----- Forwarded message from Jeff Smith -----

Mozilla Firefox allows remote sites to render XUL content that mimics the browser's user interface. Using JavaScript, the real interface can be turned off and replaced with fake UI components. For spoofing the UI, the effectiveness of XUL is far greater than that of static images or even DHTML.

The security implications of this trick were considered as early as 1999 in Mozilla Bug 22183 (http://bugzilla.mozilla.org/show_bug.cgi?id=22183). However, the Mozilla Foundation kept the bug confidential until recently, when a researcher noted the problem and published a particularly effective demonstration, spoofing a "PayPal" login site (see http://www.nd.edu/~jsmith30/xul/test/spoof.html).

The demonstration takes advantage of the fact that the browser is designed to seamlessly render web applications written in XUL. XUL is an XML-based language that creates a user interface. It can produce buttons, menus, dialog boxes, and many more UI elements. The most well-known application using XUL for its interface is the Firefox browser itself. For more information, see http://www.mozilla.org/projects/xul/.

The entire interface to Firefox is contained in a ~70kb XUL file (chrome/browser.jar!content/browser/browser.xul). With surprisingly few modifications, this same file was turned into a malicious web application. The URL bar was modified to always display "https://www.paypal.com/", and the status bar was modified to include the "SSL Security" padlock icon. In addition, JavaScript was added to make a spoofed "Security Info" dialog box pop up after double-clicking the padlock icon. The spoofed dialog box also derives from an XUL file in the Firefox UI, modified to contain ostensibly legitimate information about the SSL "certificate" of the page. All said and done, the spoof successfully emulates a default installation of Firefox with frightening accuracy.

However, because untrusted web applications have no access to user preferences, most browser customizations are not reflected in the spoof. This includes toolbar arrangement, the bookmarks menu, and some browser extensions. (The browser theme [UI skin] is an exception; it is spoofed.) In addition, to be effective, a user must click on a link on a malicious web page or (more likely) a forged email appearing to be from "PayPal".

The developers of Mozilla are currently looking into various methods to make a fake user interface more obvious. The most likely solution will be to force the status bar to always be visible, as Microsoft will do with IE6 SP2.

More information:

http://bugzilla.mozilla.org/show_bug.cgi?id=22183
  This is the first mention of the problem that I am aware of. It was marked confidential for five years until 7-21-2004.

http://bugzilla.mozilla.org/show_bug.cgi?id=252198
  This is the bug that was eventually filed on 7-19-2004.

http://bugzilla.mozilla.org/show_bug.cgi?id=252811
  This is the proposed solution to the issue.

http://www.nd.edu/~jsmith30/xul/test/spoof.html
  This is the demonstration of the spoof.

The author of the "PayPal" demonstration can be contacted via email at jsmith30 at nd dot edu.

-- 
David Mirza Ahmad
Symantec

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
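The forwarded message describes the attack from the browser's side: a remote site serving a XUL document that the browser renders as if it were its own chrome. From the defender's side, the observable artifact is a XUL document arriving from an origin that has no business serving one. The script below is an added example (not part of the forwarded post, and not Mozilla's or the researcher's code) that scans proxy-log entries for XUL served by non-allowlisted hosts. The five-field log format and the log lines themselves are constructed for the example, the allowlist host is hypothetical, and the one real identifier used is the registered XUL media type, application/vnd.mozilla.xul+xml.

```python
"""Flag proxy-log entries in which a remote, non-allowlisted host served XUL.

Added example for this advisory; not code from the original post.
Assumed log format (constructed for this example, one request per line):
    <client_ip> <method> <url> <status> <content_type>
"""
from urllib.parse import urlparse

# Registered media type for XUL documents (a real identifier).
XUL_MIME = "application/vnd.mozilla.xul+xml"

# Hypothetical internal host that legitimately serves XUL applications.
ALLOWED_XUL_HOSTS = {"intranet.example.local"}

# Constructed sample log lines; none of this is real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET http://intranet.example.local/app/main.xul 200 application/vnd.mozilla.xul+xml
10.0.0.5 GET http://www.example.org/index.html 200 text/html
10.0.0.7 GET http://attacker.example.net/login 200 application/vnd.mozilla.xul+xml
10.0.0.7 GET http://attacker.example.net/ui/browser.xul 200 application/xml
10.0.0.9 GET http://www.example.org/style.css 200 text/css
"""


def parse_line(line):
    """Split one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    client, method, url, status, ctype = parts
    return {"client": client, "method": method, "url": url,
            "status": status, "ctype": ctype.lower()}


def is_remote_xul(entry, allowed_hosts=ALLOWED_XUL_HOSTS):
    """True when XUL came from a host outside the allowlist.

    Two signals are used: the declared content type, and a .xul path
    (a server may mislabel the response, as the fourth sample line does).
    """
    parsed = urlparse(entry["url"])
    host = (parsed.hostname or "").lower()
    if host in allowed_hosts:
        return False
    return entry["ctype"] == XUL_MIME or parsed.path.lower().endswith(".xul")


def find_remote_xul(log_text, allowed_hosts=ALLOWED_XUL_HOSTS):
    """Return the parsed entries that should be reviewed by an analyst."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_remote_xul(entry, allowed_hosts):
            hits.append(entry)
    return hits


def hosts_serving_xul(log_text, allowed_hosts=ALLOWED_XUL_HOSTS):
    """Distinct remote hosts that served XUL, for a quick triage summary."""
    return sorted({urlparse(h["url"]).hostname
                   for h in find_remote_xul(log_text, allowed_hosts)})


if __name__ == "__main__":
    for hit in find_remote_xul(SAMPLE_LOG):
        print(f"{hit['client']} fetched remote XUL from {hit['url']} "
              f"(declared type: {hit['ctype']})")
    print("hosts to review:", hosts_serving_xul(SAMPLE_LOG))
```

Run over the constructed sample, the intranet request is skipped because its host is allowlisted, the HTML and CSS requests are ignored, and the two requests to attacker.example.net are reported, one by content type and one by its .xul path despite the mislabelled type. Adapting this to a real proxy log means only replacing parse_line with a parser for that log's format.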