Latest Firefox reintroduces 7-year-old security flaw

[Black Cluster]

Under which category does this falw introduction fall?

Actually, I liked the part of the countermeasure, in which they advise users to close all windows/tabs before the phase {Session} of entering sesetive data ....

Any comments?

New versions of the Mozilla Foundation's browsers have reintroduced a 7-year-old flaw that makes them vulnerable to spoofing attacks, security advisory company Secunia said yesterday.
Secunia first publicized the flaw last summer, warning that a feature built into most browsers for years was a security liability. The firm argued that a feature allowing one Web page to load arbitrary content into a frame of another page could allow an attacker to, for example, substitute his own log-in window on a bank's Web site. The feature was found in Internet Explorer, Mozilla, Opera, Safari and Mozilla derivatives such as Konqueror.

"We believe that it is important that Microsoft and the other vendors seriously consider the minor gains from such 'functionality' against the possible consequences for their customers," said Secunia Chief Technology Officer Thomas Kristensen last summer at the time of the flaw. "In our opinion, this is a vulnerability and should be treated as such, whether the vendors implemented this intentionally or not."

Most browser vendors, including Mozilla, agreed and updated their products to remove the feature. But it has been reintroduced in Firefox 1.0.4, Mozilla 1.7.8 and Camino 0.x, according to the firm. Secunia has published an online demonstration of the flaw.

The new vulnerability is a slight variation of the flaw fixed last year, Secunia said.

The Mozilla Project said it is investigating the report, and a moderator of the organization's online support site said the flaw had not been exploited. "To protect yourself, close all other windows/tabs before accessing a site where you routinely put in a secure password (your bank or PayPal account), or your bank or credit card details (e.g., Amazon), or other sensitive data," the moderator said.

Source

[scratchONtheBOX]

Black Cluster,

Hi mate! How are you?

Indeed a great read again... It is a scary scenario finding out that someone could fall into some trap of phishing if not informed or aware of this vulnerability. Especially people who do business online. I have tried it with my IE and it really works. SCARY INDEED.

Thanks for the info.

Yo!

[chsh]

It's sad that something lauded by several large security groups as being far superior to IE had to go and make such a large mistake. For a few months now I've been pushing Firefox as a superior browser, and to an extent it probably still is, but it doesn't bode well for the group to have made such a serious (image-wise) blunder.

[Soda_Popinsky]

Software development is hard, especially testing and debugging. You'd think they'd go over all known vuln's before a release to make sure nothing opened up. :/

They have a lot of pressure on them to be quicker with patches, it's part of the benefit of using their browser.

[Black Cluster]

Testing is a pain in the nick for all programmers .... but falling in the same mistake twice is no good for the reputation of the company ....

The pitfalls of this sort of things can be exploited against the company on a very larg scale .... Especially the compteition in the browser market is becoming fiercer and fiercer .... and you know MS is really great i this sort of things .. I mean PR campaigns against competitors

[gore]

A little more about this, for now if you haven't patched, just don't have any tabs open if you're logging into your bank or something. The reason it ws put there was functionality, which is of course no excuse, but it wasn't there to be a problem, and the area it hurts you is if you have open tabs.

[thehorse13]

This tells me that the Mozilla folks have a flawed code check-in/check-out process. Typically, when one coder works on a section of the tree, it has to be QAed before it's checked back in. Looks like this didn't happen.

I'm willing to bet that the product is still superior and once this operational issue is cleared up, things should be back on track.

[slarty]

Originally posted here by thehorse13
This tells me that the Mozilla folks have a flawed code check-in/check-out process. Typically, when one coder works on a section of the tree, it has to be QAed before it's checked back in. Looks like this didn't happen.

No, I don't believe anything of the sort.

The fact that their test suite didn't contain a test for this particular elderly vulnerability doesn't surprise me in the least. They (i.e. Netscape) probably didn't use that level of diligence 7 years ago (When Gecko was first being developed).

In any case, the vulnerability would be very difficult to exploit in a real-world scenario, because the attacker's site wouldn't have any way of knowing the names of other browser windows which happened to be open at the time to attack them.

If it attempted to send content into a window which was not open, it would open a new window, so the user would be bound to notice. At least, if it wasn't blocked by a popup blocker (which typically, it would be).

I wonder if a popup blocker makes this exploit easier (albeit still incredibly improbable).

Slarty

[d0pp]

Things like this happen, especially when you have a codebase as diverse as that of Firefox/Mozilla. The point is, Mozilla is open about vunerabilities, and very diligent about patching them. I believe the fact that an old vulnerability resurfaced is definitely outweighed by the fact that said vulnerability is patched in a reasonable amount of time.