Java Tab Spoofing Vulnerability in NS7.2 using Mac OS X 10.x

J-M
diamond member


Joined: 25 Jul 2004
Posts: 777
Location: Helsinki, Finland
27 Aug, 2004 2:40 pm Java Tab Spoofing Vulnerability in NS7.2 using Mac OS X 10.x [sdp=43316]  

There was a BugTraq mailing list entry
http://www.securityfocus.com/archive/1/373080
dated Aug 26th 2004 2:51PM, see replied rows mentioning Web page http://www.securitywizardry.com/radar.htm ,
which is a test page for the issue.


Maybe John informed Secunia too, because they published an advisory
in the evening Finnish time:
http://secunia.com/advisories/12392/
It specifies that affected version is Mac OS X 10.3.5.

I'm a Windows user, so I tested NS7.2, Mozilla 1.7.2 and Firefox 0.9.3. The Java platform used was Java Plug-in 1.4.2_05 for Netscape Navigator, downloaded today. I think nothing like the "hijacking" mentioned in the posting happens. Additional tests with the MultiZilla extension and with FF's Tools / Options... / Advanced / Browsing: "Select new tabs opened from links" switched to On and Off are required, especially from OS X 10.3.5 users.
I have informed the Mozilla Security team and Secunia about the additional testing. I'm very sorry about the long posting, but the solution I reported to Secunia is to disable Java. However, with Java enabled, the status bar text 'Applet yavs started' blinks while surfing other tabs.

(This section selected because there was any information at Mac OS and Linux topic)

- Juha-Matti

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803 MultiZilla/1.6.4.0b
goGecko
super member


Joined: 15 Jul 2004
Posts: 125
27 Aug, 2004 3:08 pm Re: Java Tab Spoofing Vulnerability in NS7.2 using Mac OS X [sdp=43317]  

J-M wrote:
There was a BugTraq mailing list entry
http://www.securityfocus.com/archive/1/373080
dated Aug 26th 2004 2:51PM, see replied rows mentioning Web page
http://www.securitywizardry.com/radar.htm .


I am assuming that the second URL listed is the site that exposes the vulnerability. In Netscape 7.1 on Windows XP I get the message "Applet Failed to Start" using Java 1.4.2_04. As a result I don't think that Netscape 7.1 is affected. Someone should test 7.1 on Mac OS X and 7.2 on Windows.

J-M wrote:

I have informed the Mozilla Security team and Secunia about the additional testing. I'm very sorry about the long posting, but the solution I reported to Secunia is to disable Java. However, with Java enabled, the status bar text 'Applet yavs started' blinks while surfing other tabs.


You should also notify Netscape at:
http://help.netscape.com/forms/bug-security.html

For the record there are people who read the feedback at that page.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20031008 Netscape/7.1 (ax)
J-M
diamond member


Joined: 25 Jul 2004
Posts: 777
Location: Helsinki, Finland
27 Aug, 2004 3:41 pm Re:Re: Java Tab Spoofing Vulnerability in NS7.2 using Mac OS [sdp=43319]  

Right, testing done with
http://www.securitywizardry.com/radar.htm .

The Security Bug Report Form is filled in now (I knew the URL), but six hours ago, when submitting results to the Mozilla Security Team, I asked whether they can inform AOL, because mozilla.org's team is a lot bigger. Thanks for the URL for public awareness. The filled form includes a link to this thread too.
Differences with Java 1.4.2_0x versions are now important, I think.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803 MultiZilla/1.6.4.0b
J-M
diamond member


Joined: 25 Jul 2004
Posts: 777
Location: Helsinki, Finland
27 Aug, 2004 5:30 pm Re: Java Tab Spoofing Vulnerability in NS7.2 using Mac OS X [sdp=43328]  

goGecko wrote:
In Netscape 7.1 on Windows XP I get the message "Applet Failed to Start" using Java 1.4.2_04. As a result I don't think that Netscape 7.1 is affected. Someone should test 7.1 on Mac OS X and 7.2 on Windows.

Basic facts to testers:
Mac OS versions use Apple's Java, of course, MS versions Sun Java. Additional information about older plugins and behaviour at
'Java applet appears in all tabs' like issues
http://bugzilla.mozilla.org/show_bug.cgi?id=162134 .
Solution is very close.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803 MultiZilla/1.6.4.0b
Antony
Site Admin


Joined: 18 Jun 2002
Posts: 12754
Location: Sydney, Australia
27 Aug, 2004 7:27 pm [sdp=43338]  

Thanks Juha-Matti.

I've just verified this vulnerability in Netscape 7.2 under Mac OS X 10.3.5.

A page loading with the test page Juha-Matti sent me.


And a new tab. You can see the Java applets are available in a completely unrelated tab.


This vulnerability does not exist in Safari 1.2.3 or Camino 0.8.1 .
However, this vulnerability exists in Mozilla 1.7 (for Mac OS X) as well.

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2

goGecko
super member


Joined: 15 Jul 2004
Posts: 125
27 Aug, 2004 8:18 pm Re: Java Tab Spoofing Vulnerability in NS7.2 using Mac OS X [sdp=43346]  

J-M wrote:

Basic facts to testers:
Mac OS versions use Apple's Java, of course, MS versions Sun Java. Additional information about older plugins and behaviour at
'Java applet appears in all tabs' like issues
http://bugzilla.mozilla.org/show_bug.cgi?id=162134 .
Solution is very close.

Did you notice that bug 162134 was filed on August 10, 2002! I count at least 69 duplicates of the bug. I highly doubt that this will be fixed any time soon. Apparently Mozilla does not consider this to be a security bug. The last comment by a developer (Bill McGonigle) was back in February. I see comments like this:

Simon Fraser wrote:
The problem is not under our control. We're doing everything we can to tell plugins not to draw when they are in non-visible tabs (by setting their 'plugin window' to null), but the plugins are ignoring this. The bug has been acknowledged by the author of Apple's Java plugin, at least. Fixing this bug requires the plugins to be revved, and, since Mozilla now has little clout with plugin developers, this is unlikely to happen.


UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
J-M
diamond member


Joined: 25 Jul 2004
Posts: 777
Location: Helsinki, Finland
27 Aug, 2004 10:57 pm Re: Java Tab Spoofing Vulnerability in NS7.2 using Mac OS X [sdp=43356]  

goGecko wrote:

Did you notice that bug 162134 was filed on August 10, 2002! I count at least 69 duplicates of the bug. I highly doubt that this will be fixed any time soon. Apparently Mozilla does not consider this to be a security bug. The last comment by a developer (Bill McGonigle) was back in February. I see comments like this:

Thanks for pointing out your test's Java version. The Mozilla Security team has been informed of this thread and Antony's issue with Mozilla 1.7. When it's not possible to page creators offer applet-only versions, which are using older Java versions too, I think disabling Java from Preferences and Tools is a good workaround. Then users don't see the 'Click here to get the plugin' boxes at all and contact admin to release non-Java alternative. Those scrollers can be made by Flash too.
But fixing the problem in NS and Moz very soon is the most important mission.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803 MultiZilla/1.6.4.0b
Antony
Site Admin


Joined: 18 Jun 2002
Posts: 12754
Location: Sydney, Australia
28 Aug, 2004 5:08 am [sdp=43367]  

According to Netscape Java Tab Spoofing Vulnerability (Secunia),
Secunia wrote:
The vulnerability has been confirmed in Netscape 7.2 on Mac OS X 10.3.5.

Not just OS X 10.3.5: I tested this vulnerability, and I can confirm it occurs in Netscape 7.2 on Mac OS X 10.2.8 'Jaguar' as well, not just 'Panther'.

Actually, you can see the Java Applets in a new tab (blank tab).

(screenshot of Netscape 7.2 under Mac OS X 10.2.8 (Jaguar), with latest Mac OS X security updates and Java updates from Apple.)

