22 replies to this topic

[AplusWebMaster]

FYI...

- http://news.com.com/...g=st.util.print
July 27, 2004
"Web surfers eyeing Mozilla-based browsers as a safer alternative might want to wait a week before making the switch. That's because the Mozilla Foundation, an open-source browser development group in Mountain View, Calif., has acknowledged a pair of serious flaws in the way its browsers handle certificates, the digital documents that let you verify a Web site's identity. Mozilla said its engineers were caught off-guard by the vulnerabilities, as the code in question dates back from the open-source browser's proprietary progenitor, Netscape...Mozilla said it was still deciding whether it would release stand-alone patches or simply issue the fixes with upcoming versions of the browsers. Current Mozilla-based browsers include Mozilla 1.7.1 and Firefox 0.9.2. Mozilla expects to have either patches or new versions of the browsers available in about a week."

[wyrmrider]

see also

Secunia Security Advisories <sec-adv@secunia.com>


SA12188] Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability


list like this for all mozilla versions this is for firefox 0.x
2004 - 8 Secunia Security Advisories
- Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability
- Mozilla / Mozilla Firefox "onunload" SSL Certificate Spoofing
- Mozilla / Firefox Certificate Store Corruption Vulnerability
- Mozilla Fails to Restrict Access to "shell:"
- Mozilla XPInstall Dialog Box Security Issue
- Multiple Browsers Frame Injection Vulnerability
- Mozilla Browser Address Bar Spoofing Weakness
- Multiple Browsers Telnet URI Handler File Manipulation Vulnerability


I'm especiially interested in address bar google error hijack

Wyrmrider

[Buntox]

I heard about the firefox spoofing vulnerability on slashdot.org. The article contains a link to a page with info about the spoof and proof of the concept.

hope this helps

[AplusWebMaster]

Current status at Secunia:

3 Secunia Security Advisories
Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability
- http://secunia.com/advisories/12188/
Mozilla / Mozilla Firefox "onunload" SSL Certificate Spoofing
- http://secunia.com/advisories/12160/
Mozilla / Firefox Certificate Store Corruption Vulnerability
- http://secunia.com/advisories/12076/

[Mike]

That spoofing problem has me upset. The sentiment seems to be running against making XUL more restrictive simply because web developers are trying to develop web applications for it.

That's pure garbage. Microsoft's ActiveX mess was caused by this same foolishness. Web developers be damned, I want my browser to be secure.

[dowen]

Oh dear, I still prefer Firefox to IE though. They do generally issue fixes faster but any software usually contains vulnerabilities, nothings perfect. I will still keep a high level of respect for Mozilla though.

[rosso_acido]

Looks like fixed versions for both Mozilla & Firefox are now available.

Firefox, Thunderbird, Mozilla Suite Upgrades Released

mozilla.org today released minor upgrades to three of its major products. Firefox 0.9.3, Thunderbird 0.7.3 and Mozilla 1.7.2 are all now available. These three new releases were created to correct 4 possible security vulnerabilities in past versions of each product. The Buildbar has links for all three releases.

http://www.mozillazine.org/

Get Mozilla 1.7.2: http://www.mozilla.org/releases/
Get Firefox 0.9.3: http://www.mozilla.o...oducts/firefox/

R.

[dowen]

Thanks rosso_acido,
I looked earlier today, guess its just been released now.

[rosso_acido]

My pleasure.

I'm right now downloading Firefox 0.9.3 (I guess Mozilla will have to wait until tomorrow, since it's a good 12 MB and I'm on dialup)...

Best,
R.

[cnm]

Do you happen to know if it's necessary to uninstall 9.2? Nevermind - I did - after that, 9.3 installed without a hitch. Extensions and options are exactly as before.

I think this may be important when you uninstall. When the uninstaller asks if you want to completely remove everything from the Mozilla folder, say No.

[rosso_acido]

Well, on uninstalling 9.2 I told it to delete everything in the Mozilla Firefox folder (in Program Files), and now 9.3 also has all my options like before.

