a bug-fixing farce
Mozilla have spent almost five years trying to solve the XUL spoofing vulnerability that affects their browsers. This hole affects the much-hyped Firefox, due for release this month. I've been having a look through Bugzilla to see how they're progressing:
Bug 22183, first raised in 1999:
There is a security vulnerability which allows window spoofing by using downloadable XUL.
Bug 252198 (duplicate):
BUG DESCRIPTION:
Reproducible: Always
Steps to Reproduce:
1. Go to any site with some deceptive XUL files
2. Enter credit card number
3. p0wnd!
Actual Results:
The default installation of Firefox will display a spoofed login page so real that even seasoned Firefox users will have trouble seeing the evil.
2004-07-19: Confirmed, scary... -- Pascal Chevrel
2004-07-19: IMO it's at least critical -- Oleg Sidletskiy
And let's see how 22183 is doing:
2002-11-26: I get the impression from comments in this bug that "any code is better than no code, so we should check this in" (my paraphrase). That's clearly wrong; just as a matter of historical fact, Mozilla has had "too much code" in too many areas where it would have been better to do less, well. We're still digging out from under the combined weight in human and footprint/performance terms of such code. -- Brendan (Mozilla Org)
2002-12-03: Do you really think that adding some lame-ass text to the window title bar is going to make even the slightest bit of difference, other than making us look like freaky geek morons?
Please, leave the uber-paranoia to Beonex, and let's get on with the REAL problems with our browser. -- Ian Hixie
I shudder to think what the "REAL" problems might be...
2002-12-03: We already say [Javascript Application] on alerts, we already allow the user to disable the disabling of the status bar, and so forth. Without making ourselves the laughing stock of the Web browser implementer community, there is little more we can do. -- Ian Hixie
2003-02-22: I fail to see how we can _ever_ fix this problem. -- Ian Hixie
2004-08-03: We can't fix these issues piecemeal, with different people fixing UI elements in different bugs. Someone needs to make a coherent decision and I believe that someone is Ben, at least for Firefox. -- Robert O'Callahan
2004-08-05: I am weary of allowing websites to display XUL at all, except maybe in a jailed environment as it seems a likely avenue for a security exploit. -- Kris Maglione
... but hold on, isn't your browser UI built entirely from XUL? It would seem a shame to trash your own enabling technology.
The wonders of collaborative open-source development, eh? At least I've seen some recent references to Microsoft's innovative SP2 features, so hopefully they have a good role model and a target to finally aim for.
07/09/04 2:03am
I'll say this once and only once. Microsoft's products have always and will always continue to be riddled with bugs that are either never reported, or suppressed so that no one knows of them. SP2? Funny, last I checked not everyone has the memory or system resources to spare to other upgrading.
Please return to the company that time after time thumbs its nose at the Standards, in an attempt to make its own.
7:59pm
If someone wants to enter their credit card whenever a form tells them to then to do so!
I fail to see how XUL can be so deceptive and other technologies are not! HTML can be far more deceptive, as the latest phishing scams have highlighted. As for SP2, it was needed as phishing scams were so successful due to IE security flaws.
It's more of an issue regarding making the user aware of risks, rather than ranting about security flaws!
5:02pm
Although software is always in the process of improvement, MS receives large amounts of money. While computers and hardware get cheap when they get sold by the dozens, MS gets expensive all the while! And for that we have to put up with it! We have had enough of MS, and we need SOME kind of alternative.
4:37pm