Forgot your password?
typodupeerror
This discussion has been archived. No new comments can be posted.

Mozilla UI Spoofing Vulnerability

Comments Filter:
  • by Anonymous Coward on Saturday July 31, 2004 @06:08AM (#9851408)
    You think your Mozilla or FireFox has neat features like that?

    Well my friend, my IE can beat your browser many times over!

    HA!
    • by smallfries (601545)
      Actually this is nothing for me. Does it work for anyone else? The screenshot looks quite well done but the actual spoof just bombs out on my copy of firefox with an xml parsing error and a *huge* 5000 pixel wide yellow window. That didn't exactly take me in...
  • by Nermal6693 (622898) on Saturday July 31, 2004 @06:09AM (#9851410)
    I've lost faith in Secunia, they seem to love pointing out security holes in open-source products. So I just ignore them now.
    • Re:Not another one! (Score:2, Interesting)

      by Zeal17 (602971)
      I've lost faith in Secunia, they seem to love pointing out security holes in open-source products. So I just ignore them now.

      Does this make the point less valid? The open-source community seems to react quickly to criticism like this, so my guess is there will be a fix quickly.
    • by carlmenezes (204187) on Saturday July 31, 2004 @11:38AM (#9852503) Homepage
      What it does is mimic the interface of an UNMODIFIED Firefox. Install ANY exension that changes the menubar or toolbar and you'll notice all that gone in the new window.

      Heck, you don't even need to install any extensions...just customize your toolbar a little...place ANY icon after the help menu and try the proof of concept...it doesn't work - the difference is too obvious.

      Neat trick, definitely, but I don't see it as much more.
  • by Anonymous Coward on Saturday July 31, 2004 @06:09AM (#9851411)
    so am I really seeing slashdot, or is someone trying to spoof me, while at the same time ironically warning me about said Firefox spoofs?
  • Vulnerability? (Score:3, Interesting)

    by insecuritiez (606865) on Saturday July 31, 2004 @06:11AM (#9851415)
    Excuse me but isn't this "vulnerability" the same thing as saying the pop-up ads that look just like IE on Windows XP are a IE/Windows XP vulnerability? This customizability (albeit automatic by the webpage) is closer to a feature than a vulnerability if you ask me.
    • Re:Vulnerability? (Score:3, Informative)

      by kristofme (791986)
      I had the same opinion initally, but if you check out the spoofed Mozilla window [nd.edu] you have to admit this could prove to be dangerous..
      Having said that, I'll stick to Firefox nonetheless - let's just hope the Firefox team will find a way to fix it soon.
      • The only thing is that that window on the site doesn't have the web developer toolbar, the bookmark toolbar, and my 15 tabs, so for me it's easy to tell the difference. But it scares me too.
    • Re:Vulnerability? (Score:3, Insightful)

      by NetNifty (796376)
      It's probably possible to do with IE too, but the worrying part of this exploit is the fake security certificate it produces. Easy way to disable the exploit working is to disable allowing javascript to hide the status bar - the menus etc still comes up but you can tell it's fake because of the extra status bar.
    • Re:Vulnerability? (Score:5, Insightful)

      by pinny20 (415459) on Saturday July 31, 2004 @06:20AM (#9851448)
      No, because it's using Chrome, so the fake window will have the same theme as the user is using, and if coded cleverly enough, even an experienced user wouldn't be able to easily tell the difference - e.g. Menus will operate in the same way etc.
      • Re:Vulnerability? (Score:3, Insightful)

        by KernelHappy (517524)
        At first I thought maybe it's more difficult for an observant person to be fooled. So I opened up a spoofed window and compared it to a real window to see how many differences I could find. Now as a child I was pretty damn good at the spot the difference cartoons in highlights magazine, apparently use it or lose it is valid. Only after I specifically looked for them did I realize that my bookmarks toolbar was missing, and from my navigation toolbar several icons were missing and the search control was pr
        • Re:Vulnerability? (Score:3, Interesting)

          by plj (673710)
          Interesting thing though, that on OS X nobody's fooled, as the fake menubar appears on the top of the window as an empty bar (without changing the actual menu bar), which will instantly reveal that everything is not as it should be.
    • Re:Vulnerability? (Score:5, Insightful)

      by MoogMan (442253) on Saturday July 31, 2004 @06:26AM (#9851469)
      You are right in the sense that it is not a "standard" vunerability as such, but as is the case for IE "spoofing", it is still valid. It could still cause users to think a spoofed page is a real page, so in essence the browser is "vunerable".

      As a sidepoint, I think the actual vunerability is the fact that XUL can be effectively imported and utilised from a website, rather than a vunerability saying "you can spoof the xyz browser using http user-agent flags and jpeg images" as a bad example :)
    • Re:Vulnerability? (Score:5, Insightful)

      by FyRE666 (263011) * on Saturday July 31, 2004 @07:05AM (#9851578) Homepage
      Excuse me but isn't this "vulnerability" the same thing as saying the pop-up ads that look just like IE on Windows XP are a IE/Windows XP vulnerability? This customizability (albeit automatic by the webpage) is closer to a feature than a vulnerability if you ask me.

      Exactly - furthermore, you can easily do exactly the same with IE. You just create a new window, with the fullsize property set, then set the dimensions (so you then have a blank window with no chrome at all - not even a title bar) - after that it's simply a matter of adding your spoofed interface using DHTML... Game over.
      • by bcmm (768152)
        And here is a perfect reversal of how /. usually works. Someone says "I can do X with FireFox, but not in IE", and someone else points out how to do the same with IE...
      • Re:Vulnerability? (Score:5, Informative)

        by RzUpAnmsCwrds (262647) on Saturday July 31, 2004 @08:38AM (#9851815)
        "Exactly - furthermore, you can easily do exactly the same with IE. You just create a new window, with the fullsize property set, then set the dimensions (so you then have a blank window with no chrome at all - not even a title bar) - after that it's simply a matter of adding your spoofed interface using DHTML... Game over."

        This hasn't worked since Internet Explorer 6.0SP1. You can no longer resize a fullscreen window.

        As of 6.0SP2 (due out soon, hopefully) you can no longer create a window without a statusbar.

        Moreover, it is difficult to "fake out" the UI using DHTML. You may be able to fool inexperienced users, but it is much harder than doing the same thing using Mozilla's XUL.
  • Marked confidential? (Score:5, Interesting)

    by Kristoffer Lunden (800757) on Saturday July 31, 2004 @06:16AM (#9851429) Homepage
    According to the spoof demostration page, this has been known for five years(!) but the bug filed has been marked "confidential". You'd think that the Mozilla team could do better than security through obscurity - that is usually a reserved tactic for "the other team"....
    • by Neophytus (642863) *
      If a fix would be hard and/or time consuming to create then isn't it fairer for the majority of users that it isn't known outside the development group rather than having them rush out a kludge that may introduce more bugs.

      That said, five years is a long time.
    • by archen (447353)
      I think the problem the Mozilla team has is the same problem that the IE team has, which is the same problem that the Opera team probably has - if you can make a blank window, you can redraw the interface pretty easy. But how do you fix it is the question? If you always draw the menu bar and the status bar you can still recreate the other elements. If you require that the browser always look like the parent window... well that would probably work, although many things on the web would look like crap.

      I'm
  • whoops (Score:4, Interesting)

    by ceejayoz (567949) <cj@ceejayoz.com> on Saturday July 31, 2004 @06:16AM (#9851430) Homepage Journal
    Bug 22183. This is the first mention of the problem that I am aware of. It was marked confidential for five years until 7-21-2004.

    Gotta love that security-by-obscurity...
    • "Confidential" bugs in an open source project. Really?
    • I use Opera (Score:3, Insightful)

      by rd_syringe (793064)
      I've always known Mozilla to be less than the perfection that Slashdotters have paraded it around as. Now that all these security vulnerabilities are being discovered...well, nothing's changed for me because I use Opera.

      No pointless XUL, no reimplemented widgets, no cute little XPI spoofs. Just a native web browser that is the fastest and leanest out there.

      It's interesting to watch the conflicts of posters today. On one hand, they want to keep using Firefox and supporting it. On the other hand, they k
      • Re:I use Opera (Score:3, Informative)

        by jesser (77961)
        I just tested this attack in Opera. You're right, Opera does two things that make this kind of spoofing attack a little harder:

        * "Window handling" defaults to "Prefer pages inside windows", so when a site tries to open a new window, it gets an MDI child window. This isn't nice for web applications or users who don't like tabbed browsing, but it is more secure against spoofing.

        * At least in the default theme, if I do javascript:window.open("", "", "scrollbars=no"); void 0, the content area is indented by
  • What the hell? (Score:4, Insightful)

    by King_of_Prussia (741355) on Saturday July 31, 2004 @06:17AM (#9851432)
    Of course, that won't stop me from using Firefox.

    What kind of blind OSS zealotry is this? If somebody said something similar of IE there would be a unanimous uproar of upbraids from the slashdot community against whoever said it.

