Saturday, July 31, 2004

Secunia announced a fairly serious UI spoofing vulnerability in Mozilla Firefox and Mozilla. Essentially an attacker could pop up a window with a disabled status bar, menu bar and tool bar and draw his own versions using XUL (XUL is the XML-based UI design language that powers Mozilla). Here is a proof of concept, and you have to admit it's pretty scary. Try clicking on the padlock icon in the bottom left corner to see just how scary this is.

Someone on Slashdot posted a quick and dirty fix which is extremely useful. This fix basically ensures that the Menu bar, Status bar and Tool bar are always visible, even on popups. (Frankly, I believe this is good design. I don't see why site designers should be allowed to hide these things. Too often some moron site designer decides that I shouldn't be able to close a window, resize a window, or view the status bar. As a user, I should at least have an option to always keep these on if I want to.) Here is the fix:

  • Start Firefox and enter about:config in the URL bar

  • This should open a special page, the Firefox equivalent of a registry

  • In the filter bar on top, type dom.disable and hit enter to filter down to the entries we are interested in modifying

  • For the following entries, double click on them one at a time, and change false to true in the ensuing popup:

        dom.disable_window_open_feature.close
        dom.disable_window_open_feature.directories
        dom.disable_window_open_feature.location
        dom.disable_window_open_feature.menubar
        dom.disable_window_open_feature.minimizable
        dom.disable_window_open_feature.personalbar
        dom.disable_window_open_feature.resizable
        dom.disable_window_open_feature.scrollbars
        dom.disable_window_open_feature.titlebar
        dom.disable_window_open_feature.toolbar
        dom.disable_window_flip
        dom.disable_window_move_resize
        dom.disable_window_status_change

  • The last three entries might already be true if you've visited Tools | Options ... | Web Features | Javascript | Advanced ... and unchecked all but the last check box. (According to me it's a good idea if you do.)

After doing this, any attempt to spoof the browser interface will be obvious, and you'll see multiple menubars, multiple statusbars and multiple toolbars.
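If you would rather not click through thirteen entries on every profile, the same change can be written into the profile's user.js file, which Firefox reads at startup and applies over prefs.js. The script below is an added example, not part of the original post or the Slashdot fix; it assumes a POSIX shell and takes the path to a profile's user.js as an argument (the path itself is yours to supply).

```shell
#!/bin/sh
# Added example: persist the about:config changes above in a profile's user.js
# (read by Firefox at startup, overriding prefs.js) so they survive restarts and
# can be copied to other profiles. The profile path is supplied by the caller.

# The thirteen preferences from the post, one per line.
PREFS="dom.disable_window_open_feature.close
dom.disable_window_open_feature.directories
dom.disable_window_open_feature.location
dom.disable_window_open_feature.menubar
dom.disable_window_open_feature.minimizable
dom.disable_window_open_feature.personalbar
dom.disable_window_open_feature.resizable
dom.disable_window_open_feature.scrollbars
dom.disable_window_open_feature.titlebar
dom.disable_window_open_feature.toolbar
dom.disable_window_flip
dom.disable_window_move_resize
dom.disable_window_status_change"

# add_spoof_prefs <path-to-user.js>
# Sets every preference above to true. An existing "false" line is rewritten
# in place rather than duplicated, because duplicate user_pref lines make it
# hard to see which value Firefox actually applied.
add_spoof_prefs() {
  userjs="$1"
  [ -f "$userjs" ] || : > "$userjs"
  for p in $PREFS; do
    if grep -qF "user_pref(\"$p\"," "$userjs"; then
      tmp="$userjs.tmp"
      sed "s|user_pref(\"$p\", *false);|user_pref(\"$p\", true);|" "$userjs" > "$tmp" \
        && mv "$tmp" "$userjs"
    else
      printf 'user_pref("%s", true);\n' "$p" >> "$userjs"
    fi
  done
}

# count_enabled <path-to-user.js>
# Prints how many of the preferences above are set to true, for a quick check
# after editing (13 means the whole list is in place).
count_enabled() {
  n=0
  for p in $PREFS; do
    grep -qF "user_pref(\"$p\", true);" "$1" && n=$((n + 1))
  done
  echo "$n"
}
```

Run it with Firefox closed, since Firefox rewrites prefs.js on exit; user.js is left alone, which is why the settings belong there.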

No fix is available from the Mozilla Foundation yet. However, here is the real bad news. This has been a known bug for 5 years! Yes, that's right, 5 years! It was marked as confidential, meaning that the developers knew how bad it was but chose to hide it from everyone anyway. This is the antithesis of Open Source. The reason Open Source software is supposed to be more secure is that all bugs are disclosed to the public. Making a bug confidential is exactly the approach taken by closed source companies. Security through obscurity doesn't work. Right now, there is a scramble to fix it, but that's after it was disclosed to the public by an external bughunter. This whole situation has been, at least in my eyes, the first serious blemish on the Mozilla Foundation. Another couple of goof-ups like this and I will seriously consider switching back to Internet Explorer after Windows XP Service Pack 2. (And the version of IE shipping in XPSP2 does ensure that the status bar is always visible.) And if that's not secure enough, there's always Opera.

And lest any Internet Explorer users reading this feel the need to gloat or be smug, need I remind you that Internet Explorer has been vulnerable to this for a long time. Here is a simple spoof page; a lot more can obviously be done using DHTML and Javascript. More common examples are those popup ads which pretend to be Windows dialogs and present "Ok" / "Cancel" buttons.

Update (August 1, 2004): According to this post on MozillaZine, this vulnerability has been fixed in the "nightlies" and a patch or a new release should hopefully be out soon containing the fix. Quoting tojofb's post on MozillaZine:
Using 7/19 nightly the spoof didn't work. I received a warning and also the address bar at the top displayed in yellow background.
