Anyone using the Mozilla Firefox Browser?
- Thread starter Baltimore Shooter
- Start date
- Status
Firefox spoofing is the only known problem so far. Soon, there will be many more for everyone that uses Windows. However, Like the rest of you have mentioned, it is the best hands down!
-------------------------------------------------
Using javascript it is possible to spoof the content of security and
download dialogs by partly covering them with a popup window. This can fool
a user to download and automaticly execute a file (if a file extension
association exists) or to grant a script local data access (if codebase
principals are enabled).
__Expected Behavior
Modal dialogs should always be on top and it should not be possible to
obfuscate their appearance.
__Proof-of-Concept
http://www.mikx.de/firespoofing/
The PoC is designed for Firefox 1.0 running in a maximized window.
Part 1 - download dialog spoofing
Shows how to cover a download dialog and fool the user to execute a file
with a standard windows file association (in this case a .ht file). BTW,
remember the latest .ht buffer overflow...
Part 2 - security dialog spoofing
Shows how to cover a security dialog. Make sure codebase principals are
enabled (not default but encouraged by many XUL sites). Creates the file
c:\booom.txt to proof local system access.
__Status
The bug is confirmed but currently unfixed (open for more than 3 months). As
a partial workaround set dom.disable_window_flip to true in about:config.
The vendor failed to respond to multiple status requests which led to this
public disclosure.
2004-09-20 Vendor informed (bugzilla.mozilla.org #260560)
2004-09-20 Vendor confirmed bug
2004-10-20 Status request (open for 1 month - no reply)
2005-01-03 Status request (open for 3 months - no reply)
2005-01-07 Status request (disclosure warning - no reply)
2005-01-11 Public disclosure
__Affected Software
Tested with Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP SP2.
__Contact Informations
[ January 25, 2005, 01:15 AM: Message edited by: Binary ]
-------------------------------------------------
Using javascript it is possible to spoof the content of security and
download dialogs by partly covering them with a popup window. This can fool
a user to download and automaticly execute a file (if a file extension
association exists) or to grant a script local data access (if codebase
principals are enabled).
__Expected Behavior
Modal dialogs should always be on top and it should not be possible to
obfuscate their appearance.
__Proof-of-Concept
http://www.mikx.de/firespoofing/
The PoC is designed for Firefox 1.0 running in a maximized window.
Part 1 - download dialog spoofing
Shows how to cover a download dialog and fool the user to execute a file
with a standard windows file association (in this case a .ht file). BTW,
remember the latest .ht buffer overflow...
Part 2 - security dialog spoofing
Shows how to cover a security dialog. Make sure codebase principals are
enabled (not default but encouraged by many XUL sites). Creates the file
c:\booom.txt to proof local system access.
__Status
The bug is confirmed but currently unfixed (open for more than 3 months). As
a partial workaround set dom.disable_window_flip to true in about:config.
The vendor failed to respond to multiple status requests which led to this
public disclosure.
2004-09-20 Vendor informed (bugzilla.mozilla.org #260560)
2004-09-20 Vendor confirmed bug
2004-10-20 Status request (open for 1 month - no reply)
2005-01-03 Status request (open for 3 months - no reply)
2005-01-07 Status request (disclosure warning - no reply)
2005-01-11 Public disclosure
__Affected Software
Tested with Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP SP2.
__Contact Informations
[ January 25, 2005, 01:15 AM: Message edited by: Binary ]
Y
<yup>
Guest
off topic, but while we're plugging free software...
try Open Office ( http://www.openoffice.org/ )
great free office replacement when you want to read word docs, excel spreadsheets, and the like- but don't want to watse the big money for the microsoft suite. it doesn't quite have all the bells and whistles but i would guess it has everything that 98% of users would need.
try Open Office ( http://www.openoffice.org/ )
great free office replacement when you want to read word docs, excel spreadsheets, and the like- but don't want to watse the big money for the microsoft suite. it doesn't quite have all the bells and whistles but i would guess it has everything that 98% of users would need.
Run 'n' Get 'em
Well-known member
I use safari on my mac... but on my XP machine, I would delete IE if I could. The only thing I use it for is work webmail (MS Exchange Web Access, only works in IE)... Wincrap updates download automatically with SP2 for XP
I
imported_blank
Guest
I've been evaluating FIREFOX for a while now. Personally Netscape 7.1 is a better looking and faster browser then Firefox.
Flaca Productions, I sent you a PM - hope you don't mind
Gotta agree with that. IE ain't so bad if you run your security settings properly, every week check MS for security updates and use a third party pop up stopper. Due to firefox's growing popularity exploiters and hackers ARE starting to try to get around FF security.
Flaca Productions, I sent you a PM - hope you don't mind
Birdy
Well-known member
I use The Bat for email. Good simple program with great security. It's shareware, so it's cheap too.
http://www.sharewareconnection.com/the-bat-.htm
http://www.sharewareconnection.com/the-bat-.htm
- Status