Latest Firefox reintroduces 7-year-old security flaw

  1. #1 Black Cluster (In And Above Man; Join Date: Feb 2005; Posts: 912)

    Latest Firefox reintroduces 7-year-old security flaw

    Under which category does this flaw introduction fall?

    Actually, I liked the part of the countermeasure in which they advise users to close all windows/tabs before the phase {Session} of entering sensitive data ....

    Any comments?
    New versions of the Mozilla Foundation's browsers have reintroduced a 7-year-old flaw that makes them vulnerable to spoofing attacks, security advisory company Secunia said yesterday.
    Secunia first publicized the flaw last summer, warning that a feature built into most browsers for years was a security liability. The firm argued that a feature allowing one Web page to load arbitrary content into a frame of another page could allow an attacker to, for example, substitute his own log-in window on a bank's Web site. The feature was found in Internet Explorer, Mozilla, Opera, Safari and Mozilla derivatives such as Konqueror.

    "We believe that it is important that Microsoft and the other vendors seriously consider the minor gains from such 'functionality' against the possible consequences for their customers," said Secunia Chief Technology Officer Thomas Kristensen last summer at the time of the flaw. "In our opinion, this is a vulnerability and should be treated as such, whether the vendors implemented this intentionally or not."

    Most browser vendors, including Mozilla, agreed and updated their products to remove the feature. But it has been reintroduced in Firefox 1.0.4, Mozilla 1.7.8 and Camino 0.x, according to the firm. Secunia has published an online demonstration of the flaw.

    The new vulnerability is a slight variation of the flaw fixed last year, Secunia said.

    The Mozilla Project said it is investigating the report, and a moderator of the organization's online support site said the flaw had not been exploited. "To protect yourself, close all other windows/tabs before accessing a site where you routinely put in a secure password (your bank or PayPal account), or your bank or credit card details (e.g., Amazon), or other sensitive data," the moderator said.
    Source
    "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts" ..... Spaf
    Every time I learn a new thing, I discover how ignorant I am. - ... Black Cluster

  2. #2 Senior Member (Join Date: Jan 2005; Posts: 217)

    scary again

    Black Cluster,

    Hi mate! How are you?

    Indeed a great read again... It is a scary scenario finding out that someone could fall into some trap of phishing if not informed or aware of this vulnerability. Especially people who do business online. I have tried it with my IE and it really works. SCARY INDEED.

    Thanks for the info.

    Yo!
    "Life without FREEDOM is no life at all". - William Wallace
    MyhomE MyboX StealtH (loop n. see loop.)

  3. #3 Senior Member (Join Date: Nov 2001; Posts: 1,255)
    It's sad that something lauded by several large security groups as being far superior to IE had to go and make such a large mistake. For a few months now I've been pushing Firefox as a superior browser, and to an extent it probably still is, but it doesn't bode well for the group to have made such a serious (image-wise) blunder.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  4. #4
    Software development is hard, especially testing and debugging. You'd think they'd go over all known vuln's before a release to make sure nothing opened up. :/

    They have a lot of pressure on them to be quicker with patches, it's part of the benefit of using their browser.

  5. #5 Black Cluster (In And Above Man; Join Date: Feb 2005; Posts: 912)
    Testing is a pain in the neck for all programmers .... but falling into the same mistake twice is no good for the reputation of the company ....

    The pitfalls of this sort of thing can be exploited against the company on a very large scale .... Especially as the competition in the browser market is becoming fiercer and fiercer .... and you know MS is really great at this sort of thing .. I mean PR campaigns against competitors
    "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts" ..... Spaf
    Every time I learn a new thing, I discover how ignorant I am. - ... Black Cluster

  6. #6 gore (Senior Member; Join Date: Oct 2002; Location: Michigan; Posts: 7,177)
    A little more about this: for now, if you haven't patched, just don't have any tabs open if you're logging into your bank or something. The reason it was put there was functionality, which is of course no excuse, but it wasn't there to be a problem, and the area it hurts you is if you have open tabs.

  7. #7 thehorse13 (Master-Jedi-Pimps0r & Moderator; Join Date: Dec 2002; Location: Washington D.C. area; Posts: 2,884)
    This tells me that the Mozilla folks have a flawed code check-in/check-out process. Typically, when one coder works on a section of the tree, it has to be QAed before it's checked back in. Looks like this didn't happen.

    I'm willing to bet that the product is still superior and once this operational issue is cleared up, things should be back on track.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8 Senior Member (Join Date: Jan 2002; Posts: 1,207)
    Originally posted here by thehorse13:
        This tells me that the Mozilla folks have a flawed code check-in/check-out process. Typically, when one coder works on a section of the tree, it has to be QAed before it's checked back in. Looks like this didn't happen.
    No, I don't believe anything of the sort.

    The fact that their test suite didn't contain a test for this particular elderly vulnerability doesn't surprise me in the least. They (i.e. Netscape) probably didn't use that level of diligence 7 years ago (When Gecko was first being developed).

    In any case, the vulnerability would be very difficult to exploit in a real-world scenario, because the attacker's site wouldn't have any way of knowing the names of other browser windows which happened to be open at the time to attack them.

    If it attempted to send content into a window which was not open, it would open a new window, so the user would be bound to notice. At least, if it wasn't blocked by a popup blocker (which typically, it would be).

    I wonder if a popup blocker makes this exploit easier (albeit still incredibly improbable).

    Slarty

  9. #9 Banned (Join Date: Jun 2005; Posts: 445)
    Things like this happen, especially when you have a codebase as diverse as that of Firefox/Mozilla. The point is, Mozilla is open about vulnerabilities, and very diligent about patching them. I believe the fact that an old vulnerability resurfaced is definitely outweighed by the fact that said vulnerability is patched in a reasonable amount of time.
