Closed
Bug 1009169
Opened 11 years ago
Closed 10 years ago
Invisible mouse cursor when leaving bounds of SWF over DIV and via context menu
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: jordi.chancel, Unassigned)
References
Details
(Keywords: sec-low)
Attachments
(1 file, 4 obsolete files)
53.19 KB, application/zip
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0 (Beta/Release)
Build ID: 20140512030202
Steps to reproduce:
This vulnerability is more or less similar to bug 995603, but it works on the fixed version (Firefox Nightly 32).
Steps:
1. Move the cursor onto the Flash object.
2. Exit the Flash object slowly, moving up.
(I think a better way to make the cursor invisible is possible; I will work on that.)
Results:
The cursor can sometimes be totally invisible.
Actual results:
You can make cursor-jacking/click-jacking/spoofing attacks when the cursor is totally invisible.
Expected results:
When you exit the Flash object slowly, moving up, the cursor can be totally invisible.
Reporter
Comment 1•11 years ago
YouTube private video => https://www.youtube.com/watch?v=52A0Ov3KBuE&feature=youtu.be
Comment 2•11 years ago
It is pretty difficult to reproduce, but eventually I can see it. As is, hard to exploit.
Reporter
Comment 3•11 years ago
I will work on it to make this easier to exploit.
Reporter
Comment 4•11 years ago
I have found a way to make sure that the cursor will be invisible, but it requires a right click and going to the context menu...
Do you want to view this?
Updated•11 years ago
Summary: Firefox for MAC - mouse can be totally invisible when you exit a flash object slowly by the up → mouse can be made invisible when exiting a flash object slowly moving up
Reporter
Updated•11 years ago
Summary: mouse can be made invisible when exiting a flash object slowly moving up → mouse can be made invisible when exiting a flash object slowly moving up OR make a right click and move the mouse on the flash object and go to the context menu.
Reporter
Comment 5•11 years ago
video with right click => https://www.youtube.com/watch?v=O_gS9S_kQRI&feature=youtu.be
So I can repro this as well, I noticed that the "phantom" pointer has an upper bound of the bottom of the flash object (but that may be because I am hitting the upper limit of the OS windows with the actual invisible pointer) and that if I re-navigate over the flash object my real pointer re-appears.
Is this a regression or a case that just got missed instead of fixed?
In the context menu object case, the mouse can be restored by the "Esc" key.
Summary: mouse can be made invisible when exiting a flash object slowly moving up OR make a right click and move the mouse on the flash object and go to the context menu. → mouse can be made invisible when exiting a flash object slowly moving up or by opening the context menu on object
I also got the pointer back by navigating to the edge of my screen in the context menu case
Updated•11 years ago
Summary: mouse can be made invisible when exiting a flash object slowly moving up or by opening the context menu on object → mouse can be made invisible when exiting a flash object slowly moving up or by opening the context menu the flash object
Reporter
Comment 9•11 years ago
I have found a new way to make the cursor totally invisible. I use WebRTC, and when I move the mouse onto the Flash object, the WebRTC prompt will cover the Flash object and the cursor will be totally invisible!
I will upload the new testcase now.
Reporter
Comment 10•11 years ago
This testcase uses WebRTC: when you move the mouse onto the Flash object, the WebRTC prompt will cover it and the cursor will be totally invisible.
Attachment #8421215 -
Attachment is obsolete: true
Reporter
Comment 11•11 years ago
This testcase is an update of testcase 2 and is more exploitable.
Please don't use testcase 2; use this testcase N°3.
Attachment #8421273 -
Attachment is obsolete: true
Reporter
Updated•11 years ago
Summary: mouse can be made invisible when exiting a flash object slowly moving up or by opening the context menu the flash object → mouse can be made invisible WHEN THE WEBRTC PROMPT COVER THE FLASH OBJECT or exiting a flash object slowly moving up or by opening the context menu the flash object
Reporter
Comment 12•11 years ago
This testcase N°4 is an update of testcase N°3; please use this testcase and not testcase N°3.
Move your mouse onto the Flash object, wait 2s, and the WebRTC prompt will cover the Flash object and the cursor will be totally invisible.
Attachment #8421275 -
Attachment is obsolete: true
Reporter
Comment 13•11 years ago
An Example with WebRTC prompt (more critical).