    Is it somehow tolerable for OS software to have faults, even serious ones? Security through obscurity is no security at all, as I'm sure many Firefox users will learn one day. Personally, I believe statements like that, and the people that make them are what is holding OSS back from becoming a serious contender to the juggernauts of mocrosoft. If we continue to sit on laurels gained only through lucky ineptitude we will get precicely nowhere.

    PS seems like google has started another round of gmail invites, I just got six. Logged in users tell me your funniest joke involving tux the linux penguin and the six funniest will recieve an invite (use a throwaway account, I'm sure this post will be followed by cowardly un-obfuscating trolls).

    • by tirenours (583610) on Saturday July 31, 2004 @06:33AM (#9851488)

      And from the linked page, a gem that we shouldn't overlook:

      "if you don't have Firefox (you should get it!)"

    • Re:What the hell? (Score:2, Insightful)

      by Pharmboy (216950)
      <stupidity>
      This is why I use Windows, which is more secure because hackers can't search the code for vulnerabilities to exploit.
      </stupidity>

      But it does make me glad I have both installed on all computers. It is ironic tho, with all the MS bashing, and this is actually a more serious exploit the last few IE exploits. Firefox doesn't have the quantity of bugs that IE has, but it makes up for it with the quality I guess.

      As for me, I'm gonna start surfing in a shell with Lynx.
      • Re:What the hell? (Score:5, Interesting)

        by Spellbinder (615834) on Saturday July 31, 2004 @07:00AM (#9851568)
        i am not even sure if this shoud be called bug
        there is nothing it is not doing like it should
        it may be stupid to allow javascript to hide the toolbars etc.
        maybe it would be wise to disable those features in the next firefox version per default
        it is easy to change right now...
        and i don't see why this is worse than IE permitting execution of code on your machine
    • Re:What the hell? (Score:2, Interesting)

      by 4lex (648184)
      Since it doesn't affect the Mac OS X version (just checked), it won't stop me using Mozilla Firefox, for sure ;)
    • Re:What the hell? (Score:3, Insightful)

      by Threni (635302)
      > What kind of blind OSS zealotry is this? If somebody said something similar of
      > IE there would be a unanimous uproar of upbraids from the slashdot community
      > against whoever said it.

      Who cares what the `slashdot community` says? There's a mixture of people here. You don't have to listen to everyone. I'm not a zealot and i'm going to be sticking with Firefox, as I don't believe i'm at risk of this particular exploit, as I have a local webpage on my hard drive which is just a list of URLs to sites
    • If you're waiting for a web browser without serious faults, you'll be waiting a long time. Firefox is still the best, AFAIK, despite this weakness.
    • Re:What the hell? (Score:4, Insightful)

      by FooBarWidget (556006) on Saturday July 31, 2004 @07:41AM (#9851667)
      There are many, many people out there who continue to use IE, even after knowing there are alternatives and that IE has many security holes. So what? Why doesn't anybody label those people as "MS zealots"? But when someone says he still continues to use FireFox he gets flamed down for being a zealot?
      • There are many, many people out there who continue to use IE, even after knowing there are alternatives and that IE has many security holes. So what? Why doesn't anybody label those people as "MS zealots"?

        They do. You apparently missed the memo...

    • Re:What the hell? (Score:5, Insightful)

      by pebs (654334) on Saturday July 31, 2004 @08:32AM (#9851789) Homepage
      Of course, that won't stop me from using Firefox.
      What kind of blind OSS zealotry is this?


      You know, I never advocate using Mozilla/Firefox due to lack of vulnerabilities; because deep down inside, I know there are a ton of vulnerabilities just waiting to be found. This is a problem for any reasonably complex software. Two reasons to use Mozilla/Firefox:

      1. Feature-wise, it completely blows away IE
      2. Standards compliant, which will help make the web a better place for all browsers

      Also, it runs on many OS's, but that's not a good reason for everyone.

      Currently, most of the malware/viruses/etc are for IE. But I have seen sites that try to get you to install Mozilla extensions that could be potentially malicious. With Mozilla's new-found popularity, it's only a matter of time before Mozilla gets attention from the malware writers. Get ready for it.
      • Then using myIE. Now you have a feature set that blows away Firefox, and everything else, while still having IE under the covers (if you want that... I happen to like IE, and myIE makes it tremendously powerful, and even a little bit more secure).
  • by ElVirolo (738856) on Saturday July 31, 2004 @06:20AM (#9851446)
    Of course, that won't stop me from using Firefox But then how do you know you ARE using the 'proper' Firefox if the interface is spoofed ?
  • Doesnt do tabs (Score:3, Interesting)

    by isorox (205688) on Saturday July 31, 2004 @06:21AM (#9851452) Homepage Journal
    I use middle-click tab a lot (practically every link), the proof of concept doesnt show the tabs (still opens them though)
  • Double standards? (Score:5, Insightful)

    by bamf (212) on Saturday July 31, 2004 @06:24AM (#9851460)
    Of course, that won't stop me from using Firefox.

