Firefox security bug

A new major security issue has been found in Firefox. In short, websites have access to the UI elements. With some fancy coding, they can use the actual UI components to create a spoofed browser window. They have access to all the UI parts, so they can add anything they want (like the secure padlock icon, the security certificate page, etc.). They can spoof a UI that looks however they want. Rather than having to actually have a fake SSL site that looks like a valid site, someone could just use the UI objects to make it look like that.

http://www.nd.edu/~jsmith30/xul/test/spoof.html has details. The biggest limit on this spoof is that the site has no way of knowing what your current preferences are. The attacker could make it look like the default (which most people probably don’t change), but he has no way to copy your exact config. If you have some of the Javascript functions disabled, it will interfere with the spoofing, and look not-quite-right.

Until this is fixed, it’s best to prevent Javascript from changing the statusbar. [Tools | Options | Web Features | Advanced | Hide the status bar] is where you’ll find the option. If you disable that, you will see the real status bar in his window, with his spoofed statusbar above that. Unfortunately, that’s about the only way to be 100% sure of this. I suggest disabling that anyway. It will mean you always have the status info on the current window.

http://secunia.com/advisories/12188/ is the Secunia bulletin. http://bugzilla.mozilla.org/show_bug.cgi?id=244965 and http://bugzilla.mozilla.org/show_bug.cgi?id=252198 are applicable bug listings.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Note: This post is over 5 years old. You may want to check later in this blog to see if there is new information relevant to your comment.