Reporter
Comment 14•11 years ago
Youtube private Video with WebRTC prompt => https://www.youtube.com/watch?v=DYSiHhbMqWs&feature=youtu.be
Comment 15•11 years ago
The original bug here and the new bug in comment 12 are very different. The first one is an edge case related to bug 995603 that should be fixed, but is not as serious. The second one involves spawning the WebRTC dialog while the Flash movie has hidden the cursor.
I believe the first bug - the original bug - is a pretty low rating. However, the second one is bad. Looks trivial to clickjack the WebRTC permission dialog. I strongly feel that we need to always force the mouse cursor to be displayed whenever that dialog is shown.
Updated•11 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 16•11 years ago
I am renaming this bug and splitting off the WebRTC issue into its own issue - bug 1009540. Please move conversation of that issue to that page.
This bug will remain open to deal with the edge cases of slowly leaving the SWF bounds overlapped by a DIV (bug 995603) and the context menu.
These bugs should be rated separately.
Summary: mouse can be made invisible WHEN THE WEBRTC PROMPT COVER THE FLASH OBJECT or exiting a flash object slowly moving up or by opening the context menu the flash object → Invisible mouse cursor when leaving bounds of SWF over DIV and via context menu
Reporter
Comment 17•11 years ago
- "Invisible mouse cursor when leaving bounds of SWF over DIV": I would like to say that it's not needed to leave the bounds of the SWF over a DIV. You can just go out of bounds (up and not down) of the SWF and go onto the <body>, or other objects (as you want), but not necessarily a DIV.
Flags: needinfo?(mwobensmith)
Flags: needinfo?(curtisk)
Reporter
Comment 18•11 years ago
- And I would also like to say that it is not necessary to go out slowly; sometimes with a normal speed the mouse can be totally invisible as well.
Updated•11 years ago
Flags: needinfo?(curtisk)
Updated•11 years ago
Flags: needinfo?(mwobensmith)
Reporter
Comment 19•11 years ago
(In reply to Jordi Chancel from comment #17)
> - "Invisible mouse cursor when leaving bounds of SWF over DIV": I would like to
> say that it's not needed to leave the bounds of the SWF over a DIV. You can just go
> out of bounds (up and not down) of the SWF and go onto the <body>, or other
> objects (as you want), but not necessarily a DIV.
- Can you fix the title of this bug, please?
We believe the title of the bug is sufficiently accurate and that the comments provide any further necessary information.
Reporter
Updated•11 years ago
Attachment #8421538 -
Attachment is obsolete: true
Comment 21•10 years ago
Since this issue fixes (as much as anything) bug 1009540 as well this, is there a way to get this addressed? Is this something you could work on, Gavin?
Flags: needinfo?(gavin.sharp)
Comment 22•10 years ago
No. Sounds like some strange issue with the Flash plugin. Maybe Benjamin has some ideas.
Flags: needinfo?(gavin.sharp) → needinfo?(benjamin)
Comment 23•10 years ago
ISTR another bug like this one (mac-specific), but I can't remember it. Flash is setting the mouse cursor and isn't resetting it properly. smichaud, do you remember a bug like this?
In either case, can we do something simple like force reset/show the mouse cursor when the mouse leaves a plugin?
Component: General → Plug-ins
Flags: needinfo?(benjamin) → needinfo?(smichaud)
Comment 24•10 years ago
It will take me a while to look into this.
> In either case, can we do something simple like force reset/show the
> mouse cursor when the mouse leaves a plugin?
I think we already do. It's possible, though, that there are still
some cases where a mouse-exit event isn't sent where it's supposed to
be.
Comment 25•10 years ago
> ISTR another bug like this one (mac-specific)
You're probably thinking of bug 995603.
Among other things, I need to check that the patch for bug 1092630 didn't regress the fix for that bug.
Comment 26•10 years ago
From re-reading the comments, I understand this bug is very difficult to reproduce. And given the number of testcases, it's not clear we don't have more than one bug here.
It may be better to concentrate on bug 1009540, which (apparently) affects all platforms and seems a bit more definite.
I will double-check that the fix for bug 995603 hasn't been regressed by the patch for bug 1092630. But beyond that there's probably nothing we can do here.
Flags: needinfo?(smichaud)
Updated•10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INCOMPLETE
Updated•9 years ago
Group: core-security → core-security-release
Updated•5 years ago
Group: core-security-release
Updated•3 years ago
Product: Core → Core Graveyard