
Security

Blocking popups in Firefox

April 6, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

One of the most compelling features of Firefox, for many users, is its built-in pop-up blocking. However, the advertising networks and webmasters looking to inflict pop-up ads on users weren't content to allow Firefox users (or anyone else, for that matter) to browse in peace. It's not surprising that, as Firefox gains in popularity, the Mozilla team would be faced with an "arms race" with advertisers determined to spawn pop-ups on all visitors to sponsored sites.

This writer has recently noticed that some sites had begun spawning pop-ups, despite the fact that Firefox's preferences had been configured to block them. After so long without having to cope with pop-ups, it was doubly annoying to see the nuisance starting all over again.

Before Firefox and other pop-up blockers appeared on the scene, pop-ups and pop-unders were, for the most part, spawned by JavaScript as soon as a site loaded. Firefox's pop-up blocking settings were very successful against almost all such ads. The notable exception, at least for this user, was the New York Times website, which was one of the first sites to find a workaround for Firefox's pop-up blocking.

JavaScript, however, is not the only way to spawn a pop-up. Notably, Flash, Java and other plugins can open windows of their own, and those windows are not subject to the restrictions that stop pop-ups spawned by JavaScript. To start blocking pop-ups on sites that use Flash or Java for this purpose, users can install the Pop-ups Must Die! extension.

Alternately, users can get the same effect by changing Firefox's settings by hand; the extension makes exactly two changes. The first is to add the preference "privacy.popups.disable_from_plugins" and set it to 2, which blocks windows opened by plugins. The second is to empty the value of "dom.popup_allowed_events", the list of DOM events during which a page's script is permitted to open a new window, so that no event qualifies. Both changes can be made by entering "about:config" in the Firefox address bar, finding (or creating) the preference, and editing its value.

The changes seem to have been very effective -- perhaps a little too effective. Several users have complained that the extension blocks requested pop-ups as well. This is true, but Firefox still lets users whitelist a site after one of its pop-ups has been blocked under the new settings, and this writer considers that a small price to pay to avoid unrequested pop-ups. Those who would rather put up with the occasional unrequested pop-up can set "privacy.popups.disable_from_plugins" to "1" instead, which allows plugin-opened windows but caps how many a single action may open (the cap is "dom.popup_maximum"), so nefarious webmasters cannot open an unlimited number of windows.
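To make the interaction of these preferences concrete, here is an added example (not code from the article, from Firefox, or from the Pop-ups Must Die! extension) that models how they combine to decide whether one window.open() request goes through, and applies that model to a default-style profile and to the two changes the extension makes. The preference names are Firefox's own; the 0/1/2 meaning of privacy.popups.disable_from_plugins, the event list used as the default, and the rule that a whitelisted site overrides everything else are this example's assumptions, and the user.js text and the sample requests are constructed here.

```javascript
// Added example: a model of how Firefox's pop-up preferences combine.
// Not code from the article, Firefox or the Pop-ups Must Die! extension.
// Assumptions: disable_from_plugins 0 = allow, 1 = allow but cap at
// dom.popup_maximum, 2 = block; a whitelisted site overrides everything.

// Constructed user.js fragment resembling a default Firefox 1.0-era profile.
const DEFAULT_USER_JS = `
user_pref("dom.disable_open_during_load", true);
user_pref("dom.popup_allowed_events", "change click dblclick mouseup reset submit");
user_pref("dom.popup_maximum", 20);
user_pref("privacy.popups.disable_from_plugins", 0);
`;

// The two changes the extension makes, written as a user.js fragment.
const HARDENED_USER_JS = `
user_pref("dom.disable_open_during_load", true);
user_pref("dom.popup_allowed_events", "");
user_pref("dom.popup_maximum", 20);
user_pref("privacy.popups.disable_from_plugins", 2);
`;

// Read user_pref("name", value); lines. The value is a JSON-compatible
// literal (string, number or boolean), so JSON.parse decodes it.
function parseUserJs(text) {
  const prefs = {};
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$/;
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (m) prefs[m[1]] = JSON.parse(m[2]);
  }
  return prefs;
}

// One window.open() request:
//   origin      host of the page asking
//   fromPlugin  true when Flash/Java rather than page script asked
//   event       DOM event being handled at the time, or null (e.g. onload)
//   openedSoFar windows this handler has already opened
function popupAllowed(prefs, whitelist, req) {
  if (!prefs["dom.disable_open_during_load"]) return true; // blocking is off
  if (whitelist.has(req.origin)) return true;              // user allowed this site
  const max = prefs["dom.popup_maximum"];
  if (req.fromPlugin) {
    const mode = prefs["privacy.popups.disable_from_plugins"];
    if (mode === 2) return false;                 // block plugin pop-ups outright
    if (mode === 1) return req.openedSoFar < max; // allow, but cap the count
    return true;                                  // 0: allow
  }
  const allowed = prefs["dom.popup_allowed_events"].split(/\s+/).filter(Boolean);
  if (req.event === null || !allowed.includes(req.event)) return false;
  return req.openedSoFar < max;
}

// Constructed requests: an onload pop-under, a clicked link, a Flash movie.
const SAMPLE_REQUESTS = [
  { name: "onload pop-under", origin: "ads.example", fromPlugin: false, event: null,    openedSoFar: 0 },
  { name: "clicked link",     origin: "ads.example", fromPlugin: false, event: "click", openedSoFar: 0 },
  { name: "flash movie",      origin: "ads.example", fromPlugin: true,  event: null,    openedSoFar: 0 },
];

// Run every sample request against one user.js fragment.
function evaluate(userJs, whitelist = new Set()) {
  const prefs = parseUserJs(userJs);
  const result = {};
  for (const req of SAMPLE_REQUESTS) result[req.name] = popupAllowed(prefs, whitelist, req);
  return result;
}

// Default profile:  onload false, clicked true,  flash true
// Hardened profile: onload false, clicked false, flash false
// Hardened profile with ads.example whitelisted: all true
```

The point the model makes visible is that the default settings never blocked the plugin request at all, and that clearing the event list is what turns off the "requested" click pop-ups users complained about; the whitelist is the escape hatch for sites where those are wanted.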

Determined webmasters, however, can find other ways to inflict advertising on users. Consider the site that was pointed out in the discussion about the "Pop-ups Must Die!" extension. Rather than spawning a pop-up, it draws a frame inside the page that covers the site's content until the frame "window" is closed. Since no new browser window is ever opened, the pop-up blocker, which only governs the opening of new windows, has nothing to act on. Short of disabling frames altogether, which would break a great many sites that use them legitimately, it is difficult to see how this kind of "pop-up" could be avoided. (Note that disabling frames by setting "browser.frames.enabled" to false appears to break Firefox entirely.)

Ultimately, the best solution may not rest with Firefox. Users who are offended by pop-ups, and other intrusive advertising, have an infallible weapon at their disposal -- stop visiting sites that insist on using pop-ups. While it would require a great number of users to be effective, even the most persistent webmasters and advertisers would have to reconsider their methods if they have no audience for their ads.


New vulnerabilities

Dnsmasq: poisoning and DoS

Package(s): dnsmasq    CVE #(s):
Created: April 4, 2005    Updated: July 21, 2005
Description: Dnsmasq does not properly check that DNS replies it receives correspond to a DNS query it actually sent, which allows bogus replies to be accepted. Rob Holland of the Gentoo Linux Security Audit team also discovered two off-by-one buffer overflows that could crash the daemon while it parses DHCP lease files.
Alerts:
Slackware SSA:2005-201-01 dnsmasq 2005-07-21
Gentoo 200504-03 dnsmasq 2005-04-04
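The missing check described above is the core of a poisoning attack: a forwarder that accepts any reply, or any reply whose transaction ID happens to be outstanding, can be handed records it never asked for. The following is an added example, not dnsmasq's code, showing in Node.js what a forwarder has to compare before it trusts a reply: the transaction ID, the server the query was sent to, and the question itself. The wire format follows RFC 1035 sections 4.1.1 and 4.1.2; the upstream address, the names and the packets are constructed for the example.

```javascript
// Added example, not dnsmasq's code: matching a DNS reply against the
// outstanding query it claims to answer. Names, addresses and packets are
// constructed; only the header/question layout comes from RFC 1035.

// Encode "www.example.com" as length-prefixed labels ending in a zero byte.
function encodeName(name) {
  const parts = [];
  for (const label of name.split(".").filter(Boolean)) {
    parts.push(Buffer.from([label.length]), Buffer.from(label, "ascii"));
  }
  parts.push(Buffer.from([0]));
  return Buffer.concat(parts);
}

// Header plus a single question; no answer section is needed for the check.
function buildMessage({ id, isResponse, qname, qtype = 1 }) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(isResponse ? 0x8180 : 0x0100, 2); // QR, RD (and RA)
  header.writeUInt16BE(1, 4);                              // QDCOUNT = 1
  const tail = Buffer.alloc(4);
  tail.writeUInt16BE(qtype, 0);                            // QTYPE
  tail.writeUInt16BE(1, 2);                                // QCLASS = IN
  return Buffer.concat([header, encodeName(qname), tail]);
}

// Parse only what matching needs: ID, QR bit, and the first question.
// (Question names are not compressed in practice, so no pointer handling.)
function parseMessage(buf) {
  const id = buf.readUInt16BE(0);
  const isResponse = (buf.readUInt16BE(2) & 0x8000) !== 0;
  let off = 12;
  const labels = [];
  while (buf[off] !== 0) {
    const len = buf[off];
    labels.push(buf.toString("ascii", off + 1, off + 1 + len));
    off += 1 + len;
  }
  off += 1;
  return {
    id,
    isResponse,
    qname: labels.join(".").toLowerCase(),
    qtype: buf.readUInt16BE(off),
    qclass: buf.readUInt16BE(off + 2),
  };
}

// Forwarder state: queries sent upstream that are still awaiting a reply.
class Forwarder {
  constructor() { this.pending = new Map(); }

  sendQuery(id, qname, qtype, upstream) {
    this.pending.set(id, { qname: qname.toLowerCase(), qtype, upstream });
  }

  // Accept a reply only if it carries the ID of an outstanding query, comes
  // from the server that query went to, and repeats the same question.
  // Everything else is dropped instead of being cached.
  acceptReply(buf, from) {
    const msg = parseMessage(buf);
    if (!msg.isResponse) return { accepted: false, reason: "not a response" };
    const q = this.pending.get(msg.id);
    if (!q) return { accepted: false, reason: "no outstanding query with this ID" };
    if (from.address !== q.upstream.address || from.port !== q.upstream.port) {
      return { accepted: false, reason: "reply from unexpected server" };
    }
    if (msg.qname !== q.qname || msg.qtype !== q.qtype || msg.qclass !== 1) {
      return { accepted: false, reason: "question does not match" };
    }
    this.pending.delete(msg.id);   // one reply per query
    return { accepted: true, reason: "matched" };
  }
}

// Constructed scenario: one real query, then four replies of which only one
// should be believed. Evaluation order matters because the genuine reply
// consumes the pending entry.
function demo() {
  const upstream = { address: "192.0.2.53", port: 53 };
  const fwd = new Forwarder();
  fwd.sendQuery(0x1234, "www.example.com", 1, upstream);
  const genuine = buildMessage({ id: 0x1234, isResponse: true, qname: "www.example.com" });
  const unsolicited = buildMessage({ id: 0x4321, isResponse: true, qname: "bank.example" });
  const wrongQuestion = buildMessage({ id: 0x1234, isResponse: true, qname: "bank.example" });
  return {
    unsolicited: fwd.acceptReply(unsolicited, upstream).accepted,                        // false
    wrongQuestion: fwd.acceptReply(wrongQuestion, upstream).accepted,                    // false
    spoofedSource: fwd.acceptReply(genuine, { address: "203.0.113.9", port: 53 }).accepted, // false
    genuine: fwd.acceptReply(genuine, upstream).accepted,                                // true
    replay: fwd.acceptReply(genuine, upstream).accepted,                                 // false
  };
}
```

Even with all three comparisons in place, a 16-bit transaction ID on its own is a small search space for an attacker who can race the real reply; resolvers also need unpredictable IDs and source ports, which this model does not show.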


gaim: buffer overflow, DoS

Package(s): gaim    CVE #(s): CAN-2005-0965 CAN-2005-0966
Created: April 5, 2005    Updated: May 15, 2005
Description: Jean-Yves Lefort discovered a buffer overflow in the gaim_markup_strip_html() function. This caused Gaim to crash when receiving certain malformed HTML messages. (CAN-2005-0965)

Jean-Yves Lefort also noticed that many functions that handle IRC commands do not escape received HTML metacharacters; this allowed remote attackers to cause a Denial of Service by injecting arbitrary HTML code into the conversation window, popping up arbitrarily many empty dialog boxes, or even causing Gaim to crash. (CAN-2005-0966)

Alerts:
Slackware SSA:2005-133-01 gaim 2005-05-15
Conectiva CLA-2005:949 gaim 2005-04-27
Slackware SSA:2005-111-03 gaim 2005-04-22
Mandriva MDKSA-2005:071 gaim 2005-04-13
Red Hat RHSA-2005:365-01 gaim 2005-04-12
Gentoo 200504-05 gaim 2005-04-06
Fedora FEDORA-2005-299 gaim 2005-04-05
Fedora FEDORA-2005-298 gaim 2005-04-05
Ubuntu USN-106-1 gaim 2005-04-05


kernel: multiple vulnerabilities

Package(s): kernel    CVE #(s): CAN-2005-0400 CAN-2005-0749 CAN-2005-0750 CAN-2005-0815 CAN-2005-0839
Created: April 1, 2005    Updated: July 1, 2005
Description: More kernel vulnerabilities have been discovered including:
  • Mathieu Lafon discovered an information leak in the ext2 file system driver. (CAN-2005-0400)
  • Yichen Xie discovered a Denial of Service vulnerability in the ELF loader. (CAN-2005-0749)
  • Ilja van Sprundel discovered that the bluez_sock_create() function did not check its "protocol" argument for negative values. (CAN-2005-0750)
  • Michal Zalewski discovered that the iso9660 file system driver fails to check ranges properly in several cases. (CAN-2005-0815)
  • Previous kernels did not restrict the use of the N_MOUSE line discipline in the serial driver. (CAN-2005-0839)
Alerts:
Mandriva MDKSA-2005:110 kernel 2005-06-30
Mandriva MDKSA-2005:111 kernel-2.4 2005-06-30
Fedora-Legacy FLSA:152532 kernel 2005-06-04
Conectiva CLA-2005:952 kernel 2005-05-02
Red Hat RHSA-2005:284-01 kernel 2005-04-28
Red Hat RHSA-2005:283-01 kernel 2005-04-28
Red Hat RHSA-2005:293-01 kernel 2005-04-22
Fedora FEDORA-2005-313 kernel 2005-04-11
Trustix TSLSA-2005-0011 kernel 2005-04-05
SuSE SUSE-SA:2005:021 kernel 2005-04-04
Ubuntu USN-103-1 linux-source-2.6.8.1 2005-04-01


limewire: input validation errors

Package(s): limewire    CVE #(s): CAN-2005-0788 CAN-2005-0789
Created: March 31, 2005    Updated: April 6, 2005
Description: LimeWire, a Java-based peer-to-peer client that works with the Gnutella file-sharing protocol, has two input validation errors that can allow a remote attacker to read arbitrary files with the permissions that LimeWire is running under.
Alerts:
Gentoo 200503-37 limewire 2005-03-31


remstats: tempfile, missing input sanitizing

Package(s): remstats    CVE #(s): CAN-2005-0387 CAN-2005-0388
Created: April 4, 2005    Updated: April 6, 2005
Description: Jens Steube discovered several vulnerabilities in remstats, the remote statistics system. When processing uptime data on the unix-server a temporary file is opened in an insecure fashion which could be used for a symlink attack to create or overwrite arbitrary files with the permissions of the remstats user. (CAN-2005-0387) The remoteping service can be exploited to execute arbitrary commands due to missing input sanitizing. (CAN-2005-0388)
Alerts:
Debian DSA-704-1 remstats 2005-04-04


php4: denial of service vulnerabilities

Package(s): php4    CVE #(s): CAN-2005-0524 CAN-2005-0525
Created: April 5, 2005    Updated: May 26, 2005
Description: Two DoS vulnerabilities exist in PHP versions 4.2.2, 4.3.9, 4.3.10 and 5.0.3. One, in the php_handle_iff function in image.c, allows remote attackers to cause a denial of service (infinite loop) via a -8 size value. The other, in the php_next_marker function in image.c, allows remote attackers to cause a denial of service (infinite loop) via a JPEG image with an invalid marker value, which causes a negative length value to be passed to php_stream_seek. This latter vulnerability also exists in PHP 3.
Alerts:
Debian DSA-729-1 php4 2005-05-26
Gentoo 200504-15 php 2005-04-18
Fedora FEDORA-2005-315 php 2005-04-15
Debian DSA-708-1 php3 2005-04-15
SuSE SUSE-SA:2005:023 php4, 2005-04-15
Slackware SSA:2005-095-01 php 2005-04-06
Ubuntu USN-105-1 php4 2005-04-05


sharutils: insecure temporary files

Package(s): sharutils    CVE #(s):
Created: April 4, 2005    Updated: April 14, 2005
Description: Joey Hess discovered that "unshar" created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program.
Alerts:
Fedora FEDORA-2005-319 sharutils 2005-04-14
Mandrake MDKSA-2005:067 sharutils 2005-04-07
Gentoo 200504-06 sharutils 2005-04-06
Ubuntu USN-104-1 sharutils 2005-04-04


sylpheed: buffer overflow on message

Package(s): sylpheed sylpheed-claws    CVE #(s):
Created: April 4, 2005    Updated: April 6, 2005
Description: Sylpheed and Sylpheed-claws fail to properly handle messages containing attachments with MIME-encoded filenames, leading to a buffer overflow.
Alerts:
Gentoo 200504-02 sylpheed 2005-04-02


wu-ftpd: missing input sanitizing

Package(s): wu-ftpd    CVE #(s): CAN-2005-0256
Created: April 4, 2005    Updated: April 6, 2005
Description: The wu_fnmatch function in wu_fnmatch.c for wu-ftpd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir command.
Alerts:
Debian DSA-705-1 wu-ftpd 2005-04-04


Page editor: Jonathan Corbet


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds