Re: Iceweasel freezes and iceape vulnerabilities and instability
- From: "Jeff Soules" <soules@xxxxxxxxx>
- Date: Sat, 12 Jul 2008 10:36:02 -0400
Did a cursory bit of looking at the site -- it looks like the image in question
is not actually a "popup" per se (i.e. a secondary window that gets opened)
but is just a particularly obnoxious application of Javascript that's creating
a div on top of the page and inserting this form and image into it. Or at
least that's what a bit of cursory inspection with the DOM Inspector seems
to suggest (also, if you hold down your move-window key and click, the
popup is fixed in place within the browser window, it's not a separate window
to X).
It's the same thing that e.g. gmail uses to display that little "loading..."
status blurb in the upper-right corner that sometimes covers up useful links.
So the popup blocker couldn't work, there is no external window popping
up. If you turn off javascript completely, that ought to fix it, though
probably at the "cost" of meaning this website won't load at all.
It also displays an "alert" if you attempt to close the chat; my memory is
fuzzy but I'm pretty sure that specifying whether you can select that text
is a part of the Javascript standard. Can you select the text in other alert
boxes?
Anyway, the browser is doing its job; it is just possible to do some really
annoying things with Javascript. If it bothers you sufficiently, turn off
javascript.
On Sat, Jul 12, 2008 at 2:02 AM, Bret Busby <bret@xxxxxxxxx> wrote:
On Fri, 11 Jul 2008, Jeff Soules wrote:
that is allowed by Iceape, to take control of Iceape), Iceape opens multiple
pop-up windows, and, if one of the pop-up windows is inadvertently, directly
manually closed, the application crashes.
Funny you mention this -- I don't think this is due to malicious code, because
I have had a similar problem in IceWeasel, a crash when I closed a
popped-out google chat window. I haven't seen a repeat of this so I don't
know if it was a fluke, but it does seem that under certain circumstances
which I can't yet elaborate, closing a popup will crash the browser.
Okay - the web browser might not itself, contain malicious code, but, when
attempting to close a tab, an unauthorised pop-up displays, and says
something like "Are you sure you want to close this window? Click <whatever
button> (in the unauthorised popup) to confirm/continue", that, to me, is a
vulnerability/security risk, created by the browser's inability to block
unwanted pop-ups.
As a single example of this, open
http://www.truthaboutabs.com/get-ripped-abs.html , then, try to close it, by
simply clicking on the box with a cross in it, that is to close either a tab
or a browser window.
Unwanted pop-up appears! Malicious code!
And, that the web browser does not allow me to mark and copy the text that
is displayed in the unrequested popup window, is a concern in itself, as it
is clearly allowing an external web site to take control of the system, in
preventing me from marking and copying the text in the popup window.
How are we to know whether these things contain malicious code that is
written to spread malicious code or otherwise take control of the system?
We should not have to go out to a console session, and use "ps -ax | grep
iceape", then "kill -9 <each pid showing iceape>", and kill all sessions of
iceape, just to close a single, malicious tab, that is allowed by security
breaches in the mozilla/firefox/iceape/iceweasel software.
It is, to me, the web browser saying to the world, "Hey, everyone! here is
some idiot's computer for you to gain unauthorised entry to and control
over!".
If the web browser is unable to block unwanted pop-ups, then we should not
be misled by the browser, into thinking that it will block unwanted pop-ups
that are a threat to system security.
That in itself, is particularly disturbing - that we are misled by settings
in the browser, that are supposed to protect us, that actually provide no
protection.
Is that indicating that the web browser, does in fact contain malicious
code, when it misleads the user into wrongly believing that the user is
protected from a particular security threat?
That, I think, is a fair question.
"Here is this special, new, armour plating compound, that will stop all
bullet and armour-piercing projectiles. Just because it is actually just a
roll of cling-wrap for food covering, does not mean that it will not protect
your household from drive-by shootings."
That is the nature of the option "Block unrequested popup windows", being an
option to be set, that simply does not work.
Whether that failing, is what causes the other instabilities (leading to the
blank "untitled windows"), is something for the software maintainers to
investigate, but, the software is insecure and deceptive, in falsely
pretending to "Block unrequested popup windows".
--
Bret Busby
Armadale
West Australia
..............
"So once you do know what the question actually is,
you'll know what the answer means."
- Deep Thought,
Chapter 28 of Book 1 of
"The Hitchhiker's Guide to the Galaxy:
A Trilogy In Four Parts",
written by Douglas Adams,
published by Pan Books, 1992
....................................................
--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx with a subject
of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx
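The distinction drawn in the reply above, a script-created div layered over the page rather than a separate window, is why a popup blocker has nothing to act on. As an added example that is not part of the original thread, the following sketch flags such in-page overlays from element geometry; the descriptor fields, the coverage threshold and the sample element ids are assumptions constructed for illustration.

```javascript
// Added example: find in-page overlays, which never go through window.open
// and so are invisible to a popup blocker. Heuristic only; threshold assumed.
const MIN_COVERAGE = 0.15; // fraction of the viewport an overlay must cover

// Area of the part of rect that lies inside the viewport.
function visibleArea(rect, viewport) {
  const w = Math.min(rect.right, viewport.width) - Math.max(rect.left, 0);
  const h = Math.min(rect.bottom, viewport.height) - Math.max(rect.top, 0);
  return w > 0 && h > 0 ? w * h : 0;
}

// Keep displayed, positioned, raised elements that cover enough of the page.
function findOverlays(elements, viewport) {
  const total = viewport.width * viewport.height;
  return elements
    .filter((el) => el.display !== "none")
    .filter((el) => el.position === "fixed" || el.position === "absolute")
    .filter((el) => Number.parseInt(el.zIndex, 10) > 0) // "auto" gives NaN, dropped
    .map((el) => ({ id: el.id, coverage: visibleArea(el.rect, viewport) / total }))
    .filter((hit) => hit.coverage >= MIN_COVERAGE)
    .sort((a, b) => b.coverage - a.coverage);
}

// In a browser, build the descriptors from the live DOM (not run under Node).
function describeDocument(doc, win) {
  return Array.from(doc.querySelectorAll("body *"), (node) => {
    const style = win.getComputedStyle(node);
    const r = node.getBoundingClientRect();
    return {
      id: node.id || node.tagName, display: style.display,
      position: style.position, zIndex: style.zIndex,
      rect: { left: r.left, top: r.top, right: r.right, bottom: r.bottom },
    };
  });
}

// Constructed sample: page body, a chat form layered over it, a small status
// blurb like the "loading..." one mentioned above, and a hidden layer.
const SAMPLE_VIEWPORT = { width: 1000, height: 800 };
const SAMPLE_ELEMENTS = [
  { id: "article", display: "block", position: "static", zIndex: "auto",
    rect: { left: 0, top: 0, right: 1000, bottom: 3000 } },
  { id: "chat-offer", display: "block", position: "absolute", zIndex: "9999",
    rect: { left: 250, top: 200, right: 750, bottom: 600 } },
  { id: "loading-blurb", display: "block", position: "fixed", zIndex: "50",
    rect: { left: 900, top: 0, right: 1000, bottom: 20 } },
  { id: "hidden-layer", display: "none", position: "fixed", zIndex: "9999",
    rect: { left: 0, top: 0, right: 1000, bottom: 800 } },
];
```

Only the constructed chat form is reported; the small status blurb falls below the coverage threshold and the hidden layer is not displayed.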