Mozilla Firefox and Netscape contain a vulnerability that could allow an unauthenticated, remote attacker to trick a user into clicking an arbitrary security dialog confirmation.
The vulnerability is due to an implementation error within the functions responsible for displaying dialog boxes that are created for certain security events. An unauthenticated, remote attacker who can convince a user to visit a malicious web page could trick a user into accepting or allowing an attacker to perform a requested action that requires user confirmation. The consequences could be wide ranging, from the unintended modification of browser settings, to assisting an attacker in performing a spoofing or phishing attack.
Mozilla and Netscape confirmed the vulnerability in security advisories and released updates.
Indicators of Compromise
The following products are vulnerable:
Mozilla Firefox 18.104.22.168 and prior
Netscape versions 22.214.171.124 and prior
The vulnerability is due to a design error that does not stop the dialog timer on certain security dialogs. When the affected dialogs lose focus before the expiration of the initial timer value, the timer is not properly reset. This error may cause the security dialog to be instantly clickable when it regains focus.
An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to visit a malicious web page that triggers a security dialog and then creates an attacker-controlled browser element over the security dialog. If the attacker can subsequently convince a user to perform a specific action on the malicious page, such as clicking an area on the page, the attacker could cause the security dialog to gain focus and steal the input of the user. This action could allow the attacker to modify browser settings, or may assist in spoofing or phishing attacks against the affected user.
Timer-based security dialogs were added to the Firefox code base to help prevent focus-stealing attacks. A timer-based dialog is meant to require a predefined display time before its elements accept user input, helping to prevent these types of attacks. Because the dialog timer for certain events does not properly reset if the window loses focus prior to the activation of the dialog, it is possible to hide such a window immediately and keep it hidden until the timer has expired. This action effectively defeats the protection that timer-based security dialogs are meant to provide.
To exploit this vulnerability, an attacker must convince a user to visit a malicious web page and then trick the user into clicking in a predictable location after a predetermined amount of time. Successful exploitation could cause the user to unknowingly confirm any action specified in the security dialog.
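The following is an added illustration, not Mozilla or Netscape code, that models the dialog timer described above as a small state machine: the vulnerable variant lets the timer keep running while the dialog is unfocused, while the corrected variant re-arms the delay whenever the dialog regains focus. The class and function names are constructed for this example.

```javascript
// Constructed model of a timer-based security dialog (not Mozilla code).
// The dialog refuses input until `delayMs` has elapsed since it was last
// armed. In the vulnerable variant losing focus does not re-arm the timer,
// so a dialog hidden during the delay is clickable the moment it regains
// focus. The fixed variant disarms on focus loss and re-arms on focus gain.
class SecurityDialog {
  constructor(delayMs, { resetOnFocus }) {
    this.delayMs = delayMs;
    this.resetOnFocus = resetOnFocus; // false = vulnerable behaviour
    this.enabledAt = null;            // time at which buttons go live
    this.focused = false;
  }
  show(now) {            // dialog opens with focus: arm the timer
    this.focused = true;
    this.enabledAt = now + this.delayMs;
  }
  blur() {               // focus taken by another window or page element
    this.focused = false;
    if (this.resetOnFocus) this.enabledAt = null; // disarm while hidden
  }
  focus(now) {           // dialog regains focus
    this.focused = true;
    if (this.resetOnFocus) this.enabledAt = now + this.delayMs; // re-arm
  }
  acceptsInput(now) {    // would a click at `now` be accepted?
    return this.focused && this.enabledAt !== null && now >= this.enabledAt;
  }
}

// Replays the sequence from the analysis: the dialog is shown, loses focus
// before the delay expires, stays hidden past the delay, then is refocused
// and clicked in the same instant. Returns whether that click is accepted.
function clickAcceptedAfterFocusLoss(dialog, delayMs) {
  dialog.show(0);
  dialog.blur();                 // covered before the timer expires
  dialog.focus(delayMs + 1);     // surfaced only after the delay has elapsed
  return dialog.acceptsInput(delayMs + 1);
}

// Compares both variants with a 2-second delay (value chosen for the model).
function compareVariants() {
  const delayMs = 2000;
  return {
    vulnerable: clickAcceptedAfterFocusLoss(
      new SecurityDialog(delayMs, { resetOnFocus: false }), delayMs),
    fixed: clickAcceptedAfterFocusLoss(
      new SecurityDialog(delayMs, { resetOnFocus: true }), delayMs),
  };
}
```

In the fixed variant a dialog that keeps focus still becomes usable once the delay has passed, so the correction restores the intended protection without blocking legitimate confirmations.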
The Mozilla Foundation initially stated that the vulnerability that is detailed in this alert affects Thunderbird. However, a subsequent Mozilla advisory reports that Thunderbird is not vulnerable, and it has been removed from this alert.
Customers should be aware that third-party vendors sometimes release updated packages for open source applications that may differ from the updates provided by the upstream vendor. Third-party builds of the product may still be affected, or their updates may have been issued in response to the initial vendor advisory rather than the current one. Administrators are advised to ensure that they have applied the correct update by contacting third-party vendors for information.
Administrators are advised to apply the appropriate updates.
Users are advised not to open e-mail messages from untrusted sources.
Users are advised not to follow unsolicited links. Users should verify the authenticity of unexpected links prior to following them.
Administrators are advised to use an unprivileged account for routine activities.
Mozilla has released a security advisory at the following link: MFSA 2008-08
Sun has released an alert notification and patches to address the subverted security dialog box vulnerability in Mozilla Firefox.
2008-June-11 13:14 GMT
Gentoo has released a security advisory and updated packages to address the subverted security dialog box vulnerability in Mozilla Firefox.
2008-May-26 12:23 GMT
Novell has released a knowledgebase article and updated packages to address the subverted security dialog box vulnerability in the Mozilla XULRunner engine.
2008-March-27 17:50 GMT
Debian has re-released a security advisory and updated packages to address the subverted security dialog box vulnerability in Iceape, the Debian-specific package based on SeaMonkey.
2008-March-24 11:46 GMT
Debian has re-released a security advisory with updated packages to address the subverted security dialog box vulnerability in Icedove, an unbranded version of Mozilla Thunderbird.
2008-March-18 11:23 GMT
Mozilla has updated their security advisory indicating that Thunderbird is not affected by the subverted security dialog box vulnerability in Mozilla SeaMonkey. Avaya has released a security advisory for SeaMonkey and Mandriva has released an advisory and updates for Thunderbird.
2008-March-11 15:35 GMT
Debian and Mandriva have released security advisories and updated packages to address the subverted security dialog box vulnerability in Mozilla products.
2008-February-25 18:12 GMT
Netscape has issued release notes and an updated version to address the subverted security dialog box vulnerability in Netscape. FreeBSD and Novell have released security advisories and updated software for Mozilla.
2008-February-22 19:02 GMT
SUSE has released a security announcement and updated packages to address the subverted security dialog box vulnerability in Firefox.
2008-February-18 19:37 GMT
Avaya, Debian, Slackware, and Novell have released security advisories and updated packages to address the subverted security dialog box vulnerability in Mozilla-based browsers.
2008-February-14 23:08 GMT
Mozilla Firefox and Thunderbird contain a vulnerability that could allow an unauthenticated, remote attacker to trick a user into clicking arbitrary security dialog confirmations. Updates are available.
Cisco Multivendor Vulnerability Alerts respond to vulnerabilities identified in third-party vendors' products. These alerts contain information compiled from diverse sources and provide comprehensive technical descriptions, objective analytical assessments, workarounds and practical safeguards, and links to vendor advisories and patches.