Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability
Secunia Stay Secure ^ | July 30, 2004

Posted on 08/01/2004 7:11:33 AM PDT by TomGuy

Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability

Secunia Advisory: SA12188 Print Advisory  
Release Date: 2004-07-30

Critical:
Moderately critical
Impact: Spoofing
Where: From remote

Software: Mozilla 0.x
Mozilla 1.0
Mozilla 1.1
Mozilla 1.2
Mozilla 1.3
Mozilla 1.4
Mozilla 1.5
Mozilla 1.6
Mozilla 1.7.x
Mozilla Firefox 0.x

Choose a product and view comprehensive vulnerability statistics and all Secunia advisories affecting it.

Description:
A vulnerability has been reported in Mozilla and Mozilla Firefox, allowing malicious websites to spoof the user interface.

The problem is that Mozilla and Mozilla Firefox don't restrict websites from including arbitrary, remote XUL (XML User Interface Language) files. This can be exploited to "hijack" most of the user interface (including tool bars, SSL certificate dialogs, address bar and more), thereby controlling almost anything the user sees.

The Mozilla user interface is built using XUL files.

A PoC (Proof of Concept) exploit for Mozilla Firefox has been published. The PoC spoofs a SSL secured PayPal website.

This has been confirmed using Mozilla 1.7 for Linux, Mozilla Firefox 0.9.1 for Linux, Mozilla 1.7.1 for Windows and Mozilla Firefox 0.9.2 for Windows. Prior versions may also be affected.

NOTE: This issue appears to be the same as Mozilla Bug 244965.

Solution:
Do not follow links from untrusted sites.

Provided and/or discovered by:
Reported in Mozilla Firefox by:
Jérôme ATHIAS (also created a PoC)

Reported in Mozilla by:
James Ross

Changelog:
2004-07-30: Added an additional Mozilla Bug reference.

Original Advisory:
Original Advisory and Proof of Concept:
http://www.nd.edu/~jsmith30/xul/test/spoof.html

Other References:
XUL Documentation:
http://www.xulplanet.com/

Mozilla Bug reference:
http://bugzilla.mozilla.org/show_bug.cgi?id=244965

Mozilla Bug reference:
http://bugzilla.mozilla.org/show_bug.cgi?id=252198


Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.


Found: 18 Related Secunia Security Advisories, displaying 10

- Mozilla / Mozilla Firefox "onunload" SSL Certificate Spoofing
- Mozilla / Firefox Certificate Store Corruption Vulnerability
- Mozilla Fails to Restrict Access to "shell:"
- Mozilla XPInstall Dialog Box Security Issue
- Multiple Browsers Frame Injection Vulnerability
- Mozilla Browser Address Bar Spoofing Weakness
- Multiple Browsers Telnet URI Handler File Manipulation Vulnerability
- Mozilla / NSS S/MIME Implementation Vulnerability
- Mozilla Cross-Site Scripting Vulnerability
- Mozilla Status Bar Manipulation Weakness


TOPICS: Crime/Corruption; Miscellaneous
KEYWORDS: firefox; mozilla
Navigation: use the links below to view more comments.
first previous 1-2021-4041-56 next last
To: Bush2000
When subjected to the same kinds of attention, they break down similarly.

Sure. And when subjected to the same kinds of driving, a Mercedes will break down in similar ways to a Ford -- fuel pumps, starters, etc, all will break.

Just not as often.

That is what quality *means*. That's how we define "quality".

Are MS-only folks really so unfamiliar with the concept? (again, fill in your own punchline here)

21 posted on 08/01/2004 9:38:32 AM PDT by Dominic Harr
[ Post Reply | Private Reply | To 18 | View Replies]

To: thoughtomator; jakkknife; mhking; mlbford2; el_texicano; beckett; Dominic Harr
I think this may help till they release a patch, it allows you to see if someone is attempting to use the vulverability. Found if on the Firefox Forums: Post by RandomUser.

The prefs I changed were accessed through about:config. Open a new window. Type ABOUT:CONFIG into the address bar, then enter. Scroll down the list (it's in alphabetical order) and you'll find the entries

dom.disable_window_open_feature.location
dom.disable_window_open_feature.menubar
dom.disable_window_open_feature.status

(I changed these three, but there are other pref values you can change also)

Right click on each of those entries and select "modify" from the context menu. Then change the value "false" to "true" and enter. Then close the browser and restart firefox.

