Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability

Secunia Stay Secure ^ | July 30, 2004

[TomGuy]

Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability

Secunia Advisory:	SA12188
Release Date:	2004-07-30
Critical:	Moderately critical
Impact:	Spoofing
Where:	From remote
Software:	Mozilla 0.x Mozilla 1.0 Mozilla 1.1 Mozilla 1.2 Mozilla 1.3 Mozilla 1.4 Mozilla 1.5 Mozilla 1.6 Mozilla 1.7.x Mozilla Firefox 0.x
	Choose a product and view comprehensive vulnerability statistics and all Secunia advisories affecting it.
Description: A vulnerability has been reported in Mozilla and Mozilla Firefox, allowing malicious websites to spoof the user interface. The problem is that Mozilla and Mozilla Firefox don't restrict websites from including arbitrary, remote XUL (XML User Interface Language) files. This can be exploited to "hijack" most of the user interface (including tool bars, SSL certificate dialogs, address bar and more), thereby controlling almost anything the user sees. The Mozilla user interface is built using XUL files. A PoC (Proof of Concept) exploit for Mozilla Firefox has been published. The PoC spoofs a SSL secured PayPal website. This has been confirmed using Mozilla 1.7 for Linux, Mozilla Firefox 0.9.1 for Linux, Mozilla 1.7.1 for Windows and Mozilla Firefox 0.9.2 for Windows. Prior versions may also be affected. NOTE: This issue appears to be the same as Mozilla Bug 244965. Solution: Do not follow links from untrusted sites. Provided and/or discovered by: Reported in Mozilla Firefox by: Jérôme ATHIAS (also created a PoC) Reported in Mozilla by: James Ross Changelog: 2004-07-30: Added an additional Mozilla Bug reference. Original Advisory: Original Advisory and Proof of Concept: http://www.nd.edu/~jsmith30/xul/test/spoof.html Other References: XUL Documentation: http://www.xulplanet.com/ Mozilla Bug reference: http://bugzilla.mozilla.org/show_bug.cgi?id=244965 Mozilla Bug reference: http://bugzilla.mozilla.org/show_bug.cgi?id=252198
Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

Found: 18 Related Secunia Security Advisories, displaying 10

- Mozilla / Mozilla Firefox "onunload" SSL Certificate Spoofing

- Mozilla / Firefox Certificate Store Corruption Vulnerability

- Mozilla Fails to Restrict Access to "shell:"

- Mozilla XPInstall Dialog Box Security Issue

- Multiple Browsers Frame Injection Vulnerability

- Mozilla Browser Address Bar Spoofing Weakness

- Multiple Browsers Telnet URI Handler File Manipulation Vulnerability

- Mozilla / NSS S/MIME Implementation Vulnerability

- Mozilla Cross-Site Scripting Vulnerability

- Mozilla Status Bar Manipulation Weakness

[Dominic Harr]

When subjected to the same kinds of attention, they break down similarly.

Sure. And when subjected to the same kinds of driving, a Mercedes will break down in similar ways to a Ford -- fuel pumps, starters, etc, all will break.

Just not as often.

That is what quality *means*. That's how we define "quality".

Are MS-only folks really so unfamiliar with the concept? (again, fill in your own punchline here)

[yhwhsman]

I think this may help till they release a patch, it allows you to see if someone is attempting to use the vulverability. Found if on the Firefox Forums: Post by RandomUser.

The prefs I changed were accessed through about:config. Open a new window. Type ABOUT:CONFIG into the address bar, then enter. Scroll down the list (it's in alphabetical order) and you'll find the entries

dom.disable_window_open_feature.location
dom.disable_window_open_feature.menubar
dom.disable_window_open_feature.status

(I changed these three, but there are other pref values you can change also)

Right click on each of those entries and select "modify" from the context menu. Then change the value "false" to "true" and enter. Then close the browser and restart firefox.

Now click on the spoof test (you can find them here http://www.nd.edu/~jsmith30/xul/test/spoof.html ) and you'll see that the scam is easy to recognize so that you won't fall for it.

[Bush2000]

Sure. And when subjected to the same kinds of driving, a Mercedes will break down in similar ways to a Ford -- fuel pumps, starters, etc, all will break. Just not as often. That is what quality *means*.

Nonsense. They're not being "subjected to the same kinds of driving". IE is a Humvee being driven through Mogadishu. Mozilla/FireFox is a rental car being driven through Kansas. Entirely different threat levels. Nobody is attacking Mozilla/FireFox; consequently, you can't define "quality" by comparing the number of times that the Humvee gets hit with enemy fire and patched -- and that which the Mozilla/FireFox rental car hits a glitch. Apples and oranges. Not even in the same universe.

That's how we define "quality".

No. That's how an anti-Microsoft whack-job inappropriately defines "quality".

[AmishDude]

Linux Sux.

[Bush2000]

Untrue. Firefox, unlike IE, is not intimately tied into the OS, and thus is inherently less vulnerable to the most devastating attacks.

Non-sequitor. Does not follow.

[Ulysses]

firefox user bump for later

[Don Joe]

Sure. And when subjected to the same kinds of driving, a Mercedes will break down in similar ways to a Ford -- fuel pumps, starters, etc, all will break. Just not as often. That is what quality *means*.

Nonsense. They're not being "subjected to the same kinds of driving". IE is a Humvee being driven through Mogadishu. Mozilla/FireFox is a rental car being driven through Kansas. Entirely different threat levels. Nobody is attacking Mozilla/FireFox; consequently, you can't define "quality" by comparing the number of times that the Humvee gets hit with enemy fire and patched -- and that which the Mozilla/FireFox rental car hits a glitch. Apples and oranges. Not even in the same universe.

That's how we define "quality".

No. That's how an anti-Microsoft whack-job inappropriately defines "quality".

I think we may finally be reaching the point at which the "alternative browsers" have enough of a market slice to start attracting their own cadre of badboys to attack them.

The results will likely be of mixed irony-quotient. On the one hand, now that they're facing hostile fire for the first time, they're apt to drop like flies. On the other hand, they won't be around to have anyone rub their faces in it, since they'll be off the air, mumbling something about someone getting the number of that truck.

I guess that a drop in the noise level might make a decent metric for evaluating the lack of robustness of their platforms of choice.

[Dominic Harr]

They're not being "subjected to the same kinds of driving".

They drive the same information superhighways. Visit the same sites. Are subjected to exactly the same hazzards.

And quality *is* defined by how often something breaks.

IE breaks more often, on the same roads. :-D

[ItsForTheChildren]

As any browser or OS increases in popularity, so will virus attacks, vunerabilities, hacking, etc

After reading all the glowing testimonials here regarding Firefox I decided to download it and take it out for a spin. For me, it's not ready for prime time. There are too many annoyances and bugs at this stage in its development. I keep my firewall and anti-virus software and OS patches up to date and have not had any problems with IE. I'll keep Firefox, along with Netscape, to test web development. When it's is more mature I'll try it again.

[null and void]

Does it affect Camino?

[Diddle E. Squat]

Solution: Do not follow links from untrusted sites.

Gee, nice patch...

[Bush2000]

They drive the same information superhighways. Visit the same sites. Are subjected to exactly the same hazzards.

Wrong. The "hazards" are tuned specifically for IE -- not Mozilla/Firefox. Here's an analogy maybe even you can understand. It's as if there are vandals sitting on the side of the road. Whenever IE drives down the road, they throw out a nail strip. Or put a bullet through the front grill. Whenever Mozilla/Firefox comes down the road, they ignore it. Yawn. It isn't worth their trouble because most people drive IE.

And quality *is* defined by how often something breaks.

Look, bub, if some malicious SOB pours sugar in your gas tank, it ain't the car's fault. No matter what you'd like to believe.

[thoughtomator]

Sure it does. A little knowledge of the difference between an application and an operating system is all you need to understand.

[Dominic Harr]

Wrong. The "hazards" are tuned specifically for IE -- not Mozilla/Firefox.

Ah, so dramatic. But wrong. There are plenty of bad guys out there gunning for everyone, there are plenty of crackers out there trying to crack everything. Including Mozilla/Firefox. In fact, with the source code *open* like it is, you might even expect far more exploits on it than IE.

Well, you *might* expect that -- if you didn't know about one of the bennies of open-source . . .

[FastCoyote]

"while marginal browsers don't have the same kinds of attacks"

Exactly why I've gone to Firefox! The exploit listed above is going to reside on how many websites? I've known the whole IIS and IE infrastructure has been broken since the Code Red virus. Just look in your software upgrade list andsee how many patch/kludges have been applied.

[danamco]

It's still 99% safer than IE. I'll take my chances with Mozilla any day.

In my office, there are Mozilla users and IE users. During my recent rounds checking workstation security, every single IE user was infected with at least one virus and at least two browser hijacks. Total viruses and hijacks for Mozilla users: zero.

I subscribe to Kim Komando's newsletters. She convinced me to switch to Mozilla's Firefox!
However, in her yesterday's newsletter she said after Microsoft's latest security patch she has now switched back to I.E. being more safe!!
To: The wizards here. How do you switch back to I.E.?
Thank you!!!

[thoughtomator]

Simply start using IE again if you want it. You can't get rid of it without getting rid of the whole Microsoft OS. Type "iexplore" in the Run command line.

[Jackknife]

Thank you for the tip !

[D-fendr]

Let's assume your analogy is correct:

"Whenever IE drives down the road, they throw out a nail strip. Or put a bullet through the front grill.'

Why are you driving your IE?

[Cboldt]

The most popular OS will attract the most hackers... it's just common sennse.

The analogy has more than one level though, to wit ...

Why do you rob banks? Because that is where the money is.
Why don't you rob Fort Knox?