Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability
Secunia Stay Secure | July 30, 2004
Posted on 08/01/2004 7:11:33 AM PDT by TomGuy
Secunia Advisory: SA12188
Release Date: 2004-07-30
Critical: Moderately critical
Impact: Spoofing
Where: From remote
Software: Mozilla 0.x, Mozilla 1.0, Mozilla 1.1, Mozilla 1.2, Mozilla 1.3, Mozilla 1.4, Mozilla 1.5, Mozilla 1.6, Mozilla 1.7.x, Mozilla Firefox 0.x
Description: A vulnerability has been reported in Mozilla and Mozilla Firefox, allowing malicious websites to spoof the user interface.
The problem is that Mozilla and Mozilla Firefox don't restrict websites from including arbitrary, remote XUL (XML User Interface Language) files. This can be exploited to "hijack" most of the user interface (including tool bars, SSL certificate dialogs, address bar and more), thereby controlling almost anything the user sees.
The Mozilla user interface is built using XUL files.
A PoC (Proof of Concept) exploit for Mozilla Firefox has been published. The PoC spoofs an SSL-secured PayPal website.
This has been confirmed using Mozilla 1.7 for Linux, Mozilla Firefox 0.9.1 for Linux, Mozilla 1.7.1 for Windows and Mozilla Firefox 0.9.2 for Windows. Prior versions may also be affected.
NOTE: This issue appears to be the same as Mozilla Bug 244965.
Solution: Do not follow links from untrusted sites.
Provided and/or discovered by:
Reported in Mozilla Firefox by: Jérôme ATHIAS (also created a PoC)
Reported in Mozilla by: James Ross
Changelog: 2004-07-30: Added an additional Mozilla Bug reference.
Original Advisory and Proof of Concept: http://www.nd.edu/~jsmith30/xul/test/spoof.html
Other References: XUL Documentation: http://www.xulplanet.com/
Mozilla Bug reference: http://bugzilla.mozilla.org/show_bug.cgi?id=244965
Mozilla Bug reference: http://bugzilla.mozilla.org/show_bug.cgi?id=252198
Please note: The information this Secunia Advisory is based upon comes from third parties unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
TOPICS: Crime/Corruption; Miscellaneous
KEYWORDS: firefox; mozilla
For Mozilla/Firefox users who think they are above the vulnerabilities, etc.
As any browser or OS increases in popularity, so will virus attacks, vulnerabilities, hacking, etc.
1 posted on 08/01/2004 7:11:33 AM PDT by TomGuy
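The advisory above says the weakness is that a web site can make the browser load arbitrary remote XUL and so redraw most of the chrome. From a defender's side, one observable signal is XUL documents being fetched from hosts that have no business serving browser UI. The following is an added illustration, not code from Secunia, Mozilla or this thread: it scans proxy log lines in an assumed, simplified format and flags XUL responses from hosts outside an allowlist. The log format, the sample lines and the trusted-host set are constructed for the example; the XUL MIME type `application/vnd.mozilla.xul+xml` is the one Mozilla uses for XUL documents.

```python
"""Flag remote XUL documents in proxy logs.

Added illustration for the advisory discussed above; not part of the Secunia
advisory or of Mozilla's own code. The log format below is an assumption.
"""
import re
from urllib.parse import urlsplit

# Constructed sample lines in an assumed, simplified proxy log format:
# <client-ip> <method> <url> <status> <content-type> <referer>
SAMPLE_LOG = """\
10.0.0.5 GET http://www.example.com/index.html 200 text/html -
10.0.0.5 GET http://intranet.corp.example/app/main.xul 200 application/vnd.mozilla.xul+xml http://intranet.corp.example/
10.0.0.7 GET http://198.51.100.23/login/spoof.xul 200 application/vnd.mozilla.xul+xml http://198.51.100.23/promo.html
10.0.0.9 GET http://cdn.example.net/ui/frame.xul 200 application/vnd.mozilla.xul+xml http://www.example.com/
10.0.0.9 GET http://www.example.com/style.css 200 text/css -
"""

# Hosts that legitimately serve XUL applications to this organisation's
# browsers (assumed allowlist for the example).
TRUSTED_XUL_HOSTS = {"intranet.corp.example"}

# MIME type Mozilla uses for XUL documents; a ".xul" path is a weaker hint
# that is still worth catching when a server mislabels the response.
XUL_MIME = "application/vnd.mozilla.xul+xml"

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, url, status, ctype, referer = m.groups()
    return {
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "ctype": ctype,
        "referer": referer,
    }


def is_xul(entry):
    """True when the response is a XUL document by MIME type or by extension."""
    if entry["ctype"].lower() == XUL_MIME:
        return True
    return urlsplit(entry["url"]).path.lower().endswith(".xul")


def find_untrusted_xul(log_text, trusted_hosts=TRUSTED_XUL_HOSTS):
    """Return successful XUL fetches whose serving host is not allowlisted.

    Each finding records the client, the serving host, the URL and whether
    the referring page lived on a different host (a cross-site include).
    """
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or entry["status"] != 200 or not is_xul(entry):
            continue
        host = urlsplit(entry["url"]).hostname
        if host in trusted_hosts:
            continue
        ref_host = None
        if entry["referer"] != "-":
            ref_host = urlsplit(entry["referer"]).hostname
        findings.append({
            "client": entry["client"],
            "host": host,
            "url": entry["url"],
            "referer_host": ref_host,
            "cross_site": ref_host is not None and ref_host != host,
        })
    return findings


if __name__ == "__main__":
    for f in find_untrusted_xul(SAMPLE_LOG):
        flag = "cross-site" if f["cross_site"] else "same-site"
        print(f"{f['client']} fetched XUL from {f['host']} ({flag}): {f['url']}")
```

Run against the constructed sample, the intranet application is passed over and the two other XUL fetches are reported; the one pulled in from a page on a different host is marked cross-site, which is the shape of the include the advisory describes. An allowlist of this kind is only a triage aid: it tells you where to look, not whether the UI the user saw was genuine.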
To: TomGuy
*whew*... I'm glad I'm running IE. I'm safe!
2 posted on 08/01/2004 7:13:58 AM PDT by smith288 (Kerry salutes like a girlyman.)
To: TomGuy
It's still 99% safer than IE. I'll take my chances with Mozilla any day.
In my office, there are Mozilla users and IE users. During my recent rounds checking workstation security, every single IE user was infected with at least one virus and at least two browser hijacks. Total viruses and hijacks for Mozilla users: zero.
3 posted on 08/01/2004 7:14:31 AM PDT by thoughtomator (John Kerry reporting for duty - making sure that nobody interferes with Hillary's run in 2008)
To: smith288
*whew*... I'm glad I'm running IE. I'm safe!
I know you are kidding, but I was not too thrilled when I took the Secunia website vulnerability test yesterday and realized that my IE, despite running NIS, could be taken over in a heartbeat.
4 posted on 08/01/2004 7:21:18 AM PDT by sockmonkey (Prayers for the repose of the soul of my Dad)
To: TomGuy
I'll keep my Firefox. Since using this, plus redundant firewall, anti-virus, and spyware programs which I run almost religiously, my PC on high-speed dial up runs very fast... and with no viruses or hijackers.
5 posted on 08/01/2004 7:21:45 AM PDT by Jackknife (Land of the Free, because of the Brave.)
To: TomGuy
Let's see -- one major flaw in a work-in-progress as opposed to a production model that has had multiple flaws/exploits/problems/et al.
I'm not saying that FF is bulletproof, but overall, it's a better browser than IE is at the present time. And until MS begins to go back into active browser development instead of the ongoing stagnation they've engaged in, Mozilla & Opera will remain head and shoulders above them in the development department.
6 posted on 08/01/2004 7:24:47 AM PDT by mhking (John Kerry & Al Gore: Cut from the same tree.)
To: TomGuy
As any browser or OS increases in popularity, so will virus attacks, vulnerabilities, hacking, etc.
Bingo.
7 posted on 08/01/2004 7:25:32 AM PDT by steveegg (John F'em Ke(rr)y - I was against liberating Grenada before I was for it (WSJ - 7/29/2004))
To: steveegg
8 posted on 08/01/2004 7:27:25 AM PDT by mlbford2 (Sorry for spelling errors, I'm a product of a state university)
To: TomGuy
To: Bush2000
10 posted on 08/01/2004 7:42:32 AM PDT by TomServo ("I'm so upset that I'll binge on a Saltine.")
To: happydogdesign
11 posted on 08/01/2004 8:07:05 AM PDT by Victor
To: mlbford2
Likewise, reading later and marking for reference.
12 posted on 08/01/2004 8:13:43 AM PDT by el_texicano (Liberals are the real Mind-Numbed Robots - No Brains, No Guts, No Character... Just hate)
To: TomGuy
Haha! I'm using Firefox and find it a great browser, but it's funny that it took only weeks after Mozilla's popularity soared due to IE vulnerabilities for Mozilla itself to become vulnerable.
The problem was never Microsoft. The problem is the hackers themselves. The Microsoft bashers will someday find Linux hacked too.
13 posted on 08/01/2004 8:24:26 AM PDT by beckett
To: thoughtomator
It's still 99% safer than IE.
Surrrrrrrre you are. Just keep telling yourself that...
14 posted on 08/01/2004 8:48:56 AM PDT by Bush2000
To: TomGuy
Tom Guy,
You are 100% correct. The most popular OS will attract the most hackers... it's just common sense.
C
15 posted on 08/01/2004 8:53:12 AM PDT by C-Note
To: TomGuy
For Mozilla/Firefox users who think they are above the vulnerabilities, etc.
What is this ignorance on the part of some MS-only computer users that makes this so hard for some to comprehend?
A Mercedes breaks down far, far less often than a Chevy. But can you imagine a Chevy-only devotee getting out there seeing a Merc broken down and saying, "See, it's no better than any other car".
It's as if MS-only folks have absolutely no idea what "quality" even means... (fill in your own joke here).
To: TomGuy
This is likely true:
"As any browser increases in popularity, so will virus attacks."
However, this does not follow:
"so will vulnerabilities."
17 posted on 08/01/2004 9:10:58 AM PDT by D-fendr
To: Dominic Harr
A Mercedes breaks down far, far less often than a Chevy.
Bogus analogy. IE has tons of malicious people trying to dismantle the "engine" while it's running -- while marginal browsers don't have the same kinds of attacks. To attribute this to differences in quality is just ridiculous. As we see from this posting, Mozilla/Firefox ain't Mercedes. When subjected to the same kinds of attention, they break down similarly.
18 posted on 08/01/2004 9:15:01 AM PDT by Bush2000
To: Bush2000
Don't have to tell myself that. Actual hands-on experience tells me.
19 posted on 08/01/2004 9:26:51 AM PDT by thoughtomator (John Kerry reporting for duty - making sure that nobody interferes with Hillary's run in 2008)
To: Bush2000
Untrue. Firefox, unlike IE, is not intimately tied into the OS, and thus is inherently less vulnerable to the most devastating attacks.
20 posted on 08/01/2004 9:28:52 AM PDT by thoughtomator (John Kerry reporting for duty - making sure that nobody interferes with Hillary's run in 2008)