Firefox Mozilla Privacy Security IT Technology

Malicious Sites Abuse 11-Year-Old Firefox Bug That Mozilla Failed To Fix (zdnet.com)

Malware authors, ad farmers, and scammers are abusing a Firefox bug to trap users on malicious sites. From a report: This wouldn't be a big deal, as the web is fraught with this kind of malicious site, but these websites aren't abusing some new, never-before-seen trick, but a Firefox bug that Mozilla engineers appear to have failed to fix in the 11 years since it was first reported back in April 2007. The bug comes down to a malicious website embedding an iframe inside its source code. The iframe makes an HTTP authentication request on another domain.

[...] For the past few years, malware authors, ad farmers, and scammers have been abusing this bug to lure users onto sites where they show all sorts of nasties, such as tech support scams, ad farms that reload the page with new ads in a loop, pages that push users to buy fake gift cards, or sites that offer malware-laced software updates. Whenever users try to leave, the owners of these shady sites trigger the authentication modal in a loop.
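The mechanism the report describes, as an added example that is not part of the ZDNet report, this Slashdot post, or any Mozilla code: a crawler- or proxy-side check, in Node.js, for the two conditions the trap needs, a cross-origin iframe on the page and a 401 response carrying a WWW-Authenticate challenge from the iframe's URL. The sample page, the hosts (scam.example, login.example, cdn.example) and the response headers are constructed for the example, and the iframe scan is a simplified regex rather than a full HTML parser.

```javascript
// Added example, not from the ZDNet report or from Mozilla: a crawler-side
// classifier for the two preconditions of the auth-prompt trap described
// above: (1) the page embeds a cross-origin <iframe>, and (2) that iframe's
// URL answers with 401 + WWW-Authenticate, which is what makes affected
// Firefox versions raise a modal credential dialog over the embedding page.
// The iframe scan is a deliberately simplified regex, not a full HTML parser.

// Absolute URLs of every <iframe src=...> whose origin differs from the page's.
// Relative srcs are resolved against pageUrl; non-http(s) srcs are ignored
// because they cannot carry an HTTP authentication challenge.
function crossOriginIframeSrcs(html, pageUrl) {
  const page = new URL(pageUrl);
  const found = [];
  const iframeSrc = /<iframe\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = iframeSrc.exec(html)) !== null) {
    const raw = m[1] !== undefined ? m[1] : (m[2] !== undefined ? m[2] : m[3]);
    let target;
    try {
      target = new URL(raw, page.href);
    } catch (e) {
      continue; // unparsable src, cannot be fetched
    }
    if (target.protocol !== "http:" && target.protocol !== "https:") continue;
    if (target.origin !== page.origin) found.push(target.href);
  }
  return found;
}

// True when a response is an HTTP authentication challenge the browser answers
// with a login dialog: status 401 and a WWW-Authenticate header whose scheme
// is Basic or Digest. A Bearer challenge gets no dialog, so it is not flagged.
// Header names are compared case-insensitively; multi-valued headers may be
// given as arrays, as Node's http module does.
function isAuthChallenge(status, headers) {
  if (status !== 401) return false;
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() !== "www-authenticate") continue;
    const values = Array.isArray(headers[name]) ? headers[name] : [headers[name]];
    if (values.some((v) => /^\s*(basic|digest)\b/i.test(String(v)))) return true;
  }
  return false;
}

// Both checks together. `responses` maps each iframe src (absolute URL) to the
// { status, headers } observed when fetching it. Returns the srcs that would
// raise a cross-origin credential prompt from inside this page.
function authTrapIframes(html, pageUrl, responses) {
  return crossOriginIframeSrcs(html, pageUrl).filter((src) => {
    const r = responses[src];
    return r !== undefined && isAuthChallenge(r.status, r.headers);
  });
}

// Constructed sample (hypothetical hosts): a same-origin frame, a cross-origin
// frame that challenges for credentials, a cross-origin frame serving plain
// content, and a javascript: frame that cannot be an HTTP auth vector.
const SAMPLE_PAGE_URL = "http://scam.example/landing.html";
const SAMPLE_HTML = [
  "<html><body>",
  '<iframe src="/ads.html"></iframe>',
  '<iframe src="http://login.example/trap" style="display:none"></iframe>',
  "<iframe src='https://cdn.example/widget'></iframe>",
  '<iframe src="javascript:void(0)"></iframe>',
  "</body></html>",
].join("\n");
const SAMPLE_RESPONSES = {
  "http://login.example/trap": {
    status: 401,
    headers: { "WWW-Authenticate": 'Basic realm="Security Alert"' },
  },
  "https://cdn.example/widget": {
    status: 200,
    headers: { "Content-Type": "text/html" },
  },
};

function demo() {
  return authTrapIframes(SAMPLE_HTML, SAMPLE_PAGE_URL, SAMPLE_RESPONSES);
}

console.log("auth-prompt trap frames:", demo());
```

Run it with `node`; it prints the one frame that would raise a cross-origin credential prompt. The scheme filter matters: Basic and Digest challenges produce the modal dialog, a Bearer challenge does not, so only the former are flagged. Since the report's loop simply re-triggers the same challenge every time the user dismisses it, a single flagged frame is enough to classify a page.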

  • So: Given enough eyeballs, all bugs are shallow. [wikipedia.org]

    I guess we need to include a few caring fingers as well. ESPECIALLY middle ones for those hard-to-reach, far-away keys.

    (The bug is only 11 years old -- not even a teenager yet.)
    • Re: (Score:2, Insightful)

      by Anonymous Coward

Most folks who would care are probably running NoScript, which blocks iframes. If you're running any browser naked you're probably not just vulnerable to iframes but to EVERYTHING ELSE too.

      • by rtb61 ( 674572 ) on Monday December 10, 2018 @05:06PM (#57782720) Homepage

What struck me was the absurd notion of the whole scam. You have stuck someone in an advertising loop; they will not be happy. Seriously, why would you expect them to buy anything? The inane greed of psychopaths.

        • by Vreejack ( 68778 )

I think it's used for scareware, as in "Microsoft is locking your computer due to detected hacking, etc. Hackers are stealing your credit cards and personal information. Please call our technician, etc." And of course you cannot escape the windows that keep opening unless you spam the escape key. Actually, that's a different exploit, but probably used for the same purpose.

What struck me was the absurd notion of the whole scam. You have stuck someone in an advertising loop; they will not be happy. Seriously, why would you expect them to buy anything? The inane greed of psychopaths.

          Reminds me of the early web, popup hell, every attempt to close a popup opened three more. Seriously, did they really think you were going to just finally say "ok, ok, I'll buy something, I give up!"

      • by Anonymous Coward on Monday December 10, 2018 @05:10PM (#57782742)

Most folks who would care are probably running NoScript, which blocks iframes. If you're running any browser naked you're probably not just vulnerable to iframes but to EVERYTHING ELSE too.

        iFrames can certainly be a problem, but, at the very core of this particular issue is the REAL problem that nobody wants to talk about:

        Modal dialog boxes

This is a cancer that needs to be eliminated ASAP (and never should have existed in the first place).

        Being able to put something on the screen that the user cannot navigate away from is beyond stupid. There are no words that can adequately describe the stupidity of this "feature".

        • by Kjella ( 173770 )

          I like a power user's tool with half a dozen different menus and toolbars and windows floating or docked all over the place and so do 99% of all the people here I would assume. Certainly nobody is intimidated by Visual Studio or Photoshop or anything else that throw a ton of controls at you. I see my old man is struggling even on fairly simple web sites though because there's too many menus and sidebars and dynamically expanding and contracting sections and whatnot. Modal dialogs make for a very simple inte

So: "Given enough eyeballs, all bugs are shallow" (Linus's Law [wikipedia.org])

      At first I thought I was reading the thread Scientists Identify Vast Underground Ecosystem Containing Billions of Micro-organisms [slashdot.org] and laughed, but then realized I was looking at the wrong tab. Still, you may have a point as TFS of that thread points out:

      ... the diversity of underworld species bears comparison to the Amazon or the Galapagos Islands, but unlike those places the environment is still largely pristine because people have yet to probe most of the subsurface.

  • by Anonymous Coward

Firefox to me is no savior of privacy or champion of the web. They have sold out to Google, Yahoo, and Pocket, and installed an extension, AKA Mr. Robot, without permission. Yeah, Mozilla is a real saint when it comes to privacy and security. They used to have people at Mozilla who really did some good; they have either been forced out or quit.

Why do we have to suffer this horror in the first place?

    I remember reading a memo by some Microsoft engineer from some 20 years ago who was porting Internet Explorer to Unix; he noticed there that the Unix folk are easily put off by modal dialog boxes and prefer to be able to open another window or page while a dialog box is active.

    Is that no longer the case?

    What happened since then? Why do we have to suffer the horror of gnome, which is making its dialog boxes global at display level, and nothing short o

    • Not sure I'd use Microsoft as a model of how to do anything. Whenever I'm forced to use MS-IE or Edge for a site they have this nasty habit of opening authentication dialogs behind the window that they relate to. You have to go hunting through the task bar icons to find the authentication dialog to submit so you can make progress.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      My professor in school ~20 years ago said to avoid modal dialogs because they piss people off and in many cases aren't required, and are lazy designs. And he was right.

    • by samdu ( 114873 ) <samdu@NOSPAM.ronintech.com> on Monday December 10, 2018 @05:22PM (#57782778) Homepage

      I don't know if I'd consider myself a "Unix person (though I do really like Linux)," but the issue I have with Microsoft's modal/non-modal dialog boxes is the complete lack of consistency. And this isn't an IE/Edge problem, it's a Windows problem. Some windows you can resize and interact with other windows. Some windows you can't resize, but you can still interact with other windows. Some windows you can resize and the content of the window flows to expand. Some you can resize and the content doesn't flow at all. It's a complete mess.

  • bad (Score:5, Funny)

    by TRRosen ( 720617 ) on Monday December 10, 2018 @04:27PM (#57782452)

    This is bad news for Firefox users. Both of them.

  • by auzy ( 680819 ) on Monday December 10, 2018 @04:29PM (#57782464)

    The CEO at Mozilla now seems to get paid over $800K per year.

    I lost all respect when the CEO sent out an email absolutely begging for money to help the company survive, whilst they themselves could hire 10 full time employees with that money and still live comfortably. Management at Mozilla is begging for money whilst they are literally living like kings (and I donated a fair bit to Mozilla in the past).

Management seems to have reached max corruption, and if management gave a damn about the software, they would at least halve their salaries and hire more developers or start some community bounties with the money, instead of prioritising themselves. Even 300K is more than enough to live VERY comfortably. $800K is just greedy. The company is slowly returning to Netscape days, and management seems more focused on their own gains.

    I also wonder how many people with the current board of directors were those who started with the company.

    • New ideas are very expensive! That's why Mozilla pays the CEO big bucks to copy Google Chrome's new ideas.
    • Everybody forgets that Firefox was a third party project that got brought into the fold, then bastardized with XUL.

      Firefox, while still Phoenix, was originally a GTK2 based native app, with no XUL in use. The result of this was a bare Gecko browser window with tabbing support, back when Mozilla was still the Browser Suite with single windows, no tabs, and horrible overhead for each new window. Firefox did away with all that, became popular among nerds, who passed it on by word of mouth, then something amazi

    • by epine ( 68316 )

      $800K is just greedy.

      Ah, the world-famous escape hatch "just", wherein "you get what you pay for" can pound sand, no questions asked.

      • by auzy ( 680819 )

        When Firefox was forked from Mozilla, it was revolutionary.

        It was promised to be non-bloated, incredibly fast, and have both theming and extensions which loaded easily (the alternative either had none, or required rebooting for every theme change, etc). That was what people like me were eager to donate to.

        Then over time, it felt like management changed. I was genuinely interested in Firefox Mobile, but that seemed like there was simply insufficient developers for that project.

        And instead of fixing issues,

  • by xack ( 5304745 ) on Monday December 10, 2018 @04:38PM (#57782544)
This is just a glimpse of the epidemic of malware to come, fueled by Mozilla not caring about their users. Just wait until a Pocket exploit gets developed. We need a real alternative to the Googzilla monoculture, and Goanna/Servo are not enough to matter.
  • by Torodung ( 31985 ) on Monday December 10, 2018 @05:06PM (#57782724) Journal

    I am supremely disappointed that the link didn't lead to a proof of concept that blew up my desktop because I am using Firefox.

  • People are still using Firefox? BOTH of them should get new browsers!
  • Come on, they've been busy killing all of the old extensions, useful parts of the browser, changing the UI to something that nobody wants, and adding in useless features that would be better as extensions. Who has time to fix security bugs? There are only so many hours in a decade or so!

  • by Anonymous Coward

    The web is a steaming pile of shit being exploited by ad companies and other assholes -- and I consider the ad companies to be as malicious as the black hats.

My Chrome has ScriptSafe and HTTP Switchboard. My Firefox has uMatrix and a few other things. My IE... well, I use IE as the browser of last resort for shit I need to do but which won't play well with a sane browser.

    I do *domain* level whitelisting, which means all third parties who aren't provably related to the proper operating of a web site I real
