Skip to comments.
Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability
Secunia Stay Secure ^
| July 30, 2004
Posted on 08/01/2004 7:11:33 AM PDT by TomGuy
Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability |
|
Secunia Advisory: |
SA12188 |
|
Release Date: |
2004-07-30 |
|
Critical: |
Moderately critical |
Impact: |
Spoofing
|
Where: |
From remote
|
|
Software: |
Mozilla 0.x Mozilla 1.0 Mozilla 1.1 Mozilla 1.2 Mozilla 1.3 Mozilla 1.4 Mozilla 1.5 Mozilla 1.6 Mozilla 1.7.x Mozilla Firefox 0.x
|
|
Choose a product and view comprehensive vulnerability statistics and all Secunia advisories affecting it. |
|
Description: A vulnerability has been reported in Mozilla and Mozilla Firefox, allowing malicious websites to spoof the user interface.
The problem is that Mozilla and Mozilla Firefox don't restrict websites from including arbitrary, remote XUL (XML User Interface Language) files. This can be exploited to "hijack" most of the user interface (including tool bars, SSL certificate dialogs, address bar and more), thereby controlling almost anything the user sees.
The Mozilla user interface is built using XUL files.
A PoC (Proof of Concept) exploit for Mozilla Firefox has been published. The PoC spoofs a SSL secured PayPal website.
This has been confirmed using Mozilla 1.7 for Linux, Mozilla Firefox 0.9.1 for Linux, Mozilla 1.7.1 for Windows and Mozilla Firefox 0.9.2 for Windows. Prior versions may also be affected.
NOTE: This issue appears to be the same as Mozilla Bug 244965.
Solution: Do not follow links from untrusted sites.
Provided and/or discovered by: Reported in Mozilla Firefox by: Jérôme ATHIAS (also created a PoC)
Reported in Mozilla by: James Ross
Changelog: 2004-07-30: Added an additional Mozilla Bug reference.
Original Advisory: Original Advisory and Proof of Concept: http://www.nd.edu/~jsmith30/xul/test/spoof.html
Other References: XUL Documentation: http://www.xulplanet.com/
Mozilla Bug reference: http://bugzilla.mozilla.org/show_bug.cgi?id=244965
Mozilla Bug reference: http://bugzilla.mozilla.org/show_bug.cgi?id=252198
|
|
Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others. |
|
|
|
Found: 18 Related Secunia Security Advisories, displaying 10 |
|
- Mozilla / Mozilla Firefox "onunload" SSL Certificate Spoofing |
- Mozilla / Firefox Certificate Store Corruption Vulnerability |
- Mozilla Fails to Restrict Access to "shell:" |
- Mozilla XPInstall Dialog Box Security Issue |
- Multiple Browsers Frame Injection Vulnerability |
- Mozilla Browser Address Bar Spoofing Weakness |
- Multiple Browsers Telnet URI Handler File Manipulation Vulnerability |
- Mozilla / NSS S/MIME Implementation Vulnerability |
- Mozilla Cross-Site Scripting Vulnerability |
- Mozilla Status Bar Manipulation Weakness |
TOPICS: Crime/Corruption; Miscellaneous
KEYWORDS: firefox; mozilla
Navigation: use the links below to view more comments.
first previous 1-20, 21-40, 41-56 last
To: thoughtomator
Sure it does. A little knowledge of the difference between an application and an operating system is all you need to understand.
Again, how did integration directly contribute to some of these flaws? The courts have found that IE is an application that was bolted onto the operating system. At the end of the day, IE is still an application, even if it's welded into Windows; consequently, it's subject to the same kinds of flaws as any other application.
41
posted on
08/04/2004 8:08:51 AM PDT
by
Bush2000
To: Dominic Harr
There are plenty of bad guys out there gunning for everyone, there are plenty of crackers out there trying to crack everything. Including Mozilla/Firefox.
No, wrong. This isn't a difficult concept to understand -- even for you. If you're a cracker, you don't crack code running on Commodore 64s or Amigas or Apple IIs. You're going to go after the dominant platform -- the one that will create the most havoc and disruption. Since Mozilla/Firefox have less than 5% browser market share, few crackers would consider it worth their time. That may change over time, if there is a change in market share.
In fact, with the source code *open* like it is, you might even expect far more exploits on it than IE.
Nope. Security through obscurity isn't a protection.
