
Bug in Internet Explorer security model when embedding Flash

Update: I’ve posted a real world example of this bug being exploited.

This one has the same behavior on IE6, IE7 and IE8 betas.

I have only tested this with Flash swf files, but it’s likely that this security is applied and broken the same way when navigating to different types of files.

When a Flash file (swf) is loaded directly in the browser without an HTML container page, for example http://example.com/game.swf, most browsers automatically create an HTML page and embed the swf inside it. FireFox and Google Chrome automatically create an embed tag with some default values, and IE uses this mshtml script (res://mshtml.dll/objectembed_neutral.js) to load the object.

Because this automatically created embed tag doesn’t specify the allowscriptaccess property, it defaults to samedomain. The swf file can therefore script the automatically generated HTML page it resides in, using ExternalInterface, which is a major security flaw. I will post about a real world example of this security flaw shortly.
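The same implicit default applies to pages that embed a swf on purpose, so markup can be audited for it. The following is an added example, not code from the original post: a JavaScript (Node.js) function that lists every Flash embed and object tag with its effective allowScriptAccess setting. The function names and the sample markup are constructed for illustration.

```javascript
// Added example, not from the original post; SAMPLE_HTML is constructed.
const SAMPLE_HTML = `
<embed src="game.swf" width="550" height="400">
<embed src="banner.swf" allowScriptAccess="never">
<object data="player.swf" type="application/x-shockwave-flash">
  <param name="movie" value="player.swf">
  <param name="allowScriptAccess" value="always">
</object>
<object data="chart.svg" type="image/svg+xml"></object>`;

// Parse name="value" pairs out of one start tag; names are lower-cased.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  for (const m of tag.matchAll(re)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return attrs;
}

const isFlash = (src, type) => /\.swf(?:[?#]|$)/i.test(src || '') ||
  (type || '').toLowerCase() === 'application/x-shockwave-flash';
// A missing value means the player falls back to sameDomain (the case in the post).
function finding(tag, src, value) {
  const v = (value || '').toLowerCase();
  const effective = v || 'samedomain';
  return { tag, src, explicit: Boolean(v), effective, review: effective !== 'never' };
}

function auditFlashEmbeds(html) {
  const out = [];
  // <embed> carries allowScriptAccess as an attribute.
  for (const m of html.matchAll(/<embed\b[^>]*>/gi)) {
    const a = parseAttrs(m[0]);
    if (isFlash(a.src, a.type)) out.push(finding('embed', a.src, a.allowscriptaccess));
  }
  // <object> carries it in a nested <param>; audited separately because the
  // classic nested markup lets a browser use the <object> or its inner <embed>.
  for (const m of html.matchAll(/<object\b([^>]*)>([\s\S]*?)<\/object>/gi)) {
    const a = parseAttrs(m[1]);
    const params = {};
    for (const p of m[2].matchAll(/<param\b[^>]*>/gi)) {
      const pa = parseAttrs(p[0]);
      if (pa.name) params[pa.name.toLowerCase()] = pa.value;
    }
    const src = params.movie || a.data;
    if (isFlash(src, a.type)) out.push(finding('object', src, params.allowscriptaccess));
  }
  return out;
}
console.log(auditFlashEmbeds(SAMPLE_HTML));
```

Entries with explicit set to false rely on the default and are the ones to fix first; review stays true for anything other than never.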

Internet Explorer, rightfully, considers this generated page less secure and so restricts access to the JavaScript document object, preventing the embedded swf from scripting the DOM of the page.

Just test it: go to any swf file on the web using Internet Explorer, then run this script in the address bar: javascript:alert(document); You’ll see the error “Access is denied”. Touching the document is prohibited!


But, all that is needed to compromise this security feature in IE is to reload the page. That’s it, just reload the page once by pressing F5. Run the script again javascript:alert(document); you’ll see the precious document and no error will be thrown.

Most of the other JavaScript objects are still available, among them the native window object. A swf file, for example, can reload the page on its own using window.location.reload() and will then be able to bypass the restriction and freely manipulate the page.

This script can run from inside the swf using ExternalInterface.call("eval", "script"); If the “try” clause fails, it’s probably an IE browser and the page will reload immediately without the user noticing. The second time the page loads, the “try” clause won’t fail.

try{
   $d = document;
   //Mess with the DOM
}catch(ex){
   window.location.reload();
}

I was impressed that Microsoft implemented such a security feature, as opposed to FireFox, Chrome and others, who don’t have a similar restriction. But it needs to be done right, otherwise it misses the point.

As I said, I’ll post a real world example of this being exploited, soon.

I have finally closed all of my TABs

This happens to me once every few months: I managed to clear all of my FireFox tabs. Read ‘em all, all the stuff I “have to” read later; some wait there as an open tab for weeks before they get read and closed. It feels like a fresh start every time I manage to do so. Just the FireFox starting page without anything else. I’d better not go to any interesting website right now, especially not one of these aggregators that can lead to tens of open tabs in a minute. Let’s savor the moment.

Along with some other issues, like CSRF, tab surfing mainly hurts our time management (lack of) skills. With the old browsers you could have opened a lot of windows, but it felt crowded after 10, and when it crashed, and it generally did (i.e. IE), it didn’t give you the “favor” of restoring all the windows. These days, when using a browser like FF, it’s easy to open tons of tabs without even noticing. The only thing that could have saved us is the small memory leakage in FF that forces us to restart the browser every so often. Sadly enough, there are add-ons like Tab Mix that will restore all of the tabs. Or, what I generally do is just kill the process and launch FF again to get back all of my tabs with a clean FF memory. You can’t just lose the tabs, you need to read them!

I was starving for something that will help my condition. There are lots of tab-related add-ons for FireFox that do all kinds of tricks, but look at this one I found here, named Read It Later. Look at the name: it’ll help me to, you guessed it, read it later. I don’t need my tabs to sing or be colorful, I just want to be able to close the tabs and not feel like I’m losing anything.

So far so good, but will I really read these tabs later? Coz sometimes it’s worth it, reading later, that is. And I believe I won’t, because Read It Later reminds me too much of this “uber” technique I have of dragging all the links from the address bar into a folder. This way you clear the tabs, you have it all saved, but you never even open this folder again. Read It Later generates a plain list which has no appeal and doesn’t really convince me to get back to it, especially when it gets crowded with lots of links.

Luckily there is yet another tab saver that focuses on tab saving, named Taboo. The obvious benefit of Taboo is that it generates thumbnails out of the saved links, which helps to distinguish between the good saves and the less good ones. Taboo can also show you the saved tabs inside a calendar. For me that’s all I want: give me the saved tab and tell me how old it is. The only thing that is missing from Taboo is that you can’t right-click on a link and save it; it has to be an open tab. And also no offline reading, but who needs it anyway, just open the tabs before you go online if you ever do, go offline. Taboo adds just two buttons near the address bar, and has been working fine for me so far.

There are other tab savers that try to do too much; they wanna be more than a simple tab saver, and lose their purpose by doing that. For example ScrapBook, which does too much IMHO. ScrapBook has the nerve of adding itself in too many places, even in my FF main menu, just after my bookmark menu button. Are the ScrapBook saved tabs equal to my main FF Bookmarks?! I don’t think so!


Maybe I need to sell my Ferrari, not that I own a Ferrari (yet), you know, metaphorically speaking. Unplug the switch, disconnect, get a life, bring a hammer and break my laptop into tiny pieces. Wait, that’s the company’s laptop, I don’t think they’ll like that.

Anyway, this post has become quite a rant, and I would finally say that tab surfing is too good a feature. Maybe I was better off without it, but it’s here to stay and I’m not gonna quit using it, so I’d better find some way to complete it. I have all of these add-ons and more still installed and I’ll let you know how it’s working.