New Firefox Flaw Enables URL Spoofing, Code Injection

A prominent security researcher has identified a problem with the way that Mozilla Firefox handles links that are opened in a new browser window or tab, enabling attackers to inject arbitrary code into the new window or tab while still keeping a deceptive URL in the browser’s address bar.

The vulnerability, which Mozilla has fixed in the upcoming version 3.6.4 of Firefox, has the effect of tricking users into thinking that they’re visiting a legitimate site while instead sending arbitrary attacker-controlled code to their browsers. Security researcher Michal Zalewski discovered the flaw. There have been a number of other address-bar spoofing vulnerabilities reported in recent years, as researchers and attackers have focused their attention on the intricacies of the browsers’ interactions with Web sites.

Firefox 3.6.4 is currently in beta.

Zalewski has been detailing a series of interesting browser bugs that he’s discovered in recent blog posts, and the Firefox bug is the latest. Here’s his description of how it works:

Alas, this design decision creates an interesting vulnerability in Firefox: the about:blank document actually displayed in that window while the page is loading is considered to be same origin with the opener; the attacker can inject any content there – and still keep his made-up URL in the address bar.

Well, the spinning throbber is there, right? As it turns out, you can make it go away. The harder way is to use a URL that legitimately returns HTTP 204; the easier way is to simply call window.stop():

<input type=submit value="Click me!" onclick="clicked()">
<script>
var w;  // handle to the window opened by the click
function clicked() {
  // open the new window; the address bar shows the requested URL while it loads
  w = window.open("http://1.2.3.4/", "_blank", "toolbar=1,menubar=1");
  // after a short delay, write into the still-loading document and stop the load
  setTimeout('w.document.body.innerHTML = "Fake content!";w.stop();', 500);
}
</script>

Zalewski also has discovered and reported other browser bugs in recent months, including one in Apple’s Safari browser. That vulnerability in Safari allowed different pages from different domains to access each other at any time.