AL-2004.23 -- User Interface Spoofing in Mozilla and Firefox

Date: 04 August 2004
References: AU-2004.0012  


===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2004.23 -- AUSCERT ALERT
              User Interface Spoofing in Mozilla and Firefox
                              04 August 2004

===========================================================================

Product:                Mozilla
                        Firefox
Operating System:       Linux variants
                        Mac OS X
                        OS/2
                        UNIX variants
                        Windows
Impact:                 Provide Misleading Information
Access Required:        Remote


PROBLEM:

	AusCERT advises that working proof of concept code has now been
	published for a vulnerability in all versions of Mozilla and
	Firefox.  AusCERT expects this exploit code to be utilised to
	facilitate identity fraud (aka "phishing"), which may capture
	sensitive account details.


IMPACT:

	This vulnerability allows a malicious web site operator to cause
	XUL (XML User Interface Language) files to be loaded in the browser.
	XUL files allow for the possible spoofing of the browser's user
	interface, including areas such as the address bar, tool bar, and
	SSL certificate dialog boxes.


MITIGATION:

	As no patch has yet been released for this issue, AusCERT recommends
	that users of the vulnerable browsers not follow links to untrusted
	web sites.  Additionally, administrators may wish to implement
	mitigating strategies such as disabling some window open features.
	This can be done by entering "about:config" (without the quotes) in
	the address bar and setting the "dom.disable_window_open_feature.location"
	value to true.  Changing this setting will ensure that the true browser
	address and tool bars remain visible at the top of the browser window;
	however, the spoofed address and tool bars will still be shown.
	Administrators are encouraged to test this and any other mitigation
	steps in their own environments prior to implementing them in a
	production environment.

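	The following script is an added example and is not part of the AusCERT
	advisory: it pins the about:config setting described above in the user.js
	of every Mozilla/Firefox profile under a directory, so administrators can
	roll the mitigation out and audit it rather than set it by hand.  It assumes
	a profile is any subdirectory containing prefs.js and that user.js entries
	are re-applied over prefs.js at each browser start-up.

```shell
#!/bin/sh
# Added example, not part of the AusCERT advisory: deploy the about:config
# mitigation (dom.disable_window_open_feature.location = true) to every
# Mozilla/Firefox profile under a directory by pinning it in user.js.
# Assumptions: a profile is any subdirectory containing prefs.js, and a
# user.js in that directory is re-applied over prefs.js at each start-up.

PREF_NAME="dom.disable_window_open_feature.location"

# Format a preference the way Mozilla's user.js expects it.
pref_line() {
    printf 'user_pref("%s", %s);\n' "$1" "$2"
}

# Pin preference $2 to value $3 in the user.js at $1, replacing any
# earlier line for the same preference so repeated runs are idempotent.
set_pref() {
    file=$1 name=$2 value=$3
    [ -f "$file" ] || : > "$file"
    grep -F -v "user_pref(\"$name\"" "$file" > "$file.tmp" || true
    pref_line "$name" "$value" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Succeed only if user.js $1 contains exactly the line pinning $2 to $3;
# use this to audit profiles after deployment.
check_pref() {
    grep -F -x -q "$(pref_line "$2" "$3")" "$1"
}

# Walk every profile directory under $1 and apply the mitigation.
apply_to_profiles() {
    root=$1
    for dir in "$root"/*/; do
        [ -f "$dir/prefs.js" ] || continue    # not a browser profile
        set_pref "$dir/user.js" "$PREF_NAME" true
    done
}

# Usage: ./pin-location-pref.sh ~/.mozilla/firefox
if [ $# -gt 0 ]; then
    apply_to_profiles "$1"
fi
```

	As the advisory notes, this only keeps the genuine address and tool bars
	on screen; a spoofed copy drawn by the page can still appear beneath them.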

REFERENCES:

	Further information regarding this vulnerability is available from:

		http://www.nd.edu/~jsmith30/xul/test/spoof.html

---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this security bulletin is accurate at the time of publication. 
However, the decision to follow or act on information or advice contained in 
this security bulletin is the responsibility of each user or organisation, and 
should be considered in accordance with your organisation's site policies and 
procedures. AusCERT takes no responsibility for consequences which may arise 
from following or acting on information or advice contained in this security 
bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call after hours
                for member emergencies only.
	
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================