42
posted on
08/04/2004 8:13:14 AM PDT
by
Bush2000
To: FastCoyote
Exactly why I've gone to Firefox! The exploit listed above is going to reside on how many websites? I've known the whole IIS and IE infrastructure has been broken since the Code Red virus. Just look in your software upgrade list andsee how many patch/kludges have been applied.
How many websites deployed the Download.Ject IE crack? How many people have actually been burned? Answer: Nobody. You're spewing nothing but FUD.
43
posted on
08/04/2004 8:15:40 AM PDT
by
Bush2000
To: Big Giant Head
44
posted on
08/04/2004 8:21:29 AM PDT
by
Marie Antoinette
(The same thing we do every day, Pinky. We're going to TAKE OVER THE WORLD!)
To: mhking
Let's see -- one major flaw in a work-in-progress as opposed to a production model that has had multiple flaws/exploits/problems/et.al. I use Firefox at home and many other open source tools, but this is a cop-out. Mozilla has been under development long enough that the "beta means never having to say you're sorry" excuse doesn't cut it.
There's a reason most open source tools never leave beta stage or get superceded by newer beta versions. Not having to accept responsibility for a finished product is one of them.
45
posted on
08/04/2004 8:28:22 AM PDT
by
vollmond
(DS2 CV-66 83-87)
To: D-fendr
Why are you driving your IE?
1. I don't blame the car when some malicious punk pours sugar in the gas tank or lays down a nail strip. I blame the perp.
2. Like most people, I don't visit visit malicious websites (hak0rz, war3s, p0rn); consequently, my risk (and that of most people) of encountering exploits is damn close to 0%. You're advocating getting a new car because of a theoretical threat. Ridiculous tripe. I say don't drive through known bad parts of town.
3. If you've ever bothered to study software engineering issues/concepts, you'd realize that the defect rates for both open and closed source products are essentially the same. Consequently, you can go with an obscure/marginal application such as Mozilla/Firefox in the hope that it will paint less of a bullseye on your forehead, but don't be surprised when you're hit with the same kinds of vulnerabilities (as evidenced by this article, of all things) when hackers/crackers turn their attention to you.
46
posted on
08/04/2004 8:31:37 AM PDT
by
Bush2000
To: vollmond
Mozilla has been under development long enough that the "beta means never having to say you're sorry" excuse doesn't cut it.If the FF release had been post-1.0, I'd agree with you, but the FF 1.0 milestone won't show until sometime in the middle to the end of the 4th quarter.
When comparing that to Microsoft's track record of vulnerabilities and fixes (or non-fixes as some might point to), I'd say that Mozilla has a pretty damn good track record.
47
posted on
08/04/2004 9:14:37 AM PDT
by
mhking
To: Bush2000
You're advocating getting a new car because of a theoretical threat.I was accepting your analogy as I understood it in your post true not theoretical:
"Whenever IE drives down the road, they throw out a nail strip. Or put a bullet through the front grill."
don't be surprised when you're hit with the same kinds of vulnerabilities (as evidenced by this article, of all things) when hackers/crackers turn their attention to you.
Perhaps, but until, if, or when that happens, why drive ( anymore than absolutely necessary) the vehicle that's the major target right now?
I trust that you can take good care of yourself. However as a general policy, I still think it more prudent to minimize security risk, particularly when the cost of doing so is so low.
thanks very much for your reply.
48
posted on
08/04/2004 9:34:08 PM PDT
by
D-fendr
To: D-fendr
I was accepting your analogy as I understood it in your post true not theoretical
I don't drive through bad parts of town; therefore, my risk of getting hit with random gunfire, bottles, etc from those parts of town is non-existent. There's a theoretical risk -- but only if you choose to traverse those roads.
Perhaps, but until, if, or when that happens, why drive ( anymore than absolutely necessary) the vehicle that's the major target right now?
Because the risk is practically non-existent. That's why.
49
posted on
08/05/2004 12:07:34 AM PDT
by
Bush2000
To: mhking
When comparing that to Microsoft's track record of vulnerabilities and fixes (or non-fixes as some might point to), I'd say that Mozilla has a pretty damn good track record.
Mozilla/Firefox doesn't have any appreciable market share. As it gains in market share, its vulnerabilities will explode.
