[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20040803074228.GA21160@wsr.ac.at>
Date: Tue, 3 Aug 2004 09:42:28 +0200
From: "Peter J. Holzer" <hjp@....ac.at>
To: bugtraq@...urityfocus.com
Subject: Re: Fwd: New possible scam method : forged websites using XUL (Firefox)
On 2004-08-02 13:15:49 -0000, Justin Polazzo wrote:
> In-Reply-To: <20040730210508.GT19188@...urityfocus.com>
>
> "The security implications of
> this trick were considered as early as 1999 in Mozilla Bug 22183
> (http://bugzilla.mozilla.org/show_bug.cgi?id=22183). However, the
> Mozilla Foundation has kept the Bug confidential until recently,
> when a researcher noted the problem and published a
> particularly-effective demonstration, spoofing a "PayPal" login
> site (see http://www.nd.edu/~jsmith30/xul/test/spoof.html)."
>
> 5 Years to fix a vuln? I am not sure if even Microsoft has been that
> slow to confront a security flaw. Has anyone heard an explanation as
> to why this was kept confidential and swept under the rug until now?
You can read the bug yourself, but here is a short history of the bug:
It looks like the original vulnerability required the user to download
and install some XUL, and nobody took that serious.
In 2002, people started discussion the paper by Zishuang Ye and Sean
Smith and general spoofing prevention. However, nobody came up with a
good idea, so the discussion sort of died off. (The problem with this
vulnerability is that it's a user interface problem: You need to come up
with some way to distinguish trusted from untrusted chrome in a way
which is intuitive, impossible to fake and unobtrusive at the same time.
People won't use a browser which puts a blinking border around each
window, and it doesn't help if they have to press some obscure key
sequence to find out whether a page is spoofed)
That's not that uncommon with Mozilla. You can find quite a few bugs
which are several years old and never fixed. Open source (and even an
open bug tracking system) is not a garantuee for quick fixes.
hp
--
_ | Peter J. Holzer | Shooting the users in the foot is bad.
|_|_) | Sysadmin WSR / LUGA | Giving them a gun isn't.
| | | hjp@....ac.at | -- Gordon Schumacher,
__/ | http://www.hjp.at/ | mozilla bug #84128
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists