Mozilla UI Spoofing Vulnerability

Short Circuit writes "Secunia has issued a security advisory for Mozilla and Firefox. Apparently, remote web sites can spoof the user interface using XUL. (See the Firefox proof of concept.) Of course, that won't stop me from using Firefox."
  • Vulnerability? (Score:3, Interesting)

    by insecuritiez ( 606865 ) on Saturday July 31, 2004 @06:11AM (#9851415)
    Excuse me but isn't this "vulnerability" the same thing as saying the pop-up ads that look just like IE on Windows XP are an IE/Windows XP vulnerability? This customizability (albeit automatic by the webpage) is closer to a feature than a vulnerability if you ask me.
  • Re:Not another one! (Score:2, Interesting)

    by Zeal17 ( 602971 ) on Saturday July 31, 2004 @06:14AM (#9851424)
    I've lost faith in Secunia; they seem to love pointing out security holes in open-source products. So I just ignore them now.

    Does this make the point less valid? The open-source community seems to react quickly to criticism like this, so my guess is there will be a fix quickly.
  • Marked confidential? (Score:5, Interesting)

    by Kristoffer Lunden ( 800757 ) on Saturday July 31, 2004 @06:16AM (#9851429) Homepage
    According to the spoof demonstration page, this has been known for five years(!) but the bug filed has been marked "confidential". You'd think that the Mozilla team could do better than security through obscurity - that is usually a reserved tactic for "the other team"....
  • whoops (Score:4, Interesting)

    by ceejayoz ( 567949 ) <cj@ceejayoz.com> on Saturday July 31, 2004 @06:16AM (#9851430) Homepage Journal
    Bug 22183. This is the first mention of the problem that I am aware of. It was marked confidential for five years until 7-21-2004.

    Gotta love that security-by-obscurity...
  • Doesn't do tabs (Score:3, Interesting)

    by isorox ( 205688 ) on Saturday July 31, 2004 @06:21AM (#9851452) Homepage Journal
    I use middle-click tab a lot (practically every link); the proof of concept doesn't show the tabs (still opens them though).
  • Re:Not another one! (Score:3, Interesting)

    by Pahalial ( 580781 ) on Saturday July 31, 2004 @06:24AM (#9851464)
    You -do- realize they've known for 5 years, right? We're only hearing now because it's apparently starting to be used in the wild, not to mention someone published research about using chrome spoofing.
  • by AC-x ( 735297 ) on Saturday July 31, 2004 @06:44AM (#9851517)
    I certainly think having confidential bugs was a very bad idea (who gets to see them I wonder?) but running XUL code is hard not to without making it quite useless, at work we plan to look at it with the view to using it in our web applications instead of HTML (which I think is one of the things it was originally for).

    I mean, it's basically the same as using images to spoof the IE toolbars, Firefox just gives you the tools to do a better job of it.

    The only thing I can think of that wouldn't make using XUL a total pita is to warn the users the first time a site tries to use it, something like

    "Do you want this site to create an interface in XUL (phishing warning blah blah blah)."
    [Yes] [No] [x] remember this for xyz.com
  • Too much zealotry (Score:4, Interesting)

    by brainnolo ( 688900 ) on Saturday July 31, 2004 @06:45AM (#9851521) Homepage
    Well, this IS a bug, and a very nasty one. As the author of that page said, everything in that page can be made to work. With some Javascript you could even identify which version of the browser is running and adapt to it. I've been impressed by clicking on the padlock. I don't think web pages should ever need to load XUL; this is bad design for me. I don't get how you can say that this is not a bug, that this can be done also in IE. It's not true! Those for IE are almost all just gifs and are very easy to notice. But wait, Mozilla loading XULs via HTTP:// without even popping up an alert is a feature, IE loading ActiveX is... bad design! Why? At least ActiveX CAN be useful! Please stay with your feet on the floor.
  • That's it... (Score:2, Interesting)

    by canavan ( 14778 ) on Saturday July 31, 2004 @06:46AM (#9851528)
    now I'll go back to browsing with telnet and openssl s_client.
  • by ravydavygravy ( 230429 ) on Saturday July 31, 2004 @06:47AM (#9851530) Homepage
    Well, I have to say that this exploit is particularly serious - but not the end of the world. I've every faith we'll see a fix fairly soon...

    It's pretty bad because it has the end results of several techniques rolled into one handy package - URL spoofing, fake certs, browser hijacking...

    Several workarounds being mentioned - using a non-standard toolbar (add at least one extra button/menu-item so you can identify a fake version...), and possibly a non-standard theme would work (though I'm not so sure about this one...)

    Anyway, net result - firefox has a pretty bad security problem, with a fairly easy workaround, and no doubt a fix in the works... - how about not allowing remote sites to run XUL without first warning the user (with the option to turn this warning feature off of course - it's all about choice, right?)

    Dave
  • Re:What the hell? (Score:2, Interesting)

    by 4lex ( 648184 ) on Saturday July 31, 2004 @06:50AM (#9851534) Homepage Journal
    Since it doesn't affect the Mac OS X version (just checked), it won't stop me using Mozilla Firefox, for sure ;)
  • by Mr. Smoove ( 160347 ) on Saturday July 31, 2004 @06:54AM (#9851549)
    1. I use a custom theme (Qute as it happens) with small icons

    2. I've customised my toolbars to reduce them into one (plus bookmarks)

    3. I have Tab Browser Extensions installed and I run in Single Window mode so all pop-up windows get opened inside my one browser window.

    This is the power of Firefox!
  • Re:What the hell? (Score:5, Interesting)

    by Spellbinder ( 615834 ) on Saturday July 31, 2004 @07:00AM (#9851568)
    I am not even sure if this should be called a bug.
    There is nothing it is not doing like it should.
    It may be stupid to allow javascript to hide the toolbars etc.
    Maybe it would be wise to disable those features in the next Firefox version by default;
    it is easy to change right now...
    And I don't see why this is worse than IE permitting execution of code on your machine.
  • by dedazo ( 737510 ) on Saturday July 31, 2004 @07:09AM (#9851586) Journal
    That's nice, except that when "blackhats" do the same thing to people who use IE then it's Microsoft's fault.

    Oh, and there's no excuse for "security through obscurity", especially when you've spent the past five years ridiculing the evil empire for it and thumping your chest singing the praises of being open and honest about the same thing. I don't care if this particular issue is interpreted as a bug, a vuln, a feature or anything else. The Mozilla folks kept this jewel mum for five years as far as I can tell. You know what? That means that XUL is probably flawed in some fundamental way and they know it. And if that's not the case, the fact that they hid it sure makes it seem that way.

    I suspect we're going to start seeing many more of these as Mozilla gains a foothold. Perhaps all our retarded zealot fanboys will begin to understand that actual vulnerabilities aside (which affect all code), plain user stupidity and the fundamental problems of the browser as an application platform make up for a large percentage of the perceived problems with IE. Heck, the other day I ran into a page that wanted me to install some XPI malware.

    Maybe we're not so superior after all when people actually use what we do. Reality intrudes on the best laid plans, I guess.

  • by auzy ( 680819 ) on Saturday July 31, 2004 @07:11AM (#9851597)
    Actually, you can make javascript almost as interactive. The only advantage for this one is the theme is the same, and the bookmarks are there. I'm actually thinking about whether it's worth making a javascript clone which would fool 90% of people, and be actually a higher risk because it would work on IE too, and Safari, and whatever else is available. Of course, I believe in reusable programming and the only people who would look at the code for such a thing would be the last people you want to see it.
  • by Anonymous Coward on Saturday July 31, 2004 @07:16AM (#9851606)

    The problem was known 4 years ago, but it was marked confidential. I'm not familiar with Bugzilla, so I didn't even know there could be a "confidential" bug. This is the antithesis of Open Source philosophy. This is pure security-through-obscurity, in pure M$ style.

    The problem isn't that it was confidential - very few people advocate *immediate* full disclosure without warning the vendor first. The problem is that the confidential bug report wasn't addressed.

    I would like to see confidential bugs viewable within Bugzilla, but with the actual report itself hidden (just the metadata like title, reporter, date reported, etc visible). I would also like to see confidential bugs have a time limit of a month before they become publicly viewable (with email reminders to the proper parties of course).

    I agree that there should be a warning before rendering a XUL interface without normal toolbars, etc.

  • by smallfries ( 601545 ) on Saturday July 31, 2004 @09:43AM (#9852008) Homepage
    Actually this is nothing for me. Does it work for anyone else? The screenshot looks quite well done but the actual spoof just bombs out on my copy of firefox with an xml parsing error and a *huge* 5000 pixel wide yellow window. That didn't exactly take me in...
  • XP SP2 does this (Score:4, Interesting)

    by spideyct ( 250045 ) on Saturday July 31, 2004 @10:26AM (#9852184)
    Good suggestion.

    Also, Internet Explorer with Windows XP SP2 will prevent websites from creating pop-up windows without a status bar, or with the status bar positioned off screen. Microsoft has recognized that the status bar should always be visible, I think the Mozilla/Firefox team should follow suit.

    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx#XSLTsection137121120120
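    Spellbinder's remark above that the hide-the-toolbars behaviour "is easy to change right now" and spideyct's point about SP2 forcing the status bar to stay visible rest on the same mechanism: the browser can be configured to ignore a page's request to hide chrome. The following JavaScript is an added example, not code from this thread or from Mozilla; the `dom.disable_window_open_feature.*` keys are real Firefox/Mozilla preference names, while the feature-string parsing and the "unspecified means hidden" default are a simplified model of what the browser does (assumptions).

```javascript
// Added example: models how dom.disable_window_open_feature.* preferences
// neutralise a page's attempt to hide browser chrome via window.open().
// The pref names are real about:config keys; the parsing below is a
// simplified model, not Mozilla's implementation.

// Hardened policy: these chrome pieces stay visible whatever a site asks for.
const HARDENED_PREFS = {
  "dom.disable_window_open_feature.location": true, // URL bar always shown
  "dom.disable_window_open_feature.status": true,   // status bar always shown (SP2-style)
  "dom.disable_window_open_feature.toolbar": true,
  "dom.disable_window_open_feature.menubar": true,
};

// Chrome elements a window.open() feature string may try to switch off.
const CHROME = ["toolbar", "location", "menubar", "status", "personalbar"];

// Parse "toolbar=no,location=no,width=400" into { toolbar: false, ..., width: "400" }.
function parseFeatures(featureString) {
  const out = {};
  for (const part of featureString.split(",")) {
    const [rawKey, rawVal] = part.split("=").map((s) => s.trim());
    if (!rawKey) continue;               // skip empty segments ("" or trailing commas)
    const key = rawKey.toLowerCase();
    if (rawVal === undefined) { out[key] = true; continue; } // bare "toolbar" means yes
    const v = rawVal.toLowerCase();
    if (v === "yes" || v === "1" || v === "true") out[key] = true;
    else if (v === "no" || v === "0" || v === "false") out[key] = false;
    else out[key] = rawVal;              // size values such as width=400
  }
  return out;
}

// Compute which chrome elements the new window will actually show under `prefs`.
// Model assumption: with a non-empty feature string, unspecified chrome defaults
// to hidden; with an empty string, everything is shown.
function effectiveChrome(featureString, prefs) {
  const req = parseFeatures(featureString);
  const anyRequested = Object.keys(req).length > 0;
  const result = {};
  for (const name of CHROME) {
    const requested = name in req ? req[name] === true : !anyRequested;
    const forced = prefs["dom.disable_window_open_feature." + name] === true;
    result[name] = forced ? true : requested; // a forced pref wins over the page
  }
  return result;
}
```

With an empty `prefs` object the page's `location=no,status=no` request succeeds, which is the situation the thread is discussing; with `HARDENED_PREFS` the URL bar and status bar are reported as visible regardless.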

  • by Michalson ( 638911 ) on Saturday July 31, 2004 @10:45AM (#9852268)
    You should really read the Mozilla vuln. list. While they only allow things that have been reported, *already fixed*, and *gone for 2 versions already*, it does provide a pretty scary look at Mozilla's "security", or lack thereof. While I will be the first to admit this model of secrecy has worked in the past, it doesn't look like it will in the future. First, a lot of people are moving to Mozilla and Firefox, making it a viable target (I've already seen several instances of xpi spyware/trojans ["please install me to make your clock run accurately"] being used in place of traditional ActiveX), and second, security reporting has been changing. In the past Mozilla security bugs were reported directly to Mozilla, where they could be kept secret as long as it took Mozilla to fix them - I've only seen a few rare cases of someone actually taking their grievances about Mozilla's slow bug fixing public (like the 1 line Javascript exploit for taking down every Mozilla window and tab at once, which took a year to fix, finally being done when the vulnerability was reposted to a public board, which prompted it to be fixed silently shortly after 1.7 came out). With Mozilla and Firefox "mainstream" browsers now, real security experts are starting to look at them, and they don't play Mozilla's game. They want credit for their discovery, so they don't want to have it shuffled under the rug while Mozilla pretends it never existed. This means publicly announcing exploits, which not only forces Mozilla to radically change how quickly they respond to security bugs, but also forces them to publicly inform users that they should upgrade to the latest build (before, of course, they just kept fixes secret and let everyone who doesn't download a 12MB build every day browse with arbitrary code execution vulnerabilities, since saving their own face was more important).

    The fact that Mozilla vulnerabilities are going to start getting announced within days or hours of them being patched means you're going to start getting exactly what you get in IE - hackers take the bug, make a working exploit, and deploy it a week or month later against the 90% of people who didn't download Mozilla's daily bugfix (perhaps a bigger problem than IE, since Mozilla demands you download the whole 12MB thing, instead of just a little 100KB patch file). Remember Blaster - easy, 56k friendly, made available more than a month before it hit. Now try "easy, 12MB patch made available on a weekly basis" and see how few people are keeping ahead of the hackers.
  • by skidoo2 ( 650483 ) on Saturday July 31, 2004 @10:47AM (#9852273)
    At the risk of losing MASSIVE Karma points, I can't, in good conscience, fail to note that all of these claims that IE is vulnerable to this same type of spoofing are FALSE. You cannot create a fake browser window of ANY size or shape in IE with the same theme the user is employing for his or her desktop. This information is simply NOT available to IE's DHTML implementation. You can fool a retard with a borderless fake window, but you'll never guess my lime green ugly-ass color scheme is in place, and I **will** notice the rogue window.

    This is why the Mozilla vulnerability is so serious. You could fool even very experienced users. Like sysadmins who log in as root. :-)
  • by GoofyBoy ( 44399 ) on Saturday July 31, 2004 @11:58AM (#9852610) Journal
    So it's ok for Mozilla/Firebird to utilize security through obscurity, yet not when a closed source application does?

    And aren't a thousand eyes supposed to be looking at the code and fixing it? So shouldn't the fix come quickly? Isn't that the strength of OpenSource? If in theory it sounds good but in reality it doesn't work, what good is it to have a thousand eyes looking at the code for security purposes?
  • Re:Vulnerability? (Score:3, Interesting)

    by plj ( 673710 ) on Saturday July 31, 2004 @12:04PM (#9852643)
    Interesting thing though, that on OS X nobody's fooled, as the fake menubar appears on the top of the window as an empty bar (without changing the actual menu bar), which will instantly reveal that everything is not as it should be.
  • by ngunton ( 460215 ) on Saturday July 31, 2004 @12:14PM (#9852691) Homepage
    XUL makes these browsers unusably slow on older machines. I have to use Netscape 4.8 (which has its own issues, but speed certainly isn't one of them - it doesn't take 5-10 seconds to open a new window) in order to get acceptable response on my old 450 MHz desktop (which is, I might add, perfectly fine using ANY other application, including Windows 2000, IE, Apache, MySQL, Word and so on).

    I really think (as others have also mentioned) there is a lot of blinkered thinking when it comes to Open Source software, to the extent that people are starting to blindly ignore the flaws - these same flaws in Microsoft apps would be pilloried mercilessly, but here you see all kinds of "yeah, but" comments. I am not putting down OSS, but the XUL thing was a classic example of developers going away to make a browser, and coming back with a bloated, swiss-army-knife, can-customize-up-the-wazoo Internet Platform. I don't particularly care about changing the "skin" on my browser - all I want is a small, fast application that adheres to standards and is preferably cross platform. They could have gotten the cross-platform part by using something like wxWidgets [wxwidgets.org]. I thought Firefox was supposed to be smaller and faster, but unfortunately XUL still seems to be at its core. And for those who say "Well, why don't you go away and make your own browser" - I have other projects I am working on and don't have the time.

    And to all those people who say that I should just get a new computer - well, tell that to all the schools out there who have old computers donated for teaching the kids. Anyway, why should I have to upgrade because of one application - a BROWSER of all things? Just a classic case of developers going over the top to prove to everybody just how smart they are and how generalized their code is. And what do you know, now we find out that there seems to be a darker side to all this customizable GUI code. Oh well...

    BTW, I don't hate Mozilla. This is a criticism of one aspect of the project that I think just went severely off-track with featuritis. The project is a very worthy effort and I applaud the people who are making it, but these are just my honest thoughts on the matter.
  • by Creedo ( 548980 ) on Saturday July 31, 2004 @12:55PM (#9852906) Journal
    It is there to allow you to use Mozilla/Firefox as an actual application development platform. For more information, look here [xulplanet.com].
  • by Anonymous Coward on Saturday July 31, 2004 @01:29PM (#9853070)
    Fix it the same way Java fixed it many many years ago. If the user creates a window which is not a browser window, display a security warning at the bottom of it. I'm sure there are plenty of other ways to mark it as well (change window frame color, warning in titlebar, etc.)
  • Re:what? (Score:3, Interesting)

    by TheLink ( 130905 ) on Saturday July 31, 2004 @02:59PM (#9853572) Journal
    Heck, my ex-colleague has done similar things years ago too.

    He played a prank on another colleague that involved making the desktop background a centered image of a windows error message - one of those serious looking "illegal exception" things if I recall correctly.

    Naturally when the victim clicks on the OK or Cancel it doesn't work. Then the victim actually got rather worried...

    My colleague got pretty worried when I installed the bluescreen screen saver on his PC as an april fool's joke.

    I dunno about you but I sometimes find myself clicking the OK/Cancel buttons on example images on some websites. This even though I set my personal colour scheme different from the normal Windows standard (to intentionally help combat this problem).
  • Re:XUL is a bad idea (Score:2, Interesting)

    by mcsmurf ( 757095 ) on Saturday July 31, 2004 @03:35PM (#9853774) Homepage
    The idea was/is: If you focus on web browsing only, you always have to see what other browsers (especially IE) do and always jump after them if they create some cool new thing or introduce a new successful tag (also it's not in the specs). So the idea is to create a surplus value like XUL in combination with other things, like access to Mozilla internal interfaces or RDF, XUL, SOAP, XML support, which makes it easy to create some web-apps (an application development platform). So here you are the challenger then and don't have to follow the other browsers all the time.
  • by FuzzyBad-Mofo ( 184327 ) <fuzzybad@nOSPAm.gmail.com> on Sunday August 01, 2004 @03:54AM (#9856738)

    Good point, but chances are people aren't going to work their way full the source of a program on the off chance of finding a critical issue. With awareness of a problem, it's much more likely that J. random developer will take a look at it.

    Anyway, as another poster stated, this is a problem with the XUL design, not really a coding error. I like the solution of just alerting the user that a website is attempting to run a custom XUL interface, and leave the decision whether to trust the site or not up to the user.