Now click on the spoof test (you can find them here http://www.nd.edu/~jsmith30/xul/test/spoof.html ) and you'll see that the scam is easy to recognize so that you won't fall for it.

22 posted on 08/01/2004 1:51:33 PM PDT by yhwhsman ("Never give in--never, never, never, never, in nothing great or small..." -Sir Winston Churchill)
[ Post Reply | Private Reply | To 20 | View Replies]

To: Dominic Harr
Sure. And when subjected to the same kinds of driving, a Mercedes will break down in similar ways to a Ford -- fuel pumps, starters, etc, all will break. Just not as often. That is what quality *means*.

Nonsense. They're not being "subjected to the same kinds of driving". IE is a Humvee being driven through Mogadishu. Mozilla/FireFox is a rental car being driven through Kansas. Entirely different threat levels. Nobody is attacking Mozilla/FireFox; consequently, you can't define "quality" by comparing the number of times that the Humvee gets hit with enemy fire and patched -- and that which the Mozilla/FireFox rental car hits a glitch. Apples and oranges. Not even in the same universe.

That's how we define "quality".

No. That's how an anti-Microsoft whack-job inappropriately defines "quality".
23 posted on 08/01/2004 7:07:20 PM PDT by Bush2000
[ Post Reply | Private Reply | To 21 | View Replies]

To: TomGuy

Linux Sux.


24 posted on 08/01/2004 7:08:10 PM PDT by AmishDude
[ Post Reply | Private Reply | To 1 | View Replies]

To: thoughtomator
Untrue. Firefox, unlike IE, is not intimately tied into the OS, and thus is inherently less vulnerable to the most devastating attacks.

Non-sequitor. Does not follow.
25 posted on 08/01/2004 7:08:50 PM PDT by Bush2000
[ Post Reply | Private Reply | To 20 | View Replies]

To: Bush2000

firefox user bump for later


26 posted on 08/01/2004 7:12:51 PM PDT by Ulysses ("Most of us go through life thinking we're Superman. Superman goes through life being Clark Kent!")
[ Post Reply | Private Reply | To 23 | View Replies]

To: Bush2000
Sure. And when subjected to the same kinds of driving, a Mercedes will break down in similar ways to a Ford -- fuel pumps, starters, etc, all will break. Just not as often. That is what quality *means*.

Nonsense. They're not being "subjected to the same kinds of driving". IE is a Humvee being driven through Mogadishu. Mozilla/FireFox is a rental car being driven through Kansas. Entirely different threat levels. Nobody is attacking Mozilla/FireFox; consequently, you can't define "quality" by comparing the number of times that the Humvee gets hit with enemy fire and patched -- and that which the Mozilla/FireFox rental car hits a glitch. Apples and oranges. Not even in the same universe.

That's how we define "quality".

No. That's how an anti-Microsoft whack-job inappropriately defines "quality".

I think we may finally be reaching the point at which the "alternative browsers" have enough of a market slice to start attracting their own cadre of badboys to attack them.

The results will likely be of mixed irony-quotient. On the one hand, now that they're facing hostile fire for the first time, they're apt to drop like flies. On the other hand, they won't be around to have anyone rub their faces in it, since they'll be off the air, mumbling something about someone getting the number of that truck.

I guess that a drop in the noise level might make a decent metric for evaluating the lack of robustness of their platforms of choice.

27 posted on 08/01/2004 7:28:17 PM PDT by Don Joe (We've traded the Rule of Law for the Law of Rule.)
[ Post Reply | Private Reply | To 23 | View Replies]

To: Bush2000
They're not being "subjected to the same kinds of driving".

They drive the same information superhighways. Visit the same sites. Are subjected to exactly the same hazzards.

And quality *is* defined by how often something breaks.

IE breaks more often, on the same roads. :-D

28 posted on 08/01/2004 8:23:26 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 23 | View Replies]

To: TomGuy
As any browser or OS increases in popularity, so will virus attacks, vunerabilities, hacking, etc

After reading all the glowing testimonials here regarding Firefox I decided to download it and take it out for a spin. For me, it's not ready for prime time. There are too many annoyances and bugs at this stage in its development. I keep my firewall and anti-virus software and OS patches up to date and have not had any problems with IE. I'll keep Firefox, along with Netscape, to test web development. When it's is more mature I'll try it again.

29 posted on 08/01/2004 8:37:29 PM PDT by ItsForTheChildren
[ Post Reply | Private Reply | To 1 | View Replies]

To: TomGuy

Does it affect Camino?


