Zero Tolerance for Privacy and Security Bugs

Mozilla and Netscape JavaScript Bugs Compromise Privacy and Security

Mike Angelo -- 30 September 2002 (c)

While we were working on this story, Mozilla Bug #145579 was fixed in the daily/nightly Mozilla development builds. If you use the daily/nightly Mozilla builds, then you might want to upgrade now -- if you already have not done so.

However, if you use the Milestone releases such as Mozilla 1.0.1 or Mozilla 1.1, you simply might want to turn JavaScript off until the next Mozilla Milestone release. Generally, the Mozilla Milestone builds are more stable and more polished than are daily/nightly Mozilla development builds.

Please keep in mind that unless you upgrade to a new Mozilla build in which Bug #145579 has been fixed, you likely have that bug in your Mozilla browser suite. Moreover, at this time there is no Netscape 7 upgrade available that does not have Bug #145579 in it -- as far as we know. So, if you are a Netscape user you are SOOL (so out of luck).

Therefore, if you are using the Netscape 6.x or 7.x browser or a Mozilla browser or a Mozilla-based browser built prior to 19 September 2002, and you want to be protected from the privacy vulnerability described in Mozilla Bug #145579 and other JavaScript Mozilla bugs you ought to turn JavaScript off. If you have experience applying patches and hacks, there are some patches and hacks that you can use to work around the Bug #145579 problems. However, we do not recommend trying the patches and hacks unless you already know how to do this sort of thing.

In the Mozilla and Netscape browsers, JavaScript is mostly an all or none deal. However, in Microsoft Internet Explorer (MSIE) and MSIE-based browsers, you can set JavaScript to off, on, or ask before allowing a JavaScript to run. Please see Figure 1.

In the all or none (off or on only) preferences such as the Mozilla-Netscape browsers employ for JavaScript, you must re-edit your preferences to turn some behavior or feature, JavaScript for example, off or on. However, with the MSIE-style ask setting, whenever a Web page attempts to execute some behavior or feature such as a script, the browser will advise you that the Web page wants to run a script. The browser also asks you if you want to allow that to occur. So, if you trust the Web site that sent the page to your browser, and you want to let the script run on that page, you can allow the script to run without needing to alter your underlying preference settings -- for that instance of that page only.

There are some trade-offs here. You might encounter problems with completing on-line forms and other interactive Web-based transactions with JavaScript turned off. Some Web pages might not display correctly or even display at all with JavaScript off. The way IE let's you do the JavaScript, you can make a case-by-case decision about JS for each page without having to modify your preferences configuration.

This is just one of the reasons why we do not recommend people switch from Internet Explorer to Mozilla or Netscape -- Internet Explorer provides a much richer set of privacy and security options than does the Mozilla-Netscape browser.

The Mozilla browser-suite comes with many Linux distributions. The Netscape browser-suite also is included with many Linux Distributions. The various Microsoft Windows operating systems come with Microsoft's Internet Explorer, but a few people obtain and install the Mozilla and Netscape browsers, or other Mozilla-based browsers, on their Windows-based computers. All told the Mozilla and Netscape browsers, and other Mozilla-based browsers, account for less than five per-cent of the Web-browser market.

Anatomy of Mozilla Bug #145579

Sven Neuhaus, a Software Engineer at Neoply, AG in Germany recently brought Mozilla Bug #145579 to public attention. In an 11 September 2002 posting to the Bugtraq mailing list, Privacy leak in Mozilla, Neuhus stated:

There is a serious privacy leak in Mozilla that reveals the URL of the page you are visiting to the web server of the page you visited last. The leak not only occurs for links followed on the page (that wouldn't be particularly serious) but also for URLs entered manually or picked from the bookmarks.

A more complete/technical description of Bug #145579 (link in the Resources section at the end of this article) is found in the description entry of that bug report:

If a new url is entered into the address bar (and enter or go is pressed) the browser starts to look up this address.

When a javascript (sic) script loads a new image by a setTimeout-triggered event on the current page while the browser is looking up the new address, the image has a document referer of http://new page/ instead of http://current page/

In his Bugtraq posting, Neuhaus notes that:

This is bug 145579 from the bugzilla (sic) database. It's a couple of months old now so I'm disclosing this vulnerability to hopefully initiate the fixing process.

As Neuhaus mentions in his Bugtraq posting, you can avoid this privacy bug by turning off JavaScript. To do that in Mozilla or Netscape, go to the Menu Bar and click on Edit > Preferences > Advanced > Scripts & Plugins. Then, in the Enable JavaScript for area, un-tick Navigator and Mail and Newsgroups. Please see Figure 2.