    If this was an issue with IE and not Firefox, I hope you'd still be saying the same thing?

    However I suspect that you'd be denigrating IE as loudly as possible, while insisting that everyone should move immediately to Firefox.
  • Bear in mind... (Score:5, Informative)

    by Aluminum Tuesday (317409) on Saturday July 31, 2004 @06:28AM (#9851475)
    Bear in mind that this spoof only looks convincing if you haven't changed your Firefox toolbar at all, ie. you haven't switched to smaller icons or added/removed/moved buttons.

    It also fails to appear properly on the Macintosh.

    If someone wanted to make some kind of exploit with this, they'd want to target a specific platform and Firefox revision. (eg. 0.9 on Windows) Since Firefox is in constant development, it could well change between revisions and render these spoofs obsolete.

    I don't really see this as a Firefox vulnerability. Use any browser without a popup blocker, and you'll see a lot of popup ads pretending to be legitimate OS windows and dialogs. This is really just a variation of that.
    • Re:Bear in mind... (Score:3, Insightful)

      by JRIsidore (524392)
      Bear in mind that this spoof only looks convincing if you haven't changed your Firefox toolbar at all, ie. you haven't switched to smaller icons or added/removed/moved buttons.

      Sure, if a toolbar suddenly looks like the default config all users will suspect a faked UI and get alerted instantly... you expect too much. IMHO many will simply assume the browser messed up their config and keep on browsing. Even if the majority gets suspicious, the small percentage that is fooled is most likely to be profitabl
  • by AC-x (735297) on Saturday July 31, 2004 @06:29AM (#9851478)
    Without disabling XUL, I mean it's the equivilent of using images and text forms to spoof the IE menu bar, it just so happens that Firefox gives you tools that can be used to do a better job of it.

    At any rate this can be overcome quite easily by changing the javascript prefs so that sites can't hide things like the status bar and menus.
  • by Ianoo (711633) on Saturday July 31, 2004 @06:29AM (#9851479) Journal
    The real problem here is not so much XUL, but Javascript!

    Why does the browser even allow Javascript to create popup windows without toolbars, menu bars and status bars? This has to be one of the most annoying features of any web browser, I can't for the life of me understand why anyone would think up or need such a feature.

    Without this Javascript, you couldn't turn the real menubars and toolbars off, and the problem would be much less severe since although you'd have a second set of interface controls within the browser window, the real status bar would be at the bottom, and the real menubar would be at the top.

    Firefox already has a way to block JS from doing this and using several other of its most annoying features, and indeed I personally have these limits switched on already. Put about:config in the address bar, and change these entires to the following values (or look up how to make a user.js file on Google):

    dom.disable_window_move_resize = true
    dom.disable_window_open_feature.close = true
    dom.disable_window_open_feature.directories = true
    dom.disable_window_open_feature.location = true
    dom.disable_window_open_feature.menubar = true
    dom.disable_window_open_feature.minimizable = true
    dom.disable_window_open_feature.personalbar = true
    dom.disable_window_open_feature.resizable = true
    dom.disable_window_open_feature.scrollbars = true
    dom.disable_window_open_feature.status = true
    dom.disable_window_open_feature.titlebar = true
    dom.disable_window_open_feature.toolbar = true
    dom.disable_window_status_change = true


    Now try the example given in the summary again [nd.edu].
    • I've used javascript to open windows without toolbar, status bar, etc. in an app where I think it is a quite useful feature.

      Situation is web interface to a database. Popup windows are used to search database and fill in parts of the main form (product search, customer search, etc).

      It saves a lot of screen real estate turning off those unnecessary things--and it's helpful for the user to have both the main form as well as any search windows open at the same time.
    • XP SP2 does this (Score:4, Interesting)

      by spideyct (250045) on Saturday July 31, 2004 @10:26AM (#9852184)
      Good suggestion.

      Also, Internet Explorer with Windows XP SP2 will prevent websites from creating pop-up windows without a status bar, or with the status bar positioned off screen. Microsoft has recognized that the status bar should always be visible, I think the Mozilla/Firefox team should follow suit.

      http://www.microsoft.com/technet/prodtechnol/win xp pro/maintain/sp2brows.mspx#XSLTsection137121120120

    • Why does the browser even allow Javascript to create popup windows without toolbars, menu bars and status bars? This has to be one of the most annoying features of any web browser, I can't for the life of me understand why anyone would think up or need such a feature.

      This feature is useful:

      1) Whenever you have to show the user some information that is not directly related to the task at hand. Example: you have a multi-page "wizard" style form allowing a user to enter information into a database. It is a

  • by cyclop (780354) on Saturday July 31, 2004 @06:29AM (#9851480) Homepage Journal
    And not just for the bug itself (that probably will be fixed quite rapidly). There are two issues behind this.

    (1).The problem was known 4 years ago, but it was marked confidential. I'm not familiar with BugZilla,so I didn't even know there could be a "confidential" bug. This is the antithesis of Open Source philosophy. This is pure security-through-obscurity, in pure M$ style. If the bug wasn't "confidential",I'm sure we should have seen this fixed years ago.
    I just hope most of the other open source/free software projects I rely on every day (Linux,KDE,Mplayer,Kile,Thunderbird,Nicotine and so on...) don't follow such a moron habit.

    (2)How can the browser load XUL code and use it without warning? This is not a bug: this looks more like IE-like flawed design. Correct design shouldn't even *read* any data of this kind, let alone running it and let it deface the browser itself!

    The Mozilla family of browsers/mail clients is still a crew of wonderful programs,and I'm proud of using them. But they will rapidly become IE-like crap, if they continue this way.
    • by AC-x (735297) on Saturday July 31, 2004 @06:44AM (#9851517)
      I certainly think having confidential bugs was a very bad idea (who gets to see them I wonder?) but running XUL code is hard not to without making it quite useless, at work we plan to look at it with the view to using it in our web applications instead of HTML (which I think is one of the things it was originally for).

      I mean, it's basically the same as using images to spoof the IE toolbars, Firefox just gives you the tools to do a better job of it.

      The only thing I can think of that wouldn't make using XUL a total pita is to warn the users first time a site trys to use it, something like

      "Do you want this site to create an interface in XUL (phishing warning blah blah blah).
      [Yes] [No] [x] remember this for xyz.com
      • by AlXtreme (223728) on Saturday July 31, 2004 @09:23AM (#9851939) Homepage Journal
        The only thing I can think of that wouldn't make using XUL a total pita is to warn the users first time a site trys to use it, something like
        How about just disabling the execution of remotely-retrieved XUL files from within Firefox by default? I'm surprised Firefox didn't warn before loading the spoof from the remote site, it clearly should as a minimum. However as more and more new users with the click-before-you-read syndrome try out Firefox having it disabled by default seems the only sane thing to do.

        If you want to view your web applications internally using XUL, having a whitelist akin to the popup blocker seems the best way (don't bother user unless he figures out something is missing and he clicks on the disabled-window icon). For all us people just wanting to browse some HTML, automatically (or even after prompting) running XUL from a remote server is a flaw and potentially dangerous, and should be considered as such. I'm amazed this hasn't received more attention.

    • by Jugalator (259273) on Saturday July 31, 2004 @06:59AM (#9851565) Journal
      The problem was known 4 years ago, but it was marked confidential. I'm not familiar with BugZilla,so I didn't even know there could be a "confidential" bug. This is the antithesis of Open Source philosophy.

      I fully agree this is a very bad idea. All it takes is someone to get hacked, or in another way disclosing information about these secret bugs, and then they might start circulating among "underground" hackers without us knowing it, and voila we have an exploit for an issue a very large group of the developers didn't even know exist.

      If they did know, they could of course have offered help in resolving the bug much earlier.

      They need to start thinking about these things now as the browser might start to gain momentum. Even if it's not huge problems revealed, merely the fact that secret bugs exists and are revealed now and then (I have no doubt we'll see more in the future since this is probably not the only one), is severe negative publicity for the Mozilla products. It wouldn't be nearly as bad if the bugs weren't secret.
  • Too much zealotry (Score:4, Interesting)

    by brainnolo (688900) on Saturday July 31, 2004 @06:45AM (#9851521) Homepage
    Well, this IS a bug, and a very nasty one, as the author of that page said, everything in that page can be made to work. With some Javascripts you could even identify which version of browser is running and adapt to it. I've been impressed by clicking on the pad lock. I don't think web pages should ever need to load XUL, this is bad design for me. I don't get how can you say that this is not a bug, that this can be done also in IE. Is not true! Those for IE are almost all just gifs and are very easy to notice. But wait, Mozilla loading XULs via HTTP:// without even popping-up an alert is a feature, IE loading ActiveX is..bad design! Why? At least ActiveX's CAN be useful! Please stay with your feet on the floor.
    • by AC-x (735297)
      Using XUL through HTTP can be _very_ useful, we're looking at it to replace using HTML in our web applications and it looks like it would be do a very good job at it (I think that's one of the things it was built for).

