Someone on Slashdot posted a quick and dirty fix which is extremely useful. This fix basically ensures that the Menu bar, Status bar and Tool bar are always visible, even on popups. (Frankly, I believe this is good design. I don't see why site designers should be allowed to hide these things. Too often some moron site designer decides that I shouldn't be able to close a window, resize a window, or view the status bar. As a user, I should at least have an option to always keep these on if I want to.) Here is the fix:
- Start Firefox and enter about:config in the URL bar
- This should open a special page, the Firefox equivalent of a registry
- In the filter bar on top, type dom.disable and hit enter to filter down to the entries we are interested in modifying
- For the following entries, double click on them one at a time, and change false to true in the ensuing popup:
After doing this, any attempt to spoof the browser interface will be obvious, and you'll see multiple menubars, multiple statusbars and multiple toolbars.
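The same change can be applied outside the about:config UI by writing the preferences into the profile's user.js, which Firefox reads at startup and which overrides prefs.js. The script below is an added example, not the Slashdot fix as posted; the three preference names it writes (dom.disable_window_open_feature.menubar, .toolbar and .status) are the entries that the "dom.disable" filter turns up in Firefox builds of this era, and the profile directory path is whatever the reader supplies.

```shell
#!/bin/sh
# Added example: lock the menu bar, tool bar and status bar on for all
# windows (popups included) by writing the dom.disable_window_open_feature.*
# preferences into a Firefox profile's user.js.
# Assumption: the preference names below are the ones the about:config
# filter "dom.disable" shows; they are from my knowledge, not from the post.

lock_chrome_prefs() {
    profile_dir="$1"
    [ -d "$profile_dir" ] || { echo "no such profile dir: $profile_dir" >&2; return 1; }
    userjs="$profile_dir/user.js"
    for feature in menubar toolbar status; do
        pref="dom.disable_window_open_feature.$feature"
        # Remove any existing line for this pref first, so the file never
        # carries a stale "false" next to the new "true".
        if [ -f "$userjs" ]; then
            grep -v "\"$pref\"" "$userjs" > "$userjs.tmp" || true
            mv "$userjs.tmp" "$userjs"
        fi
        printf 'user_pref("%s", true);\n' "$pref" >> "$userjs"
    done
}

# Count how many dom.disable_window_open_feature.* prefs a profile's user.js
# sets to true; a fully locked profile returns 3 for the three written above.
count_locked_prefs() {
    userjs="$1/user.js"
    [ -f "$userjs" ] || { echo 0; return; }
    grep -c 'user_pref("dom.disable_window_open_feature\.[a-z]*", true);' "$userjs" || true
}

# Usage: lock_chrome_prefs ~/.mozilla/firefox/<profile>/ ; restart Firefox afterwards.
```

Run it against a profile directory while Firefox is closed, then restart the browser; because user.js is re-read on every start, the lock survives even if the values are later flipped back in about:config.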
No fix is available from the Mozilla Foundation yet. However, here is the real bad news. This has been a known bug for 5 years! Yes, that's right, 5 years! It was marked as confidential, meaning that the developers knew how bad it was but chose to hide it from everyone anyway. This is the antithesis of Open Source. The reason Open Source software is supposed to be more secure is that all bugs are disclosed to the public. Making a bug confidential is exactly the approach taken by closed source companies. Security through obscurity doesn't work. Right now, there is a scramble to fix it, but that's after it was disclosed to the public by an external bughunter. This whole situation has been, at least in my eyes, the first serious blemish on the Mozilla Foundation. Another couple of goof-ups like this and I will seriously consider switching back to Internet Explorer after Windows XP Service Pack 2. (And the version of IE shipping in XPSP2 does ensure that the status bar is always visible.) And if that's not secure enough, there's always Opera.
Update (August 1, 2004): According to this post on MozillaZine, this vulnerability has been fixed in the "nightlies" and a patch or a new release should hopefully be out soon containing the fix. Quoting tojofb's post on MozillaZine:
Using 7/19 nightly the spoof didn't work. I received a warning and also the address bar at the top displayed in yellow background.