Re: Iceweasel freezes and iceape vulnerabilities and instability
On Fri, 11 Jul 2008, Jeff Soules wrote:
that is allowed by Iceape, to take control of Iceape), Iceape opens multiple
pop-up windows, and, if one of the pop-up windows is inadvertently, directly
manually closed, the application crashes.
Funny you mention this -- I don't think this is due to malicious code, because
I have had a similar problem in IceWeasel, a crash when I closed a
popped-out google chat window. I haven't seen a repeat of this so I don't
know if it was a fluke, but it does seem that under certain circumstances
which I can't yet elaborate, closing a popup will crash the browser.
Okay - the web browser might not itself, contain malicious code, but,
when attempting to close a tab, an unauthorised pop-up displays, and
says something like "Are you sure you want to close this window? Click
<whatever button> (in the unauthorised popup) to confirm/continue",
that, to me, is a vulnerability/security risk, created by the browser's
inability to block unwanted pop-ups.
As a single example of this, open
http://www.truthaboutabs.com/get-ripped-abs.html , then, try to close
it, by simply clicking on the box with a cross in it, that is to close
either a tab or a browser window.
Unwanted pop-up appears! Malicious code!
And, that the web browser does not allow me to mark and copy the text
that is displayed in the unrequested popup window, is a concern in
itself, as it is clearly allowing an external web site to take control
of the system, in preventing me from marking and copying the text in the
popup window.
How are we to know whether these things contain malicious code that is
written to spread malicious code or otherwise take control of the
system?
We should not have to go out to a console session, and use "ps -ax |
grep iceape", then "kill -9 <each pid showing iceape>", and kill all
sessions of iceape, just to close a single, malicious tab, that is
allowed by security breaches in the mozilla/firefox/iceape/iceweasel
software.
It is, to me, the web browser saying to the world, "Hey, everyone! here
is some idiot's computer for you to gain unauthorised entry to and
control over!".
If the web browser is unable to block unwanted pop-ups, then we should
not be misled by the browser, into thinking that it will block unwanted
pop-ups that are a threat to system security.
That in itself, is particularly disturbing - that we are misled by
settings in the browser, that are supposed to protect us, that actually
provide no protection.
Is that indicating that the web browser, does in fact contain malicious
code, when it misleads the user into wrongly believing that the user
is protected from a particular security threat?
That, I think, is a fair question.
"Here is this special, new, armour plating compound, that will stop all
bullet and armour-piercing projectiles. Just because it is actually just
a roll of cling-wrap for food covering, does not mean that it will not
protect your household from drive-by shootings."
That is the nature of the option "Block unrequested popup windows",
being an option to be set, that simply does not work.
Whether that failing, is what causes the other instabilities (leading to
the blank "untitled windows"), is something for the software maintainers
to investigate, but, the software is insecure and deceptive, in falsely
pretending to "Block unrequested popup windows".
--
Bret Busby
Armadale
West Australia
..............
"So once you do know what the question actually is,
you'll know what the answer means."
- Deep Thought,
Chapter 28 of Book 1 of
"The Hitchhiker's Guide to the Galaxy:
A Trilogy In Four Parts",
written by Douglas Adams,
published by Pan Books, 1992
....................................................