View Full Version : FireFox Spoofing


neo75903
2nd August 2004, 04:11
Just dropped this message to warn FireFox users about a spoofing method of your browser's interface.
You can check it out yourself at:
http://www.nd.edu/~jsmith30/xul/test/spoof.html

This is not a bug but an exploited feature since the Firefox interface is built on XUL. Hope the whitelist feature will be available with the next version.

A similar spoof can be done with IE and seen at:
http://w3irdn3rd.no-ip.org/bug/paypaal/

As many things in life, be careful if it is a dodgy site you are visiting.

http://www.mozilla.org/products/firefox/buttons/header.png
http://getfirefox.com/

sysKin
2nd August 2004, 07:22
Generally, this spoof can be done with ALL browsers that support javascript. This is because all browsers allow UI elements to be hidden, which is useful when displaying small tooltip-like windows, which don't need all the navigation buttons and even url bar.

Now, all you have to do is to open such a window, hide all buttons and use either XUL (in case of mozilla) or html (in case of all browsers) to create buttons that look (and even work) just like originals.

That has been known for ages and as far as I know, no one bothered to spoof any user interface with this just yet. And if they would, I bet they'd spoof IE6's buttons, since that will fool more people ;).

Radek

PS. The funny thing is, the spoofing example just doesn't work on my firefox. I get the "spoofed" buttons, but the originals are not hidden, so it would not fool anyone.

Neo Neko
2nd August 2004, 07:30
Yes you can turn off the ability to hide all of that stuff in Mozilla etc so it is always visible. IE users are just not that lucky. I always have those things disabled as they are abused more than they are needed.

shevegen
2nd August 2004, 13:48
Almost the same here.

user.js and similar settings work wonders for me, especially speed, but also to recognize phishing attempts. (But then again I hardly do many online transactions)

neo75903
2nd August 2004, 18:20
I can see that most of us here are very careful on the web.
Unfortunately there are many n00b users out there who can't tell the difference until it is too late. Just like all those email viruses.

Neo Neko
2nd August 2004, 20:29
Nothing wrong with being a noob. That is unless you make no effort to stop being a noob. That does not mean becoming a 1337 h4x0r. But just learning about your environment. You would not run naked through a public park in a major city at night. But a lot of people are running out on the public internet naked in IE exposing themselves to real danger. I am going out to a business tomorrow to fix several systems that were in just this position. I was making a list of software to gather for the job:

1. Mozilla. ;)
2. Adaware
3. Spybot Search and destroy
4. F-Prot
5. Knoppix-STD

Since I can't be there to scold people for launching IE I am going to block as many methods of launching IE as possible. Including hiding Mozilla in IE program shortcuts. :D I will leave one buried start link for when it is absolutely necessary to use IE. If I did not do this I would probably be out there every week. But at least it would be steady work. :p

neo75903
2nd August 2004, 22:38
Lolz, idd I also advise my friends not to use IE and recommend them to use FireFox as well.
Some do and some are just ignorant thinking it comez from M$ and would be better than an amateur written browser. :/

------------------------------------------------
... You would not run naked through a public park in a major city at night. ...
------------------------------------------------
erm no comments ;)

maybe this? rename FireFox.exe IExplorer.exe ;-)

Mug Funky
3rd August 2004, 16:05
is it just me, or could this kind of spoofing be solved by simply changing one's colour scheme?

@ neo:

good analogy there. that explains things quite well (i hope you don't mind if i steal that expression to help explain why my friends need to ditch IE once and for all)

trolltuning
3rd August 2004, 18:07
If the address is spelled correctly does that mean you're safe?
(The example read paypaal)
Never mind (I had only looked at the I.E. example)

Sirber
3rd August 2004, 20:47
that sucks. that's why, never leave default UI :D

neo75903
3rd August 2004, 21:05
no, they can also fake the address bar. But if you click the arrow in the address bar you will notice that all your previous visits are not on the list. Ofcoz we seldom do that.
I always keep an eye on my statusbar.

Sirber
3rd August 2004, 22:01
Better just not browse BS sites :)

communist
14th August 2004, 14:40
Originally posted by Mug Funky
is it just me, or could this kind of spoofing be solved by simply changing one's colour scheme?
Yep me thinks the same - at least I haven't seen spoofed Bluezilla (http://themes.mozdev.org/themes/bluezilla.html) buttons ;)

LordDethstar
14th August 2004, 17:27
Well, that trick would not work with my firefox installation. I have disabled the ability to hide GUI elements, and every new window opens in a tab instead. You can disable GUI element hiding by going to "about:config" and changing the entries that start with "dom.disable".
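
The UI hiding sysKin describes and the "dom.disable" prefs LordDethstar mentions, as an added example that is not part of the original thread: a simplified model of classic `window.open()` feature strings that reports which browser chrome a popup request hides and which of it stays visible once the prefs are set. The sample feature string is constructed, and the four `dom.disable_window_open_feature.*` names are the members of that pref family the model covers.

```javascript
// Added example: simplified model of classic window.open() feature handling.
// CHROME lists the window parts a feature string can switch off.
const CHROME = ["location", "toolbar", "menubar", "status"];

// Parse "width=300,location=no,status" into { width: "300", location: "no", status: "yes" }.
function parseFeatures(features) {
  const out = {};
  for (const part of features.split(",")) {
    const [rawName, rawValue] = part.split("=");
    const name = rawName.trim().toLowerCase();
    if (name) out[name] = (rawValue === undefined ? "yes" : rawValue.trim().toLowerCase());
  }
  return out;
}

// Which chrome elements does the page ask the browser to hide?
// Classic rule: with a non-empty feature string, anything not switched on is off.
function requestedHidden(features) {
  if (!features || !features.trim()) return [];
  const f = parseFeatures(features);
  return CHROME.filter((name) => !["yes", "1"].includes(f[name]));
}

// Apply the user's prefs: a true dom.disable_window_open_feature.<name>
// means the page is not allowed to hide that element.
function effectiveHidden(features, prefs) {
  return requestedHidden(features).filter(
    (name) => prefs["dom.disable_window_open_feature." + name] !== true
  );
}

// Constructed sample: a popup request that strips all browser chrome.
const SAMPLE = "width=800,height=600,location=no,toolbar=no,menubar=no,status=no";

const DEFAULT_PREFS = {};
const HARDENED_PREFS = {
  "dom.disable_window_open_feature.location": true,
  "dom.disable_window_open_feature.toolbar": true,
  "dom.disable_window_open_feature.menubar": true,
  "dom.disable_window_open_feature.status": true,
};

console.log("default :", effectiveHidden(SAMPLE, DEFAULT_PREFS));
console.log("hardened:", effectiveHidden(SAMPLE, HARDENED_PREFS));
```

With the default prefs every chrome element the page asked to hide is hidden, which is the empty frame a spoofed toolbar gets drawn into; with the hardened prefs the real address bar and status bar stay on screen next to any imitation.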

WaryWolf
16th August 2004, 13:48
while this isn't really related, it does concern firefox and mozilla in general.

http://forums.invisionpower.com/lofiversion/index.php/t141604.html

neo75903
17th August 2004, 03:16
hehe for once my IE (IE version: 6.0.2800 with SP1) has one advantage above FireFox, following url did not crash on my pc
http://www.unsanity.org/rosyna/imgs/pngtest.png

and it was ages ago I ever used IE and didn't update it at all :)

avih
17th August 2004, 13:02
FF 0.93, or any recent nightly will not crash on this page ("instead", it shows a message indicating image error).

Hiro2k
17th August 2004, 19:37
My Firefox didn't crash either :D

wmansir
17th August 2004, 20:15
Can someone remind me what the 0.9.3 fix was for? I'm currently using 0.9.1+ w/ the 0.9.2 fix. I've been looking to upgrade to a nightly/3rd party build but I don't want to go thru the pain of setting up everything again when 1.0 is almost here.

LordDethstar
17th August 2004, 20:38
Originally posted by wmansir
Can someone remind me what the 0.9.3 fix was for? I'm currently using 0.9.1+ w/ the 0.9.2 fix. I've been looking to upgrade to a nightly/3rd party build but I don't want to go thru the pain of setting up everything again when 1.0 is almost here.

I think it was a vulnerability in the PNG library where a buffer overflow could allow execution of code.

neo75903
18th August 2004, 13:00
to avih: That's the 0.9.3 png fix :)

to wmansir: idd, this was mainly a png fix. You can just install over the old installation if you use an official release of firefox. Many forums report no problems. Problems only exist when you use nightly builds.

Can someone explain to me how a buffer overflow can cause an execution?

jernst
18th August 2004, 13:10
Can someone explain to me how a buffer overflow can cause an execution?

Simple; if you can write in memory past the buffer boundaries you can simply change the behaviour of the loaded program and make it run arbitrary code.

More info:
http://www.linuxjournal.com/article.php?sid=6701
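
The mechanism in the answer above, as an added example that is not part of the original thread: a simulation in which a byte array stands in for process memory, showing an unchecked copy changing which routine the program runs and a bounds-checked copy refusing the same input. The memory layout, routine names and inputs are all constructed for illustration and do not model the PNG library.

```javascript
// Added example: a byte array stands in for process memory (a simulation).
// Layout (constructed): bytes 0-7 are a data buffer, byte 8 selects which
// routine the program runs next, like a saved code pointer next to a buffer.
const BUF_START = 0, BUF_SIZE = 8, NEXT_ROUTINE = 8;

const ROUTINES = [
  () => "show image",          // index 0: what the program intends to run
  () => "unintended routine",  // index 1: reachable only by corrupting memory
];

function freshMemory() {
  const mem = new Uint8Array(16);
  mem[NEXT_ROUTINE] = 0;       // program stores "run routine 0 next"
  return mem;
}

// Vulnerable copy: trusts the input length, so input longer than the buffer
// keeps writing into whatever lies after it.
function copyUnchecked(mem, input) {
  for (let i = 0; i < input.length; i++) mem[BUF_START + i] = input[i];
}

// Fixed copy: rejects input that does not fit the buffer.
function copyChecked(mem, input) {
  if (input.length > BUF_SIZE) throw new RangeError("input exceeds buffer");
  mem.set(input, BUF_START);
}

// Copy the input, then do what the program always does: run the routine
// selected by the control byte.
function run(copy, input) {
  const mem = freshMemory();
  try {
    copy(mem, input);
  } catch (e) {
    return "rejected: " + e.message;
  }
  return ROUTINES[mem[NEXT_ROUTINE]]();
}

const fits = Uint8Array.of(1, 2, 3, 4);
const tooLong = Uint8Array.of(65, 65, 65, 65, 65, 65, 65, 65, 1); // 9th byte lands on the control byte

console.log(run(copyUnchecked, fits));
console.log(run(copyUnchecked, tooLong));
console.log(run(copyChecked, tooLong));
```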