Last Comment Bug 476593 - IFRAME DOS
: IFRAME DOS
Status: RESOLVED DUPLICATE of bug 432687
:
Product: Firefox
Classification: Client Software
Component: General (show other bugs)
: unspecified
: x86 Windows Vista
: -- critical (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
:
Mentors:
hxxp://www.windows-security-scanner.com/
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-02-02 21:51 PST by funkydude87
Modified: 2015-01-23 05:49 PST (History)
4 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description funkydude87 2009-02-02 21:51:10 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.5.30729)

DO NOT VISIT THE SITE WITH JAVASCRIPT ENABLED.

The website in question is malicious and tries to force down malicious executables. The problem is that this website creates an IFRAME in such a way that in cannot be closed because it's out the screen and cannot be moved, the only solution is pressing alt+f4. If you trying to close the tab or close the browser the IFRAME will keep coming back. The only real solution is to end the process. I view this as a serious exploit in Firefox 3.0.5. I realize the website might be gone by the time you read this, so here is the code: http://pastebin.com/m4365b08b

Reproducible: Always

Steps to Reproduce:
1. View URL
Actual Results:  
Bad

Expected Results:  
No idea, block such IFRAMEs?
Comment 1 Daniel Veditz [:dveditz] 2009-02-03 08:38:51 PST
What, criminals don't obey court rulings? I'm shocked! (The US FTC supposedly put these guys out of business two months ago: http://www.ftc.gov/opa/2008/12/winsoftware.shtm)

The good news is this is not a true "exploit" in Firefox, but it is abusing website features to browbeat users into downloading their executable -- you can simply refuse although it may screw up your browsing session. The bad bews is we haven't yet figured out how to limit abuses of these features without breaking legitimate websites that rely on them.

*** This bug has been marked as a duplicate of bug 432687 ***
Comment 2 funkydude87 2009-02-03 09:42:05 PST
I'm slightly discouraged by the fact that the "duplicate bug" was marked 2008 with no fix yet. As I'm sure you understand, the _only_ way to exit this website is to terminate firefox as an application. Innocent users wouldn't know how to do this and would literally be forced to install the malware or hard shut down their pc.
Comment 3 Jesse Ruderman 2009-02-03 10:32:45 PST
Would you be happier having this bug duped to a 2006 bug? ;)  In bug 331334 comment 13 I explained why this is bad, and in bug 331334 comment 4 I suggested some solutions.

I'm hoping that in a few weeks, when we're done fighting the Firefox 3.1 fire, we can take a step back and decide which [sg:moderate] and [sg:low] bugs are "beginning-of-cycle" bugs and worth working on for Firefox 3.2.  The badgering issue will almost certainly make the cut, since it is actively exploited in the wild!
Comment 4 Matthias Versen [:Matti] 2009-02-03 11:33:21 PST
I may surprise you but there are many ways for a "DOS" attack against browsers, there are other examples like bug 61098 which is from 2000 (unfixed)

reduping to bug 432687

*** This bug has been marked as a duplicate of bug 432687 ***

Note You need to log in before you can comment on or make changes to this bug.