Mozilla UI Spoofing Vulnerability
07-31-04 10:46 PM
Mozilla UI Spoofing Vulnerability
CowboyNeal July 31 2004
from the shields-up dept. Short Circuit writes "Secunia has issued a
security advisory for Mozilla and Firefox. Apparently, remote web
sites can spoof the user interface using XUL. (See the Firefox proof
of concept.) Of course, that won't stop me from using Firefox."
http://it.slashdot.org/it/04/07/31/...tid=128&tid=172
Re: Mozilla UI Spoofing Vulnerability
07-31-04 10:46 PM
Daeron wrote:
> Mozilla UI Spoofing Vulnerability
> CowboyNeal July 31 2004
> from the shields-up dept. Short Circuit writes "Secunia has issued a
> security advisory for Mozilla and Firefox. Apparently, remote web
> sites can spoof the user interface using XUL. (See the Firefox proof
> of concept.) Of course, that won't stop me from using Firefox."
>
> http://it.slashdot.org/it/04/07/31/...tid=128&tid=172
I know you guys love FireFox to death -- but I still think Konqueror is the
more superior browser. The range and depth of configuration are great.
The integration with the KDE desktop is, of course, stellar.
--
http://kentpsychedelic.blogspot.com
Re: Mozilla UI Spoofing Vulnerability
07-31-04 10:47 PM
"novelle.vague" <goddard.de@cahiers.du.fr.prix.mono> wrote in message news:<2270917.MuFRMpJQYa@news.west.earthlink.net>...
> Daeron wrote:
>
No, OSS doesn't get vulnerabilities, only MS software! Haven't you
read the Foaming Zealot Instructions?
> I know you guys love FireFox to death -- but I still think Konqueror is the
> more superior browser. The range and depth of configuration are great.
> The integration with the KDE desktop is, of course, stellar.
That's great, for everyone running KDE who prefers integration over
features and quality. Firefox makes Konqueror look like IE.
Re: Mozilla UI Spoofing Vulnerability
08-01-04 10:47 PM
On 31 Jul 2004 10:25:09 -0700, Daeron wrote:
> Mozilla UI Spoofing Vulnerability
> CowboyNeal July 31 2004
> from the shields-up dept. Short Circuit writes "Secunia has issued a
> security advisory for Mozilla and Firefox. Apparently, remote web
> sites can spoof the user interface using XUL. (See the Firefox proof
> of concept.) Of course, that won't stop me from using Firefox."
>
> http://it.slashdot.org/it/04/07/31/...tid=128&tid=172
Before reading one of his posts, consider this:
Daeron is a despicable liar of the highest order. He has attacked me
repeatedly in this newsgroup. In his latest attack posted to his blog, he
is claiming that I posted requests for sexual acts on another newsgroup.
Those posts were forged by another lowlife Linux Advocate, but he's trying
to claim that this is my "hobby".
Doug Mitchell aka. Doug Mentohl aka. Daeron is a despicable lowlife piece
of scum who will stop at nothing to promote Linux - including attempting to
get people fired, and posting lies about them online.
Read his posts with care.
Re: Mozilla UI Spoofing Vulnerability
08-02-04 10:47 PM
In comp.os.linux.advocacy, Simon Cooke
<simonREMOVEcooke@earthREMOVElink.net>
wrote
on Sun, 1 Aug 2004 15:56:05 -0700
<1hp0ynsqcwb0t$.9nz9tmmr52tf$.dlg@40tude.net>:
> On 31 Jul 2004 10:25:09 -0700, Daeron wrote:
>
>
> Before reading one of his posts, consider this:
>
> Daeron is a despicable liar of the highest order. He has attacked me
> repeatedly in this newsgroup. In his latest attack posted to his blog, he
> is claiming that I posted requests for sexual acts on another newsgroup.
>
> Those posts were forged by another lowlife Linux Advocate, but he's trying
> to claim that this is my "hobby".
>
> Doug Mitchell aka. Doug Mentohl aka. Daeron is a despicable lowlife piece
> of scum who will stop at nothing to promote Linux - including attempting to
> get people fired, and posting lies about them online.
>
> Read his posts with care.
Even when his posts suggest that Linux has a problem?
Make up your mind!
--
#191, ewill3@earthlink.net
It's still legal to go .sigless.
Re: Mozilla UI Spoofing Vulnerability
08-05-04 12:58 PM
On Sat, 31 Jul 2004 10:25:09 -0700, Daeron wrote:
This is a real vulnerability, however, it's WAY overblown. For it to
work, there must be many poor assumptions met. First of all, you have to
turn off your toolbar. Secondly, you have to make sure you always use the
default fonts and colors. Third of all, it assumes that you are using a
default theme. This combination is so unlikely, it's not worth talking
about. First of all, the theme on firefox changes periodically, so which
theme is someone going to "code" for. Secondly, if you use a large
monitor and/or run at a high resolution, chances are, you're not using the
default font selections. This hoses the attack. Third of all, who the
heck browses with their toolbar turned off in their browser. I mean, come
on.
In other words, this attack is so lame, and a user would have to be so
stupid and, the configuration would have to be so perfect, it's not a
serious concern. In fact, this problem has existed for over two years and
it's been well known. How many problems have you read about here? That's
right, zero in two friggen years. Guess what, not a problem. Move along.