Maybe these are stored in Application Data, so they're not affected even if you delete the Mozilla folder?

R.

[mellonhead]

One thing that is still not fixed (can't be really) is the User Interface Spoofing Vulnerability. This is still an issue with .9.3. A workaround is to prevent the statusbar from being hidden by a spoofed page:

Go to Tools > Options... > Web Features > Advanced and uncheck "Hide the status bar". You can also prevent the toolbar being hidden by typing "about:config" into the address bar, hitting enter, pasting "dom.disable_window_open_feature.toolbar" into the filter field. Now right click and modify the preference from "false" to "true".

The spoofed page can be identified because your original statusbar will still be visable as well as the spoofed one.

[cnm]

Thanks, mellonhead. Good tip.

[dowen]

Same for me as well, thanks mellonhead. Just updated my settings.

Edited by dowen, 05 August 2004 - 09:49 AM.

[AplusWebMaster]

FYI...upgrade incentive:

Mozilla / Mozilla Firefox / Mozilla Thunderbird libpng Vulnerabilities
- http://secunia.com/advisories/12232/
"Secunia Advisory: SA12232
Release Date: 2004-08-05
Critical: Highly critical
Impact: DoS, System access
Where: From remote
....
Solution:
This has been fixed in the following versions:
* Mozilla 1.7.2
* Firefox 0.9.3
* Thunderbird 0.7.3 ..."

.

[wyrmrider]

Copy of letter of Aug 6, 2004 to:

Security@Mozilla.org

I am writing to notify you of a behavior which is unacceptable, privacy concerns, security concerns

Behavior

Your default search is Google
Your default Google Search is “I’m feeling Lucky”


Now go to WWW.Google.com and into the Google search window
TYPE WILDERSSECURITY then choose GOOGLE SEARCH note the results
Now TYPE misspelled WILDERSECURITY you should get “Did you mean WILDERSSECURITY”

TYPE WILDERSSECURITY into the window and NOW choose I’m Feeling Lucky
On my machine the site http://www.javacools...areblaster.html
That’s not perfect but I can live with that

Now Misspell WILDERSECURITY and choose “I’m feeling lucky”

You will get the same results by misspelling WILDERSECURITY in the FIREFOX address box with default settings i.e. most people will get this behavior

Notice how you are taken to apps5.oingo.com on this SEARCH ERROR condition

Apps5.oingo.com will access domainepark and try and do a “contextual search” and will transfer to PAID ADVERTISERS who will have no relationship to the searched for site except some name similarity or if you have OINGO or domainepark cookies will try and track your habits

This transfer to paid advertisers is without notice to the user

There does not seem to be much control over the paid advertisers
In one case the transfer was to a bridge site with the message SBYBOT SEARCH DESTROY and 3 more lines of text and a message “click to continue” without clicking the searcher is taken to a SPYWARE KILLER site with the heading SPYWARE FOUND ON YOUR MACHINE (and a hard sell)
Spyware Killer is a known hostile product
The trademark, unfair competition, and FTC (last weeks d squared decision) connections should be obvious
If this type of transfer is possible then transfer to phising and other hostile sites is probable

Other places transferred to are equally obnoxious. Usually phony pay per click “search pages”
HOWEVER I’ve the error mechanism has transferred to dp.information.com another “banned “site and banned host
It seems that during this process that scripts/ applets are executed on your users machine

This process tries to install cookies and the paid advertiser tries to install cookies
Needless to say this raises both privacy and security concerns

I’m current lost in google e-mail and tech support (sic) and help (sic)
I assume you have a contract with Google so can get to the bottom of this a lot easier than I can.