50
posted on
08/05/2004 12:08:39 AM PDT
by
Bush2000
To: Bush2000
Yo guys,
Version 0.9.3 of Firefox is already out. Go grab it and be happy.
No matter what you think about all these vulnerabilities, Firefox has been patched within 24 hours almost every time. And it's a small painless download. So far a better experience than IE. I'm a computer tech for a living, and I used to be a big IE fan. The idea is, why use a browser that isn't supported everywhere? Well, times have changed. We spend half our day working on systems that have been infected with just about every kind of virus and spyware you can imagine. Most people simply have no idea how to protect themselves, and even the ones who say "I'm carefull" still don't have a clue. I'm not trying to be hard on people who aren't computer literate, just realistic. We need a larger spread of web browsers and applications, just so these damn hackers can't screw up the whole world with one virus. I used to think MS would get it worked out, but as people have said above, MS isn't continuing browser development in a good way. And it's hurting everyone.
Get Firefox web browser. (free)
Get Ad-Aware. (free)
Get Spybot. (free)
Get Spyware Blaster. (free)
Get Norton Internet Security (Or at least Norton Antivirus)
www.mozilla.com for Firefox browser.
www.majorgeeks.com (left column, spyware tools)
www.symantec.com for info on Norton. (buy it at your favorite software store or computer shop)
ABOVE ALL:
CHECK FOR UPDATES TO ALL THESE PROGRAMS EVERY TWO WEEKS, AND RUN THE AD/ANTIVIRUS SCANNERS AT LEAST ONCE EVERY TWO WEEKS.
51
posted on
08/05/2004 12:34:04 AM PDT
by
Advil
To: Bush2000
I don't drive through bad parts of town; therefore, my risk of getting hit with random gunfire, bottles, etc from those parts of town is non-existent.You don't have to drive thru bad parts anymore.. and there's email, and p2p, etc...
Again, I'm sure you can take care of yourself, but in general it's easier and prudent to recommend that others drive a safer vehicle as much as possible as part of basic security measures..
thanks for the discussion and best wishes...
52
posted on
08/08/2004 10:49:45 PM PDT
by
D-fendr
To: D-fendr
You don't have to drive thru bad parts anymore.. and there's email, and p2p, etc...
Great. Cite some major-traffic websites that are providing malicious content. I'll wait while you decide...
and there's email, and p2p, etc...
I don't use HTML mail. Nor p2p. Try again.
Again, I'm sure you can take care of yourself, but in general it's easier and prudent to recommend that others drive a safer vehicle as much as possible as part of basic security measures..
Oh, right. "Everyone, please buy a M1A1 Abrams tank because you may encounter the possibility of malicious traffic..." /SARCASM
53
posted on
08/10/2004 9:21:24 AM PDT
by
Bush2000
To: smith288
*whew*...im glad im running IE. Im safe!LOL!
54
posted on
08/10/2004 9:23:27 AM PDT
by
LTCJ
(God Save the Constitution.)
To: danamco
I subscribe to Kim Komando's newsletters. She convinced me to switch to Mozilla's Firefox! However, in her yesterday's newsletter she said after Microsoft's latest security patch she has now switched back to I.E. being more safe!!I believe it. On Saturday I tried installing that patch. The installation froze half way through and now I can't connect to the internet at all without booting SuSE. Safer? Yep, but not quite what I had in mind.
Maybe I'll fix it one of these days. But right now I'm still too PO'ed.
55
posted on
08/10/2004 9:35:22 AM PDT
by
LTCJ
(God Save the Constitution.)
To: jakkknife
Firefox is MUCH MUCH faster than my IE.
I originally was just going to Firefox part of the time, but I have now switched for good (unless I get that weird "the file / could not be found" error when I try to load a page I saw before in the same day....but that should be fixed with my downloading of 9.3.
It is ridiculous how fast pages load on Firefox vs. IE.
It just loads up almost immediately.
56
posted on
08/13/2004 11:26:48 PM PDT
by
rwfromkansas
(BYPASS FORCED WEB REGISTRATION! **** http://www.bugmenot.com ****)
Navigation: use the links below to view more comments.
first previous 1-20, 21-40, 41-56 last
Disclaimer:
Opinions posted on Free Republic are those of the individual
posters and do not necessarily represent the opinion of Free Republic or its
management. All materials posted herein are protected by copyright law and the
exemption for fair use of copyrighted works.
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson