Mozilla UI Spoofing Vulnerability 583
Short Circuit writes "Secunia has issued a security advisory for Mozilla and Firefox. Apparently, remote web sites can spoof the user interface using XUL. (See the Firefox proof of concept.) Of course, that won't stop me from using Firefox."
What the hell? (Score:4, Insightful)
What kind of blind OSS zealotry is this? If somebody said something similar of IE there would be a unanimous uproar of upbraids from the slashdot community against whoever said it.
Is it somehow tolerable for OS software to have faults, even serious ones? Security through obscurity is no security at all, as I'm sure many Firefox users will learn one day. Personally, I believe statements like that, and the people that make them are what is holding OSS back from becoming a serious contender to the juggernauts of mocrosoft. If we continue to sit on laurels gained only through lucky ineptitude we will get precicely nowhere.
PS seems like google has started another round of gmail invites, I just got six. Logged in users tell me your funniest joke involving tux the linux penguin and the six funniest will recieve an invite (use a throwaway account, I'm sure this post will be followed by cowardly un-obfuscating trolls).
Fix the Colors! (Score:1, Insightful)
http://slashdot.org/article.pl?sid=04/07/31/00372
(I sound like a broken record. I know that. But if it gets said enough times perhaps someone will notice and change something.)
Re:Vulnerability? (Score:3, Insightful)
Re:Vulnerability? (Score:5, Insightful)
Confidential bugs in open source projects (Score:2, Insightful)
Double standards? (Score:5, Insightful)
If this was an issue with IE and not Firefox, I hope you'd still be saying the same thing?
However I suspect that you'd be denigrating IE as loudly as possible, while insisting that everyone should move immediately to Firefox.
Re:Vulnerability? (Score:5, Insightful)
As a sidepoint, I think the actual vunerability is the fact that XUL can be effectively imported and utilised from a website, rather than a vunerability saying "you can spoof the xyz browser using http user-agent flags and jpeg images" as a bad example
There's something rotten in Firefox. (Score:5, Insightful)
(1).The problem was known 4 years ago, but it was marked confidential. I'm not familiar with BugZilla,so I didn't even know there could be a "confidential" bug. This is the antithesis of Open Source philosophy. This is pure security-through-obscurity, in pure M$ style. If the bug wasn't "confidential",I'm sure we should have seen this fixed years ago.
I just hope most of the other open source/free software projects I rely on every day (Linux,KDE,Mplayer,Kile,Thunderbird,Nicotine and so on...) don't follow such a moron habit.
(2)How can the browser load XUL code and use it without warning? This is not a bug: this looks more like IE-like flawed design. Correct design shouldn't even *read* any data of this kind, let alone running it and let it deface the browser itself!
The Mozilla family of browsers/mail clients is still a crew of wonderful programs,and I'm proud of using them. But they will rapidly become IE-like crap, if they continue this way.
Re:Javascript should be enabled. (Score:5, Insightful)
what sort of moron would let a webpage run code on his machine anyway?
The average user.
Re:What the hell? (Score:2, Insightful)
This is why I use Windows, which is more secure because hackers can't search the code for vulnerabilities to exploit.
</stupidity>
But it does make me glad I have both installed on all computers. It is ironic tho, with all the MS bashing, and this is actually a more serious exploit the last few IE exploits. Firefox doesn't have the quantity of bugs that IE has, but it makes up for it with the quality I guess.
As for me, I'm gonna start surfing in a shell with Lynx.
Re:This is nothing... (Score:3, Insightful)
Rat never thought this thru. I think his trying to gain attention over something which he never bothered contemplating that there was no possible solution anyway.
Thanks to him now, his given just about every credit card frauder on the planet new ideas (and even implemented the paypal clone code for it too). They made it confidential to just stop ppl panicing about something which has always been possible and to try to stop frauders from adding this technique to their arsenal.. Now, Rat has done an incredibly smart move and gave spammers, credit card frauders, script kiddies some new ideas.. And for that, we have to thank him
Damn.. (Score:1, Insightful)
I used to say the same about IE 2-3 months ago, you insensitive clod!
Re:What the hell? (Score:3, Insightful)
> IE there would be a unanimous uproar of upbraids from the slashdot community
> against whoever said it.
Who cares what the `slashdot community` says? There's a mixture of people here. You don't have to listen to everyone. I'm not a zealot and i'm going to be sticking with Firefox, as I don't believe i'm at risk of this particular exploit, as I have a local webpage on my hard drive which is just a list of URLs to sites I use regularly, so unless that gets hacked i'm going to end up where I expect.
> Is it somehow tolerable for OS software to have faults, even serious ones?
All software has faults. IE has loads, Firefox has a few. On balance, it would appear that users of non-microsoft software are less at risk than microsoft users, and the problems get fixed more quickly. Or do you think this most recent security issue tips the balance back in favour of IE being the safest browser to use?
Re:Doesnt do tabs (Score:3, Insightful)
Re:There's something rotten in Firefox. (Score:4, Insightful)
I fully agree this is a very bad idea. All it takes is someone to get hacked, or in another way disclosing information about these secret bugs, and then they might start circulating among "underground" hackers without us knowing it, and voila we have an exploit for an issue a very large group of the developers didn't even know exist.
If they did know, they could of course have offered help in resolving the bug much earlier.
They need to start thinking about these things now as the browser might start to gain momentum. Even if it's not huge problems revealed, merely the fact that secret bugs exists and are revealed now and then (I have no doubt we'll see more in the future since this is probably not the only one), is severe negative publicity for the Mozilla products. It wouldn't be nearly as bad if the bugs weren't secret.
Re:Too much zealotry (Score:3, Insightful)
As for ActiveX, that's actually running code on your computer, XUL is just an interface language. You can't run XUL that'll install spyware on your machine for example.
Re:Vulnerability? (Score:5, Insightful)
Exactly - furthermore, you can easily do exactly the same with IE. You just create a new window, with the fullsize property set, then set the dimensions (so you then have a blank window with no chrome at all - not even a title bar) - after that it's simply a matter of adding your spoofed interface using DHTML... Game over.
don't allow pop-ups without menu/location/etc (Score:5, Insightful)
user_pref("dom.disable_window_open_feature.locati
user_pref("dom.disable_window_open_feature.menuba
user_pref("dom.disable_window_open_feature.minimi
user_pref("dom.disable_window_open_feature.resiza
user_pref("dom.disable_window_open_feature.scroll
user_pref("dom.disable_window_open_feature.status
This makes all pop-ups have a full navigation bar, location bar, status bar, and forces them to be resizable and scrollable.
It may look uglier than plain-window pop-ups, but it does keep you in full control of your browser.
With these options set, the spoof pages look obviously like what they are: a fake browser within a real browser.
Re:What the hell? (Score:4, Insightful)
Re:This is nothing... (Score:3, Insightful)
You have to think logically, to do something like this you have to give someone a link too, thats where most likely the best place to do a check.. Make sure that if a hyperlink on a page says its http://www.paypal.com, make sure it doesn't go to http://killme.com
I still think that something like that something like this in javascript would affect just as many ppl as the XUML version.. But be more dangerous because it affects every browser
Re:What the hell? (Score:2, Insightful)
Yep, you are absolutely right. We would be blasting IE from every (virtual) rooftop.
That this bug was hidden away in the Bugzilla annals for over 4 years as Confidential is really intolerable. It reeks of trying to sweep an embarassing problem under the rug, which is the complete antithesis of Open Source development.
One of my coworkers who recently defected from I.E. to Firefox stated, upon the last Firefox vulnerability, that if he had to frequently upgrade his Firefox because of security issues, he may as well just stay with IE. And he unfortunately has a valid point.
If a person, or group, can't be mature enough to admit a big, "oops, I/we made a really big design mistake. We'll fix it because many people are depending on us," then that person or group has no business working on such a fundamentally important piece of software as a web browser.
A workable solution to this kind of problem has been around for many years. Java applets, when run from appletviewer, display a very prominent notice telling the user that very thing.
I hate Javascript with a passion, and disable it except for those crucial sites (broken as they are) that will not work without it. But for those sites, it's just common sense for the browser to to inform the user from within all Javascript popup windows that the window is a result of Javascript.
Actually, every user interface that is not a built-in part of the application should contain an unremovable notice (ala appletviewer) to make user interface spoofing (a very well known security risk) unworkable.
Re:Bear in mind... (Score:3, Insightful)
Sure, if a toolbar suddenly looks like the default config all users will suspect a faked UI and get alerted instantly... you expect too much. IMHO many will simply assume the browser messed up their config and keep on browsing. Even if the majority gets suspicious, the small percentage that is fooled is most likely to be profitable enough for the phishers.
Any fresh Firefox installation asks about sending unencrypted form data, but not about executing arbitrary XUL stuff? This is a serious design flaw.
Re:What the hell? (Score:5, Insightful)
What kind of blind OSS zealotry is this?
You know, I never advocate using Mozilla/Firefox due to lack of vulnerabilities; because deep down inside, I know there are a ton of vulnerabilities just waiting to be found. This is a problem for any reasonably complex software. Two reasons to use Mozilla/Firefox:
1. Feature-wise, it completely blows away IE
2. Standards compliant, which will help make the web a better place for all browsers
Also, it runs on many OS's, but that's not a good reason for everyone.
Currently, most of the malware/viruses/etc are for IE. But I have seen sites that try to get you to install Mozilla extensions that could be potentially malicious. With Mozilla's new-found popularity, it's only a matter of time before Mozilla gets attention from the malware writers. Get ready for it.
Expect this to get more prevalent (Score:4, Insightful)
This kind of spoofing is going to become more problematic, not less.
It's not just a bug, it's a bad user interface! (Score:5, Insightful)
There shouldn't be a mechanism in the HTML/script/etc to do things like pop-ups, pop-behinds, moving windows, windows without toolbars and status bars... there should be an unbreakable firewall at the edge of the document portion of the browser.
Re:There's something rotten in Firefox. (Score:4, Insightful)
If you want to view your web applications internally using XUL, having a whitelist akin to the popup blocker seems the best way (don't bother user unless he figures out something is missing and he clicks on the disabled-window icon). For all us people just wanting to browse some HTML, automatically (or even after prompting) running XUL from a remote server is a flaw and potentially dangerous, and should be considered as such. I'm amazed this hasn't received more attention.
Re:Vulnerability? (Score:1, Insightful)
Re:Double standards? (Score:4, Insightful)
a) If you use anything Microsoft, you're an idiot.
b) If you use anything Linux, you're a maniac.
Sort of like slow-driver/fast-driver syndrome.
Signed Xul or trusted XUL sites (Score:3, Insightful)
I realize we now have dialogs that warn us about everything AND that most people just click through but having trusted XUL sites or signing it somehow would be just fine by me.
What really annoys me is that:
A) The bug was marked confidential for 5 freaking years!
B) The people saying that it isn't a big deal.
It IS a big deal or else the damn thing wouldn't have been marked confidential for 5 years. Sure it doesn't allow you to overwrite system files but I can recover from a virus. It's harder to recover from having a bank account wiped out because you used and unprotected debit card on a spoofed website ( forgetting that anyone who uses a debit card instead of a real credit card online is just asking to be screwed ).
Really the best route for this is to disallow remote XUL execution by default with an option to enable it in the prefs with a list of trusted XUL sites.
what? (Score:5, Insightful)
I've never heard anyone say it was MS's fault that people can make a convincing fake browser interface to fool people. Hell, all of slashdot has discussed this type of thing before, with the old ads some companies made to look like popup dialog boxes. Those fooled a lot of people, but I've never heard anyone say it was MS's fault.
But there's a very simple solution, and I can explain it in one sentence.
Never let anything, popup windows, javascript, etc., hide any part of the browser interface.
That's it. 100% solution to the "fake browser interface" problem. In fact, Firefox already has that partly covered, "Allow scripts to: [*] Hide the status bar" => "Allow scripts to: [ ] Hide the status bar". That setting should default to unchecked, and it shouldn't be user-modifiable. On my system, I immediately saw a double status-bar. But that's not enough, the menu bar and browser controls shouldn't be hidable either.
Re:Marked confidential? (Score:3, Insightful)
I'm not making excuses for the Mozilla team (I mean this sort of freaks me out) , but I have no idea how to fix it. You could make all the bars "collapsed" on a "blank" window which would allow the user to always click them and look at the mormal UI again, but then you sort of expect that the user would know what those collapseable bars are for. Well it's better than nothing so maybe that's not such a bad idea... Anyway it's a problem with the way web browsers work as much as anything.
Why is this article specific to Mozilla? (Score:4, Insightful)
What am I missing when I don't understand why this problem is specific to XUL in Mozilla?
Re:This is nothing... (Score:2, Insightful)
I don't want any website to ever be able to hide the status bar, for any reason.
For that matter, I don't want any website to be able to hide my address bar, toolbar, or menu bar either.
Period. Why is THIS not an option in Mozilla or Firefox. This is my computer why is that not an option?
