Saturday, July 31, 2004

Secunia announced a fairly serious UI spoofing vulnerability in Mozilla Firefox and Mozilla. Essentially an attacker could popup a window with a disabled status bar, menu bar and tool bar and draw his own versions using XUL (XUL is the XML based UI design language that powers Mozilla). Here is a proof of concept, and you have to admit it's pretty scary. Try clicking on the padlock icon in the bottom left corner to see just how scary this is.

Someone on Slashdot posted a quick and dirty fix which is extremely useful. This fix basically ensures that the Menu bar, Status bar and Tool bar are always visible, even on popups. (Frankly, I believe this is good design. I don't see why site designers should be allowed to hide these things. To often some moron site designer decides that I shouldn't be able to close a window, resize a window, or view the status bar. As I user, I should at least have an option to always keep these on if I want to.) Here is the fix:

  • Start Firefox and enter about:config in the URL bar

  • This should open a special page, the Firefox equivalent of a registry

  • In the filter bar on top, type dom.disable and hit enter to filter down to the entries we are interested in modifying

  • For the following entries, double click on them one at a time, and change false to true in the ensuing popup:

  • dom.disable_window_open_feature.close
    dom.disable_window_open_feature.directories
    dom.disable_window_open_feature.location
    dom.disable_window_open_feature.menubar
    dom.disable_window_open_feature.minimizable
    dom.disable_window_open_feature.personalbar
    dom.disable_window_open_feature.resizable
    dom.disable_window_open_feature.scrollbars
    dom.disable_window_open_feature.titlebar
    dom.disable_window_open_feature.toolbar
    dom.disable_window_flip
    dom.disable_window_move_resize
    dom.disable_window_status_change

  • The last three entries might already be true if you've visited Tools | Options ... | Web Features | Javascript | Advanced ... and unchecked all but the last check box. (According to me it's a good idea if you do.)

After doing this, any attempt to spoof the browser interface will be obvious, and you'll see multiple menubars, multiple statusbars and multiple toolbars.

No fix is available from the Mozilla Foundation yet. However, here is the real bad news. This has been a known bug for 5 years! Yes, that's right 5 years! It was marked as confidential, meaning that the developers knew how bad it was but chose to hide it from everyone anyway. This is the antithesis of Open Source. The reason Open Source software is supposed to be more secure is that all bugs are disclosed to the public. Making a bug confidential is exactly the approach taken by closed source companies. Security through obscurity doesn't work. Right now, there is a scramble to fix it but that's after it was disclosed to the public by an external bughunter. This whole situation has been, at least in my eyes, the first serious blemish on the Mozilla Foundation. Another couple of goof ups like this and I will seriously consider switching back to Internet Explorer after Windows XP Service Pack 2. (And the version of IE shipping in XPSP2 does ensure that the status bar is always visible). And if that's not secure enough, there's always Opera.

And lest any Internet Explorer users reading this are feel the need to gloat or be smug, need I remind you that Internet Explorer has been vulnerable to this for a long time. Here is a simple spoof page, a lot more can obviously be done using DHTML and Javascript. And more common examples are those particular popup ads which pretend to be Windows popups and present "Ok" / "Cancel" buttons.

Update (August 1, 2004): According to this post on MozillaZine, this vulnerability has been fixed in the "nightlies" and a patch or a new release should hopefully be out soon containing the fix. Quoting tojofb's post on MozillaZine:
Using 7/19 nightly the spoof didn't work. I received a warning and also the address bar at the top displayed in yellow background.

Thursday, July 29, 2004

So why is it that my generation and my time seems such a let down? Am I just romanticizing achievements of the past too much or is something really wrong with us? Why have the Nineties and Two Thousand And Somethings brought with them such short attention spans that we never follow up on what outraged or excited us a few hours ago? Some say that the reason that this is happening is that our brains simply have too much information to process and not enough time. Is that the reason or are we as a generation getting dumber? Yes, we do process more information than our fathers and mothers used too, but they too processed much more that their parents used too. After all, it was in the Sixties that television and FM radio really took off. Of course we have the Internet and cable TV, and maybe that's what is rotting our brains, or rather flooding them with too much crap. Saturation is the word in charge.

The scary thought that follows from all this how easy it is for us to be manipulated by the owners of the media infrastructure. Our minds face DDOS attacks every time we turn on the television, radio or computer (DDOS attack: (n), Distributed Denial Of Service attack, a way of disrupting the normal operation of a computer system connected to a network by making multiple requests for processed information from multiple locations.) Democracy was always a good deal for the rabble-rousers and now the rabble waits on a sofa with cola and chips.

