mailing list archives
Re: Fwd: New possible scam method : forged websites using XUL (Firefox)
From: "Peter J. Holzer" <hjp () wsr ac at>
Date: Tue, 3 Aug 2004 09:42:28 +0200
On 2004-08-02 13:15:49 -0000, Justin Polazzo wrote:
In-Reply-To: <20040730210508.GT19188 () securityfocus com>
"The security implications of
this trick were considered as early as 1999 in Mozilla Bug 22183
(http://bugzilla.mozilla.org/show_bug.cgi?id=22183). However, the
Mozilla Foundation has kept the Bug confidential until recently,
when a researcher noted the problem and published a
particularly-effective demonstration, spoofing a "PayPal" login
site (see http://www.nd.edu/~jsmith30/xul/test/spoof.html)."
5 Years to fix a vuln? I am not sure if even Microsoft has been that
slow to confront a security flaw. Has anyone heard an explanation as
to why this was kept confidential and swept under the rug until now?
You can read the bug yourself, but here is a short history of the bug:
It looks like the original vulnerability required the user to download
and install some XUL, and nobody took that serious.
In 2002, people started discussion the paper by Zishuang Ye and Sean
Smith and general spoofing prevention. However, nobody came up with a
good idea, so the discussion sort of died off. (The problem with this
vulnerability is that it's a user interface problem: You need to come up
with some way to distinguish trusted from untrusted chrome in a way
which is intuitive, impossible to fake and unobtrusive at the same time.
People won't use a browser which puts a blinking border around each
window, and it doesn't help if they have to press some obscure key
sequence to find out whether a page is spoofed)
That's not that uncommon with Mozilla. You can find quite a few bugs
which are several years old and never fixed. Open source (and even an
open bug tracking system) is not a garantuee for quick fixes.
_ | Peter J. Holzer | Shooting the users in the foot is bad.
|_|_) | Sysadmin WSR / LUGA | Giving them a gun isn't.
| | | hjp () wsr ac at | -- Gordon Schumacher,
__/ | http://www.hjp.at/ | mozilla bug #84128