Attackers could lure users to malicious pages and exploit the vulnerability to extract the credentials users had entered on previously-visited sites. According to Ormandy, this isn’t as hard as it sounds, as an attacker could easily disguise a malicious link behind a Google Translate URL, trick users into visiting the link, and then extract credentials from a previously visited site.
To exploit the flaw, Caballero says that an attacker can use server redirect requests combined with data URIs, which would allow him to confuse Edge’s SOP filter and load unauthorized resources on sensitive domains. The expert explains the attack step by step on his blog.
In the end, the attacker will be able to inject a password form on another domain, which the built-in Edge password manager will automatically fill in with the user’s credentials for that domain. Below is a video of the attack.
You can read the paper here.
This paper is the last artifact of my work at Mozilla, since I left employment there at the beginning of April. I believe that Mozilla can make progress in privacy, but leadership needs to recognize that current advertising practices that enable “free” content are in direct conflict with security, privacy, stability, and performance concerns — and that Firefox is first and foremost a user-agent, not an industry-agent.
Between March and April, here is how the browser market changed, according to the latest figures from Net Applications:
- Internet Explorer: down 0.71 points to 55.83 percent
- Chrome: up 0.69 points to 25.68 percent
- Firefox: down 0.19 points to 11.70 percent
- Safari: up 0.12 points to 5.12 percent
- Opera: up 0.05 points to 0.48 percent
When the browser encounters a Picture element, it first evaluates any rules that the Web developer might specify. (Opera’s developer site has a good article on all the possibilities Picture offers.) Then, after evaluating the various rules, the browser picks the best image based on its own criteria.
F.B. Purity is a browser extension / add-on that lets you clean up and customise Facebook. It filters out the junk you don’t want to see, leaving behind the stories and page elements you do wish to see. The list of story types that FBP hides is customizable to your taste.
The United States Computer Emergency Readiness Team, a part of Homeland Security known as US-CERT, said in an advisory released on Monday morning that the vulnerability in versions 6 to 11 of Internet Explorer could lead to “the complete compromise” of an affected system.
“We are currently unaware of a practical solution to this problem,” Carnegie Mellon’s Software Engineering Institute warned in a separate advisory that US-CERT linked to in its warning.
In terms of why Firefox was the most exploited browser at the 2014 Pwn2Own event, money likely plays a key role.
“Pwn2Own offers very large financial incentives to researchers to expose vulnerabilities, and that may have contributed in part to the researchers’ decision to wait until now to share their work and help protect Firefox users,” Stamm said. “Mozilla also offers financial rewards in our bug bounty program, and this program’s success has inspired other companies to follow suit.”
As a result, developers have to design with the dangers in mind and weigh that against the type and sensitivity of data stored in the client. At the moment, many development shops are not training their staffs to do that, says David Eads, founder of Mobile Strategy Partners, a mobile development firm that specializes in financial and insurance applications. In fact, he recently ran into a bank that used example HTML5 code for training developers that put data in permanent storage on the client system as opposed to temporary storage.
It is well past time, though, for the W3C and the browser vendors to stop talking as if they constrain the markup developers can use and focus instead on the many things they can do to make the browsers supporting that markup processing more capable. HTML’s legacy vocabulary is a great foundation on which developers can build their own toolsets. The Web will benefit, however, from letting developers solve their information problems in their own ways, rather than trying to stuff too many things into a single vocabulary.