Firefox 2 crash exploit and IE7 address spoofing flaw surfaces

Summary: After all the media inflated flap over a minor Outlook Express flaw surfaced over Internet Explorer 7, a minor but true IE7 address bar spoofing weakness was found. At the same time, bug tracking mailing lists have been talking about a flaw affecting the just released Firefox 2. Bugtraq called the flaw "critical" though Mozilla's security chief Window Snyder insisted the report is wrong and that the problem was already "fixed" but admitted a crash condition remained.

Note: Secunia, which lists both the Outlook Express flaw and the address spoofing flaw under IE7, made no mention of the Firefox 2.0 crash condition as of 10/26/2006, days after the Bugtraq reports.

The address bar spoofing weakness against IE7 happens when a small popup is spawned and the URL shown in it has a long run of trailing spaces. The trailing spaces push the URL to the left and partially out of sight, which hides the actual domain and shows you a fake one. If you click anywhere on the popup page or on the background window, the left side of the URL and the actual domain name are revealed, but the initial spoofed display might be useful in a phishing attack against an unsuspecting user. The condition is repeatable whenever you click on the address bar, and that is probably what is being exploited, since the popup first appears with the address bar in focus. A possible fix would be to strip out the trailing spaces (since spaces aren't valid in URLs anyway) when popping up browser windows, or not to let a popup start with the address bar in focus.
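As an added example that is not part of the original post, here is the mitigation the post suggests written out: whitespace padding is stripped from a URL before it is handed to a popup, and the amount of padding is reported so the event can be logged. The function names, the threshold and the sample URL are all assumptions for illustration.

```javascript
// Added example, not code from the original post. Strips whitespace padding
// from a URL before display and reports how much padding was present.

const TRAILING_WS = /\s+$/;   // \s covers ASCII and Unicode whitespace in JS
const LEADING_WS = /^\s+/;

// Inspect a URL string; return the stripped URL plus padding statistics.
function normalizeDisplayUrl(raw) {
  const trailingPad = (raw.match(TRAILING_WS) || [""])[0].length;
  const leadingPad = (raw.match(LEADING_WS) || [""])[0].length;
  const url = raw.replace(LEADING_WS, "").replace(TRAILING_WS, "");
  // Spaces are not valid inside a URL either, so count any that remain.
  const internalSpaces = (url.match(/\s/g) || []).length;
  // Threshold is an assumption: one or two stray spaces are copy/paste
  // noise, dozens can only serve to push the host name out of view.
  const suspicious = trailingPad >= 8 || leadingPad >= 8 || internalSpaces > 0;
  return { url, trailingPad, leadingPad, internalSpaces, suspicious };
}

// Wrapper around a popup opener such as window.open. The opener and logger are
// injected so the function also runs outside a browser; with no opener it
// simply returns the cleaned URL.
function safeOpen(raw, opener, log = console.warn) {
  const r = normalizeDisplayUrl(raw);
  if (r.suspicious) {
    log(`padded URL cleaned before display: ${r.trailingPad} trailing, ` +
        `${r.leadingPad} leading, ${r.internalSpaces} internal whitespace chars`);
  }
  return opener ? opener(r.url) : r.url;
}

// Constructed sample: a benign URL followed by 200 spaces.
const sample = "http://www.example.com/login" + " ".repeat(200);
console.log(normalizeDisplayUrl(sample));
```

In a browser the call would be `safeOpen(untrustedUrl, window.open.bind(window))`; the padding counts are what you would want in a log line, since a URL with hundreds of trailing spaces has no legitimate reason to exist.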

The Firefox bug was considered critical and "fixed" last month, but it seems strange that Mozilla would leave a crash condition in Firefox 2.0. Any flaw that can crash an application has to be alarming, because it might be exploitable. It sounds like some modifications were made to make the condition less exploitable, but a crash condition still exists. When I spoke with Window Snyder last month on the phone, she made it very clear to me that Mozilla would not argue about what is and isn't a flaw and would simply fix it. It's understandable that Mozilla is being defensive (like Microsoft over the Outlook Express IE7 issue) about this flaw being labeled "critical", but surely Mozilla will have to admit this may still be a serious flaw, since the exploit still crashes Firefox 2.0. At some point Mozilla will have to admit this is a problem and really fix it so that the browser doesn't crash at all.

Some in the blogosphere and tech media are blowing these exploits way out of proportion (mostly at Microsoft) and are drawing hasty and inaccurate conclusions. They all need to calm down, because neither next-generation browser from Microsoft or Mozilla has had any critical flaws yet, and it's simply too soon to tell which one will end up more secure. Even if a critical flaw is found in either new product, we need to remember that Firefox 1.x averaged 5.15 highly/extremely critical flaws per month over the previous 12 months, while IE6 averaged 2.6 highly/extremely critical flaws per month over the same period. The less critical issues found so far in IE7 and FF2 don't even register as remotely exploitable conditions.

To give some proper historical perspective based on Secunia data, here is a chart of IE6 versus FF1 flaws.  Note that this only includes flaws that are ranked above moderately critical or a 3 on a scale of 5.

Before anyone complains that the numbers are way too high and that Secunia's own advisory stats are way lower than the ones I show, please remember that a single advisory with 9 highly critical flaws is counted here as 9 highly critical flaws, and that Secunia's stats, which are based only on the number of advisories, are highly misleading.
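The two ways of counting described above, per advisory versus per flaw bundled inside an advisory, as an added example that is not part of the original post. The advisory records are constructed for illustration and are not Secunia data; the criticality numbers follow the 1 to 5 scale the post refers to, with 4 and above meaning highly or extremely critical.

```javascript
// Added example, not from the original post. Computes monthly flaw rates
// from advisory records two ways: counting advisories, and counting the
// flaws each advisory bundles. All records below are constructed.

// Criticality scale as used on the page: 5 = extremely critical,
// 4 = highly critical, 3 = moderately critical, 2 = less, 1 = not critical.
const HIGH_OR_ABOVE = 4;

// One record per advisory: publication month, criticality, flaws bundled.
const advisories = [
  { id: "ADV-A", month: "2005-11", criticality: 4, flaws: 9 }, // nine flaws, one advisory
  { id: "ADV-B", month: "2005-12", criticality: 3, flaws: 2 }, // moderate: excluded
  { id: "ADV-C", month: "2006-02", criticality: 5, flaws: 1 },
  { id: "ADV-D", month: "2006-06", criticality: 4, flaws: 3 },
  { id: "ADV-E", month: "2006-09", criticality: 2, flaws: 4 }, // less critical: excluded
  { id: "ADV-F", month: "2005-08", criticality: 5, flaws: 2 }, // before the window: excluded
];

// "YYYY-MM" to a running month number so windows can be compared.
function monthIndex(ym) {
  const [y, m] = ym.split("-").map(Number);
  return y * 12 + (m - 1);
}

// Averages over an inclusive month window, e.g. "2005-11" to "2006-10" = 12 months.
function monthlyRates(records, startMonth, endMonth, minCriticality = HIGH_OR_ABOVE) {
  const start = monthIndex(startMonth);
  const end = monthIndex(endMonth);
  const months = end - start + 1;
  const selected = records.filter(a => {
    const i = monthIndex(a.month);
    return i >= start && i <= end && a.criticality >= minCriticality;
  });
  const advisoryCount = selected.length;
  const flawCount = selected.reduce((n, a) => n + a.flaws, 0);
  return {
    months,
    advisoryCount,
    flawCount,
    advisoriesPerMonth: advisoryCount / months,
    flawsPerMonth: flawCount / months,
  };
}

const rates = monthlyRates(advisories, "2005-11", "2006-10");
console.log(rates);
```

With these constructed records the same 12-month window yields 3 advisories but 13 flaws, so the per-advisory figure understates the per-flaw figure by more than a factor of four, which is the discrepancy the post is warning about.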

Note that any highly or extremely critical flaw is remotely exploitable and can allow a hacker to commandeer the browser process.  When the browser is run under an administrator user, the compromised browser can lead to total system compromise.  When the browser is run under a limited user context, a compromised browser can steal, delete, or encrypt user files for ransom.

Talkback

75 comments
  • George one small question

    Why don't you use a metric like flaws over the lifetime of a browser instead of taking a period which might or might not be arbitrary?

    When I was working on a project related to maintenance, they hardly looked at periods, but preferred to look upon failures during the lifetime of a product to determine whether it provided a risk.
    tombalablomba
    • Isn't the most recent 12 months most relevant?

      I would think the last year is more relevant though. 12 months in the computer business is a LONG time.

      But again, this blog isn't about the IE6/FF1 flaws. I just showed that to put things in to some perspective over the flap these minor issues have been getting.
      georgeou
      • How about this then

        List all exploits that have been around for IE 6.0 from first release to date. That's FIVE LONG times by your reckoning.

        Your "perspective" is flawed because it ignores the fact that one product was released much later and has advanced much more rapidly than the other.

        If you want to compare products and exploits then stick with the 7.0 vs 2.0 list since they've come out at the same time. (Though I'll be interested in the time difference between 3.0 and 8.0 releases.)
        Robert Crocker
        • You're arguing FF is too young to be judged?

          "If you want to compare products and exploits then stick with the 7.0 vs 2.0 list since they've come out at the same time. (Though I'll be interested in the time difference between 3.0 and 8.0 releases.)"

          You're arguing FF is too young to be judged? But if FF is too young to be judged and measured, isn't it too young to be used by serious organizations? Your argument here doesn't make any sense. I'm talking about the here and now and if you can't put your hero Firefox up to the challenge then you shouldn't be using it.

          As for comparing IE7 to FF2, it's simply silly to do this now because it would be like trying to judge the winner of a 10 mile marathon in the first five seconds. These new products are barely a week old or less. Give it 3 months at least before we can have any kind of idea which product is more flawed.
          georgeou
          • Funny comparison

            [i]As for comparing IE7 to FF2, it's simply silly to do this now because it would be like trying to judge the winner of a 10 mile marathon in the first five seconds.[/i]

            This is a somewhat funny comparison George, because one of the runners (ie) has been running for some time and the second (ff) just got at the start. I guess it's really difficult to just look at the stats and decide what's better.

            FF has been pushing out a new version 1 to 1.5 which makes the comparison somewhat flawed. F.i. would a flaw in 1.0.9 still be counted etc. etc. etc.

            If both would have had the same lifetime, it would be easier.

            But I guess the moment the numbers are introduced, the disputes start :).

            As long as there is no definite good measure and people are investing money in finding flaws (which they then won't disclose) it's just hoping for the best and living in la la land hoping that you're safe, but you actually never know for sure as long as your pc is linked to the internet, regardless of OS, browser used etc. etc.
            tombalablomba
          • Firefox 1.X is 18 official releases

            George, not counting RC or betas and Alphas or trunk builds/developer previews (Firefox 3.0a1 is out), Firefox has had 18 releases since 1.0 (Dec 10, 2004). 17 official releases since March 2005.

            http://releases.mozilla.org/pub/mozilla.org/firefox/releases/

            3 of those releases were major (And very different than 1.0), FF 2.0, Firefox 1.5, and Firefox 1.5.0.X.

            Again calling it Firefox 1.X or 1.0+ is dead wrong. This is due to the fact that Firefox 1.0, 1.5, and 2.0/1.5.0.X are all based on different branches of the Mozilla Gecko rendering engine.

            Once again a nice chart for you http://wiki.mozilla.org/Global:1.9_Trunk_1.8_Branch_Plan

            Should we count IE 5.0, 5.5, 6.0, and 7.0 as one product? That is what you are doing by lumping 1.0, 1.5, 1.5.0.X, and 2.0 together.

            FF 2.0 isn't exactly new. They are using roughly the same rendering engine as FF 1.5.0.7. The Branch was created in December of 2005 and was recently patched to fix security flaws recently (within the last month).

            Mozilla openly claims that both FF 1.5 and 2.0 are from the same Mozilla Branch.

            MS by contrast claims IE 7.0 is new.
            Edward Meyers
          • Of course

            But that wouldn't allow George to continue on his NBM crusade.

            I can't help but wonder why he's messing with Firefox 1.x at all
            when Firefox 2.0 is the current version.
            jragosta
          • Ah, the numbering schemes to skew it a third way.

            MSIE had 2 versions also. IE6 and IE601 sp1. You forgot that one. Both companies have different number schemes anyway. So we go by the number left of the decimal point as a major change. It appears when Mozilla puts in a new engine, they do not consider it a major change. There is other criteria involved. I wonder how long it will be before I get those changes in SeaMonkey.

            It should be:

            (severe flaws total/years in service = average)
            +
            (medium flaws total/years in service = average)
            +
            (minor flaws total/years in service = average)
            =
            A value/3
            =
            severity rating of product over its life cycle

            Obviously if the flaws were on a 1-10 scale you would substitute 10 for the 3.

            The longer a product has been around, the more flaws it will have. Cannot compare Saturn to Ford in total flaws but you could compare them on an average. Also when a product is introduced, it will have many flaws and at the end of its life it should have very few.
            osreinstall
          • Check your version, you may have some already

            In Seamonkey check the version and see which version of Gecko you are using.

            It'll look like this:

            [i]Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20061026 Minefield/3.0a1[/i]

            The first part is the version of Gecko you are using, in my case it is 1.9a1.

            Mozilla uses .X releases to indicate a more major release and a .0.X as a minor/bugfix release. So in other words a .0.1 release is the equivalent of a .1 or SP release in IE sorta... as IE doesn't call its bugfixes new releases, except for SPs.

            The full point and half point e.g. 1.0, 1.5, 2.0 releases are milestones and are considered major releases with Mozilla. When they switched rendering engines they jumped Firefox a half point release. The full point releases are typically time based, e.g. Firefox 3.0 is scheduled to be out in March 2007.

            Since March/April 2006 the trunk builds have been renamed from Firefox 3.0a1 to Minefield, so you know to expect some bugs- hey isn't the bleeding edge great?
            Edward Meyers
          • I am not bleeding edge

            Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.7) Gecko/20060910 SeaMonkey/1.0.5

            I just do releases. 1.8.0.7 is the engine and 1.0.5 is the release version of SeaMonkey. Oh, it will trickle down just wondering how long.

            I do not do the nightlies. Usually in the past the dialog boxes acted up. I had one that didn't export bookmarks or an address book.
            osreinstall
          • Being on the Bleeding Edge has certain downfalls

            Your version of Seamonkey is the same Gecko version as FF 1.5.0.7- which isn't a bad browser. It should be faster than FF 1.0.X and 1.5. It also has some native SVG support, which isn't as big a deal right now unless you are using some specialized Web Apps or the site utilizes SVG to a good extent (Some do).

            With the nightlies you do want to back up your bookmarks as there are sometimes bugs but on the other hand you get a preview of what is to come. With Firefox I noticed a speed increase in both start-up, rendering, and it just seems more responsive with the nightlies.

            An alpha of Seamonkey 1.1 is out and I think it uses the Gecko 1.8.1a (FF2 uses 1.8.1) so a new version of Seamonkey that uses the same rendering engine as FF 2.0 should be out soon.
            Edward Meyers
          • Yes it does.

            It is just as fast as the current Firefox for it is the same browser and network optimized. Since it cannot support the plugin, I just put the tweaks in a user.js file. I got them by studying the about:config in Firefox and a Mozilla resource website. So it is a lot faster than an OEM SeaMonkey.

            I backup the entire profile right along with emails to a server at least 3 times a week. I made a batch file to grab everything important on the hard drive. Backup is the only way to go to make sure the data doesn't get lost.

            That would be good. I use the integrated browser because it is easier. I could use web mail but it has the grace of a 32 oz ballpein hammer on a jeweler's workbench. Not to mention the incredible slowness.
            osreinstall
          • Seamonkey has other advantages

            Seamonkey is 14 MB for Linux, 12 MB for Windows.

            Seamonkey is the equivalent of Thunderbird, Firefox, NVU (Sorta NVU has some additional features), and also includes a chat client. Do the math:

            FF 2.0 for Linux is 9.2 MB; Windows 5.6 MB
            Thunderbird is 10.1 MB for Linux; 6.0 MB for Windows

            Just FF and Thunderbird is larger, on Linux, than Seamonkey. On Windows just those two aren't much smaller, so for less than 1 MB you get the web editor and chat for almost nothing.

            The one thing that has me preferring FF to Seamonkey is that FF has a separate search bar. That is it.
            Edward Meyers
          • That is one I didn't mention

            It gets more noticeable with plugins.

            The integrated package is smaller than the combined package. I would have preferred if they had made it completely lego. Just download the installer with the engine and treat everything as an xpi. It would be browser.xpi, mail.xpi, calendar.xpi and so on. Everything is an xpi that you snap into place. That way it is totally customizable.

            I am still wondering how to shutdown html in email without whacking the browser part. I have looked for a mailnews.disable_html = true setting and there isn't one on the internet. Send format you can but not receive. This is probably why they split them up. It should have been recoded in separate zones of security with the lego principle.

            Oh Well.
            osreinstall
          • XUL Runner - It's where they are heading

            Read the Firefox 3 PRD found here http://wiki.mozilla.org/Firefox:3.0_PRD

            They are moving towards XUL Runner
            http://developer.mozilla.org/en/docs/XULRunner

            Once this is all implemented, as I understand it, it will work like you describe.

            Also I grabbed a copy of the latest trunk build of Seamonkey and it uses 1.9a1
            Edward Meyers
          • That would be decent.

            I found the hack I was looking for in SeaMonkey 1.0.5. You can do it in the GUI pull down menu but it is global and too inflexible.

            Go in about:config and change this value:
            mailnews.display.html_as

            0=render html as sent from sender (default)
            1=text only
            2=html source
            3=html sanitize

            Picked 3 for it can be adjusted in the next setting.

            The mailnews.display.html_sanitizer.allowed_tags has a bunch of allowed settings separated by spaces. You can add to it to allow everything or delete from it to restrict everything. I deleted the setting:
            a(href, name, title)
            This converts all the hyperlinks to plain text. More settings for user.js

            Now I have safe html with hyperlinks deactivated in the body of the mail message. I don't click on them anyway. I will try that new SeaMonkey and see what's new.
            osreinstall
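The pref edit described in the comment above, as an added example that is not the commenter's code or Mozilla's. The comment says the allowed_tags value is space-separated, but an entry such as a(href, name, title) can itself contain spaces inside its parentheses, so a plain split on spaces would break it; the small parser below splits only on spaces outside parentheses, removes one tag by name, and emits the lines in user.js syntax (user_pref, which is Mozilla's real pref-file format). The sample allowed_tags value is constructed for illustration and is not SeaMonkey's actual default list.

```javascript
// Added example, not from the comment or from SeaMonkey. Edits a
// mailnews.display.html_sanitizer.allowed_tags value and prints user.js lines.

// Split the space-separated list, keeping "tag(attr, attr)" entries whole.
function parseAllowedTags(value) {
  const entries = [];
  let depth = 0;
  let cur = "";
  for (const ch of value) {
    if (ch === "(") depth++;
    if (ch === ")") depth = Math.max(0, depth - 1);
    if (/\s/.test(ch) && depth === 0) {
      if (cur) entries.push(cur);   // end of an entry at top level
      cur = "";
    } else {
      cur += ch;                     // spaces inside parentheses are kept
    }
  }
  if (cur) entries.push(cur);
  return entries;
}

// The tag name is everything before the optional "(".
function tagName(entry) {
  return entry.split("(")[0];
}

// Return the list with every entry for `name` removed, re-joined with spaces.
function removeTag(value, name) {
  return parseAllowedTags(value).filter(e => tagName(e) !== name).join(" ");
}

// One user.js line; JSON.stringify gives correct quoting for strings,
// numbers and booleans alike.
function userPrefLine(prefName, value) {
  return `user_pref("${prefName}", ${JSON.stringify(value)});`;
}

// Constructed sample list (not the real default).
const SAMPLE_ALLOWED = "a(href, name, title) b blockquote(cite) br i img(src, alt) p";

// html_as = 3 selects the sanitizer, as the comment describes; then drop the
// anchor entry so hyperlinks are rendered as plain text.
const lines = [
  userPrefLine("mailnews.display.html_as", 3),
  userPrefLine("mailnews.display.html_sanitizer.allowed_tags", removeTag(SAMPLE_ALLOWED, "a")),
];
console.log(lines.join("\n"));
```

Before writing the second line into user.js, copy the real allowed_tags value out of about:config and run removeTag on that rather than on the constructed sample, otherwise the list of permitted tags is replaced rather than trimmed.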
          • Spoke too soon

            It appears to eliminate links in html bodies if originally html. If typed in they show up. Oh well time to search for a setting.
            osreinstall
          • Sorry George.

            Your MS cheerleading is too little too late. We've moved on.
            nomorems
          • Deliberately obtuse

            George,

            You know I'm arguing no such thing.

            My point is that you're comparing ALL the bugs of Firefox for its entire life compared to the last year's worth of IE bugs after it's already been beaten up for a number of years. The fact that bugs are still falling out should be cause for concern.
            Robert Crocker
        • Robert Robert Robert

          Come now. George Ou colors his world differently and besides he likes these stats because it ALWAYS engenders a response (click).

          You get bad wit yousef George! ;)

          Signing off. Over and out.
          (static line noise !@#$%^&)k Blip.
          D T Schmitz