the fundamental security flaw in mozilla browsers
(updated 29/08/2004)
A vulnerability has been reported in Mozilla and Mozilla Firefox, allowing malicious websites to spoof the user interface.
The problem is that Mozilla and Mozilla Firefox don't restrict websites from including arbitrary, remote XUL (XML User Interface Language) files. This can be exploited to "hijack" most of the user interface (including tool bars, SSL certificate dialogs, address bar and more), thereby controlling almost anything the user sees.
The Mozilla user interface is built using XUL files.Secunia Advisory
The recommended fix is "Do not follow links from untrusted sites."
Of course, switching to another browser that does not allow XUL scripting (such as Internet Explorer) will close off this avenue of attack completely.
How long has this bug been around? 5 years. At time of writing it has still not been fixed. It was marked "confidential" in the Mozilla bug tracker until 7-21-2004. You can find out more and view this flaw in action at http://www.nd.edu/~jsmith30/xul/test/spoof.html I have downloaded the latest version of firefox (0.9.3, at time of writing) and the spoof page works to shocking effect.
What makes XUL spoofing more significant than javascript/image spoofing? Well, XUL is a whole new game. According to Mozilla:
"The goal of XUL is to build cross platform applications, in contrast to DHTML which is intended for developing web pages."
"XUL blurs the distinction between desktop application and Internet browser apps because it is firmly entrenched in both worlds"
XUL exposes the core components that make up the Firefox interface (which was actually written in XUL). This means that a spoof will preserve the user's "look and feel" right down to the currently selected theme. This isn't a hacky "cardboard cutout" browser mockup. In XUL a real addressbar (with auto-complete etc) can be created with the minimum of code and any address value can be inserted. It's the spoofers dream. At the end of the day, if XUL wasn't significantly more powerful than DHTML why was it developed?
I just hope that the Mozilla community stops spouting Microsoft-bashing hype for a moment and does something about it. I'm glad to be using IE6.
12/08/04 12:44am
(5 years, 6 months ago)
19 comments
If you get this error (excuse the french, it wasn't me that uploaded it), your version of Firefox has choked on the spoof page. I will hopefully be re-writing the spoof myself to address the parsing errors
add photo
kinrowan:
"All of that said, I'm sure there are other known security holes in FireFox, and many more that haven't poked up yet. IE gets a bad security rap precisely because it is what most people use, so most of the shadier developers target it.
If FireFox ever got to be the 95% gorilla then I'm sure all kinds of holes would pop up."
Not so sure on this one
The Difference between IE's Developer Team and Mozilla's is that Mozilla's Team DOES listen and actually fix things.
I don't blame IE's dev team doesn't listen. They just can't change things, be as flexible as the open source Community.
The fact that Gecko (mozilla's browser engine) is open source does put YOU in charge.
Gecko is developed by the community. Everyone can join. the Source is FREE.
Don't scream on bugs, FIX them or find someone able fixing them (mozilla dev team). You can do
Hell they even pay you money for reporting bugs. Not worth it exploiting them anymore
04:33am
This sounds like zealotry.
I switched to FireFox after the Scob scare, and see no reason at all to go back. Both as a user and as a developer FireFox makes my online life much more fun and easy. I've seen the new IE6 release, and there's little there to draw me back in. I live for the tabs (they really make web browsing much easier to my mind), don't skin, and have about 20 extensions loaded and have never had any problems at all. It's a slick piece of work, and I have no problem using polished "Beta" code for a production app. If FireFox's popup-blocker is too stringent then I say great! If there are sites that I need to see the pop-ups in (and those are few, for me) then I load up IE for 3-5 minutes and close it right back down when I'm done.
All of that said, I'm sure there are other known security holes in FireFox, and many more that haven't poked up yet. IE gets a bad security rap precisely because it is what most people use, so most of the shadier developers target it. If FireFox ever got to be the 95% gorilla then I'm sure all kinds of holes would pop up. DOes that make it less worthy to use? Not if it doesn't make IE less worthy to use. This particular security hole has a really simple solution; don't allow web sites to install software. Simple as that, and no worse a solution than the oft suggested "Turn of JavaScript" idea. I only allow wites to load soaftware when I'm particularly looking for something (like when I'm installing an extension).
When it comes right down to it, though, I'll switch back to IE if/when it shows that it's a better browser. I don't care, I'm not religious about it. But that have to convince me first....
kinrowan
07:07am
this "bug" exists in practically any browser that can display fake browser-like XUL buttons and such. you could even fake an AOL window or a windows update window. it's not just firefox.