Everybody agrees that democracy is a better system than fascist dictatorships (Everybody other than fascist dictators of course!), but is it really the best system? It was invented by the Greeks a really long time ago. Why hasn't anyone invented something better than that? Something that will protect the intellectual and the common man from themselves and each other. Something that will perhaps tackle the root of the problems with all systems of politics - man's tendency to not think? Perhaps it's because our rulers need their subjects who tend not to think. After all if they started to think, the rulers could very quickly lose their jobs.

All the news that I have read seems to point to the fact that the IQ of the human race has risen over the years. But perhaps we also need to factor in the fact that the set of problems and potential killer booboos we have to face, has also risen (killer booboo: (n), event which could lead to the mass extinction of the human race, or at least kill an awful bloody lot of us.) So, is there any hope for my generation at all, or are we simply going to be content with rants on blogs with 5 page hits a day and the next channel on the TV? We are a generation of cowardly cynics and are being ruled by a generation of idiotic control freaks. Pointy haired bosses are funny in Dilbert's cubicle but fairly chilling if they are going to run your life the way they seem fit. Forever. What we really need is a way to prevent our rulers from handing over our reins to the next generation of morons (And believe me the next generation is dumber and more controlling), and a way to get hold of them ourselves. I think we're going to be too busy to bother.

Wednesday, July 28, 2004

Just this morning, the hit count for this blog was 999, now it's 1001! Thank you whoever you were mysterious 1000th visitor. (Look in the bottom right corner if you have no clue.)

(And yes, post count also went to 50 posts with that previous post about spell checkers. This is cause for celebration, I am going to party tonight and would advise all readers of this blog to do the same. Elvis has left the building.)

Tuesday, July 27, 2004

I just discovered a very very useful extension for Firefox, Spellbound, a spelling checker for anything you type into a web form.

What's shameful is that this is not listed on any of the usual Firefox extension sites, neither Texturizer, Extension Room nor Firefox Update list it. And it's so useful it should probably be a part of the basic browser. One more example of open source's tendency of smashing it's own toes with glee!

(Now you have no excuses for bad spelling)

Thursday, July 22, 2004

Finally found a book (a normal book, not a comic book) which I can read without falling asleep and dreaming of comic books - The Long Dark Tea-Time of the Soul, by Douglas Adams. I just wish that Mr. Adams hadn't gone to the Happy Place where dead writers go, so early in life.

Tuesday, July 13, 2004

Just a little addendum to the previous post.

Maybe I should change that sidebar of mine to read, "Save Yourself From A Horrible Fiery Death"...

Any comments and flames are welcome.

Saturday, July 10, 2004

This is the longest I time I have spent without writing, and for some reason it's not really bothering me as much as it should. I think this is happening because I am busy enough with work and algorithms and commuting. It's strange but I believe my creativity is simply finding more outlets at work.

I can write about mundane things I suppose such as Spiderman 2 and Fahrenheit 9/11, but I don't really think that will be in the spirit of this blog. So instead I'll just talk about how more and more people I know seem to be shifting to Firefox from IE. It was inevitable I guess. Microsoft last released the last version of IE in 2001 and there haven't been any features added since. Add to that the fact that malcontents on the Internet seem to be eager to find vulnerabilities in IE and exploit them.

I switched browsers when the URL phishing vulnerability for IE was announced. Microsoft took a whole month to fix that. Until they did the recommended workaround in the Microsoft Knowledge Base was to type out the URL for each link that you were planning to click! (If you don't believe me read the third bulleted point in the Knowledge Base Article.) The phishing vulnerability allowed malicious users to fool you into believing you were browsing on a trusted site (like Microsoft.com) when in fact you were getting pages from a malicious site (like some criminal server in Russia intent on getting you to enter you credit information.) Microsoft took a week to fix the Download.Ject vulnerability and even then they did not fix it properly. Download.Ject exploited a IE vulnerability and allowed people get infected by trojan software by simply visiting a malicious website. The Download.Ject trojan software would then find and send sensitive information (bank account numbers, credit card numbers) to the malicious website owners. The Mozilla shell vulnerability, which would allow for the execution of arbitrary EXE files on you computer if you followed a "shell:" link, was patched within 24 hours of it's announcement.

I don't really care if software is open source or not as long as the price is right - Internet Explorer and Mozilla Firefox are both free. I do care that the software I use is secure enough to protect my privacy and my money. Internet Explorer and Microsoft have failed in that respect. I'll go back to them when Firefox and the Mozilla Foundation fail. I don't use a cheap, easily breakable lock on my door, why should I use a cheap, easily breakable browser.

Wednesday, July 07, 2004

"Who found the tail?"
"I", said Pooh,
"At a quarter to two"
"(Only it was a quarter to eleven really)"
"I found the tail!"