      As for ActiveX, that's actually running code on your computer, XUL is just an interface language. You can't run XUL that'll install spyware on your machine for example.
  • That's it... (Score:2, Interesting)

    by canavan (14778)
    now I'll go back to browsing with telnet and openssl s_client.
  • Well, I have to say that this exploit is particularly serious - but not the end of the world. I've every faith we'll see a fix fairly soon...

    It's pretty bad because it has the end results of several techniques rolled into one handy package - URL spoofing, fake certs, browser highjacking...

    Several workarounds being mentioned - using a non-standard toolbar (add at least one extra button/menu-item so you can identify a fake version...), and possibly a non-standard theme would work (though I'm not so sure abo
  • 1. I use a custom theme (Qute as it happens) with small icons

    2. I've cutomised my toolbars to reduce them into one (plus bookmarks)

    3. I have Tab Browser Extensions installed and I run in Single Window mode so all pop-up windows get opened inside my one browser window.

    This is the power of Firefox!
  • by frankie (91710) on Saturday July 31, 2004 @07:10AM (#9851588) Journal
    We fans of the "bloated" original Mozilla are once again left in the dust by Firefox. Loading the test page results in:
    XML Parsing Error: undefined entity
    Location: http://www.nd.edu/~jsmith30/xul/test/browser.xul
    Line Number 20, Column 1:
    <window id="main-window"
    ^
    In seriousness, that's probably just an artifact of Firefox-specific XUL in the example, and could be fixed by a dedicated black hat. I agree with Lanoo [slashdot.org], all versions of Moz should disable javascript toolbar-hiding by default.
  • by orabidoo (9806) on Saturday July 31, 2004 @07:17AM (#9851613) Homepage
    in about:config, or in user.js:

    user_pref("dom.disable_window_open_feature.locatio n", true);
    user_pref("dom.disable_window_open_feature.menubar ", true);
    user_pref("dom.disable_window_open_feature.minimiz able", true);
    user_pref("dom.disable_window_open_feature.resizab le", true);
    user_pref("dom.disable_window_open_feature.scrollb ars", true);
    user_pref("dom.disable_window_open_feature.status" , true);

    This makes all pop-ups have a full navigation bar, location bar, status bar, and forces them to be resizable and scrollable.

    It may look uglier than plain-window pop-ups, but it does keep you in full control of your browser.

    With these options set, the spoof pages look obviously like what they are: a fake browser within a real browser.

    • You can put this right next to the section where you disable blinking text and other stupidities.

      Really, there should be a single preferences option that turns all this off though. Of course when Netscape does their re-release of Mozilla *their* version won't have that option. :)
  • by nothings (597917) on Saturday July 31, 2004 @07:40AM (#9851665) Homepage
    Although there are other strategic fixes discussed in the bugzilla discussion, it seems to me the first point of order is to NOT allow disabling/hiding of the toolbars and status line. These are tools for the user; there's no reason for "untrusted" sites to be able to do this. There seems to be a strange mentality of trusting the remote site's opinion over that of the user, rather than "sandboxing" the remote site's control into a limited part of the browser (the "client area" aka the "content area").

    Some site authors may say "but I really want to author a popup that doesn't have all that crap etc," but I don't see how it can be that important, especially given all the consequent badness. The only case I can see for this is that sometimes you do trust the content author--that there is a notion of Mozilla as a platform for application development. And, hey, ok, code reuse is good, but using Mozilla as a platform for a company-internal application is a totally different scenario; can't we recognize that as a different scenario and give it different rules instead of using one browser to rule them all?

    Now, without being able to disable the location bar, you can't spoof the location bar trivially. You could put up a second one and hope people don't notice, and yeah, some people won't. Unfortunately, as pointed out on bugzilla, there's a case that this won't stop: you create an entire faux window, one that appears to be in front of the main one, but is actually just a part of it. So in the middle of your page you have a seeming popup window with a seeming location bar with a faux address. It wouldn't be draggable outside of the client area of the main window, but some people wouldn't notice it.

