• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Mozilla/Netscape/Firefox Browsers XPCOM Plug-In For Apple Mac OSX Content Spoofing Vulnerability

Severity: MODERATE

Description:

Mozilla, Netscape and Firefox are web browsers that are based on the Gecko engine. The Gecko engine employs the XPCOM interface to permit third parties to author browser plug-ins. The aforementioned browsers are available for a number of platforms, including Microsoft Windows, Apple Mac OS X, Unix and Linux variants.

Browsers based on the Gecko engine are reported prone to a content spoofing vulnerability when they are running on the Apple Mac OS X platform. It is reported that the vulnerability occurs when the browser is configured to employ 'Tabbed Browsing' functionality.

In essence, an XPCOM plug-in that is invoked in one tab may draw graphics in the environment of alternate tabs that are open in the same browser window that the original XPCOM plug-in was drawn in.

It is not known whether the XPCOM based plug-in from one domain can directly access the properties of an alternate domain, however, it has been reported that graphical elements may be displayed in alternate tabs. It is not known to what degree an attacker could control this behavior.

While a number of plug-ins are noted to exhibit this behavior on Mac OS X platforms, the major risk is that Java applets may draw graphics in alternate tabs. This could allow for content to be spoofed or misrepresented. Since it may also be possible to associate event handlers for keyboard and mouse actions with these graphical elements, this could allow an attacker to intercept information from a victim user who may trust spoofed content.

This vulnerability is reported to exist in versions of Netscape Navigator, Mozilla, and Firefox browsers on Mac OS X platforms. Other browsers that are based on the Gecko engine might also be vulnerable.

Affected Products:

• Mozilla Browser 1.7.2
• Mozilla Firefox 0.9.3
• Netscape Navigator 7.1.0
• Netscape Navigator 7.2.0

References:

• Bill McGonigle <bill+mozilla@zettabyte.net>: [OSX] (Java applet, Real, QuickTime) XPCOM plug-ins draw on wrong tabs and lea
• Netscape: Netscape Homepage

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.