Re: Iceweasel freezes and iceape vulnerabilities and instability
Did a cursory bit of looking at the site -- it looks like the image in question
is not actually a "popup" per se (i.e. a secondary window that gets opened)
but is just a particularly obnoxious application of Javascript that's creating
a div on top of the page and inserting this form and image into it.  Or at
least that's what a bit of cursory inspection with the DOM Inspector seems
to suggest (also, if you hold down your move-window key and click, the
popup is fixed in place within the browser window, it's not a separate window
to X).
It's the same thing that e.g. gmail uses to display that little "loading..."
status blurb in the upper-right corner that sometimes covers up useful links.
So the popup blocker couldn't work, there is no external window popping
up.  If you turn off javascript completely, that ought to fix it, though
probably at the "cost" of meaning this website won't load at all.
It also displays an "alert" if you attempt to close the chat; my memory is
fuzzy but I'm pretty sure that specifying whether you can select that text
is a part of the Javascript standard.  Can you select the text in other alert
boxes?
Anyway, the browser is doing its job; it is just possible to do some really
annoying things with Javascript.  If it bothers you sufficiently, turn off
javascript.
On Sat, Jul 12, 2008 at 2:02 AM, Bret Busby <bret@busby.net> wrote:
> On Fri, 11 Jul 2008, Jeff Soules wrote:
>
>>
>>> that is allowed by Iceape, to take control of Iceape), Iceape opens
>>> multiple pop-up windows, and, if one of the pop-up windows is
>>> inadvertently, directly manually closed, the application crashes.
>>
>> Funny you mention this -- I don't think this is due to malicious code,
>> because I have had a similar problem in IceWeasel, a crash when I closed a
>> popped-out google chat window.  I haven't seen a repeat of this so I don't
>> know if it was a fluke, but it does seem that under certain circumstances
>> which I can't yet elaborate, closing a popup will crash the browser.
>>
>>
>
> Okay - the web browser might not itself, contain malicious code, but, when
> attempting to close a tab, an unauthorised pop-up displays, and says
> something like "Are you sure you want to close this window? Click <whatever
> button> (in the unauthorised popup) to confirm/continue", that, to me, is a
> vulnerability/security risk, created by the browser's inability to block
> unwanted pop-ups.
>
> As a single example of this, open
> http://www.truthaboutabs.com/get-ripped-abs.html , then, try to close it, by
> simply clicking on the box with a cross in it, that is to close either a tab
> or a browser window.
>
> Unwanted pop-up appears! Malicious code!
>
> And, that the web browser does not allow me to mark and copy the text that
> is displayed in the unrequested popup window, is a concern in itself, as it
> is clearly allowing an external web site to take control of the system, in
> preventing me from marking and copying the text in the popup window.
>
> How are we to know whether these things contain malicious code that is
> written to spread malicious code or otherwise take control of the system?
>
> We should not have to go out to a console session, and use "ps -ax | grep
> iceape", then "kill -9 <each pid showing iceape>", and kill all sessions of
> iceape, just to close a single, malicious tab, that is allowed by security
> breaches in the mozilla/firefox/iceape/iceweasel software.
>
> It is, to me, the web browser saying to the world, "Hey, everyone! here is
> some idiot's computer for you to gain unauthorised entry to and control
> over!".
>
> If the web browser is unable to block unwanted pop-ups, then we should not
> be misled by the browser, into thinking that it will block unwanted pop-ups
> that are a threat to system security.
>
> That in itself, is particularly disturbing - that we are misled by settings
> in the browser, that are supposed to protect us, that actually provide no
> protection.
>
> Is that indicating that the web browser, does in fact contain malicious
> code, when it misleads the user into wrongly believing that the user is
> protected from a particular security threat?
>
> That, I think, is a fair question.
>
> "Here is this special, new, armour plating compound, that will stop all
> bullet and armour-piercing projectiles. Just because it is actually just a
> roll of cling-wrap for food covering, does not mean that it will not protect
> your household from drive-by shootings."
>
> That is the nature of the option "Block unrequested popup windows", being an
> option to be set, that simply does not work.
>
> Whether that failing, is what causes the other instabilities (leading to the
> blank "untitled windows"), is something for the software maintainers to
> investigate, but, the software is insecure and deceptive, in falsely
> pretending to "Block unrequested popup windows".
>
> --
> Bret Busby
> Armadale
> West Australia
> ..............
>
> "So once you do know what the question actually is,
>  you'll know what the answer means."
> - Deep Thought,
>  Chapter 28 of Book 1 of
>  "The Hitchhiker's Guide to the Galaxy:
>  A Trilogy In Four Parts",
>  written by Douglas Adams,
>  published by Pan Books, 1992
>
> ....................................................
>
>
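
The reply above explains that the "popup" is a div drawn over the page by script rather than a separate window, which is why the popup blocker has nothing to block. The following is an added example, not part of either message: a small check that lists such in-page overlays. The function name, the 25% coverage threshold and the sample elements are assumptions made for illustration.

```javascript
// Added example. List elements that float above the page the way the
// thread's "popup" does: positioned, stacked on top, and covering a
// noticeable share of the viewport. No window is opened for these, so a
// popup blocker never sees them. In a browser: findOverlays(document, window)
function findOverlays(doc, win, minCoverage = 0.25) {
  const viewportArea = win.innerWidth * win.innerHeight;
  const hits = [];
  for (const node of doc.querySelectorAll("body *")) {
    const style = win.getComputedStyle(node);
    if (style.display === "none" || style.visibility === "hidden") continue;
    // Only positioned elements leave the normal page flow.
    if (style.position !== "fixed" && style.position !== "absolute") continue;
    // Heuristic: require an explicit stacking order ("auto" parses to NaN).
    const zIndex = parseInt(style.zIndex, 10);
    if (Number.isNaN(zIndex) || zIndex < 1) continue;
    const rect = node.getBoundingClientRect();
    const coverage = (rect.width * rect.height) / viewportArea;
    if (coverage >= minCoverage) hits.push({ node, zIndex, coverage });
  }
  return hits.sort((a, b) => b.zIndex - a.zIndex); // topmost first
}

// Constructed sample standing in for a page (not taken from the site in the
// thread): normal content, a large script-inserted form, a small status blurb.
function fakeElement(id, position, zIndex, width, height) {
  return {
    id,
    style: { position, zIndex, display: "block", visibility: "visible" },
    getBoundingClientRect: () => ({ width, height }),
  };
}
const sampleElements = [
  fakeElement("content", "static", "auto", 1000, 3000),
  fakeElement("status-blurb", "absolute", "10", 80, 20),
  fakeElement("chat-form", "fixed", "9999", 600, 400),
];
const sampleDoc = { querySelectorAll: () => sampleElements };
const sampleWin = {
  innerWidth: 1000,
  innerHeight: 800,
  getComputedStyle: (node) => node.style,
};

for (const hit of findOverlays(sampleDoc, sampleWin)) {
  console.log(hit.node.id, hit.zIndex, hit.coverage.toFixed(2));
}
```

Passing 0 as the third argument also lists small overlays such as a status blurb.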