Mozilla has been aware of the Firefox iFrame bug that came to light yesterday for more than two months now, and the company’s engineers concluded early on in the process that the problem was a fairly minor one that was unlikely to cause the vast majority of users any confusion or be exploited by attackers.
The bug, which is related to the way that Firefox renders URLs in iFrames, was submitted to Mozilla’s Bugzilla bug-tracking system on June 7. Within a day, Mozilla’s engineers had explained in the bug thread why Firefox doesn’t throw an alert when the URL in an iFrame is obfuscated and said that exploitation was unlikely.
“Pretty early on we looked at it and thought that it wasn’t a major bug. The real defense there is that Firefox isn’t fooled by it,” Johnathan Nightingale, director of Firefox development, said in an interview Wednesday. “I think in this case, the alert would actually confuse people because they’d look in the address bar and the URL would look fine. The users who might see this in the iFrame are not the kind of people who would be fooled by it.”
In order to notice that a particular URL in an iFrame has been obfuscated, a user would need to view the source code of the page, which is not something that most users are likely to do. Because the bug doesn’t pose much risk to users, Mozilla has no plans to issue a fix for it at this point, Nightingale said.
“We take this stuff really, really seriously and if we’re missing something or not seeing an attack, we want to know about it,” he said. “But we took a close look at this and it’s a very low risk for users.”
Nightingale said that there are some extra security mechanisms in the pipeline for Firefox 4, which is currently in beta. The company will be adding content security policy into the browser itself, which will enable site operators to define which third-party sites should be treated as legitimate sources of content on their sites. So Firefox will then know that it shouldn’t load third-party content unless it’s from one of the defined sites.
This should help address some of the problems that have led to the mass Web site compromises of the last few years, many of which involve loading malicious code from remote sites. Not only will the mechanism let Mozilla know about the attempt to load the third-party content, it will also alert the site’s operator, letting them know that there’s potentially malicious code being loaded via the site.
“This is probably my favorite security protection,” Nightingale said. “The reporting mechanism will tell administrators about the loading of the content, and that helps keep everyone safe. And that’s our job, to make the Web a better place.”
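The allow-list and reporting behaviour described above can be sketched as follows. This is an added example, not code from Mozilla or from the article. It assumes the standardized `Content-Security-Policy` header syntax (the article gives no syntax), uses constructed hostnames, and is a simplified model of browser matching that ignores ports, paths, scheme-only sources and nonces.

```javascript
// Simplified model of Content Security Policy source matching (added example).
// Parse a policy string into a map of directive name -> source expressions.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    // As in CSP, the first occurrence of a directive wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// Match one source expression ('self', 'none', *, host, *.host, scheme://host).
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/i.exec(source);
  if (!m) return false; // unsupported expression in this model: fail closed
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const have = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  return wildcard ? have.endsWith('.' + want) : have === want;
}

// Decide whether a load is allowed; on a block, build the violation report
// that would be POSTed to the operator's report-uri endpoint.
function checkLoad(header, pageUrl, resourceUrl, directive) {
  const policy = parsePolicy(header);
  const sources = policy.get(directive) || policy.get('default-src');
  if (!sources) return { allowed: true, reportTo: null, report: null };
  const url = new URL(resourceUrl);
  const origin = new URL(pageUrl).origin;
  if (sources.some((s) => sourceMatches(s, url, origin))) {
    return { allowed: true, reportTo: null, report: null };
  }
  return {
    allowed: false,
    reportTo: (policy.get('report-uri') || [])[0] || null,
    report: { 'csp-report': { 'document-uri': pageUrl, 'blocked-uri': url.origin,
                              'violated-directive': directive } },
  };
}

// Constructed policy: scripts only from the site itself and one named CDN.
const POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.net; report-uri /csp-report";
```

A script injected into a compromised page and pointing at any host outside the list is refused, and the report gives the operator the page and the blocked origin to investigate.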