Mozilla have spent almost five years trying to solve the XUL spoofing vulnerability that affects their browsers. This hole affects the much-hyped Firefox, due for release this month. I've been having a look through Bugzilla to see how they're progressing:
Bug 22183, first raised in 1999:
There is a security vulnerability which allows window spoofing by using
Bug 252198 (duplicate):
Steps to Reproduce:
1. Go to any site with some deceptive XUL files
2. Enter credit card number
The default installation of Firefox will display a spoofed login page so real that even seasoned Firefox users will have trouble seeing the evil.
2004-07-19: Confirmed, scary... (Pascal Chevrel)
2004-07-19: IMO it's at least critical. (Oleg Sidletskiy)
And let's see how 22183 is doing:
2002-11-26: I get the impression from comments in this bug that "any code is better than no code, so we should check this in" (my paraphrase). That's clearly wrong; just as a matter of historical fact, Mozilla has had "too much code" in too many areas where it would have been better to do less, well. We're still digging out from under the combined weight in human and footprint/performance terms of such code. (Brendan, Mozilla Org)
2002-12-03: Do you really think that adding some lame-ass text to the window title bar is going to make even the slightest bit of difference, other than making us look like freaky geek morons?
Please, leave the uber-paranoia to Beonex, and let's get on with the REAL problems with our browser. (Ian Hixie)
I shudder to think what the "REAL" problems might be...
2003-02-22: I fail to see how we can _ever_ fix this problem. (Ian Hixie)
2004-08-03: We can't fix these issues piecemeal, with different people fixing UI elements in different bugs. Someone needs to make a coherent decision and I believe that someone is Ben, at least for Firefox. (Robert O'Callahan)
2004-08-05: I am weary of allowing websites to display XUL at all, except maybe in a jailed environment, as it seems a likely avenue for a security exploit. (Kris Maglione)
... but hold on, isn't your browser UI built entirely from XUL? It would seem a shame to trash your own enabling technology.
The wonders of collaborative open-source development, eh? At least I've seen some recent references to Microsoft's innovative SP2 features, so hopefully they have a good role model and a target to finally aim for.