
Spoofing Flaw Resurfaces in Mozilla Browsers 258

GregThePaladin writes "A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned. The flaw, which also affects some other Mozilla Foundation programs, lies in the way the software handles frames. The applications don't check whether the frames displayed in a single window all originate from the same Web site." Commentary on this at whitedust as well.
  • So secure (Score:4, Funny)

    by Anonymous Coward on Tuesday June 07, 2005 @10:26AM (#12746466)
    Oh, damn IE for being so insecure. Wait, this is about an Open Source browser---damn IE for being so insecure!
    • Re:So secure (Score:4, Insightful)

      by ZephyrXero ( 750822 ) <zephyrxero.yahoo@com> on Tuesday June 07, 2005 @10:43AM (#12746640) Homepage Journal
      " Oh, damn IE for being so insecure. Wait, this is about an Open Source browser---damn IE for being so insecure!"

      There will never be such a thing as a 100% secure browser. It's all about which one is "more" secure... Even with the holes found in Firefox it's still many times safer than IE. Not only that, but these holes are usually patched in a matter of days, while with MS you're lucky if it gets fixed in a few months.
    • Re:So secure (Score:2, Insightful)

      by camcorder ( 759720 )
      You can dump FireFox if you want not to use it because of security problems. But what's your chance with IE?
    • I wonder if the comments in this article will be of the same tone as the comments posted in this [slashdot.org] article.

      *waits for the flamebait mod
    • Re:So secure (Score:5, Informative)

      by Anonymous Coward on Tuesday June 07, 2005 @10:53AM (#12746768)
      IE has the same flaw also, so parent should not be moderated as funny, but as informative.

      http://secunia.com/advisories/11966/ [secunia.com]
      • Re:So secure (Score:2, Informative)

        by rbochan ( 827946 )
        Indeed it does. I just found that to be the case on fully updated/patched Win2k and 9x systems when I just tested them.
    • Re:So secure (Score:4, Insightful)

      by Mant ( 578427 ) on Tuesday June 07, 2005 @11:10AM (#12746939) Homepage

      IE has this issue, want to bet which browser will fix it first? (hint, Mozilla fixed it before)

    • Use konqueror instead then. It's not affected by this :) (oh, and it's open source too)
  • Exploits? (Score:4, Insightful)

    by /ASCII ( 86998 ) on Tuesday June 07, 2005 @10:27AM (#12746468) Homepage
    The number of Firefox vulnerabilities that have been exposed is frightening. But I wonder when the first actual exploit will be found...
    • Re:Exploits? (Score:3, Informative)

      by strider44 ( 650833 )
      It is very unlikely that this would really be worth exploiting. It relies on the person opening this up in a new window (not a tab), leaving it open then coming back and clicking on another link. The links have to be clicked first one then the other.

      Before anyone could think of a way to exploit this, this'd be fixed I think.
      • Re:Exploits? (Score:4, Informative)

        by unformed ( 225214 ) on Tuesday June 07, 2005 @10:47AM (#12746683)
        Did you even read the article?


        NOTE: Exploitation can easily be made "automatic". However, since this example only serves as a test to give users an understanding of how it works, we have chosen not to do so.


        Regardless, I don't consider this to be too big of a deal. The exploit can be used for a phishing attack, when a trusted site is using frames. A nontrusted site then replaces one of the inner pages with a fake lookalike, but the user can't tell, because the address isn't shown in the address bar.

        Banks using frames for the trusted portion of their sites is extremely bad design, and I don't know of any that does that anyways.
    • Does the Firefox team use any automated testing on the project? Seems like these sort of errors could stay dead, if so.

      Software testing automation tools [tigris.org]
      • Does the Firefox team use any automated testing on the project?

        Either they don't have automated testing, or they do have, but it didn't look for this bug.
        Finding bugs (and squashing them) is a good thing, but I'm curious about how this bug got reintroduced in FireFox. I hope they analyse this problem, and improve their operational procedures to prevent other reintroductions of old bugs.

    • Re:Exploits? (Score:5, Insightful)

      by ZephyrXero ( 750822 ) <zephyrxero.yahoo@com> on Tuesday June 07, 2005 @10:46AM (#12746672) Homepage Journal
      frightening??? I'm a big fan of open source, and I'm actually pretty amazed the number has been so small. It's just about the first open source program to really become popular and I think Mozilla's doing a damn fine job of keeping up with the hax0rz...
    • Re:Exploits? (Score:2, Insightful)

      by rubycodez ( 864176 )
      really? I'd say the number is very tiny given the size of the code. On the other hand, given the age and size of a certain other browser, the number of vulnerabilities and the number of known exploits is HUGE, as is the estimated cost of damage done to business.
  • what about tabs? (Score:5, Interesting)

    by farker haiku ( 883529 ) on Tuesday June 07, 2005 @10:27AM (#12746472) Journal
    from TFA:
    For a spoofing attempt to work, a surfer would need to have both the attacker's Web site and a trusted Web site open in different windows.

    So, uh, what about tabs? 'Cause I never have 2 windows open at the same time.
    • Re:what about tabs? (Score:5, Informative)

      by Punkrokkr ( 592052 ) on Tuesday June 07, 2005 @10:33AM (#12746544) Homepage
      I tried it in tabs, spoof does not work across tabs; just separate windows.
      • I tried that, the parent poster is correct.

        This means a simple work around is to install TabBrowserPreferences or any of the other extensions which capture new window commands and make them open in tabs.

        I was already using this anyway, but if you're running in a corporate environment or something this could be a quick fix.
      • Re:what about tabs? (Score:3, Interesting)

        by whoever57 ( 658626 )
        I tried it in tabs, spoof does not work across tabs; just separate windows.

        In Galeon, it does work across tabs.

    • The Secunia test does not work if you open the sites as tabs as opposed to new browser 'windows'. Mind you this is the first time I've seen one of the Secunia advisories actually work on a machine. The potential for badness is quite high with this one methinks..
    • 'Cause I never have 2 windows open at the same time.
      Unless they use JS to pop one up (and yes, there do exist scripts which will circumvent the built in popup blocker.) I suppose if you have JS and Flash disabled you're all set in that case.
      • I use the tabbed browsing extension that disables all of that bullcrap. Find it. Love it. /too lazy to google it for you.
      • In that case this becomes nearly useless as an exploit. It's only good if the attacker can trick you into thinking you're at a site you want to input sensitive information on. If you're willing to type your bank login info in a popup window, you're going to get phished anyway.
        • I believe the issue was that a malicious site can pop up a window to control a frame in an already opened window. This will probably work with default browser settings. Fortunately for those in the know, there is a workaround--redirect ALL new window requests to tabs. Unfortunately this is a workaround and requires action on the part of the user.
    • From TFA:

      "For a spoofing attempt to work, a surfer would need to have both the attacker's Web site and a trusted Web site open in different windows. A click on a link on the malicious site would then display the attacker's content in a frame on the trusted Web site, Secunia said. The company advised people not to visit trusted and untrusted Web sites at the same time."

      The whole notion of a trusted web site is bogus. Many large and popular web sites are not maintained well enough to prevent them from

  • The exploit (Score:5, Funny)

    by k4_pacific ( 736911 ) <k4_pacific@yCOUGARahoo.com minus cat> on Tuesday June 07, 2005 @10:28AM (#12746484) Homepage Journal
    Type: Spoofing
    Exploit: Local
    Effects: All browsers

    Description:
    A 7 year old vulnerability has been discovered in multiple browsers, allowing malicious people to spoof the content of websites.

    The problem is that the browsers don't check if a piece of black electrical tape is on the screen covering the address bar, which prevents the user from identifying the source of content in the browser window.

    Successful exploitation allows a malicious website to load arbitrary content with its source masked by the black tape. The user cannot know if this is a trusted site.

    Solution:
    Remove the piece of electrical tape from the screen. Windex may be necessary to clean up afterwards.
    • Re:The exploit (Score:4, Informative)

      by /ASCII ( 86998 ) on Tuesday June 07, 2005 @10:31AM (#12746528) Homepage
      Avoid using Windex on flat screens. It may damage the anti-glare coating. If possible, use only a damp cloth to wipe away any tape residue.
    • See, that would be funny, except the address bar shows the URL of the "trusted" site. Even looking at the source of an exploited web page does not reveal that anything is wrong.

      If you have a "trusted" site open in one window, clicking on a malicious link in another window can cause any frame in the "trusted" website to be replaced with a spoofed page. There are no clues in the address bar and it's not in the HTML source. The best I could do is, in FireFox, look at the page info box (Tools -> Page info)
  • by It doesn't come easy ( 695416 ) * on Tuesday June 07, 2005 @10:29AM (#12746488) Journal
    Recycling old bugs...I have to say that the Mozilla code base is losing some credibility with mistakes like this. Seems like a code audit is called for guys...
  • Am I remembering right when I recall that MoFo is pretty much end-of-lifing the Suite? I use Suite 1.7.8, and have no desire or intention of switching to Firefox and Thunderbird.

    Is the Moz community going to release a fix for Suite?

  • Why - Oh why (Score:2, Interesting)

    by Anonymous Coward
    is it impossible to test new releases against old bugs?
    • Re:Why - Oh why (Score:3, Informative)

      by /ASCII ( 86998 )
      It is not impossible. Testing new releases against old bugs is called regression testing, and everybody pretends to do it. But the problem is that it is so boring and hard that very few people write working regression tests against the more complex bugs.
  • Automated Testing (Score:4, Interesting)

    by drewfuss ( 872683 ) on Tuesday June 07, 2005 @10:31AM (#12746526) Homepage
    Does the firefox community have any regression testing? They need fully automated test [slashdot.org] like the linux kernel has now.
    • Does the firefox community have any regression testing? They need fully automated test like the linux kernel has now.

      Automated testing is helpful, though mainly for known errors or conditions. It can be used to find some unknown problems, but it is not entirely effective at this class of problems.

      • "Automated testing is helpful, though mainly for known errors or conditions."

        But in this case it was a known error. If the nature of the bug allowed it to be generated and verified using an automated test, you could add it to your regression test. Then if the bug showed up again, the regression test would catch it. This assumes that the automated test isn't dependent on the exact code snippet that caused the original problem but rather on the behavior.
    The Debian package of Firefox 1.0.4, with the extension tabbrowser preferences installed isn't, for example. As a result of this extension, the frame isn't injected into the frameset that is being targeted, and is opened in a new tab instead.

    It is surprising, though, that a security vulnerability like this goes unnoticed for so long. On the other hand, I very much doubt that anybody has actually used this to exploit users.
    • Ditto for Windows, Firefox 1.0.4 + Tabbrowser Prefs 1.2.5. The injected content opens in a new tab rather than one of the MSDN frames. Since the behavior of this bug can be influenced by an extension, and it is a regression to start with, expect a patch very shortly.

      The Tabbrowser Prefs extension r00lz. Don't leave your homepage without it.
  • Ehmm. (Score:2, Interesting)

    by Psionicist ( 561330 )
    Just one problem - the example "exploit" doesn't work. I press the MSDN link, it opens up in a new tab, press the demonstration link... And nothing happens.

    So what do I do wrong?
  • by ttfkam ( 37064 ) * on Tuesday June 07, 2005 @10:36AM (#12746585) Homepage Journal
    The exposure of this older bug in new software is perhaps a good jumping off point for an argument about constructing new browser technologies from scratch, rather than simply developing existing (by the laws of probability, flawed) software to incorporate extended functionality; which is by far the industry norm as it stands. Is this a viable alternative?
    Anyone that knows the history of the Mozilla project has to see the idiocy in this statement.

    Or are they supposed to scrap it all and rewrite from scratch every few years? I sure hope not. Anyone else out remember M13, M14, M15, etc.? *shudder*
      When I read the article, I thought they meant the opposite. Since I believe the bug was reintroduced because large parts of the old Netscape codebase were ripped out and replaced with shiny, new and insecure code, this argument seems to fall flat on its face.
  • by mogrify ( 828588 ) on Tuesday June 07, 2005 @10:38AM (#12746606) Homepage
    It appears that if you have the Tabbrowser Preferences extension installed, then this exploit doesn't work.
    • Does the code in your sig work?
      I would think you'd need main() { exit(1); }
    • This is the first time IN MY LIFE that I see a browser add-on INCREASING its security, and not otherwise.

      (hypothetical) Secunia advisory

      blablablah... bug.
      Versions affected: Firefox v1.04 etc....
      Workaround: Install the tabbrowser preferences extension.

      w00t.
  • by null etc. ( 524767 ) on Tuesday June 07, 2005 @10:41AM (#12746628)
    I must say that there should be a clean, concise list of security flaws that should never appear within a web browser, and each browser should be forced to undergo testing against that list before being released.

    To have such fundamental flaws appear, whether by accident or negligence, is unacceptable.

    Furthermore, the browser "industry" and the commercial sector NEED to come up with some guidelines as to how to promote and ensure online security for financial transactions and personal data.

    For example, it's almost impossible for the casual or sophisticated user to easily determine whether a frame that appears within a website actually belongs to that website, or another. For example, if you have an online account with MBNA credit card, and make an online purchase, some vendors will display an MBNA authentication page which asks you to login to your online account to verify the purchase.

    The problem is that this authentication page appears as a frame within the online vendor. How can you tell whether that frame is a legitimate MBNA page, or just a clever phishing attack? The browser gives no indication as to whether the frame belongs to MBNA or the vendor.

    PayPal suffers from the same thing. I hate clicking on the "Make a Donation" button of some sites, and then seeing the PayPal login appear within a frame of the original site. That prevents me from making a donation - with today's complicated scripting invocations and what not, I don't feel trusting enough to type my account info and password into some frame which happens to appear in the middle of some other organization's website.

    I can't BELIEVE that MBNA and PayPal would promote such idiotic practices, much less allow them to happen.

    • I think the way that paypal expects sites to use their automated pages is to redirect the whole window, because at the end of the process paypal usually sends you back to a page on the original site, usually a thankyou/confirmation page. When people use the frames, they are probably doing it against paypal's directions, because otherwise, why would paypal redirect back to the original site?...
    • by lanroth ( 186573 )
      The problem is that this authentication page appears as a frame within the online vendor. How can you tell whether that frame is a legitimate MBNA page, or just a clever phishing attack?

      I click RMB->This Frame->Open Frame In New Tab

      As you'd expect this opens the frame in a new tab where you can easily see the URL.

      You can also find information about an embedded frame by clicking RBS->This Frame->Frame Info

    • To find the origin of a frame in Mozilla or Firefox:
      • Access context menu for the frame (right click inside the frame
      • select "This Frame"
      • select "View Frame Info"
      It gives you all the details.
  • by interJ ( 653180 ) on Tuesday June 07, 2005 @10:49AM (#12746713)
    See here [secunia.com].

    The bug in IE was reported almost a year ago, and it is still unpatched.

    The bug was reported in all major browsers (Mozilla and Firefox, Opera, Safari, Konqueror, IE), and was patched in all of them except IE. It has now reappeared in Mozilla.

    • It's not the same kind of thing, though, as this can be done with just one Mozilla/Firefox frame. It is somewhat similar.
      • Nevermind, I should have RTFA. Wish I could retract that comment now.

        The reason why this hasn't been patched in IE and might never get patched in IE is because a user would have to be extremely stupid to not notice the website INSIDE their other website. We've all seen this before, and occasionally deal with it from time to time. The only security risk here is having something like the "Help and Support Center" open in Windows XP and having IE or Firefox control the frames to try to load an application to
    • If you read the page on secunia that you linked, you would see that this *has* been patched more than 2 years ago.

      http://www.microsoft.com/technet/security/bulletin/ms98-020.mspx [microsoft.com]

      Also since IE5, there has been protection against this type of attack.

      1. Click Start, point to Settings, click Control Panel, and then double-click Internet.
      2. Click the Security tab.
      3. Under Select a Web content zone to specify its security settings, click Internet.
      4. Click Custom Level.
      5. Under Navigate sub-frames across di
  • Now...take how many bugs have been exposed in Firefox and how many have been exploited.

    How many bugs have been exposed in IE and exploited? (Especially because for IE it's almost a 1:1 ratio)
  • Is this truly a bug?

    I tried the exploit with a W2k box that has IE Version 6.0.2800.1106CO with SP1 and several Q### patches installed and it produces the same result.

    I see how this could be used as an exploit but is it really a bug? I have written code for a game website which used multiple windows with frames and the information in the frames came from two different web servers. Yeah, I know, it sounds like a web surfing nightmare, but fret not, it was an experiment. But my point is that this may not a
  • by cahiha ( 873942 ) on Tuesday June 07, 2005 @11:00AM (#12746832)
    The applications don't check whether the frames displayed in a single window all originate from the same Web site.

    And they shouldn't check that because often frames do not originate on the same web site (e.g., Google, Hotmail). The problem is if you try to frame something low security inside something high security; the other direction is OK.

    What they should check (according to Secunia) is something different: when code attempts to put content into a target, the browser should check whether that code actually created that frame and otherwise refuse.

    A simple way of fixing this problem might be to prefix the name of any frame with the host that created it, so that "target=foobar" actually means "target=www.host-of-this-page.com::foobar"; that also helps avoid confusing name conflicts between web sites. But that suffers from the same problem as anything else that relies on host names: you can't tell which ones are supposed to "belong together".

    Alternatively, you might require that if any frame in a window uses https, then all of them must, and they all must use the same certificate.

    The best solution is probably just to abolish frames altogether; they cause many other problems as well.

    A slightly less drastic solution would be to prohibit the display of any https content in a frame.
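The check cahiha describes, as an added toy model that is not code from the thread, Secunia or Mozilla: a link's target name is looked up either by bare name across every window (the behaviour the advisory describes) or scoped to the origin of the frameset that created the frame (the "host::name" idea above). Hostnames, URLs and the frame layout are constructed for the example; the real browsers' policies are more involved than this.

```python
# Added example (not from the Slashdot thread or the Secunia advisory): a
# toy model of how a browser resolves a link's target= frame name, with the
# flawed lookup the thread discusses beside the origin-scoped check proposed.
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample sites; every hostname here is a placeholder.
TRUSTED = "https://bank.example/frameset"
THIRD_PARTY = "https://widgets.example/quote"
ATTACKER = "http://attacker.example/lure"
SPOOF = "http://attacker.example/fake-login"


def origin(url: str) -> str:
    """scheme://host[:port], lower-cased; the unit the policy is keyed on."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


@dataclass
class Frame:
    name: str      # value a link's target= attribute is matched against
    url: str       # document currently shown in the frame
    creator: str   # origin of the frameset document that created the frame


class Browser:
    def __init__(self) -> None:
        self.windows = []          # each window is a list of Frame objects

    def open_window(self, frames) -> None:
        self.windows.append(frames)

    def _frames(self):
        for w in self.windows:
            yield from w

    def navigate_naive(self, source_url: str, target: str, new_url: str) -> bool:
        """Flawed behaviour from the advisory: the first frame anywhere whose
        bare name matches is loaded, no matter which document created it."""
        for f in self._frames():
            if f.name == target:
                f.url = new_url
                return True
        return False

    def navigate_checked(self, source_url: str, target: str, new_url: str) -> bool:
        """Hardened lookup: the name is scoped to the creator's origin, as if
        it were 'origin::name', so a document in another window cannot reach it."""
        src = origin(source_url)
        for f in self._frames():
            if f.name == target and f.creator == src:
                f.url = new_url
                return True
        return False


def run_scenario(hardened: bool) -> dict:
    """Trusted frameset in one window, attacker page in another; the attacker's
    link targets the bank's 'content' frame by name. Returns what happened."""
    b = Browser()
    bank = origin(TRUSTED)
    b.open_window([Frame("nav", TRUSTED, bank),
                   Frame("content", TRUSTED, bank),
                   Frame("quote", THIRD_PARTY, bank)])   # legitimate cross-site frame
    b.open_window([Frame("main", ATTACKER, origin(ATTACKER))])
    nav = b.navigate_checked if hardened else b.navigate_naive
    attacker_loaded = nav(ATTACKER, "content", SPOOF)
    # The bank's own page may still retarget the third-party frame it created.
    bank_loaded = nav(TRUSTED, "quote", THIRD_PARTY + "?refresh=1")
    return {"attacker_loaded": attacker_loaded, "bank_loaded": bank_loaded,
            "content_url": b.windows[0][1].url}


def regression_check() -> bool:
    """Behaviour-level regression test: true only while the hardened lookup
    refuses the cross-window spoof and legitimate same-origin targeting works."""
    r = run_scenario(hardened=True)
    return (not r["attacker_loaded"]) and r["bank_loaded"] and r["content_url"] == TRUSTED
```

`run_scenario(False)` ends with the spoof page in the bank's `content` frame while the address bar would still show the bank; `run_scenario(True)` leaves it untouched, and `regression_check()` is the kind of behaviour-based test the regression-testing comments above ask for.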
  • by tsa ( 15680 ) on Tuesday June 07, 2005 @11:24AM (#12747090) Homepage
    You see? Another security fault in an open sores program. This is what you get if you don't pay your developers. Opening the source so that everyone can see the flaws is just asking for trouble. I'm going back to IE.
  • Thank God that we don't get as many security bugs as I.E., dontcha think?
  • by kassemi ( 872456 )

    What about placing a small colored box in the corner of each frame... If a frame's box differs in color from the surrounding frames, this would indicate the frame was on a different domain. That way the developers wouldn't have to worry about breaking the legitimate use of this technique.

  • If you are using the TabBrowser Preference extension for Firefox, the exploit site will just open in a new tab, and the MSDN site will remain unaffected. https://addons.mozilla.org/extensions/moreinfo.php?id=158&application=firefox [mozilla.org]
  • This just in, putting your picture inside a frame may cause an unfavorable reaction to whoever is looking at it. The results can range from shrieks of horror, to nausea and a look of disdain on the viewer's face. The fix is to burn the picture with the frame....