Re:Vulnerability? (Score:3, Insightful)
The point being that even though I do fancy myself a pretty observant person (honestly I usually am) I didn't notice right off the bat what was missing from my usual interface and I bet most users wouldn't unless they looked for them on EVERY page load.
Re:This is nothing... (Score:3, Insightful)
> it's pretty obvious actually.
So how do these experts have any idea what will affect the end user? From their non-javascript Ivory Tower, they survey the scene and see all is good. meanwhile, Joe Dickwad sends his credit card info to the Ukraine, thinking he's just bought his momma a bouquet for mothers' day.
To secure the end user's experience, you need to experience things from an end-user perspective.
[this comment is nitpicking the post, not the experts, by the way]
Re:whoops (Score:1, Insightful)
Re:Marked confidential? (Score:1, Insightful)
Here the fake page can use the exact same XUL UI controls as the real browser, instead of emulating them with DHTML. That lowers the bar significantly.
Re:Why is this article specific to Mozilla? (Score:1, Insightful)
With XUL, you can use the EXACT SAME UI controls as the real application (no artistic talent required!).
I use Opera (Score:3, Insightful)
No pointless XUL, no reimplemented widgets, no cute little XPI spoofs. Just a native web browser that is the fastest and leanest out there.
It's interesting to watch the conflicts of posters today. On one hand, they want to keep using Firefox and supporting it. On the other hand, they know that if this was an IE vulnerability, they'd be all over it and crying out about "why would anybody still be using IE, especially if this was known for five years!!"
Just an amusing illustration of double-standards on some people's parts. Not everyone...just the hardcore zealots who like to post here. This trend of Mozilla holes is a nice way for them to gain a little perspective on the matter.
Now, imagine if Mozilla had IE's marketshare right now! These holes would be blown apart by hackers, and I imagine dozens more would be discovered. Already, the trend is rising.
Re:Marked confidential? (Score:4, Insightful)
Uh-huh (Score:2, Insightful)
Re:what? (Score:3, Insightful)
Exactly...I don't know why javascript even allows popup windows, or altering the browser interface. The browser should contain a save, self-contained viewport on the world wide web. Anything that a webpage does should *only* occur within the viewport.
Thing is........ (Score:2, Insightful)
Re:Javascript window "features" (Score:3, Insightful)
1) Whenever you have to show the user some information that is not directly related to the task at hand. Example: you have a multi-page "wizard" style form allowing a user to enter information into a database. It is a fairly complex process, in which the options offered on later pages will depend on which options were selected on earlier pages. Scattered across each page, you have links that open a glossary to define a particular term. Opening the glossary information in a new window (one without toolbars, etc), allows you to provide that information to the user without interrupting their workflow. Toolbars are extraneous to the window, since it never shows anything but the glossary page. Showing them would be pointless, and would detract from the look-and-feel of the application.
2) When you want to offer a user the ability to view an arbitrary item from a list without reloading the page. Example: you have a bunch of images, and you want to let a user preview each one. You list each filename and other file details, then you have a link entitle "Preview", which opens up a new window (with no toolbar, etc) showing that image. Subsequent previews will resize the existing preview window and change its url rather than opening an entirely new one. If the preview button left the index page to preview each picture, it would increase the amount of traffic on your web server, with each new request for the index page. This may seem trivial, but if the index page is generated using information from a database, that can mount up fast, especially if you have multiple concurrent users. Again, toolbars are extraneous to the function of the window in this situation.
3) In any situation where you want to make two windows easily distinguishable from one another. If you have ever watched inexperienced or non-proficient web users, you will note that they frequently become confused when dealing with multiple browser windows, and this is especially true when the page author adds a target="_blank" attribute to a link. The new window opens, taking up all the available screen real estate, and looking exactly like the previous window, so the user naturally tries to use the "Back" button to return to what they were just looking at. But it doesn't work, and so they have to stop and study their open programs to figure out what happened. If, on the other hand, that content were opened in a smaller window with no toolbars overlaid on the parent window, it is instantly obvious that it's a new window, and the user is much less likely to get confused, leading to a better experience with the web site.
The first and second examples come from real life uses of window.open() -- both in my own pages. The third is applicable to virtually any proper use of JavaScript window control. I hate pop-up ads as much as anyone, and I'm profoundly grateful that FireFox blocks unsolicited calls to window.open(). Two other things make me glad: firstly, that you have the option of turning all that stuff off because you hate it; and secondly, I am glad that you're not in charge of FireFox development, because I suspect that a lot of "annoying" pages might not function properly in FireFox if you were.