On 2004-08-02 13:15:49 -0000, Justin Polazzo wrote: > In-Reply-To: <20040730210508.GT19188@xxxxxxxxxxxxxxxxx> > > "The security implications of > this trick were considered as early as 1999 in Mozilla Bug 22183 > (http://bugzilla.mozilla.org/show_bug.cgi?id=22183). However, the > Mozilla Foundation has kept the Bug confidential until recently, > when a researcher noted the problem and published a > particularly-effective demonstration, spoofing a "PayPal" login > site (see http://www.nd.edu/~jsmith30/xul/test/spoof.html)." > > 5 Years to fix a vuln? I am not sure if even Microsoft has been that > slow to confront a security flaw. Has anyone heard an explanation as > to why this was kept confidential and swept under the rug until now? You can read the bug yourself, but here is a short history of the bug: It looks like the original vulnerability required the user to download and install some XUL, and nobody took that serious. In 2002, people started discussion the paper by Zishuang Ye and Sean Smith and general spoofing prevention. However, nobody came up with a good idea, so the discussion sort of died off. (The problem with this vulnerability is that it's a user interface problem: You need to come up with some way to distinguish trusted from untrusted chrome in a way which is intuitive, impossible to fake and unobtrusive at the same time. People won't use a browser which puts a blinking border around each window, and it doesn't help if they have to press some obscure key sequence to find out whether a page is spoofed) That's not that uncommon with Mozilla. You can find quite a few bugs which are several years old and never fixed. Open source (and even an open bug tracking system) is not a garantuee for quick fixes. hp -- _ | Peter J. Holzer | Shooting the users in the foot is bad. |_|_) | Sysadmin WSR / LUGA | Giving them a gun isn't. | | | hjp@xxxxxxxxx | -- Gordon Schumacher, __/ | http://www.hjp.at/ | mozilla bug #84128
Attachment:
pgp00003.pgp
Description: PGP signature