MozillaQuest the on-line computer magazine
September 30, 2002

Zero Tolerance for Privacy and Security Bugs

Mozilla and Netscape JavaScript Bugs Compromise Privacy and Security


Mike Angelo -- 30 September 2002 (c)


Article Index

Anatomy of Mozilla Bug #145579

A Pattern of Known, Un-Fixed, Privacy Bugs in the Mozilla-Netscape Browsers

  • Oingo Bugs Fiasco
  • Mozilla Bug #32571

Duty To Disclose and To Fix Privacy and Security Bugs

Conclusion

Resources

If you like to keep your Web surfing habits private, you might want to turn JavaScript (JS) off in the Mozilla and Netscape browsers -- and other Mozilla-based browsers too. One reason is Mozilla Bug #145579. Even without Mozilla Bug #145579, your system is more secure and you are less subject to privacy and security invasions with JavaScript disabled.

While we were working on this story, Mozilla Bug #145579 was fixed in the daily/nightly Mozilla development builds. If you use the daily/nightly Mozilla builds, then you might want to upgrade now -- if you already have not done so.

However, if you use the Milestone releases such as Mozilla 1.0.1 or Mozilla 1.1, you simply might want to turn JavaScript off until the next Mozilla Milestone release. Generally, the Mozilla Milestone builds are more stable and more polished than are daily/nightly Mozilla development builds.

Please keep in mind that unless you upgrade to a new Mozilla build in which Bug #145579 has been fixed, you likely have that bug in your Mozilla browser suite. Moreover, at this time there is no Netscape 7 upgrade available that does not have Bug #145579 in it -- as far as we know. So, if you are a Netscape user you are SOOL (so out of luck).

Therefore, if you are using the Netscape 6.x or 7.x browser, or a Mozilla browser or a Mozilla-based browser built prior to 19 September 2002, and you want to be protected from the privacy vulnerability described in Mozilla Bug #145579 and from other Mozilla JavaScript bugs, you ought to turn JavaScript off. If you have experience applying patches and hacks, there are some patches and hacks that you can use to work around the Bug #145579 problems. However, we do not recommend trying the patches and hacks unless you already know how to do this sort of thing.

In the Mozilla and Netscape browsers, JavaScript is mostly an all or none deal. However, in Microsoft Internet Explorer (MSIE) and MSIE-based browsers, you can set JavaScript to off, on, or ask before allowing a JavaScript to run. Please see Figure 1.

Figure 1a. Microsoft Internet Explorer (MSIE) Internet Options (preferences) Security tab. Please note IE gives you four sets (zones) of security and privacy settings. You have a choice of accepting the MSIE default settings for each zone or you can customize the setting for a zone.

Figure 1b. Microsoft Internet Explorer (MSIE) custom scripting security settings with the context-sensitive (?) help showing. Please note that for these scripting settings you may choose Disable, Enable, or Prompt. The Mozilla-Netscape browsers do not provide a Prompt option for their comparable settings.

In the all or none (off or on only) preferences such as the Mozilla-Netscape browsers employ for JavaScript, you must re-edit your preferences to turn some behavior or feature, JavaScript for example, off or on. However, with the MSIE-style ask setting, whenever a Web page attempts to execute some behavior or feature such as a script, the browser will advise you that the Web page wants to run a script. The browser also asks you if you want to allow that to occur. So, if you trust the Web site that sent the page to your browser, and you want to let the script run on that page, you can allow the script to run without needing to alter your underlying preference settings -- for that instance of that page only.

There are some trade-offs here. You might encounter problems with completing on-line forms and other interactive Web-based transactions with JavaScript turned off. Some Web pages might not display correctly, or even display at all, with JavaScript off. The way IE lets you handle JavaScript, you can make a case-by-case decision about JS for each page without having to modify your preferences configuration.

This is just one of the reasons why we do not recommend people switch from Internet Explorer to Mozilla or Netscape -- Internet Explorer provides a much richer set of privacy and security options than does the Mozilla-Netscape browser.

The Mozilla browser-suite comes with many Linux distributions. The Netscape browser-suite also is included with many Linux distributions. The various Microsoft Windows operating systems come with Microsoft's Internet Explorer, but a few people obtain and install the Mozilla and Netscape browsers, or other Mozilla-based browsers, on their Windows-based computers. All told, the Mozilla and Netscape browsers, and other Mozilla-based browsers, account for less than five percent of the Web-browser market.

Anatomy of Mozilla Bug #145579

Sven Neuhaus, a Software Engineer at Neoply, AG in Germany, recently brought Mozilla Bug #145579 to public attention. In an 11 September 2002 posting to the Bugtraq mailing list, Privacy leak in Mozilla, Neuhaus stated:

There is a serious privacy leak in Mozilla that reveals the URL of the page you are visiting to the web server of the page you visited last. The leak not only occurs for links followed on the page (that wouldn't be particularly serious) but also for URLs entered manually or picked from the bookmarks.

A more complete/technical description of Bug #145579 (link in the Resources section at the end of this article) is found in the description entry of that bug report:

If a new url is entered into the address bar (and enter or go is pressed) the browser starts to look up this address.

When a javascript (sic) script loads a new image by a setTimeout-triggered event on the current page while the browser is looking up the new address, the image has a document referer of http://new page/ instead of http://current page/

In his Bugtraq posting, Neuhaus notes that:

This is bug 145579 from the bugzilla (sic) database. It's a couple of months old now so I'm disclosing this vulnerability to hopefully initiate the fixing process.

As Neuhaus mentions in his Bugtraq posting, you can avoid this privacy bug by turning off JavaScript. To do that in Mozilla or Netscape, go to the Menu Bar and click on Edit > Preferences > Advanced > Scripts & Plugins. Then, in the Enable JavaScript for area, un-tick Navigator and Mail and Newsgroups. Please see Figure 2.

Figure 2. Mozilla JavaScript Settings.

Something that is obvious from looking at Mozilla Bug Report #145579, and something that several commenters there mention, is that this bug had been there for a while. Mozilla Bug #145579 was opened on 19 May 2002. Mozilla Bug Report #145579 is now four months old and was not fixed until 17 September 2002. There is no excuse for letting a known privacy bug go un-fixed for four months.

Note: The date a bug report is filed is just that -- the date on which the bug is reported to the Mozilla-Netscape developers via the Bugzilla database. The bug report-date is not necessarily the date upon which the problem was introduced into the Mozilla code base. The problem or issue reported could have been in the Mozilla code-base for only a day or so, or it could have been in there for months or years -- but only reported on the date the bug was entered into the Bugzilla database.

Mozilla 1.0, 1.0.1, 1.1, and 1.2a and a few other intervening Mozilla editions all have been released since Bug #145579 was reported. Netscape 7.0, and likely Netscape 7.0-PR1, were released since Bug #145579 was reported. Earlier Mozilla and Netscape releases could suffer from the issues described in Bug #145579, too.
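One way to check your own browser for the referer behavior described in Bug #145579 is to run it through a local logging proxy and look for image requests whose Referer names a page the browser had not yet requested. The sketch below is an added example, not code from the bug report or from Mozilla; the log format, field names and hostnames are assumptions constructed for illustration.

```javascript
// Constructed sample: requests a local logging proxy might record, in time order.
// The fields (t in ms, kind, url, referer) are assumptions made for this example.
const sampleLog = [
  { t: 0,    kind: 'document', url: 'http://current.example/',         referer: null },
  { t: 120,  kind: 'image',    url: 'http://current.example/logo.gif', referer: 'http://current.example/' },
  // The user types a new address here; the lookup of new.example is still running.
  { t: 5000, kind: 'image',    url: 'http://current.example/t.gif',    referer: 'http://new.example/private' },
  { t: 5400, kind: 'document', url: 'http://new.example/private',      referer: null },
  { t: 5600, kind: 'image',    url: 'http://new.example/pic.gif',      referer: 'http://new.example/private' },
];

// Flag subresource requests whose Referer names a document the browser had
// not requested yet: a page cannot issue requests before it has been loaded.
function findPrematureReferers(log) {
  const loadedDocs = new Set();
  const findings = [];
  const entries = [...log].sort((a, b) => a.t - b.t);
  for (const e of entries) {
    if (e.kind === 'document') { loadedDocs.add(e.url); continue; }
    if (!e.referer || loadedDocs.has(e.referer)) continue;
    // Was the Referer document actually fetched only after this request?
    const later = entries.some(
      d => d.kind === 'document' && d.url === e.referer && d.t > e.t);
    findings.push({
      request: e.url,
      leakedUrl: e.referer,
      sentTo: new URL(e.url).host,
      // 'unverified' can also mean a cached page or one loaded before logging began.
      status: later ? 'confirmed' : 'unverified',
    });
  }
  return findings;
}

console.log(findPrematureReferers(sampleLog));
```

A 'confirmed' finding means the previous site's server received the address of the next page before the browser fetched it, which is the leak the bug report describes.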

A Pattern of Known, Un-Fixed, Privacy Bugs in the Mozilla-Netscape Browsers

Is there a pattern here? A pattern of the Mozilla-Netscape developers not only writing code that results in privacy invasions, but intentionally releasing Mozilla and Netscape browser-suites with known, un-fixed, privacy bugs and issues?

Oingo Bugs Fiasco

Remember the Mozilla Oingo bugs fiasco? That was another set of privacy-category bugs in the Mozilla 1.0 browser and e-mail-news modules. However, the Mozilla people released Mozilla 1.0 (5 June 2002) knowing the Oingo bug was there and took their time before releasing the patched release, 1.0.1-RC1 (15 August 2002). Is there a pattern of dragging on getting privacy bugs fixed?

Mozilla Bug #32571

Mozilla Bug #32571, window.close() can close windows it doesn't own, is an even older, un-fixed Mozilla security bug. It was reported in March 2000 -- more than two years ago. (Link in the Resources section at the end of this article.)

Mozilla Bug #170165, Javascripts (sic) can close the browser window without warning, was filed only a few days ago. It has been marked a duplicate of Bug #32571. In part Bug #170165 is mentioned here because its description is much better worded than is the initial description of Bug #32571. (Link in the Resources section at the end of this article.)

The following simple javascript: <script>window.close()</script> closes the Mozilla browser window without warning, which is annoying in forums with html enabled and pesty kids. Internet Explorer gives a warning about this, but in Mozilla the page closes before you can see it. In Advanced options about Javascript (sic), you can turn off scripts that resize the window, move it, or open a new one, but there's no setting to turn off window.close().

Reproducible: Always

Steps to Reproduce:

1. Make a html page that contains <script>window.close()</script>

2. Open it in Mozilla

Actual Results:

The browser window closed.

Expected Results:

Ask me if I want to close the window or not, or have an option where you can turn unwanted closing of browser windows off.

Interestingly, the original reporter of Mozilla Bug #32571 noted that he/she did not want the bug to be fixed, stating: "please try not to fix this bug. it (sic) is too convenient for me." (Perhaps what is a bug or annoyance to one person is a feature to another.)

Traversing the 73 comments to Mozilla Bug #32571 is an interesting experience. Noticeably, there are many bugs that have been marked as duplicates of Mozilla Bug #32571. Some commenters there believe that this bug is merely an annoyance. However, some wiser commenters realize the seriousness of Bug #32571.

For example, in Comment #59, May 2002, Christopher Cook notes:

I don't see Data Loss mentioned in this bug, perhaps because it's a matter of opinion but if I have 5 tabs open, and one has a form being filled out/webmail email being written then I WILL lose data because of this bug, not to mention all of the sites I had open (in my opinion having to re-browse to a page you found through a series of links is just as bad as having to re-type an email you've just lost) . . . a window should never be able to close tabs/windows it doesn't own (except itself) so is this getting a patch applied soon?

In Comment #69, Zbigniew Braniecki addressed the importance of Mozilla Bug #32571, stating: "[i]t's a big security hole."

It appears that the problem described in Mozilla Bug Report #32571 likely has been in every Mozilla Milestone release since and including Mozilla Milestone M14 -- and likely every Netscape 6.x and Netscape 7.x release to date. Why was Mozilla Bug #32571 not fixed two years ago?


See Duty To Disclose and To Fix Privacy and Security Bugs on Page 2.

Copyright 2000-2002 -- MozillaQuest -- Brodheadsville, Pa., USA -- All Rights Reserved

