
Bret Busby 07-12-2008 06:02 AM

Iceweasel freezes and iceape vulnerabilities and instability
 
On Fri, 11 Jul 2008, Jeff Soules wrote:

>> that is allowed by Iceape, to take control of Iceape), Iceape opens multiple
>> pop-up windows, and, if one of the pop-up windows is inadvertently, directly
>> manually closed, the application crashes.
>
> Funny you mention this -- I don't think this is due to malicious code, because
> I have had a similar problem in IceWeasel, a crash when I closed a
> popped-out google chat window. I haven't seen a repeat of this so I don't
> know if it was a fluke, but it does seem that under certain circumstances
> which I can't yet elaborate, closing a popup will crash the browser.

Okay - the web browser might not itself, contain malicious code, but,
when attempting to close a tab, an unauthorised pop-up displays, and
says something like "Are you sure you want to close this window? Click
<whatever button> (in the unauthorised popup) to confirm/continue",
that, to me, is a vulnerability/security risk, created by the browser's
inability to block unwanted pop-ups.


As a single example of this, open
http://www.truthaboutabs.com/get-ripped-abs.html , then, try to close
it, by simply clicking on the box with a cross in it, that is to close
either a tab or a browser window.


Unwanted pop-up appears! Malicious code!

And, that the web browser does not allow me to mark and copy the text
that is displayed in the unrequested popup window, is a concern in
itself, as it is clearly allowing an external web site to take control
of the system, in preventing me from marking and copying the text in the
popup window.


How are we to know whether these things contain malicious code that is
written to spread malicious code or otherwise take control of the
system?


We should not have to go out to a console session, and use "ps -ax |
grep iceape", then "kill -9 <each pid showing iceape>", and kill all
sessions of iceape, just to close a single, malicious tab, that is
allowed by security breaches in the mozilla/firefox/iceape/iceweasel
software.


It is, to me, the web browser saying to the world, "Hey, everyone! here
is some idiot's computer for you to gain unauthorised entry to and
control over!".


If the web browser is unable to block unwanted pop-ups, then we should
not be misled by the browser, into thinking that it will block unwanted
pop-ups that are a threat to system security.


That in itself, is particularly disturbing - that we are misled by
settings in the browser, that are supposed to protect us, that actually
provide no protection.


Is that indicating that the web browser, does in fact contain malicious
code, when it misleads the user into wrongly believing that the user
is protected from a particular security threat?


That, I think, is a fair question.

"Here is this special, new, armour plating compound, that will stop all
bullet and armour-piercing projectiles. Just because it is actually just
a roll of cling-wrap for food covering, does not mean that it will not
protect your household from drive-by shootings."


That is the nature of the option "Block unrequested popup windows",
being an option to be set, that simply does not work.


Whether that failing, is what causes the other instabilities (leading to
the blank "untitled windows"), is something for the software maintainers
to investigate, but, the software is insecure and deceptive, in falsely
pretending to "Block unrequested popup windows".


--
Bret Busby
Armadale
West Australia
..............

"So once you do know what the question actually is,
you'll know what the answer means."
- Deep Thought,
Chapter 28 of Book 1 of
"The Hitchhiker's Guide to the Galaxy:
A Trilogy In Four Parts",
written by Douglas Adams,
published by Pan Books, 1992

.................................................. ..


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

"Jeff Soules" 07-12-2008 02:36 PM

Iceweasel freezes and iceape vulnerabilities and instability
 
Did a cursory bit of looking at the site -- it looks like the image in question
is not actually a "popup" per se (i.e. a secondary window that gets opened)
but is just a particularly obnoxious application of Javascript that's creating
a div on top of the page and inserting this form and image into it. Or at
least that's what a bit of cursory inspection with the DOM Inspector seems
to suggest (also, if you hold down your move-window key and click, the
popup is fixed in place within the browser window, it's not a separate window
to X).
It's the same thing that e.g. gmail uses to display that little "loading..."
status blurb in the upper-right corner that sometimes covers up useful links.

So the popup blocker couldn't work, there is no external window popping
up. If you turn off javascript completely, that ought to fix it, though
probably at the "cost" of meaning this website won't load at all.

It also displays an "alert" if you attempt to close the chat; my memory is
fuzzy but I'm pretty sure that specifying whether you can select that text
is a part of the Javascript standard. Can you select the text in other alert
boxes?

Anyway, the browser is doing its job; it is just possible to do some really
annoying things with Javascript. If it bothers you sufficiently, turn off
javascript.



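The distinction drawn in the reply above, as an added example that is not part of the original thread: a popup blocker acts on requests for a new window, while the "popup" described here is an element positioned on top of the page, so it has to be found by inspecting layout. The thresholds, the element ids and the sample boxes below are constructed assumptions.

```javascript
// Added example, not from the thread. Thresholds and sample data are assumptions.
const MIN_COVERAGE = 0.25; // minimum share of the viewport a box must cover
const MIN_Z_INDEX = 100;   // minimum stacking level to count as "on top"

// Returns the boxes that behave like an in-page "popup": positioned, visible,
// stacked above the content and covering a large part of the viewport.
// In a browser, build `boxes` from live elements, for example:
//   [...document.querySelectorAll('*')].map(el => ({ id: el.id,
//     style: getComputedStyle(el), rect: el.getBoundingClientRect() }))
function findOverlays(boxes, viewport) {
  const viewArea = viewport.width * viewport.height;
  return boxes.filter(({ style, rect }) => {
    if (style.position !== 'fixed' && style.position !== 'absolute') return false;
    if (style.display === 'none' || style.visibility === 'hidden') return false;
    const z = parseInt(style.zIndex, 10); // 'auto' parses to NaN
    if (Number.isNaN(z) || z < MIN_Z_INDEX) return false;
    // Clip the box to the viewport before measuring how much it covers.
    const w = Math.min(rect.right, viewport.width) - Math.max(rect.left, 0);
    const h = Math.min(rect.bottom, viewport.height) - Math.max(rect.top, 0);
    return w > 0 && h > 0 && (w * h) / viewArea >= MIN_COVERAGE;
  });
}

// Constructed sample: page content, a small status blurb, a large form laid
// over the page, and a dialog that exists in the DOM but is not displayed.
const box = (id, position, zIndex, display, left, top, right, bottom) => ({
  id,
  style: { position, zIndex, display, visibility: 'visible' },
  rect: { left, top, right, bottom },
});
const VIEWPORT = { width: 1280, height: 800 };
const SAMPLE_BOXES = [
  box('content', 'static', 'auto', 'block', 0, 0, 1280, 3000),
  box('loading-blurb', 'fixed', '1000', 'block', 1180, 0, 1280, 24),
  box('exit-form', 'absolute', '9999', 'block', 240, 100, 1040, 700),
  box('hidden-dialog', 'fixed', '9999', 'none', 0, 0, 1280, 800),
];

console.log(findOverlays(SAMPLE_BOXES, VIEWPORT).map((b) => b.id));
```

The small status blurb uses the same positioning technique as the large form and is not flagged, which is why size and stacking are checked rather than positioning alone.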

