Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability

Secunia Stay Secure ^ | July 30, 2004

[TomGuy]

Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability

Secunia Advisory:	SA12188
Release Date:	2004-07-30
Critical:	Moderately critical
Impact:	Spoofing
Where:	From remote
Software:	Mozilla 0.x Mozilla 1.0 Mozilla 1.1 Mozilla 1.2 Mozilla 1.3 Mozilla 1.4 Mozilla 1.5 Mozilla 1.6 Mozilla 1.7.x Mozilla Firefox 0.x
	Choose a product and view comprehensive vulnerability statistics and all Secunia advisories affecting it.
Description: A vulnerability has been reported in Mozilla and Mozilla Firefox, allowing malicious websites to spoof the user interface. The problem is that Mozilla and Mozilla Firefox don't restrict websites from including arbitrary, remote XUL (XML User Interface Language) files. This can be exploited to "hijack" most of the user interface (including tool bars, SSL certificate dialogs, address bar and more), thereby controlling almost anything the user sees. The Mozilla user interface is built using XUL files. A PoC (Proof of Concept) exploit for Mozilla Firefox has been published. The PoC spoofs a SSL secured PayPal website. This has been confirmed using Mozilla 1.7 for Linux, Mozilla Firefox 0.9.1 for Linux, Mozilla 1.7.1 for Windows and Mozilla Firefox 0.9.2 for Windows. Prior versions may also be affected. NOTE: This issue appears to be the same as Mozilla Bug 244965. Solution: Do not follow links from untrusted sites. Provided and/or discovered by: Reported in Mozilla Firefox by: Jérôme ATHIAS (also created a PoC) Reported in Mozilla by: James Ross Changelog: 2004-07-30: Added an additional Mozilla Bug reference. Original Advisory: Original Advisory and Proof of Concept: http://www.nd.edu/~jsmith30/xul/test/spoof.html Other References: XUL Documentation: http://www.xulplanet.com/ Mozilla Bug reference: http://bugzilla.mozilla.org/show_bug.cgi?id=244965 Mozilla Bug reference: http://bugzilla.mozilla.org/show_bug.cgi?id=252198
Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

Found: 18 Related Secunia Security Advisories, displaying 10

- Mozilla / Mozilla Firefox "onunload" SSL Certificate Spoofing

- Mozilla / Firefox Certificate Store Corruption Vulnerability

- Mozilla Fails to Restrict Access to "shell:"

- Mozilla XPInstall Dialog Box Security Issue

- Multiple Browsers Frame Injection Vulnerability

- Mozilla Browser Address Bar Spoofing Weakness

- Multiple Browsers Telnet URI Handler File Manipulation Vulnerability

- Mozilla / NSS S/MIME Implementation Vulnerability

- Mozilla Cross-Site Scripting Vulnerability

- Mozilla Status Bar Manipulation Weakness

[TomGuy]

For Mozilla/Firefox users who think they are above the vunerabilities, etc.

As any browser or OS increases in popularity, so will virus attacks, vunerabilities, hacking, etc.

[smith288]

*whew*...im glad im running IE. Im safe!

[thoughtomator]

It's still 99% safer than IE. I'll take my chances with Mozilla any day.

In my office, there are Mozilla users and IE users. During my recent rounds checking workstation security, every single IE user was infected with at least one virus and at least two browser hijacks. Total viruses and hijacks for Mozilla users: zero.

[sockmonkey]

*whew*...im glad im running IE. Im safe!

I know you are kidding, but I was not too thrilled when I took the secunia website vulnerability test yesterday, and realized that my IE, despite running NIS could be taken over in a heartbeat.

[Jackknife]

I'll keep my firefox. Since using this; plus redundant firewall, anti-virus, and spyware programs which I run almost religiously; my PC on high-speed dial up runs very fast......and with no viruses or hijackers.

[mhking]

Let's see -- one major flaw in a work-in-progress as opposed to a production model that has had multiple flaws/exploits/problems/et.al.

I'm not saying that FF is bulletproof, but overall, it's a better browser than IE is at the present time. And until MS begins to go back into active browser development instead of the ongoing stagnation they've engaged in, then Mozilla & Opera will remain head and shoulders above them in the development department.

[steveegg]

As any browser or OS increases in popularity, so will virus attacks, vunerabilities, hacking, etc.

Bingo.

[mlbford2]

FF read later

[happydogdesign]

Dealing with Spyware and Adware

[TomServo]

Ping!

[Victor]

bump

[el_texicano]

Likewise, reading later and marking for reference

[beckett]

Haha! I'm using Firefox and find it a great browser, but it's funny that it took only weeks after Mozilla's popularity soared due to IE vulnerabilities for Mozilla itself to become vulnerable.

The problem was never Microsoft. The problem is the hackers themselves. The Microsoft bashers will someday find Linux hacked too.

[Bush2000]

It's still 99% safer than IE.

Surrrrrrrre you are. Just keep telling yourself that...

[C-Note]

tom Guy,
You are 100% correct. The most popular OS will attract the most hackers... it's just common sennse.


C

[Dominic Harr]

For Mozilla/Firefox users who think they are above the vunerabilities, etc.

What is this ignorance on the part of some MS-only computer users that makes this so hard for some to comprehend?

A Mercedes breaks down far, far less often than a Chevy. But can you imagine a Chevy-only devotee getting out there seeing a Merc broken down and saying, "See, it's no better than any other car".

• Only MS-only folks defending MS say Firefox is invulnerable. Firefox users say it breaks far less often.

  For God's sake, I've had to patch my IE how many times this year already?

It's as if MS-only folks have absolutely no idea what "quality" even means . . . (fill in your own joke here).

[D-fendr]

This is likely true:

"As any browser increases in popularity, so will virus attacks."

However, this does not follow:

"so will vunerabilities."

[Bush2000]

A Mercedes breaks down far, far less often than a Chevy.

Bogus analogy. IE has tons of malicious people trying to dismantle the "engine" while it's running -- while marginal browsers don't have the same kinds of attacks. To attribute this to differences in quality is just ridiculous. As we see from this posting, Mozilla/Firefox ain't Mercedes. When subjected to the same kinds of attention, they break down similarly.

[thoughtomator]

Don't have to tell myself that. Actual hands-on experience tells me.

[thoughtomator]

Untrue. Firefox, unlike IE, is not intimately tied into the OS, and thus is inherently less vulnerable to the most devastating attacks.