Java Tab Spoofing Vulnerability in NS7.2 using Mac OS X 10.x


Postby J-M » Fri 27 Aug, 2004 3:40 pm

There was a BugTraq mailing list entry
http://www.securityfocus.com/archive/1/373080
dated Aug 26th 2004 2:51 PM; see the replies mentioning the web page http://www.securitywizardry.com/radar.htm ,
which is a test page for the issue.


Maybe John informed Secunia too, because they published an advisory
in the evening Finnish time:
http://secunia.com/advisories/12392/
It specifies that the affected version is Mac OS X 10.3.5.

I'm a Windows user, so I tested NS7.2, Mozilla 1.7.2 and Firefox 0.9.3. The Java platform used was Java Plug-in 1.4.2_05 for Netscape Navigator, downloaded today. I think none of the "hijacking" mentioned in the posting happens. Additional tests are required with the MultiZilla extension and with FF's Tools / Options... / Advanced / Browsing: "Select new tabs opened from links" switched On and Off, especially from OS X 10.3.5 users.
I have informed the Mozilla Security team and Secunia about the additional testing. I'm very sorry about the long posting, but the solution I reported to Secunia is to disable Java. However, with Java enabled, the status bar text 'Applet yavs started' blinks while surfing other tabs.

(This section selected because there was any information at Mac OS and Linux topic)

- Juha-Matti
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803 MultiZilla/1.6.4.0b

Re: Java Tab Spoofing Vulnerability in NS7.2 using Mac OS X

Postby goGecko » Fri 27 Aug, 2004 4:08 pm

J-M wrote:There was a BugTraq mailing list entry
http://www.securityfocus.com/archive/1/373080
dated Aug 26th 2004 2:51 PM; see the replies mentioning the web page
http://www.securitywizardry.com/radar.htm .


I am assuming that the second URL listed is the site that exposes the vulnerability. In Netscape 7.1 on Windows XP I get the message "Applet Failed to Start" using Java 1.4.2_04. As a result I don't think that Netscape 7.1 is affected. Someone should test 7.1 on Mac OS X and 7.2 on Windows.

J-M wrote:I have informed the Mozilla Security team and Secunia about the additional testing. I'm very sorry about the long posting, but the solution I reported to Secunia is to disable Java. However, with Java enabled, the status bar text 'Applet yavs started' blinks while surfing other tabs.


You should also notify Netscape at:
http://help.netscape.com/forms/bug-security.html

For the record there are people who read the feedback at that page.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20031008 Netscape/7.1 (ax)

Re:Re: Java Tab Spoofing Vulnerability in NS7.2 using Mac OS

Postby J-M » Fri 27 Aug, 2004 4:41 pm

Right, testing done with
http://www.securitywizardry.com/radar.htm .

The Security Bug Report Form is filled in now (I knew the URL), but six hours ago, when submitting results to the Mozilla Security Team, I asked whether they can inform AOL, because mozilla.org's team is a lot bigger. Thanks for the URL for public awareness. The filled-in form includes a link to this thread too.
Differences with Java 1.4.2_0x versions are now important, I think.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803 MultiZilla/1.6.4.0b

Re: Java Tab Spoofing Vulnerability in NS7.2 using Mac OS X

Postby J-M » Fri 27 Aug, 2004 6:30 pm

goGecko wrote:In Netscape 7.1 on Windows XP I get the message "Applet Failed to Start" using Java 1.4.2_04. As a result I don't think that Netscape 7.1 is affected. Someone should test 7.1 on Mac OS X and 7.2 on Windows.

Basic facts for testers:
Mac OS versions use Apple's Java, of course, and MS versions use Sun Java. Additional information about older plugins and behaviour is in
'Java applet appears in all tabs'-like issues:
http://bugzilla.mozilla.org/show_bug.cgi?id=162134 .
The solution is very close.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803 MultiZilla/1.6.4.0b

Postby Antony » Fri 27 Aug, 2004 8:27 pm

Thanks Juha-Matti.

I've just verified this vulnerability in Netscape 7.2 under Mac OS X 10.3.5.

A page loading with the test page Juha-Matti sent me.
[Image]

And a new tab. You can see that the Java applets are available in a completely unrelated tab.
[Image]

This vulnerability does not exist in Safari 1.2.3 or Camino 0.8.1.
However, this vulnerability exists in Mozilla 1.7 (for Mac OS X) as well.
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2

Re: Java Tab Spoofing Vulnerability in NS7.2 using Mac OS X

Postby goGecko » Fri 27 Aug, 2004 9:18 pm

J-M wrote:Basic facts for testers:
Mac OS versions use Apple's Java, of course, and MS versions use Sun Java. Additional information about older plugins and behaviour is in
'Java applet appears in all tabs'-like issues:
http://bugzilla.mozilla.org/show_bug.cgi?id=162134 .
The solution is very close.

Did you notice that bug 162134 was filed on August 10, 2002! I count at least 69 duplicates of the bug. I highly doubt that this will be fixed any time soon. Apparently Mozilla does not consider this to be a security bug. The last comment by a developer (Bill McGonigle) was back in February. I see comments like this:

Simon Fraser wrote:The problem is not under our control. We're doing everything we can to tell plugins not to draw when they are in non-visible tabs (by setting their 'plugin window' to null), but the plugins are ignoring this. The bug has been acknowledged by the author of Apple's Java plugin, at least. Fixing this bug requires the plugins to be revved, and, since Mozilla now has little clout with plugin developers, this is unlikely to happen.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)

Re: Java Tab Spoofing Vulnerability in NS7.2 using Mac OS X

Postby J-M » Fri 27 Aug, 2004 11:57 pm

goGecko wrote:Did you notice that bug 162134 was filed on August 10, 2002! I count at least 69 duplicates of the bug. I highly doubt that this will be fixed any time soon. Apparently Mozilla does not consider this to be a security bug. The last comment by a developer (Bill McGonigle) was back in February. I see comments like this:

Thanks for pointing out your test's Java version. The Mozilla Security team has been informed of this thread and of Antony's issue with Mozilla 1.7. When it's not possible to page creators offer applet-only versions, which are using older Java versions too, I think disabling Java from Preferences and Tools is a good workaround. Then users don't see the 'Click here to get the plugin' boxes at all and contact the admin to release a non-Java alternative. Those scrollers can be made with Flash too.
But fixing the problem in NS and Moz very soon is the most important mission.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803 MultiZilla/1.6.4.0b

Postby Antony » Sat 28 Aug, 2004 6:08 am

According to Netscape Java Tab Spoofing Vulnerability (Secunia),
Secunia wrote:The vulnerability has been confirmed in Netscape 7.2 on Mac OS X 10.3.5.

Not just OS X 10.3.5: I tested this vulnerability, and I can confirm it occurs in Netscape 7.2 on Mac OS X 'Jaguar' 10.2.8 as well, not just 'Panther'.

Actually, you can see the Java applets in a new tab (blank tab).
[Image]
(Screenshot of Netscape 7.2 under Mac OS X 10.2.8 (Jaguar), with the latest Mac OS X security updates and Java updates from Apple.)
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/125.4 (KHTML, like Gecko) Safari/125.9

Postby Antony » Sat 28 Aug, 2004 8:57 am

Just verified that Firefox 0.9.3 for OS X exhibits the same vulnerability. Tested in both Mac OS X 'Jaguar' (10.2.8) and 'Panther' (10.3.5).
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/85.8.2 (KHTML, like Gecko) Safari/85.8

Postby Antony » Fri 17 Sep, 2004 4:24 am

Now, with the release of Firefox 1.0 PR, I can still produce this problem.
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; rv:1.7.3) Gecko/20040913 Firefox/0.10

Postby J-M » Mon 01 Nov, 2004 7:29 am

Antony wrote:Now, with the release of Firefox 1.0 PR, I can still produce this problem.

Antony, is it possible to check the situation with 1.0 RC1 now (unfortunately I'm a pure and 100% Windows user). :(
Juha-Matti
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041026 Firefox/1.0RC1

Postby Antony » Mon 01 Nov, 2004 10:56 am

J-M wrote:
Antony wrote:Now, with the release of Firefox 1.0 PR, I can still produce this problem.

Antony, is it possible to check the situation with 1.0 RC1 now (unfortunately I'm a pure and 100% Windows user). :(
Juha-Matti

I have to say I haven't downloaded Firefox 1.0 RC1 yet. But I will let you know once I install it.
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5 (KHTML, like Gecko) Safari/125.9

Postby Antony » Fri 05 Nov, 2004 10:26 am

J-M wrote:
Antony wrote:Now, with the release of Firefox 1.0 PR, I can still produce this problem.

Antony, is it possible to check the situation with 1.0 RC1 now (unfortunately I'm a pure and 100% Windows user). :(
Juha-Matti

Juha-Matti,
I skipped Firefox 1.0 RC1, but now, I can still reproduce this Java Tab Vulnerability in Firefox 1.0 RC2.
[Image]
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2

Postby J-M » Sat 06 Nov, 2004 10:28 am

Antony wrote:Juha-Matti,
I skipped Firefox 1.0 RC1, but now, I can still reproduce this Java Tab Vulnerability in Firefox 1.0 RC2.

[skipped to quote screenshot]
Great, many thanks. Is your Java revision the same as before? Is this depending on the Java version, or is the only workaround to this issue now to disable Java from Options... / Web Features?
Several new bug reports have been opened (duplicates of #162134 mentioned earlier, however).
For example https://bugzilla.mozilla.org/show_bug.c ... 62134#c137
It's very important to try to fix this for 1.0 Final for Mac!
[edited: a typo with 'depending']
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040919 Firefox/0.10.1
Last edited by J-M on Sat 06 Nov, 2004 5:29 pm, edited 1 time in total.

Postby DJGM » Sat 06 Nov, 2004 10:50 am

Why is this problem being classed as a security vulnerability? TBH, I would class this particular bug
as "an annoyance", rather than a security hole. If it is a security bug (IMHO) it's a very minor one.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 - DJGM.co.uk (ax)