    It's hard to see how to defend against that, although I am a wacky retro guy who thinks all of this DHTML stuff has given content creators way more power than they really need, and there would be nothing wrong with just pushing back on the standards until things weren't spoofable. (Remember when standards meant you wrote an RFC about something you had already implemented and figured out really worked; it didn't become a standard until people had exercised it in the field? Whatever happened to that?) Or maybe Ian Hickson is right and we're all just raving paranoic nutjobs. But it seems like exactly the sort of 'power before security' attitude that's gotten MS in a lot of trouble.

    An entirely different way of looking at the problem of spoofing is that we transmit our secrets "in the clear" to the remote site. (Obviously encrypted by https or whatever.) If the remote site is spoofing, they get our password (and can maybe even open a connection to paypal or whatever and pass through everything so we don't know it's been spoofed). There's no need for us to give the secret to the remote site, though; just prove that we know it. For example, the server can give us some random data, and we use a non-reversible encryption algorithm to combine the random data and the password, and return the result of that. The server can verify that it's the right result without anyone transmitting the actual password (though the server must store the actual password, and not a hash of it). If this were the technology we were using, a spoofer wouldn't be able to use the password, unless the spoofer DID open a connection to the real site first, and get the challenge; then it could pass it through, but then the spoofer would have only this one chance to make use of the spoofed data, since the next time the real site challenged, the spoofer is stuck; whereas currently a spoofer just captures the user/password combo and keeps it around for later processing. This would raise the complexity bar for making effective use of spoofing (including email phishing!), although I don't know if it's high enough. But good luck getting it into browsers AND making it impossible for spoofers to create what looks like a login prompt of this kind but actually is just a plain old plaintext submit.

  • by gedhrel (241953) on Saturday July 31, 2004 @08:37AM (#9851810)
    It's a serious problem. XAML, XUL and even SVG are positioning themselves as web-delivered application delivery platforms. The idea is to provide a mechanism for web-delivered apps to NOT look like they're running in a browser; instead, permitting more integration with the desktop.

    This kind of spoofing is going to become more problematic, not less.
  • The ability for web pages to override *any* part of the standard user interface, even if they can't then replace the UI with their own imitation, is something that I've been pissed off about for years. If you want to build an application development platfrom that can do anything, make it a separate program... leave me in control of the user interface of my own software.

    There shouldn't be a mechanism in the HTML/script/etc to do things like pop-ups, pop-behinds, moving windows, windows without toolbars and status bars... there should be an unbreakable firewall at the edge of the document portion of the browser.
  • by tweek (18111) on Saturday July 31, 2004 @09:49AM (#9852036) Homepage Journal
    I'm wondering why the moz team doesn't just implement signed XUL. We love using XUL for our internal applications at our company but somehow having to sign it wouldn't be a problem.

    I realize we now have dialogs that warn us about everything AND that most people just click through but having trusted XUL sites or signing it somehow would be just fine by me.

    What really annoys me is that:
    A) The bug was marked confidential for 5 freaking years!
    B) The people saying that it isn't a big deal.

    It IS a big deal or else the damn thing wouldn't have been marked confidential for 5 years. Sure it doesn't allow you to overwrite system files but I can recover from a virus. It's harder to recover from having a bank account wiped out because you used and unprotected debit card on a spoofed website ( forgetting that anyone who uses a debit card instead of a real credit card online is just asking to be screwed ).

    Really the best route for this is to disallow remote XUL execution by default with an option to enable it in the prefs with a list of trusted XUL sites.
  • by jdkane (588293) on Saturday July 31, 2004 @10:26AM (#9852187)
    I don't understand why this cannot be done without XUL/Mozilla. E.g. Why can this spoof not happen through Mozilla & plain DHTML (no XUL), or in IE too? Without XUL I can also pop up a new window without any chrome and then create my own fake chrome elements through DHTML (including drop-down menus, status bar acorss bottometc etc)

    What am I missing when I don't understand why this problem is specific to XUL in Mozilla?

  • by skidoo2 (650483) on Saturday July 31, 2004 @10:47AM (#9852273)
    At the risk of losing MASSIVE Karma points, I can't, in good conscience, fail to note that all of these claims that IE is vulnerable to this same type of spoofing are FALSE. You cannot create a fake browser window of ANY size or shape in IE with the same theme the user is employing for his or her desktop. This information is simply NOT available to IE's DHTML implementation. You can fool a retard with a borderless fake window, but you'll never guess my lime green ugly-ass color scheme is in place, and I **will** notice the rogue window.

    This is why the Mozilla vulnerability is so serious. You could fool even very experienced users. Like sysadmins who log in as root. :-)
  • by ngunton (460215) on Saturday July 31, 2004 @12:14PM (#9852691) Homepage
    XUL makes these browsers unusably slow on older machines. I have to use Netscape 4.8 (which has its own issues, but speed certainly isn't one of them - it doesn't take 5-10 seconds to open a new window) in order to get acceptable response on my old 450 MHz desktop (which is, I might add, perfectly fine using ANY other application, including Windows 2000, IE, Apache, MySQL, Word and so on).

    I really think (as others have also mentioned) there is a lot of blinkered thinking when it comes to Open Source software, to the extent that people are starting to blindly ignore the flaws - these same flaws in Microsoft apps would be pilloried mercilessly, but here you see all kinds of "yeah, but" comments. I am not putting down OSS, but the XUL thing was a classic example of developers going away to make a browser, and coming back with a bloated, swiss-army-knife, can-customize-up-the-wazoo Internet Platform. I don't particularly care about changing the "skin" on my browser - all I want is a small, fast application that adheres to standards and is preferably cross platform. They could have gotten the cross-platform part by using something like wxWidgets [wxwidgets.org]. I thought Firefox was supposed to be smaller and faster, but unfortunately XUL still seems to be at its core. And for those who say "Well, why don't you go away and make your own browser" - I have other projects I am working on and don't have the time.

    And to all those people who say that I should just get a new computer - well, tell that to all the schools out there who have old computers donated for teaching the kids. Anyway, Why should I have to upgrade because of one application - a BROWSER of all things? Just a classic case of developers going over the top to prove to everybody just how smart they are and how generalized their code is. And what do you know, now we find out that there seems to be a darker side to all this customizable GUI code. Oh well...

    BTW, I don't hate Mozilla. This is a criticism of one aspect of the project that I think just went severely off-track with featuritis. The project is very worthy effort and I applaud the people who are making it, but these are just my honest thoughts on the matter.
  • I wasn't vulnerable! (Score:5, Informative)

    by Dwonis (52652) * on Saturday July 31, 2004 @12:23PM (#9852732)
    I couldn't figure out why I wasn't vulnerable, until I looked in my user.js file:
    // More DOM/JavaScript options

    // Make sure all pop-up windows are resizable:
    user_pref("dom.disable_window_open_fea ture.resizable", true);

    // Make sure all pop-up windows are minimizable:
    user_pref("dom.disable_window_open_f eature.minimizable", true);

    // Always display the menu in pop-up windows:
    user_pref("dom.disable_window_open_featu re.menubar", true);

    // Always display the Navigation Toolbar in pop-up windows:
    user_pref("dom.disable_window_open_featu re.location", true);

    That didn't prevent the statusbar hack, but it made everything else *really* obvious.

    Have a look at about:config. There's a lot of useful stuff in there.

  • Bad, but not as bad (Score:3, Informative)

    by jhylkema (545853) on Saturday July 31, 2004 @02:57PM (#9853566)
    Okay, so somebody essentially builds a Javascript replica of the Firefox browser which activates as a popup when somebody clicks on a link. For this, the Mozilla folks are being raked over the coals. This is like saying a bank vault is insecure because it can be breached with explosives. Any browser could be spoofed this way and this has been going on with IE for a long time ("Your computer is infected with spyware, click OK to install more spyware^W^Wour software.")

    Granted, I'd like to see it more secure by default , e.g., it doesn't install software by default, Javascript disabled, etc. This also isn't uniquely a Mozilla problem as the first versions of Red Hat shipped with telnet and rlogin ports open by default. It all goes back to the age old debate about security versus functionality.
  • Javascript issue (Score:3, Informative)

    by HermanAB (661181) on Saturday July 31, 2004 @03:07PM (#9853615)
    This is a Javascript configuration issue.

    As others have mentioned, you can change the Javascript behaviour to ensure that all new windows will always retain their title and control bars. Consequently it is amtter of configuring your browser properly.

    The FF team made an admirable effort to come up with a default configuration in prefs.js that mostly works and adding a few lines to it is a matter of concientious system administration.

    My son told me he did a screen capture on the computer of his comp sci teacher, then installed it as a background and had the poor guy futz around for a long time trying to figure out why all his icons and taskbar is dead - we cannot honestly say that such an exploit is a bug in Windows now can we?

Truly simple systems... require infinite testing. -- Norman Augustine

Working...