The diary and photos of Chris Beach. I'm into windsurfing, coding, badminton, drawing and composing music using computers and synths.


comment on journal entry: the fundamental security flaw in Mozilla browsers

  • I'm confused
    What's the difference between this and using javascript with bitmaps? Wouldn't it work in IE just as well, or better, since I can't middle-click on the link to open it in a new tab? That right there tells me it's not a web page, but a javascript window.

    Can someone please inform me. [Brad] [reply]
    • javascript vs xul
      You are probably thinking of a javascript technique as described here:

      http://www.siteexperts.com/tips/techniques/ts05/page1.asp

      However, this javascript/html would never recreate the real look and feel of the user's browser. The behaviour of javascript elements would be slow and clunky, and the page would be rendered bit by bit. Most importantly, it would not match the individual setup of the user's browser. Right-clicking on anything would produce the wrong context menu. Experienced users would instantly know it was fake.

      With the huge bug in Mozilla, one is allowed to use all the core components of the browser, even assuming the user's current theme. It's a ghastly situation because not even an experienced user would be able to spot the spoof until it was too late.

      The Firefox browser is written in XUL, and will execute remote XUL from any website without so much as a flicker of warning. XUL is very different from html/javascript:

      According to Mozilla:

      "The goal of XUL is to build cross platform applications, in contrast to DHTML which is intended for developing web pages."

      "XUL blurs the distinction between desktop application and Internet browser apps because it is firmly entrenched in both worlds" [Chris Beach] [reply]
      • ...And Repeat...
        XUL uses JavaScript to open new windows, so the difference in that respect is non-existent. In IE, the speed of opening a new dialog via JS is no different to the system opening one.

        You would only need to spoof the status bar and address in IE, so right-clicking doesn't factor. In fact, you would use JavaScript to deactivate selections and right-clicking on the spoofed bar.

        Therefore, the equivalent 'huge bug' in IE also allows you to use the default theme and customised system colours of IE. IE will display remote HTML, CSS and JS without a warning -- because this is what it was made to do. An experienced user wouldn't be able to spot the spoof in IE, because there would be no indication it's happening. [Marcus] [reply]
        • clarification
          "You would only need to spoof the status bar and address in IE, so right-clicking doesn't factor"

          There's no simple one-step way to "spoof the address" in IE. This may once have been a vulnerability but I certainly can't find any ways to make it happen in the current version of IE. In Mozilla it's easy, just pop a reference to the core component into your XUL and then you can give it any string you want to display as an address. It's too easy.

          With XUL we're not talking about cloning the feature set of DHTML. It's more powerful than that; it's more difficult to distinguish a spoof Firefox browser than a spoof DHTML IE. XUL was designed from day 1 to be the language in which the Firefox UI was written. If DHTML had the same sophistication, why bother coming up with XUL as a new standard?

          I have seen many claims that IE's interface can be spoofed. I have seen no evidence. Present something as convincing as this and then we can conclude this thread:

          http://www.nd.edu/~jsmith30/xul/test/spoof.html [Chris Beach] [reply]
