Comments on: URL bar spoofing vulnerability

By: Internet Protection

Internet Protection — Tue, 01 Sep 2009 05:12:10 +0000

Successfull attack depends on the proper construction of the’data:’ URL. An algorithm could utilize JSdocument.body.clientWidth/Height properties to calculate thebest url padding for the given browser.

By: Daniel Veditz

Daniel Veditz — Mon, 31 Aug 2009 20:50:02 +0000

oh, /that/ “it”. I already said in comment 10 that we don’t have a fix for the fake anti-virus sites yet.

By: Greg R.

Greg R. — Mon, 31 Aug 2009 20:26:09 +0000

@Daniel veditz

Not true, unfortunately. I saw the newwayscanner.info popup for the first time almost immediately after installing 3.5.2. I did kill the process immediately, and blocked their website in my hosts file, and haven’t seen it since.

By: Daniel Veditz

Daniel Veditz — Mon, 31 Aug 2009 19:23:50 +0000

@Byron

The fix for this URL bar spoofing problem was released in Firefox 3.5.2 and Firefox 3.0.13

By: Byron

Byron — Mon, 31 Aug 2009 12:40:47 +0000

Where’s the patch for it????

By: Daniel Veditz

Daniel Veditz — Mon, 31 Aug 2009 06:47:21 +0000

@Douglas

Yes, this is the wrong place for this Please see the folks at http://support.mozilla.com to find help with Firefox problems. Or if you’re worried about (in)security you can report issues via e-mail to security@mozilla.org

The symptoms you describe are a classic scareware fraud that makes the rounds. It’s bad enough that the US FTC got a large judgment against a couple of operators last December (later cut to 6% of the original amount — boo!). Unfortunately that hasn’t slowed the problem since those guys were by no means the only ones using the technique.

Killing Firefox through the Task Manager simulates a “crash” so Firefox tries to restore your previous session instead of opening your home page. In Firefox 3.5 if you crash a couple of times in a row it will instead open on a page showing the tabs it’s trying to restore and allow you to skip specific tabs. Not a great workaround, and we are trying to come up with something better without breaking features that lots of legitimate web sites depend on.

By: Douglas Haire

Douglas Haire — Sun, 30 Aug 2009 12:37:52 +0000

This may be the wrong place for this but several times in the past few weeks I have been hit with something claiming to be a Mozilla Security Check. It also reports something like this:
“http://newwayscanner.info”

Whatever this is, it takes over Firefox, expands it to full page, and starts dialog boxes claiming it is scanning my computer and finding threats (usually 10 or more) then a dialog box pops up trying to start a download of some executable. The only way out of this is to use Task Manager to shut down Firefox (listed now as this Mozilla Security thing) and open it again using an internet link icon. I can then exit the malicious site by closing that tab. Attempting to re-open Firefox at my default home page just takes me back to the malicious site.

By: AndrewM

AndrewM — Wed, 26 Aug 2009 19:37:28 +0000

@Confused (in case you check back here or for anyone else who’s interested): If you look at the Known Vulnerabilities page for Firefox 3.5 ( http://www.mozilla.org/security/known-vulnerabilities/firefox35.html ) you’ll see that there’s a vulnerability fixed in Firefox 3.5.2 that sounds like it’s the right one (“Location bar and SSL indicator spoofing via window.open() on invalid URL”). When you click on that, you get taken to Mozilla Foundation Security Advisory 2009-44 ( http://www.mozilla.org/security/announce/2009/mfsa2009-44.html ) which gives a more detailed description and which links to the same bug number as the one given in the post above.

So yes, it’s fixed in 3.5.2

By: Confused

Confused — Thu, 06 Aug 2009 12:15:19 +0000

@ Zack

Thanks for the reply. This is what the bugszilla page shows at this time:

Whiteboard: [sg:moderate] spoof

Flags:
benjamin: blocking1.9.1-
benjamin: wanted1.9.1+
samuel.sidler: blocking1.9.0.14+
samuel.sidler: wanted1.9.0.x+
hskupin: in‑testsuite?

I am afraid the above is double dutch to me. If you understand it and have the time and inclination to explain in lay persons language how to interpret the above, I’d be interested to learn for the future. Otherwise a “yes this is fixed now” or “no it isn’t” would suffice.

(I am assuming that the 3.5.2. that came out about a week or so after this post included a fix).

By: Zack

Zack — Mon, 03 Aug 2009 23:14:50 +0000

@confused: RESOLVED FIXED means only “a fix for this issue has been committed to the current development trunk”. You have to look at a host of other information – the flags, the attachment flags, the whiteboard, etc. – to figure out which upcoming release that fix will be in.