Mozilla UI Spoofing Vulnerability
Short Circuit writes "Secunia has issued a security advisory for Mozilla and Firefox. Apparently, remote web sites can spoof the user interface using XUL. (See the Firefox proof of concept.) Of course, that won't stop me from using Firefox."
Vulnerability? (Score:3, Interesting)
Re:Not another one! (Score:2, Interesting)
Does this make the point less valid? The open-source community seems to react quickly to criticism like this, so my guess is there will be a fix quickly.
Marked confidential? (Score:5, Interesting)
whoops (Score:4, Interesting)
Gotta love that security-by-obscurity...
Doesnt do tabs (Score:3, Interesting)
Re:Not another one! (Score:3, Interesting)
Re:There's something rotten in Firefox. (Score:4, Interesting)
I mean, it's basically the same as using images to spoof the IE toolbars, Firefox just gives you the tools to do a better job of it.
The only thing I can think of that wouldn't make using XUL a total pita is to warn the users the first time a site tries to use it, something like
"Do you want this site to create an interface in XUL (phishing warning blah blah blah)."
[Yes] [No] [x] remember this for xyz.com
Too much zealotry (Score:4, Interesting)
That's it... (Score:2, Interesting)
This is pretty bad... but... (Score:2, Interesting)
It's pretty bad because it has the end results of several techniques rolled into one handy package - URL spoofing, fake certs, browser hijacking...
Several workarounds being mentioned - using a non-standard toolbar (add at least one extra button/menu-item so you can identify a fake version...), and possibly a non-standard theme would work (though I'm not so sure about this one...)
Anyway, net result - Firefox has a pretty bad security problem, with a fairly easy workaround, and no doubt a fix in the works... - how about not allowing remote sites to run XUL without first warning the user (with the option to turn this warning feature off of course - it's all about choice, right?)
Dave
Re:What the hell? (Score:2, Interesting)
I'm protected in three ways... (Score:2, Interesting)
2. I've customised my toolbars to reduce them into one (plus bookmarks)
3. I have Tab Browser Extensions installed and I run in Single Window mode so all pop-up windows get opened inside my one browser window.
This is the power of Firefox!
Re:What the hell? (Score:5, Interesting)
There is nothing it is not doing like it should.
It may be stupid to allow JavaScript to hide the toolbars etc.
Maybe it would be wise to disable those features in the next Firefox version per default.
It is easy to change right now...
And I don't see why this is worse than IE permitting execution of code on your machine.
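The change the comment above calls "easy to change right now" is a handful of Mozilla preferences. The script below is an added example, not from the thread or from Mozilla: it writes a user.js into a profile directory (a placeholder path you supply) that forces the real location bar, toolbar and status bar to stay visible in script-opened windows and stops scripts from moving windows off-screen or rewriting the status text. It does not stop a page from drawing fake chrome inside its own content area; it only guarantees the genuine chrome stays on screen above it.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread or the Mozilla project).
# write_lockdown_prefs PROFILE_DIR  -> writes PROFILE_DIR/user.js
# PROFILE_DIR is a placeholder; point it at a real profile to use it.
# Pref names are Mozilla's own dom.disable_window_* keys.

write_lockdown_prefs() {
    profile_dir="$1"
    target="$profile_dir/user.js"
    mkdir -p "$profile_dir"
    cat > "$target" <<'EOF'
// Weak (shipping) behaviour: a script may call
//   window.open(url, name, "toolbar=no,location=no,status=no")
// and the browser honours it, so a pop-up arrives with no real chrome.
// Hardened: each chrome element below is forced on for script-opened windows.
user_pref("dom.disable_window_open_feature.location", true);   // URL bar stays
user_pref("dom.disable_window_open_feature.toolbar", true);    // nav toolbar stays
user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("dom.disable_window_open_feature.status", true);     // status bar stays
user_pref("dom.disable_window_open_feature.titlebar", true);
user_pref("dom.disable_window_open_feature.personalbar", true);
// Scripts may not move/resize windows off-screen or rewrite the status text.
user_pref("dom.disable_window_move_resize", true);
user_pref("dom.disable_window_status_change", true);
EOF
    echo "$target"
}

# Audit helper: how many of the lockdown prefs are set to true in a user.js.
count_lockdown_prefs() {
    grep -cE 'user_pref\("dom\.disable_window_(open_feature\.[a-z]+|move_resize|status_change)", true\);' "$1"
}
```

Run `write_lockdown_prefs ~/.mozilla/firefox/<profile>` and restart the browser; `count_lockdown_prefs` on the resulting file should report 8.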
Re:This is nothing... (Score:5, Interesting)
Oh, and there's no excuse for "security through obscurity", especially when you've spent the past five years ridiculing the evil empire for it and thumping your chest singing the praises of being open and honest about the same thing. I don't care if this particular issue is interpreted as a bug, a vuln, a feature or anything else. The Mozilla folks kept this jewel mum for five years as far as I can tell. You know what? That means that XUL is probably flawed in some fundamental way and they know it. And if that's not the case, the fact that they hid it sure makes it seem that way.
I suspect we're going to start seeing many more of these as Mozilla gains a foothold. Perhaps all our retarded zealot fanboys will begin to understand that actual vulnerabilities aside (which affect all code), plain user stupidity and the fundamental problems of the browser as an application platform make up for a large percentage of the perceived problems with IE. Heck, the other day I ran into a page that wanted me to install some XPI malware.
Maybe we're not so superior after all when people actually use what we do. Reality intrudes on the best laid plans, I guess.
Re:This is nothing... (Score:4, Interesting)
Re:There's something rotten in Firefox. (Score:2, Interesting)
The problem was known 4 years ago, but it was marked confidential. I'm not familiar with Bugzilla, so I didn't even know there could be a "confidential" bug. This is the antithesis of Open Source philosophy. This is pure security-through-obscurity, in pure M$ style.
The problem isn't that it was confidential - very few people advocate *immediate* full disclosure without warning the vendor first. The problem is that the confidential bug report wasn't addressed.
I would like to see confidential bugs viewable within Bugzilla, but with the actual report itself hidden (just the metadata like title, reporter, date reported, etc. visible). I would also like to see confidential bugs have a time limit of a month before they become publicly viewable (with email reminders to the proper parties of course).
I agree that there should be a warning before rendering a XUL interface without normal toolbars, etc.
Re:This is nothing... (Score:3, Interesting)
XP SP2 does this (Score:4, Interesting)
Also, Internet Explorer with Windows XP SP2 will prevent websites from creating pop-up windows without a status bar, or with the status bar positioned off screen. Microsoft has recognized that the status bar should always be visible, I think the Mozilla/Firefox team should follow suit.
http://www.microsoft.com/technet/prodtechnol/wi
Re:This is nothing... (Score:5, Interesting)
YOU CANNOT DO THE SAME THING WITH IE!! (Score:4, Interesting)
This is why the Mozilla vulnerability is so serious. You could fool even very experienced users. Like sysadmins who log in as root.
Re:Marked confidential? (Score:5, Interesting)
And aren't a thousand eyes supposed to be looking at the code and fixing it? So shouldn't the fix come quickly? Isn't that the strength of open source? If in theory it sounds good but in reality it doesn't work, what good is it to have a thousand eyes looking at the code for security purposes?
Re:Vulnerability? (Score:3, Interesting)
XUL is bloated and slow (Score:4, Interesting)
I really think (as others have also mentioned) there is a lot of blinkered thinking when it comes to Open Source software, to the extent that people are starting to blindly ignore the flaws - these same flaws in Microsoft apps would be pilloried mercilessly, but here you see all kinds of "yeah, but" comments. I am not putting down OSS, but the XUL thing was a classic example of developers going away to make a browser, and coming back with a bloated, swiss-army-knife, can-customize-up-the-wazoo Internet Platform. I don't particularly care about changing the "skin" on my browser - all I want is a small, fast application that adheres to standards and is preferably cross platform. They could have gotten the cross-platform part by using something like wxWidgets [wxwidgets.org]. I thought Firefox was supposed to be smaller and faster, but unfortunately XUL still seems to be at its core. And for those who say "Well, why don't you go away and make your own browser" - I have other projects I am working on and don't have the time.
And to all those people who say that I should just get a new computer - well, tell that to all the schools out there who have old computers donated for teaching the kids. Anyway, why should I have to upgrade because of one application - a BROWSER of all things? Just a classic case of developers going over the top to prove to everybody just how smart they are and how generalized their code is. And what do you know, now we find out that there seems to be a darker side to all this customizable GUI code. Oh well...
BTW, I don't hate Mozilla. This is a criticism of one aspect of the project that I think just went severely off-track with featuritis. The project is a very worthy effort and I applaud the people who are making it, but these are just my honest thoughts on the matter.
Re:Marked confidential? (Score:3, Interesting)
Re:Marked confidential? (Score:1, Interesting)
Re:what? (Score:3, Interesting)
He played a prank on another colleague that involved making the desktop background a centered image of a windows error message - one of those serious looking "illegal exception" things if I recall correctly.
Naturally when the victim clicks on the OK or Cancel it doesn't work. Then the victim actually got rather worried...
My colleague got pretty worried when I installed the bluescreen screen saver on his PC as an april fool's joke.
I dunno about you but I sometimes find myself clicking the OK/Cancel buttons on example images on some websites. This even though I set my personal colour scheme different from the normal Windows standard (to intentionally help combat this problem).
Re:XUL is a bad idea (Score:2, Interesting)
Re:Marked confidential? (Score:2, Interesting)
Good point, but chances are people aren't going to work their way through the source of a program on the off chance of finding a critical issue. With awareness of a problem, it's much more likely that J. random developer will take a look at it.
Anyway, as another poster stated, this is a problem with the XUL design, not really a coding error. I like the solution of just alerting the user that a website is attempting to run a custom XUL interface, and leave the decision whether to trust the site or not up to the user.