Nothing to see here.
Cheers,
Greg
Re: Mozilla UI Spoofing Vulnerability
08-05-04 12:58 PM
Greg Copeland wrote:
> On Sat, 31 Jul 2004 10:25:09 -0700, Daeron wrote:
>
> This is a real vulnerability, however, it's WAY overblown. For it to
> work, there must be many poor assumptions met. First of all, you have to
> turn off your toolbar. Secondly, you have to make sure you always use the
> default fonts and colors. Third of all, it assumes that you are using a
> default theme. This combination is so unlikely, it's not worth talking
> about. First of all, the theme on firefox changes periodically, so which
> theme is someone going to "code" for. Secondly, if you use a large
> monitor and/or run at a high resolution, chances are, you're not using the
> default font selections. This hoses the attack. Third of all, who the
> heck browses with their toolbar turned off in their browser. I mean, come
> on.
>
> In other words, this attack is so lame, and a user would have to be so
> stupid and, the configuration would have to be so perfect, it's not a
> serious concern. In fact, this problem has existed for over two years and
> it's been well known. How many problems have you read about here? That's
> right, zero in two friggen years. Guess what, not a problem. Move along.
> Nothing to see here.
>
> Cheers,
>
> Greg
Is he vulnerable to the javascript.
I am asking.
Re: Mozilla UI Spoofing Vulnerability
08-05-04 10:48 PM
On Thu, 05 Aug 2004 02:15:27 -0500, Greg Copeland wrote:
> On Sat, 31 Jul 2004 10:25:09 -0700, Daeron wrote:
>
> This is a real vulnerability, however, it's WAY overblown. For it to
> work, there must be many poor assumptions met. First of all, you have to
> turn off your toolbar. Secondly, you have to make sure you always use the
> default fonts and colors. Third of all, it assumes that you are using a
> default theme. This combination is so unlikely, it's not worth talking
> about.
So in other words, the only difference from the default install is that you
have to turn off your toolbar. Which some sites will do for you on pop-up
windows (especially if it's a site which uses pop-ups in normal operation,
and you allow to create them by initiating the action yourself).
How is this unlikely again? Because I've seen plenty of people using
Mozilla who ONLY use the default theme and default fonts and colors.
Re: Mozilla UI Spoofing Vulnerability
08-05-04 10:48 PM
On Thu, 05 Aug 2004 08:59:58 -0700, Simon Cooke wrote:
> On Thu, 05 Aug 2004 02:15:27 -0500, Greg Copeland wrote:
>
>
> So in other words, the only difference from the default install is that you
> have to turn off your toolbar. Which some sites will do for you on pop-up
> windows (especially if it's a site which uses pop-ups in normal operation,
> and you allow to create them by initiating the action yourself).
>
Because popups are disabled. And, it also proves that you didn't read or
have poor comprehension. Which version are they attacking? The latest?
A previous version? Mozilla? Firebird? The toolbars differ, as do the
themes. And again, it assumes that the default theme, colors and fonts
are in place.
> How is this unlikely again? Because I've seen plenty of people using
> Mozilla who ONLY use the default theme and default fonts and colors.
In other words, it's not likely. Just as I originally stated and restated
a second time. Not my problem that you have comprehension issues.
Cheers,
Greg
Re: Mozilla UI Spoofing Vulnerability
08-07-04 01:46 AM
On Thu, 05 Aug 2004 12:21:38 -0500, Greg Copeland wrote:
> On Thu, 05 Aug 2004 08:59:58 -0700, Simon Cooke wrote:
>
>
>
> Because popups are disabled.
Popups are not disabled by default on a Mozilla install. Also, IIRC, not
all popups are disabled even if they're turned off - user-initiated popup
windows *ARE* allowed, and these are the exact kind of windows which can be
started up in "kiosk" mode - without toolbars.
> And, it also proves that you didn't read or
> have poor comprehension. Which version are they attacking? The latest?
> A previous version? Mozilla? Firebird? The toolbars differ, as do the
> themes. And again, it assumes that the default theme, colors and fonts
> are in place.
They are the DEFAULT theme, DEFAULT colors and DEFAULT fonts. That's how it
comes. You now - in your infinite capability and wisdom - have to show that
MOST users turn off popups (likely, but not foolproof, as some popups still
can be generated), MOST users change themes (unlikely) and MOST users
change fonts/colors (highly unlikely).
Most people - according to people who think that Mozilla should have more
marketshare, and that netscape was unfairly kicked out of the marketplace -
allegedly are so braindead that they won't even download Mozilla, they will
just use IE instead - the DEFAULT browser. What makes you think that the
majority of people will ever change their DEFAULT settings?
>
> In other words, it's not likely.
No, in other words, it's highly likely.
> Just as I originally stated and restated
> a second time. Not my problem that you have comprehension issues.
What? You stated that most people use the default theme and default fonts
and colors? Because you also stated that this exploit is only an issue if
people *USE* the default theme and default fonts and colors. Which means
that you agree with me.
If you disagree, you'd better back it up with something better than just
handwaving "oh, you have comprehension problems", because from where I'm
sitting you obviously don't know how to read.
All times are GMT.