30 posted on 08/01/2004 8:38:40 PM PDT by null and void (Nothing like a near-death experience to change bad habits...)
[ Post Reply | Private Reply | To 1 | View Replies]

Solution: Do not follow links from untrusted sites.

Gee, nice patch...

31 posted on 08/01/2004 8:45:34 PM PDT by Diddle E. Squat
[ Post Reply | Private Reply | To 1 | View Replies]

To: Dominic Harr
They drive the same information superhighways. Visit the same sites. Are subjected to exactly the same hazzards.

Wrong. The "hazards" are tuned specifically for IE -- not Mozilla/Firefox. Here's an analogy maybe even you can understand. It's as if there are vandals sitting on the side of the road. Whenever IE drives down the road, they throw out a nail strip. Or put a bullet through the front grill. Whenever Mozilla/Firefox comes down the road, they ignore it. Yawn. It isn't worth their trouble because most people drive IE.

And quality *is* defined by how often something breaks.

Look, bub, if some malicious SOB pours sugar in your gas tank, it ain't the car's fault. No matter what you'd like to believe.
32 posted on 08/01/2004 9:37:26 PM PDT by Bush2000
[ Post Reply | Private Reply | To 28 | View Replies]

To: Bush2000

Sure it does. A little knowledge of the difference between an application and an operating system is all you need to understand.


33 posted on 08/01/2004 10:30:42 PM PDT by thoughtomator (John Kerry reporting for duty - making sure that nobody interferes with Hillary's run in 2008)
[ Post Reply | Private Reply | To 25 | View Replies]

To: Bush2000
Wrong. The "hazards" are tuned specifically for IE -- not Mozilla/Firefox.

Ah, so dramatic. But wrong. There are plenty of bad guys out there gunning for everyone, there are plenty of crackers out there trying to crack everything. Including Mozilla/Firefox. In fact, with the source code *open* like it is, you might even expect far more exploits on it than IE.

Well, you *might* expect that -- if you didn't know about one of the bennies of open-source . . .

34 posted on 08/01/2004 10:53:09 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 32 | View Replies]

To: Bush2000

"while marginal browsers don't have the same kinds of attacks"

Exactly why I've gone to Firefox! The exploit listed above is going to reside on how many websites? I've known the whole IIS and IE infrastructure has been broken since the Code Red virus. Just look in your software upgrade list andsee how many patch/kludges have been applied.


35 posted on 08/01/2004 11:23:33 PM PDT by FastCoyote
[ Post Reply | Private Reply | To 18 | View Replies]

To: thoughtomator
It's still 99% safer than IE. I'll take my chances with Mozilla any day.

In my office, there are Mozilla users and IE users. During my recent rounds checking workstation security, every single IE user was infected with at least one virus and at least two browser hijacks. Total viruses and hijacks for Mozilla users: zero.

I subscribe to Kim Komando's newsletters. She convinced me to switch to Mozilla's Firefox!
However, in her yesterday's newsletter she said after Microsoft's latest security patch she has now switched back to I.E. being more safe!!
To: The wizards here. How do you switch back to I.E.?
Thank you!!!
36 posted on 08/01/2004 11:32:49 PM PDT by danamco
[ Post Reply | Private Reply | To 3 | View Replies]

To: danamco

Simply start using IE again if you want it. You can't get rid of it without getting rid of the whole Microsoft OS. Type "iexplore" in the Run command line.


37 posted on 08/01/2004 11:41:01 PM PDT by thoughtomator (John Kerry reporting for duty - making sure that nobody interferes with Hillary's run in 2008)
[ Post Reply | Private Reply | To 36 | View Replies]

To: yhwhsman


Thank you for the tip !


38 posted on 08/02/2004 5:39:08 AM PDT by Jackknife (.......Land of the Free,because of the Brave.)
[ Post Reply | Private Reply | To 22 | View Replies]

To: Bush2000
Let's assume your analogy is correct:
"Whenever IE drives down the road, they throw out a nail strip. Or put a bullet through the front grill.'
Why are you driving your IE?
39 posted on 08/02/2004 5:21:54 PM PDT by D-fendr
[ Post Reply | Private Reply | To 32 | View Replies]

To: C-Note
The most popular OS will attract the most hackers... it's just common sennse.

The analogy has more than one level though, to wit ...

Why do you rob banks? Because that is where the money is.
Why don't you rob Fort Knox?

40 posted on 08/02/2004 5:33:27 PM PDT by Cboldt
[ Post Reply | Private Reply | To 15 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-4041-56 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson