AplusWebMaster

Mozilla...security bugs

23 posts in this topic

FYI...

- http://news.com.com/2102-1002_3-5286138.ht...g=st.util.print

July 27, 2004

"Web surfers eyeing Mozilla-based browsers as a safer alternative might want to wait a week before making the switch. That's because the Mozilla Foundation, an open-source browser development group in Mountain View, Calif., has acknowledged a pair of serious flaws in the way its browsers handle certificates, the digital documents that let you verify a Web site's identity. Mozilla said its engineers were caught off-guard by the vulnerabilities, as the code in question dates back from the open-source browser's proprietary progenitor, Netscape...Mozilla said it was still deciding whether it would release stand-alone patches or simply issue the fixes with upcoming versions of the browsers. Current Mozilla-based browsers include Mozilla 1.7.1 and Firefox 0.9.2. Mozilla expects to have either patches or new versions of the browsers available in about a week."

:blink:

see also

Secunia Security Advisories <sec-adv@secunia.com>

[SA12188] Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability

A list like this exists for all Mozilla versions; this one is for Firefox 0.x

2004 - 8 Secunia Security Advisories

- Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability

- Mozilla / Mozilla Firefox "onunload" SSL Certificate Spoofing

- Mozilla / Firefox Certificate Store Corruption Vulnerability

- Mozilla Fails to Restrict Access to "shell:"

- Mozilla XPInstall Dialog Box Security Issue

- Multiple Browsers Frame Injection Vulnerability

- Mozilla Browser Address Bar Spoofing Weakness

- Multiple Browsers Telnet URI Handler File Manipulation Vulnerability

I'm especially interested in the address bar Google error hijack.

Wyrmrider

Current status at Secunia:

3 Secunia Security Advisories

Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability

- http://secunia.com/advisories/12188/

Mozilla / Mozilla Firefox "onunload" SSL Certificate Spoofing

- http://secunia.com/advisories/12160/

Mozilla / Firefox Certificate Store Corruption Vulnerability

- http://secunia.com/advisories/12076/

:ph34r:

That spoofing problem has me upset. The sentiment seems to be running against making XUL more restrictive simply because web developers are trying to develop web applications for it.

That's pure garbage. Microsoft's ActiveX mess was caused by this same foolishness. Web developers be damned, I want my browser to be secure.

Oh dear, I still prefer Firefox to IE though. They do generally issue fixes faster, but any software usually contains vulnerabilities; nothing's perfect. I will still keep a high level of respect for Mozilla though.

Looks like fixed versions for both Mozilla & Firefox are now available. :)

Firefox, Thunderbird, Mozilla Suite Upgrades Released

mozilla.org today released minor upgrades to three of its major products. Firefox 0.9.3, Thunderbird 0.7.3 and Mozilla 1.7.2 are all now available. These three new releases were created to correct 4 possible security vulnerabilities in past versions of each product. The Buildbar has links for all three releases.

http://www.mozillazine.org/

Get Mozilla 1.7.2: http://www.mozilla.org/releases/

Get Firefox 0.9.3: http://www.mozilla.org/products/firefox/

R. :wave:

Thanks rosso_acido,

I looked earlier today; guess it's just been released now.

My pleasure. :)

I'm right now downloading Firefox 0.9.3 (I guess Mozilla will have to wait until tomorrow, since it's a good 12 MB and I'm on dialup)...

Best,

R. :wave:

Do you happen to know if it's necessary to uninstall 9.2? Never mind - I did - after that, 9.3 installed without a hitch. Extensions and options are exactly as before. :D

I think this may be important when you uninstall. When the uninstaller asks if you want to completely remove everything from the Mozilla folder, say No.

Well, on uninstalling 9.2 I told it to delete everything in the Mozilla Firefox folder (in Program Files), and now 9.3 also has all my options like before. :scratchhead:

Maybe these are stored in Application Data, so they're not affected even if you delete the Mozilla folder? :wtf:

R. :wave:

One thing that is still not fixed (can't be really) is the User Interface Spoofing Vulnerability. This is still an issue with .9.3. A workaround is to prevent the statusbar from being hidden by a spoofed page:

Go to Tools > Options... > Web Features > Advanced and uncheck "Hide the status bar". You can also prevent the toolbar from being hidden by typing "about:config" into the address bar, hitting Enter, and pasting "dom.disable_window_open_feature.toolbar" into the filter field. Now right-click and modify the preference from "false" to "true".

The spoofed page can be identified because your original statusbar will still be visible as well as the spoofed one.
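As an added example (not from this thread and not Mozilla's own code), here is a small JavaScript model of what those two settings do. Firefox's `dom.disable_window_open_feature.*` preferences, when set to true, stop a page's `window.open()` feature string from hiding that piece of browser chrome, so a spoofing page that asks for `status=no,toolbar=no` still gets a window with the real status bar and toolbar. The mapping of the "Hide the status bar" checkbox to `dom.disable_window_open_feature.status`, the `location` and `menubar` preference names, and the feature string itself are assumptions made for the example.

```javascript
// Added example: simplified model of how dom.disable_window_open_feature.*
// preferences override a page's window.open() feature string. Not Firefox code.

// Chrome elements a page may ask to hide. "toolbar" is the preference named in
// the post; "status" is assumed to be what the "Hide the status bar" checkbox
// toggles; "location" and "menubar" are assumed sibling preferences.
const CHROME_FEATURES = ["toolbar", "status", "location", "menubar"];

// Parse a feature string such as "toolbar=no,status=no,width=400" into a map of
// name -> boolean. "yes", "1" or a bare name mean on; "no" and "0" mean off.
// Size entries (width, height) are parsed but ignored by resolveChrome().
function parseFeatures(featureString) {
  const result = {};
  if (!featureString || !featureString.trim()) return result;
  for (const item of featureString.split(",")) {
    const [rawName, rawValue] = item.split("=").map((s) => s.trim().toLowerCase());
    if (!rawName) continue;
    if (rawValue === undefined) {
      result[rawName] = true;
      continue;
    }
    result[rawName] = rawValue === "yes" || rawValue === "1";
  }
  return result;
}

// Decide which chrome elements the opened window shows.
// Model of the rule: an empty feature string opens a normal window with all
// chrome; a non-empty one hides anything the page did not explicitly request;
// a preference set to true forces that element visible regardless of the page.
function resolveChrome(featureString, prefs) {
  const requested = parseFeatures(featureString);
  const pageSpecifiedSomething = Object.keys(requested).length > 0;
  const visible = {};
  for (const feature of CHROME_FEATURES) {
    const pageWants = pageSpecifiedSomething ? requested[feature] === true : true;
    const forced = prefs[`dom.disable_window_open_feature.${feature}`] === true;
    visible[feature] = forced || pageWants;
  }
  return visible;
}

// Render the preferences as user.js lines (assumed format: user_pref(name, value);)
// so the same hardening can be written into a profile directory.
function toUserJs(prefs) {
  return Object.entries(prefs)
    .map(([name, value]) => `user_pref("${name}", ${value});`)
    .join("\n");
}

// Constructed sample: the kind of feature string a spoofing page would pass to
// window.open() to get a window without status bar, toolbar or address bar.
const SPOOF_FEATURES = "toolbar=no,status=no,location=no,width=800,height=600";

// Default profile in the post's scenario: nothing is forced visible.
const DEFAULT_PREFS = {};

// The two changes the post describes, expressed as preferences.
const HARDENED_PREFS = {
  "dom.disable_window_open_feature.status": true,  // "Hide the status bar" unchecked (assumed mapping)
  "dom.disable_window_open_feature.toolbar": true, // the about:config change in the post
};

console.log("default :", resolveChrome(SPOOF_FEATURES, DEFAULT_PREFS));
console.log("hardened:", resolveChrome(SPOOF_FEATURES, HARDENED_PREFS));
console.log(toUserJs(HARDENED_PREFS));
```

With the default preferences the model hides all three elements, which is exactly what lets a page paint a fake status bar where the real one used to be. With the two preferences forced on, the page still gets its fake status bar but the genuine one stays underneath it, which is the doubled status bar the post tells you to look for. The address bar (`location`) stays hidden in the hardened run because the post does not cover that preference; forcing it as well is the same change with a different name.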


Same for me as well, thanks mellonhead. Just updated my settings.


FYI...upgrade incentive:

Mozilla / Mozilla Firefox / Mozilla Thunderbird libpng Vulnerabilities

- http://secunia.com/advisories/12232/

"Secunia Advisory: SA12232

Release Date: 2004-08-05

Critical: Highly critical

Impact: DoS, System access

Where: From remote

....

Solution:

This has been fixed in the following versions:

* Mozilla 1.7.2

* Firefox 0.9.3

* Thunderbird 0.7.3 ..."

Copy of letter of Aug 6, 2004 to:

Security@Mozilla.org

I am writing to notify you of a behavior which is unacceptable and raises privacy and security concerns.

Behavior

Your default search is Google.

Your default Google search is “I’m Feeling Lucky”.

Now go to WWW.Google.com and into the Google search window TYPE WILDERSSECURITY, then choose GOOGLE SEARCH. Note the results.

Now TYPE the misspelled WILDERSECURITY. You should get “Did you mean WILDERSSECURITY”.

TYPE WILDERSSECURITY into the window and NOW choose I’m Feeling Lucky.

On my machine the site is http://www.javacoolsoftware.com/spywareblaster.html

That’s not perfect but I can live with that.

Now misspell WILDERSECURITY and choose “I’m Feeling Lucky”.

You will get the same results by misspelling WILDERSECURITY in the FIREFOX address box with default settings, i.e. most people will get this behavior.

Notice how you are taken to apps5.oingo.com on this SEARCH ERROR condition.

Apps5.oingo.com will access domainepark and try to do a “contextual search” and will transfer you to PAID ADVERTISERS who have no relationship to the searched-for site except some name similarity, or, if you have OINGO or domainepark cookies, it will try to track your habits.

This transfer to paid advertisers is without notice to the user.

There does not seem to be much control over the paid advertisers.

In one case the transfer was to a bridge site with the message SPYBOT SEARCH DESTROY and 3 more lines of text and a message “click to continue”; without clicking, the searcher is taken to a SPYWARE KILLER site with the heading SPYWARE FOUND ON YOUR MACHINE (and a hard sell).

Spyware Killer is a known hostile product.

The trademark, unfair competition, and FTC (last week's D-Squared decision) connections should be obvious.

If this type of transfer is possible then transfer to phishing and other hostile sites is probable.

Other places transferred to are equally obnoxious, usually phony pay-per-click “search pages”.

HOWEVER, the error mechanism has transferred to dp.information.com, another “banned” site and banned host.

It seems that during this process scripts/applets are executed on your users' machines.

This process tries to install cookies and the paid advertiser tries to install cookies.

Needless to say this raises both privacy and security concerns.

I’m currently lost in Google e-mail and tech support (sic) and help (sic).

I assume you have a contract with Google so you can get to the bottom of this a lot easier than I can.

Possibilities I currently see are (none of them good):

1 This is a normal part of the AdSense program

(Google acquired AdSense from Applied Semantics, which used to be OINGO)

2 Someone is using one of the known pirated copies of the old OINGO search engine

3 Someone has done a clever hack on Google search errors

4 The advertisers have run amok

I would suggest:

1 that you immediately change the default search to normal Google search

2 that you post a call for vigilance and comments to see if anyone else has been harmed by this behavior (paid money, gotten porn, found themselves being spammed, etc.)

3 that you post a section in MOZILLAZINE to help follow up on this issue

4 (you can reference the post by Wyrmrider)

5 that you educate your staff and volunteers that as of NOW, even if this IS default Google behavior (and we are not certain that it is), it is not acceptable

References

Do searches in the usual places for OINGO and Applied Semantics; go back several years.

Reply to this message for additional links and details, and links to many victims around the web.

Does this happen with other browsers? Yes, it can, but others do not use “I’m Feeling Lucky” as default.

I also have a problem with the different results for “SEARCH GOOGLE” and “I’m Feeling Lucky” on errors, and/or that “I’m Feeling Lucky” results are not consistent in their treatment of search errors.

Thanks to:

Pieter Arntz (Metallica)

Cexx.org Forums

Tom Coyote Forum

Wilderssecurity forums LowWaterMark

SpywareWarrior forum

Spywareinfo

Eric L Howes / IE-SPYADS (blocks in I.E.)

TDS-3 and Wormguard / Diamond C.S forums

TeamSPYBOT Chi-Va

SPYBOT SEARCH & DESTROY (blocks some behavior in HOSTS)

I have been in contact with the FTC and would appreciate any input on this issue.

Wyrmrider

It appears you have a legitimate issue, but you'd get a better audience in this forum with what appear to be design function inadequacies:

- http://forums.mozillazine.org/

...the topic was opened here dealing with specific vulnerabilities, most (but not all) of which were dealt with in the latest release:

- http://www.mozilla.org/download.html

'Just a thought...

Thanks Aplus,

I did post a very early version in Mozillazine but got a bunch of very immature responses. Of course then I did not have the problem narrowed down and was looking for a hijack.

I appreciate the professional level of feedback at this forum and your members.

It really makes me double check and focus.

I'm waiting to hear back from security@mozilla.org.

Remember, this is not Mozilla; it's Google.

This behaviour happens with ALL Google "I'm Feeling Lucky" searches if an error happens, even with I.E.! if you misspell something or a website's down (but not all the time???). This is not the same behaviour as com.org and IE autocompletion/default search; it's much worse.

I'm forwarding my file to the FTC. The behaviour is in many cases (but not all) similar to the recent D-Squared case. The FTC can, as Deep Throat said, "follow the money" from SPYWARE KILLER back up the food chain.

I'm going to do some more suggested testing, revise, then I'll give Mozillazine another shot. Would like a reply from Mozilla first, but they'd better be quick.

thanks

Wyrmrider

BTW, 'don't care much for any of the "built-in" search engine (pointers) anyway. 'Never did for -any- browser...too much "marketing/back-slapping" going on during the development process. Best meta-search engines can still be found in this article (even though it has a little hair on it):

Meta Search Or Meta Ads?

- http://searchenginewatch.com/sereport/prin...p/34721_2163821

off topic

nice site apluswebmaster

on topic

lavasoft news one issue ago was on mozilla and browser security

wyrmrider

response to aplus

I agree. I had them turned off in IE; it was when I went to Firefox that some old friends (GAIN) reappeared (they were blocked by IE-SPYADS)

and I started getting these strange "I'm Feeling Lucky" results

of course, at the time, I did not realize I was either using Google OR "I'm Feeling Lucky"

of which I had had NO experience; little learning curve here

when I had to reinstall Windows I started getting com.org again, which I had totally and rightly forgotten about -- what a forgettable site, but not near as bad as what "I'm Feeling Lucky" gives.

WYRMRIDER

:unsure: Saw a recent pcworld.com announcement of 10 security flaws in the Mozilla "family", which includes Firefox, and that a new release is available !?