A vulnerability has been reported in Mozilla and Mozilla Firefox, allowing malicious websites to spoof the user interface.
The problem is that Mozilla and Mozilla Firefox don't restrict websites from including arbitrary, remote XUL (XML User Interface Language) files. This can be exploited to "hijack" most of the user interface (including tool bars, SSL certificate dialogs, address bar and more), thereby controlling almost anything the user sees.
The Mozilla user interface is built using XUL files. (Secunia Advisory)
The recommended fix is "Do not follow links from untrusted sites."
Of course, switching to another browser that does not allow XUL scripting (such as Internet Explorer) will close off this avenue of attack completely.
How long has this bug been around? 5 years. At time of writing it has still not been fixed. It was marked "confidential" in the Mozilla bug tracker until 7-21-2004. You can find out more and view this flaw in action at http://www.nd.edu/~jsmith30/xul/test/spoof.html. I have downloaded the latest version of Firefox (0.9.3, at time of writing) and the spoof page works to shocking effect.
"The goal of XUL is to build cross platform applications, in contrast to DHTML which is intended for developing web pages."
"XUL blurs the distinction between desktop application and Internet browser apps because it is firmly entrenched in both worlds."
XUL exposes the core components that make up the Firefox interface (which was itself written in XUL). This means that a spoof preserves the user's "look and feel" right down to the currently selected theme. This isn't a hacky "cardboard cutout" browser mockup: in XUL a real address bar (with auto-complete etc.) can be created with a minimum of code, and any address value can be inserted into it. It's the spoofer's dream. At the end of the day, if XUL wasn't significantly more powerful than DHTML, why was it developed?
I just hope that the Mozilla community stops spouting Microsoft-bashing hype for a moment and does something about it. I'm glad to be using IE6.
(8 years, 10 months ago)