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/125.4 (KHTML, like Gecko) Safari/125.9

Antony
Site Admin


Joined: 18 Jun 2002
Posts: 12754
Location: Sydney, Australia
28 Aug, 2004 7:57 am [sdp=43373]  

Just verified that Firefox 0.9.3 for OS X exhibits the same vulnerability. Tested in both Mac OS X 'Jaguar' (10.2.8) and 'Panther' (10.3.5).

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/85.8.2 (KHTML, like Gecko) Safari/85.8

Antony
Site Admin


Joined: 18 Jun 2002
Posts: 12754
Location: Sydney, Australia
17 Sep, 2004 3:24 am [sdp=44647]  

Now, with the release of Firefox 1.0 PR, I can still produce this problem.

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; rv:1.7.3) Gecko/20040913 Firefox/0.10

J-M
diamond member


Joined: 25 Jul 2004
Posts: 777
Location: Helsinki, Finland
01 Nov, 2004 6:29 am [sdp=46996]  

Antony wrote:
Now, with the release of Firefox 1.0 PR, I can still produce this problem.

Antony, is it possible to check the situation with 1.0 RC1 now (unfortunately I'm a pure and 100% Windows user). :(
Juha-Matti

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041026 Firefox/1.0RC1
Antony
Site Admin


Joined: 18 Jun 2002
Posts: 12754
Location: Sydney, Australia
01 Nov, 2004 9:56 am [sdp=47002]  

J-M wrote:
Antony wrote:
Now, with the release of Firefox 1.0 PR, I can still produce this problem.

Antony, is it possible to check the situation with 1.0 RC1 now (unfortunately I'm a pure and 100% Windows user). :(
Juha-Matti

I have to say I haven't downloaded Firefox 1.0 RC1 yet. But I will let you know once I install it.

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5 (KHTML, like Gecko) Safari/125.9

Antony
Site Admin


Joined: 18 Jun 2002
Posts: 12754
Location: Sydney, Australia
05 Nov, 2004 9:26 am [sdp=47190]  

J-M wrote:
Antony wrote:
Now, with the release of Firefox 1.0 PR, I can still produce this problem.

Antony, is it possible to check the situation with 1.0 RC1 now (unfortunately I'm a pure and 100% Windows user). :(
Juha-Matti

Juha-Matti,
I skipped Firefox 1.0 RC1, but now, I can still reproduce this Java Tab Vulnerability in Firefox 1.0 RC2.


UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2

J-M
diamond member


Joined: 25 Jul 2004
Posts: 777
Location: Helsinki, Finland
06 Nov, 2004 9:28 am [sdp=47228]  

Antony wrote:

Juha-Matti,
I skipped Firefox 1.0 RC1, but now, I can still reproduce this Java Tab Vulnerability in Firefox 1.0 RC2.

[skipped to quote screenshot]
Great, many thanks. Is your Java revision same as before, is this depending from Java version or is only workaround to this issue now to disable Java from Options... / Web Features.
Several new bug reports opened (duplicates of #162134 mentioned earlier however).
For example https://bugzilla.mozilla.org/show_bug.cgi?id=162134#c137
It's very important to try fix this to 1.0 Final for Mac!
[edited: a typo with 'depending']

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040919 Firefox/0.10.1

Last edited by J-M on 06 Nov, 2004 4:29 pm; edited once(1)
DJGM
diamond member


Joined: 19 Jun 2002
Posts: 4371
Location: Manchester, England, UK
06 Nov, 2004 9:50 am [sdp=47229]  

Why is this problem being classed as a security vulnerability? TBH, I would class this particular bug
as "an annoyance", rather than a security hole. If it is a security bug (IMHO) it's a very minor one.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 - DJGM.co.uk (ax)

SeaMonkey = Swiss Army Knife: It's versatile, reliable, and contains useful tools.
Windows Internet Explorer = Old Swiss Cheese: Full of holes, and it stinks!