Product: Firefox
Component: General
Severity: critical
Status: RESOLVED DUPLICATE of bug 432687
Reported: 8 years ago
Modified: 2 years ago
Reporter: funkydude87
Assignee: Unassigned
(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.5.30729)

DO NOT VISIT THE SITE WITH JAVASCRIPT ENABLED.

The website in question is malicious and tries to force down malicious executables. The problem is that this website creates an IFRAME in such a way that it cannot be closed because it's off the screen and cannot be moved; the only solution is pressing alt+f4. If you try to close the tab or close the browser, the IFRAME will keep coming back. The only real solution is to end the process. I view this as a serious exploit in Firefox 3.0.5. I realize the website might be gone by the time you read this, so here is the code: http://pastebin.com/m4365b08b

Reproducible: Always

Steps to Reproduce:
1. View URL
Actual Results:  
Bad

Expected Results:  
No idea, block such IFRAMEs?

Comment 1

What, criminals don't obey court rulings? I'm shocked! (The US FTC supposedly put these guys out of business two months ago: http://www.ftc.gov/opa/2008/12/winsoftware.shtm)

The good news is this is not a true "exploit" in Firefox, but it is abusing website features to browbeat users into downloading their executable -- you can simply refuse, although it may screw up your browsing session. The bad news is we haven't yet figured out how to limit abuses of these features without breaking legitimate websites that rely on them.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 432687
(Reporter)

Comment 2

8 years ago
I'm slightly discouraged by the fact that the "duplicate bug" was marked 2008 with no fix yet. As I'm sure you understand, the _only_ way to exit this website is to terminate Firefox as an application. Innocent users wouldn't know how to do this and would literally be forced to install the malware or hard shut down their PC.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---

Comment 3

8 years ago
Would you be happier having this bug duped to a 2006 bug? ;)  In bug 331334 comment 13 I explained why this is bad, and in bug 331334 comment 4 I suggested some solutions.

I'm hoping that in a few weeks, when we're done fighting the Firefox 3.1 fire, we can take a step back and decide which [sg:moderate] and [sg:low] bugs are "beginning-of-cycle" bugs and worth working on for Firefox 3.2.  The badgering issue will almost certainly make the cut, since it is actively exploited in the wild!

Comment 4

I may surprise you, but there are many ways to "DOS" a browser; there are other examples like bug 61098, which is from 2000 (unfixed).

Reduping to bug 432687.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Summary: IFRAME EXPLOIT → IFRAME DOS
Duplicate of bug: 432687