"do not follow untrusted links" is really the only advice you can give - think of all of the people who use IE who get POPUPS of fake internet explorer images? SP2 fixes the popup problem, but not a lot of people have downloaded the update, and even so... IE is still way behind with tons of other things.
there is a VerifyURL extension that allows you to right-click and see the true URL of any website (even the ones with fake buttons or within frames). this does more than solve the problem, it gives you a new tool to check other seemingly fake sites.
taking away a great feature because it can be abused is no good. that'd be like assuming your entire userbase is dumb and won't know that they're using a fake browser window.
01:37am
I love the way they even spoof the padlock icon and the certification screen you get when double-clicking on it.
02:57am
Agreed with Andrew. What's the point of being able to do such things in javascript ? It's only a feature, nothing really of a flaw.. And it require to click to open the window. So It really depend on the user. If there is a flaw, it's the user.
But a nice thing is that it shows me how firefox is powerfull.
Still think firefox's safe.
Etienne.
11:47am
I think it's very important for people to draw attention to security flaws that might compromise Firefox (so do they--they're offering a cash bounty to people who find new security related bugs).
But I'm afraid that "Chris Beach", deliberately or not, has misrepresented the facts. I get an XUL error on the test page--not a spoof at all. You can see what the error looks like at the bottom of "Chris Beach"'s page--mine's in English. I'm using today's very latest branch build, the new release candidate. So, sorry, I can't "try a more up-to-date version of Firefox".
"Chris Beach" is wise to worry about security problems with his browser, but perhaps if he worried about new ones that need fixing, rather than old ones that have already been fixed, he'd appear less loony and uptight. He'd be richer too--he could claim the Mozilla bounty.
02:48pm
I think it's laughable that you're pointing out a bug in firefox that, incidentely, has been fixed, when there's much greater risks in internet explorer, such as the scrollbar exploit that can be found here: http://www.mikx.de/scrollbar/
Basically if you use the scrollbar on IE the site can install whatever file it wants to on your computer.
BTW if you use IE then don't go to that site!!! At least, definitely don't use the scrollbar. Though it doesn't hurt your computer, it does modify your registry and install a (blank) exe file on your system. Use Firefox instead :)
05:57am
I'm a webdesigner working for now 5 years and it's now 1 year i am using Firefox. Clearly, i only use IE now to check if my code is rendered well under it. Only.
). I'm sure even my grand ma would love it.
Tab browsing and bookmarking, quick search textfield (i have here 16 search engine just in a polldown menu), password and downlaod manager, popup killer, frame browsing by right clic, skin support, W3C total compatibility (except for xHtml 2.0 where IE deals those new things better), better specials caracters rendering (korean, japan, russian and chinese) ... and i don't talk about the availability of the browser under Win, OS X, Linux, BeOS, .... everywhere you can use the same (very user friendly) interface.
All my friends who have tryed it (and they do dress designing, marketing, sciences, translation, teacher, .... for the most of them not geeks !) are totally in love in it. Specially cause they don't have those "casino" or "playboy" popups (and no they don't do warez or aldult website browsing) and use tabs (even some do more than me
If you are happy with IE, just use FF or Moz as your main browser for 1 week and then come tell me again that you still want to use only IE ;)
Even the french internet provider "Free.fr" told to their customer at hotline to install Mozilla ... if a commercial company tells to his customer to use Moz insteed of IE, it's not just for fun, it really means something ... nope ?
05:27am
It's actually quite funny - considering the attitude of Mozilla supporters when a similar (but not nearly so bad) problem was discovered with IE (where you could put a certain character in links and anything after that would not be displayed in the address bar)
03:07am
02:52am
I just prefer the look of Internet Explorer
12:32pm
This problem also exists in Internet Explorer. Its called HTA. Using an HTA document, you could do the same exact thing in IE.
07:32pm
You can create a similar thing in HTML, and have it work for Internet Explorer. They have only addressed this in SP2: blogs.msdn
09:06pm
What's the difference between this and using javascript with bitmaps? Wouldn't it work in IE just as well, or better, since I can't middle-click on the link to open it in a new tab? That right there tells me it's not a web page, but a javascript window.
Can someone please inform me.
09:24am
"I feel sorry for the computer industry as a whole to suffer at the hands of such self-serving zealots" - this cracked me up! 'the computer industry as a whole' suffering! Like progress hasn't been stifled by Bill and the boys lately? Wake up.
09:49pm
(i enjoy the nature of argument, do not take anything personally, just that IE/firefox makes one hell of an argument
... )
http://browsehappy.com/why/
especially this one from slate magazine owned by microsoft, quite incredibly !!!!
http://slate.msn.com/id/2103152/
09:20am
http://secunia.com/internet_explorer_command_execution_vulnerability_test/
\"I just hope that the Mozilla community stops spouting Microsoft-bashing hype for a moment and does something about it. I\'m glad to be using IE6.\"
Glad that I am using Firefox.
01:13pm
http://secunia.com/advisories/12889/
http://www.jmcardle.com/?postid=77
01:10pm
02:43am