Mozilla Firefox vulnerability!

Discussion of general topics about Mozilla Firefox
MORA
Posts: 1192
Joined: May 17th, 2003, 1:30 pm
Location: The Netherlands

Post by MORA »

Whatever it is, bug or feature, it is bad publicity.

http://it.slashdot.org/it/04/07/31/0037 ... 28&tid=172
They're funny things, Accidents. You never have them till you're having them - Winnie the Pooh
RandomUser
Posts: 727
Joined: July 7th, 2004, 10:52 am

Post by RandomUser »

I'm VERY disappointed in the Mozilla development team. Not so much for the existence of the bug as much as the attempted dishonest cover-up. According to that Slashdot discussion, this bug was discovered 5yrs ago and labeled CONFIDENTIAL for 5 yrs.

At the very least, the default behavior should disallow hiding the menubar and location bar. I've just done as a poster in this thread suggested and gone into my about:config to change the pref value to "true" for disallowing removing the Menubar and URL bar. I shouldn't have had to mess around with the guts of the system to do that. This won't stop the exploit, but makes it more obvious and harder to fall prey to scammers using it. This setting should be the default, and I hope it is in the next version of Firefox. Especially since there's no way to patch this bug because it's a "feature."

And saying that this same bug/feature exists in IE and any other browser, and is not patchable, is not an excuse. We EXPECT IE to have this type of crap.
michaell522
Posts: 2417
Joined: November 4th, 2002, 4:47 pm
Location: London, UK

Post by michaell522 »

RandomUser wrote:I'm VERY disappointed in the Mozilla development team. Not so much for the existence of the bug as much as the attempted dishonest cover-up. According to that Slashdot discussion, this bug was discovered 5yrs ago and labeled CONFIDENTIAL for 5 yrs.

Apparently all the recent comments in the old bug are arguing about whether it should be opened up or not. The discussion/argument about security policy has been going on for years. The policy is that bugs about security issues stay closed until they are published elsewhere, or until there has been a release of all the products containing the fix. And even then, it can take a while for them to get around to opening the bugs up.

At the very least, the default behavior should disallow hiding the menubar and location bar.
...
And saying that this same bug/feature exists in IE and any other browser, and is not patchable, is not an excuse. We EXPECT IE to have this type of crap.

The trouble is that having the URL bar always showing will screw up some web apps which pop-up small windows as "dialogs" to control the web app. Making the status bar show always is less of a problem in that respect. Anyway, I imagine they'll change something before the next release - exactly what will change is still under discussion.
RandomUser
Posts: 727
Joined: July 7th, 2004, 10:52 am

Post by RandomUser »

Well, I guess I can take comfort in the fact that this same bug/feature exists in IE :)
Robert S.
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post by Robert S. »

Are there any browsers that don't usually allow this to one degree or another? I've always used products like Proxomitron to prevent this behaviour and truly don't know if there are browsers that don't allow this by default.
Tradnor
Posts: 22
Joined: June 6th, 2004, 4:51 am

Post by Tradnor »

If this isn't a vulnerability, why was it kept confidential?
If this is a vulnerability, it should be fixed.
scratch
Posts: 4942
Joined: November 6th, 2002, 1:27 am
Location: Massachusetts

Post by scratch »

RandomUser wrote:Well, I guess I can take comfort in the fact that this same bug/feature exists in IE :)


...and Opera, and Safari, and Konqueror, and K-Meleon, and Netscape, and every other browser that supports javascript.
BenBasson
Moderator
Posts: 13671
Joined: February 13th, 2004, 5:49 am
Location: London, UK

Post by BenBasson »

Christ, will you people stop bumping this thread constantly? This is soooo not a vulnerability in any way, although I support preventing the hiding of the statusbar by default.
Insurgent
Posts: 17
Joined: November 5th, 2002, 3:04 am

Post by Insurgent »

This is a vulnerability though it's also a useful capability.
I think the easiest solution is just like what has been done with applet windows since forever. Any detached window should be marked with "Warning: XUL Application window" on a non-hideable, non-coverable bar at the top/bottom.
I also think that any bugs still marked "confidential" need to be addressed and made public before the final 1.0 release. Keeping them confidential while they are being fixed is one thing, but 5 years...either it's a vulnerability or it's not, but don't keep it secret for 5 years. That's the MS way and I feel it's very unbecoming of the Moz team and will cause people to rapidly lose confidence in them.
The rapid response to the Shell: problem was excellent and confidence inspiring. This is not.
Robert S.
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post by Robert S. »

I personally prefer that any potential vulnerabilities are not made public until after they appear in the wild... this keeps anyone that doesn't know about it from trying to exploit it. As far as this particular vulnerability goes - I agree with Scratch and Cusser. I personally see it along the same lines as receiving an executable as an email attachment... and I am quite aware that everyone else may see it differently.
brianstop
Posts: 92
Joined: July 18th, 2004, 10:55 pm

Post by brianstop »

What bothers me is the lack of information of any use to Firefox's users. I know it's a volunteer effort and respect that these people have lives away from Firefox--but at times like these I wonder how that model can really work? Who's in charge? How do you allocate resources in a crisis? The typical hierarchical structure of a work environment--no matter how pagan or unwieldy--sure is more efficient when things go wrong.

I've searched for news on this (perhaps I'm not looking in the right place--I used Google). I found an article dated the 27th where Mozilla said there would be a fix in about a week (cnet or news.com) and I found an article where Mozilla had promised to pay a bounty if you found a bug (that will be a mess).

So what's going on so far as Joe User is concerned?
Freyr
Posts: 81
Joined: July 17th, 2004, 11:34 am
Location: Missouri,USA

Post by Freyr »

Please post in this message about this subject. It's the same and it's been around longer.
http://forums.mozillazine.org/viewtopic ... 4&start=45
RandomUser
Posts: 727
Joined: July 7th, 2004, 10:52 am

Post by RandomUser »

I'll post in the older thread as requested, but I want to answer a direct question in this thread first.

mart44 wrote:Regarding the preferences that need changing to stop the bars being altered. Are these the ones found in: Tools > Options > Web Features > Advanced. Then you untick the boxes in the Advanced JavaScript Options?



The prefs I changed were accessed through about:config. Open a new window. Type ABOUT:CONFIG into the address bar, then enter. Scroll down the list (it's in alphabetical order) and you'll find the entries

dom.disable_window_open_feature.location
dom.disable_window_open_feature.menubar
dom.disable_window_open_feature.status

(I changed these three, but there are other pref values you can change also)

Right click on each of those entries and select "modify" from the context menu. Then change the value "false" to "true" and enter. Then close the browser and restart Firefox.

Now click on the spoof test (you can find them here http://www.nd.edu/~jsmith30/xul/test/spoof.html ) and you'll see that the scam is easy to recognize so that you won't fall for it.
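The mechanism behind the spoof and behind the three about:config prefs above, as an added example that is not from this thread or from Mozilla's code: a spoofing page calls `window.open()` with a feature string such as `location=no,menubar=no,status=no` so that it can paint its own fake address and status bars; a `dom.disable_window_open_feature.<name>` pref set to `true` means the page is no longer allowed to turn that element off. The feature-string rules modelled here (an empty string gives full chrome; a non-empty string turns off every chrome element it does not name) are an approximation of Firefox's behaviour at the time, stated as an assumption, and `SPOOF_FEATURES` is a constructed input, not the string used by the nd.edu test page.

```javascript
// Added example, not code from the original thread or from Firefox itself.
// Models how dom.disable_window_open_feature.* prefs override the third
// argument of window.open(). The feature-string semantics are an assumption
// approximating Firefox's historical behaviour, not a quote of the spec.

// Chrome elements a page may request to hide via window.open() features.
const CHROME_FEATURES = ["location", "menubar", "status", "toolbar",
                         "personalbar", "scrollbars", "resizable"];

// Parse "location=no,menubar=0,status,width=300" into
// { location: false, menubar: false, status: true, width: 300 }.
function parseFeatures(featureString) {
  const parsed = {};
  if (!featureString || !featureString.trim()) return parsed;
  for (const item of featureString.split(",")) {
    const [rawKey, rawValue] = item.split("=");
    const key = rawKey.trim().toLowerCase();
    if (!key) continue;
    if (rawValue === undefined) { parsed[key] = true; continue; } // bare name = on
    const v = rawValue.trim().toLowerCase();
    if (v === "yes" || v === "1" || v === "true") parsed[key] = true;
    else if (v === "no" || v === "0" || v === "false") parsed[key] = false;
    else { const n = Number(v); parsed[key] = Number.isNaN(n) ? false : n; }
  }
  return parsed;
}

// Compute which chrome elements the new window actually shows.
// prefs: pref name -> value, e.g. { "dom.disable_window_open_feature.location": true }.
// Assumption: an empty feature string means full chrome; a non-empty string means
// every chrome feature it does not name is off.
function effectiveChrome(featureString, prefs = {}) {
  const requested = parseFeatures(featureString);
  const hasAny = Object.keys(requested).length > 0;
  const shown = {};
  for (const feature of CHROME_FEATURES) {
    let visible = hasAny ? requested[feature] === true : true;
    // A pref set to true forbids the page from disabling this element.
    if (prefs[`dom.disable_window_open_feature.${feature}`] === true) visible = true;
    shown[feature] = visible;
  }
  return shown;
}

// The trust indicators a spoof page needs hidden so its fakes are not contradicted.
function spoofIndicatorsHidden(shown) {
  return ["location", "menubar", "status"].filter((f) => !shown[f]);
}

// Constructed feature string of the kind a spoofing page passes to window.open().
const SPOOF_FEATURES = "location=no,menubar=no,status=no,toolbar=no,width=640,height=480";

// The three prefs flipped in about:config above. In user.js the same settings read
// user_pref("dom.disable_window_open_feature.location", true); and so on.
const LOCKED_PREFS = {
  "dom.disable_window_open_feature.location": true,
  "dom.disable_window_open_feature.menubar": true,
  "dom.disable_window_open_feature.status": true,
};

// Stand-alone run: with default prefs the page hides all three indicators;
// with the locked prefs none of them can be hidden.
console.log("default prefs:", spoofIndicatorsHidden(effectiveChrome(SPOOF_FEATURES)));
console.log("locked prefs: ", spoofIndicatorsHidden(effectiveChrome(SPOOF_FEATURES, LOCKED_PREFS)));
```

The model also shows why the Tools > Options checkbox is only a partial answer: it maps to the `status` pref alone, while the location bar and menubar each have their own pref that must be set separately.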
scratch
Posts: 4942
Joined: November 6th, 2002, 1:27 am
Location: Massachusetts

Post by scratch »

Tools > Options > Web Features > Advanced accomplishes exactly the same thing as those about:config prefs.
RandomUser
Posts: 727
Joined: July 7th, 2004, 10:52 am

Post by RandomUser »

scratch wrote:Tools > Options > Web Features > Advanced accomplishes exactly the same thing as those about:config prefs.


Not all of them. Of the three prefs I changed, I don't see menubar or address bar there. I do see the status bar pref and others there. But of the specific three options I changed, only one of them could have been changed through tools>options>web features> advanced.