Re: Firespoofing [Firefox 1.0]

To: mikx <mikx@xxxxxxx>
Subject: Re: Firespoofing [Firefox 1.0]
From: Pavel Kankovsky <peak@xxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 11 Jan 2005 21:15:02 +0100 (MET)
Cc: full-disclosure@xxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx
In-reply-to: <00c801c4f76b$36346020$280207d5@xxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

On Tue, 11 Jan 2005, mikx wrote:

> The bug is confirmed but currently unfixed (open for more than 3 months). As 
> a partial workaround set dom.disable_window_flip to true in about:config. 

Setting most of dom.disable_window_open_feature.* to true (and making it
impossible to remove browser "decorations" from browser windows) is a
pretty efficient (even if not 100% bullet-proof) way to thwart this kind
of attack. As well as other GUI spoofing attacks.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

References:
- Firespoofing [Firefox 1.0]
  - From: mikx

Prev by Date: IlohaMail Insecure Configuration Files
Next by Date: Re: DSL- Router Teledat 530 DoS
Previous by thread: Firespoofing [Firefox 1.0]
Next by thread: [ GLSA 200501-18 ] KDE FTP KIOslave: Command injection
Index(es):
- Date
- Thread