Something that is obvious from looking at Mozilla Bug Report #145579, and something that several commenters there mention, is that this bug had been there for a while. Mozilla Bug #145579 was opened on 19 May 2002. Mozilla Bug Report #145579 is now four-months old and was not fixed until 17 September 2002. There is no excuse for letting a known privacy bug go un-fixed for four months.

A Pattern of Known, Un-Fixed, Privacy Bugs in the Mozilla-Netscape Browsers

Is there a pattern here? A pattern of the Mozilla-Netscape developers not only writing code that results in privacy invasions, but intentionally releasing Mozilla and Netscape browser-suites with known, un-fixed, privacy bugs and issues?

Oingo Bugs Fiasco

Remember the Mozilla Oingo bugs fiasco? That was another privacy category set of bugs in the Mozilla 1.0 browser and e-mail-news modules. However, the Mozilla people released Mozilla 1.0 (5 June 2002) knowing the Oingo bug was there and took their time before releasing the patched release, 1.0.1-RC1 (15 August 2002). Is there a pattern of dragging on getting privacy bugs fixed?  

Mozilla Bug #32571

Mozilla Bug #32571, window.close() can close windows it doesn't own, is an even older, un-fixed Mozilla security bug. It was reported in March 2000 -- more than two years ago. (Link in the Resources section at the end of this article.)

Mozilla Bug #170165, Javascripts (sic) can close the browser window without warning, was filed only a few days ago. It has been marked a duplicate of Bug #32571. In part Bug #170165 is mentioned here because its description is much better worded than is the initial description of Bug #32571. (Link in the Resources section at the end of this article.)

The following simple javascript: <script>window.close()</script> closes the Mozilla browser window without warning, which is annoying in forums with html enabled and pesty kids. Internet Explorer gives a warning about this, but in Mozilla the page closes before you can see it. In Advanced options about Javascript (sic), you can turn off scripts that resize the window, move it, or open a new one, but there's no setting to turn off window.close().

Reproducible: Always

Steps to Reproduce:

1.Make a html page that contains <script>window.close()</script>

2.Open it in Mozilla

Actual Results:

The browser window closed.

Expected Results:

Ask me if I want to close the window or not, or have an option where you can turn unwanted closing of browser windows off.

Interestingly the original reporter of Mozilla Bug #32571 noted that he/she did not want the bug to be fixed stating: please try not to fix this bug. it (sic) is too convenient for me. (Perhaps what is a bug or annoyance to one person is a feature to another.)

Traversing the 73 comments to Mozilla Bug #32571 is an interesting experience. Noticeably, there are many bugs that have been marked as duplicates of Mozilla Bug #32571. Some commenters there believe that this bug is merely an annoyance. However, some wiser commenters realize the seriousness of Bug #32571.

For example, in Comment #59, May 2002, Christopher Cook notes:

I don't see Data Loss mentioned in this bug, perhaps because it's a matter of opinion but if I have 5 tabs open, and one has a form being filled out/webmail email being written then I WILL lose data because of this bug, not to mention all of the sites I had open (in my opinion having to re-browse to a page you found through a series of links is just as bad as having to re-type an email you've just lost) . . . a window should never be able to close tabs/windows it doesn't own (except itself) so is this getting a patch applied soon?

In Comment #69 Zbigniew Braniecki addressed the importance of Mozilla Bug #32571 stating: [i]t's a big security hole.

It appears that the problem described in Mozilla Bug Report #32571 likely has been in every Mozilla Milestone release since and including Mozilla Milestone M14 -- and likely every Netscape 6.x and Netscape 7.x release to date. Why was Mozilla Bug #32571 not fixed two years ago?

Related Articles

For more information about Mozilla 1.0, please see our Mozilla 1.0 comprehensive coverage articles:

• Mozilla 1.0 is Officially Out!,
• Mozilla 1.0 Browser Quick Look,
• Mozilla 1.0 Browser-Suite's E-Mail & News Quick Look
• Mozilla 1.0 Not Ready for Prime Time -- Close but No Cigar and No Brass Ring! -- A Quick Look at Some Mozilla 1.0 Browser-Suite Annoyances, Bugs, And Issues,
• Mozilla 1.0 Browser-Suite Performance -- Speed, Stability, and Memory Hogging, and
• Turmoil in MozillaLand: Current Status of Mozilla 1.0, 1.0.1, and 1.1-Alpha

Is Mozilla Actually AOL-Netscape's Mozilla?

Year 2001 in Review -- Mozilla and Netscape Browsers

AOL 7.0: Good News for AOL Users & Microsoft - Bad News for Netscape & Mozilla

Copyright 2000-2002 -- MozillaQuest -- Brodheadsville, Pa..USA -- All Rights Reserved