Possibilities I currently see are (none of them good)
1 This is a normal part of the ad-sense program
(Google acquired ad-sense from Applied Semantics which used to be OINGO)
2 Some one is using one of the known pirated copies of the old OINGO search engine
3 Someone has done a clever hack on Google search errors
4 The advertisers have run amouk

I would suggest:
1 that you immediately change default search to normal google search
2 that you post a call for vigilance and comments to see if anyone else has been harmed by this behavior (paid money, gotten porn, found themselves being spamed, etc)
3 You post a section in MOZILLAZINE to help follow up on this issue
4 (you can reference post by Wyrmrider)
5 You can educate your staff and volunteers that as of NOW even if this IS default Google behavior (and we are not certain that it is) it is not acceptable

References
Do searches in the usual places for OINGO, Applied Semantics, go back several years
Reply to this messages for additional links and details and links to many victims around the web

Does this happen with other browsers. Yes it can but others do not use “I’m feeling Lucky” as default

I also have a problem with the different results for “SEARCH GOOGLE” and “I’m feeling Lucky” on errors and/or that “ I’m feeling Lucky” results are not consistent in their treatment of search errors.

Thanks to:
Pieter Arntz (Metallica)
Cexx.org Forums
Tom Coyote Forum
Wilderssecuity forums LowWaterMark
SpywareWarrior forum
Spywareinfo
Eric L Howes / IE-Spyads (blocks in I.E)
TDS-3 and Wormguard /Diamond C.S forums
TeamSPYBOT Chi-Va
SBYBOT SEARCH & DESTROY (blocks some behavior in HOSTS)

I have been contact with the FTC and would appreciate any input on this issue

Wyrmrider

[AplusWebMaster]

It appears you have a legitimate issue, but you'd get a better audience in this forum with what appear to be design function inadequecies:

- http://forums.mozillazine.org/

...the topic was opened here dealing with specific vulnerabilities, most (but not all) of which were dealt with in the latest release:

- http://www.mozilla.org/download.html

'Just a thought...

[wyrmrider]

Thanks Aplus

I did post a very early version in Mozillazine but got a bunch of very immature responses. Of course then I did not have the problem narrowed down and was looking for a hijack.

I appreciate the professional level of feedback at this forum.and your members.
It really makes me double check and focus

I'm waiting to hear back from security@mozilla.org
Remember this is not Mozill- it's Google

This behaviour happens with ALL Google "I'm feeling lucky" searches if an Error happens, even with I.E.! if you misspell something or a websites down (but not all the time???) This is not the same behaviour as com.org- and i.e. autocompletion/ default search--it's much worse.

I'm forewarding my file to the FTC. The behaviour is in many cases (but not all) similar to the recent D-Squared case. The FTC can, as Deep Throat said, "follow the money" from SPYWARE KILLER back up the food chain.

I'm going to do some more suggested testing, revise, then I'll give Mozillazine another shot. Would like a reply from mozilla first but they better be quick.

thanks
Wyrmrider

[AplusWebMaster]

BTW, 'don't care much for any of the "built-in" search engine (pointers) anyway. 'Never did for -any- browser...too much "marketing/back-slapping" going on during the development process. Best meta-search engines can still be found in this article (even though it has a little hair on it):

Meta Search Or Meta Ads?
- http://searchenginew...p/34721_2163821

.

[wyrmrider]

off topic
nice site apluswebmaster

on topic
lavasoft news one issue ago was on mozilla and browsersecurity

wyrmrider

response to aplus
I agree I had them turned off in i.e it was when I went to firefox that all some old friends (GAIN) reappeared ( the were blocked by ie-spyads)
and I started getting these strange "I'm getting lucky" results
of course, at the time, I did not realize I was either using google OR "I'm feeling lucky"
of which I had had NO experience little learning curve here
when I had to reinstall windows I started getting com.org again which had totally and rightly forgotten about --what a forgettable site but not near as bad as what "I'm feeling lucky" gives.

WYRMRIDER

[ozcompute]

rosso acido
Firefox stores it data in: Docs and settings - "User name" - application data - Phoenix

[SpiritWind]

Saw a recent pcworld.com announcement of 10
security flaws in the Mozilla "family", which includes
Firefox and that a new release is available !?

[silence351]

Do you mean the preview release for firefox?
http://www.mozilla.org/download.html