldn't make using XUL a total pita is to warn the users first time a site tries to use it, something like

"Do you want this site to create an interface in XUL (phishing warning blah blah blah).
[Yes] [No] [x] remember this for xyz.com"

Re:There's something rotten in Firefox. (1)

cyclop (780354) | more than 10 years ago | (#9851557)

I'm not too much inside the XUL thing, but AFAIK you can use it for rapidly creating plugins and extensions to the browser. And OK, this is cool. But why in the hell it should be automatically loaded and executed? The pop-up dialogue you propose is IMHO useless. How can the user know if it's a Good XUL interface or an Evil XUL interface? Everyone would click OK, and get somehow spoofed.

Re:There's something rotten in Firefox. (1)

smitty_one_each (243267) | more than 10 years ago | (#9851580)

How about a fundamental question: how can you dynamically tweak an interface using <insert technology here> without opening up the possibility that Bad Things will creep in?

Re:There's something rotten in Firefox. (1)

October_30th (531777) | more than 10 years ago | (#9851547)

The problem was known 4 years ago, but it was marked confidential. I'm not familiar with BugZilla, so I didn't even know there could be a "confidential" bug.

Me neither. The exploit itself appears to be relatively insignificant, but the way it has been kept buried for 4 years is not.

If this cover-up is indeed true, how can we be sure that there aren't other, confidential and perhaps even more serious bugs and exploits in all Mozilla family products?

Re:There's something rotten in Firefox. (3, Insightful)

Jugalator (259273) | more than 10 years ago | (#9851565)

The problem was known 4 years ago, but it was marked confidential. I'm not familiar with BugZilla, so I didn't even know there could be a "confidential" bug. This is the antithesis of Open Source philosophy.

I fully agree this is a very bad idea. All it takes is someone to get hacked, or in another way disclosing information about these secret bugs, and then they might start circulating among "underground" hackers without us knowing it, and voila we have an exploit for an issue a very large group of the developers didn't even know exist.

If they did know, they could of course have offered help in resolving the bug much earlier.

They need to start thinking about these things now as the browser might start to gain momentum. Even if it's not huge problems revealed, merely the fact that secret bugs exist and are revealed now and then (I have no doubt we'll see more in the future since this is probably not the only one), is severe negative publicity for the Mozilla products. It wouldn't be nearly as bad if the bugs weren't secret.

Not really an exploit.. Not really new either (0)

auzy (680819) | more than 10 years ago | (#9851481)

This is basically a screenshot of a toolbar at the top of the browser.. I barely think it's classed as a true exploit anyway, so the author got it wrong really..

The good thing is that I'm guessing people will fix it, but regardless, the only way to get tricked by it would be to click something on a webpage, so it's unlikely that there's an easy way to give the link to the user without them noticing it's dodgy.. Either way, it's probably something which should be fixed, but it's not something which can be fixed easily..

Either way, even if it's fixed, it's pretty trivial to make something with javascript that does exactly the same effect but does it better.. so I'm not worried at all.. Something like this can be done on any browser, so I think rat144 is using very poor judgement, and at the end, is:
-Causing ppl to worry about something which can be done in other ways anyway almost as well..

-Has now given a bad idea to blackhat crackers around the world, which is great, especially because there is no effective way of fixing this other than forcing a taskbar at the bottom with the effective address, which won't help everyone, and at the very least informing script kiddies of attacks like these will encourage them to attack every server..

I wonder why people like announcing problems like these without trying to implement a solution themselves, so at least they know if it's possible before causing havoc online for everyone..

Re:Not really an exploit.. Not really new either (1)

auzy (680819) | more than 10 years ago | (#9851499)

Actually, just read the discussion and seems they agree with what I thought.. So seems Rat's just trying to get some attention..

Re:Not really an exploit.. Not really new either (1)

Anonymous Coward | more than 10 years ago | (#9851513)

Either way, even if it's fixed, it's pretty trivial to make something with javascript that does exactly the same effect but does it better.

Have you got proof-of-concept of that hidden away somewhere? The padlock-icon spoofing was damn scary.

Re:Not really an exploit.. Not really new either (1)

auzy (680819) | more than 10 years ago | (#9851559)

You can pretty much just use javascript to open a new window anyway.. For the people who are unthemed, javascript works just as well, and ppl who are, most would just assume that its a bug which causes the theme to change back.. Throw in precaching and HELLO.. those buttons load instantly

Same thing, just different implementation, and can't be stopped either without disabling javascript.. My issue with this is that attacks like these have been known throughout the community for years, but not many people knew about it. Because of their nature, they can even be implemented in html without javascript, so they can't be stopped.. Now these geniuses have made it a big enough issue so that every spammer and script kiddie in the world knows, so has informed spammers of an easy way to harvest emails, fraudsters an easy way to pretend that their purchases are valid and credit card kiddies with a credit card harvester..

Basically, thanks to him, from this time on, we'll probably see a massive increase in spam and online fraud..

Re:Not really an exploit.. Not really new either (1)

AC-x (735297) | more than 10 years ago | (#9851550)

> I wonder why people like announcing problems like these without trying to implement a solution themselves, so at least they know if it's possible before causing havoc online for everyone..

Oh dear, the old "if you can't fix it yourself don't complain about it" attitude.

If he can figure it out on his own then so can hackers, not telling anyone just means that *no-one* can work on a fix (which is why no bugs should ever be marked as confidential unless one of the main developers plans to release a fix for it very soon, eg not after 5 years).

At any rate I can't see how this could possibly create havoc, the spoof didn't look anything like my toolbar and I think most phishermen (or whatever they're being called these days) will still be targeting IE while its userbase is +90% (and there are plenty of ways of spoofing with IE just as well)

MouseGestures! (1)

ptarjan (593901) | more than 10 years ago | (#9851486)

I guess this is another triumph for mouse gestures.

If you try to do any gesture on that page with the "All-In-One Gestures" extension installed, a bright red bar appears at the top and grows with each gesture.

Maybe they didn't code for this, but it sure is noticeable.

How to spot the spoof! (0)

Anonymous Coward | more than 10 years ago | (#9851496)

Just customize your tool bar. If you right click on the toolbar and choose customize, you can add/remove and move your buttons and what not around. If you hit a spoofed site and your buttons have been moved about, you know you're being had.

Too much zealotry (4, Interesting)

brainnolo (688900) | more than 10 years ago | (#9851521)

Well, this IS a bug, and a very nasty one; as the author of that page said, everything in that page can be made to work. With some Javascripts you could even identify which version of browser is running and adapt to it. I've been impressed by clicking on the padlock. I don't think web pages should ever need to load XUL, this is bad design for me. I don't get how you can say that this is not a bug, that this can be done also in IE. It's not true! Those for IE are almost all just gifs and are very easy to notice. But wait, Mozilla loading XULs via HTTP:// without even popping up an alert is a feature, IE loading ActiveX is..bad design! Why? At least ActiveX's CAN be useful! Please stay with your feet on the floor.

Re:Too much zealotry (2, Insightful)

AC-x (735297) | more than 10 years ago | (#9851566)

Using XUL through HTTP can be _very_ useful, we're looking at it to replace using HTML in our web applications and it looks like it would do a very good job at it (I think that's one of the things it was built for).

As for ActiveX, that's actually running code on your computer, XUL is just an interface language. You can't run XUL that'll install spyware on your machine for example.

PostBlock censorship devise spoofing for fun (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9851525)

& because IT's the YRO/'stuff that matters' thing to do, isn't IT?

no contest.

corepirate nazi gangster felon kode re-examined? (Score:mynuts won, should have their heads re-examined)
by Anonymous Coward on Saturday July 31, @06:40AM (#9851507)
eye gas sumbodIE has to do it?

what about those googlers, trying to steal the .com (froogles) away from some disabled person? yuk. eye gas every pennIE couNTs when you're becoming soul DOWt.

consult with/trust in yOUR creators.... using newclear powered crystal 'vision' since/until forever. see you there?

& by the way, lookout bullow. the creators' planet/population rescue initiative remains on high crisis alert. many are saying that unprecedented evile et AL, may have peaced off the creators/finally be doomed?

Damn.. (1, Insightful)

sw155kn1f3 (600118) | more than 10 years ago | (#9851526)

> Of course, that won't stop me from using Firefox.
I used to say the same about IE 2-3 months ago, you insensitive clod!

That's it... (2, Interesting)

canavan (14778) | more than 10 years ago | (#9851528)

now I'll go back to browsing with telnet and openssl s_client.

This is pretty bad... but... (2, Interesting)

ravydavygravy (230429) | more than 10 years ago | (#9851530)

Well, I have to say that this exploit is particularly serious - but not the end of the world. I've every faith we'll see a fix fairly soon...

It's pretty bad because it has the end results of several techniques rolled into one handy package - URL spoofing, fake certs, browser hijacking...

Several workarounds being mentioned - using a non-standard toolbar (add at least one extra button/menu-item so you can identify a fake version...), and possibly a non-standard theme would work (though I'm not so sure about this one...)

Anyway, net result - firefox has a pretty bad security problem, with a fairly easy workaround, and no doubt a fix in the works... - how about not allowing remote sites to run XUL without first warning the user (with the option to turn this warning feature off of course - it's all about choice, right?)

Dave

Re:This is pretty bad... but... (0)

Anonymous Coward | more than 10 years ago | (#9851564)

I've every faith we'll see a fix fairly soon...

Perhaps not. It's been five years since this vulnerability's been known by the Mozilla devs [mozilla.org]. That disturbs me. Methinks there might be something fundamentally flawed with the XUL architecture.

I'm protected in three ways... (2, Interesting)

Mr. Smoove (160347) | more than 10 years ago | (#9851549)

1. I use a custom theme (Qute as it happens) with small icons

2. I've customised my toolbars to reduce them into one (plus bookmarks)

3. I have Tab Browser Extensions installed and I run in Single Window mode so all pop-up windows get opened inside my one browser window.

This is the power of Firefox!

OK (1)

sw155kn1f3 (600118) | more than 10 years ago | (#9851570)

These funny colors at slashdot, broken IE, broken Firefox...
Bye bug-infested and eye-sore world, I'm going to live in a cave and use text-based browsers on good ol' green 300 baud terminal.

ThanNO CARRIER

What is all the fuss about? (1)

Ath (643782) | more than 10 years ago | (#9851577)

That's not a bug, it's a feature.