Firstly, a rough translation of the previous mail for non-Italian
readers: 
She doesn't like the fact that the report was closed as
not-a-bug, stating that there are enough elements to prove it.
The first point here is that she says that new "fake" windows/frames
hijacked the workspace, interpreting that as a window spoofing attack
[1]. She adds that it isn't related to a single rogue site, but it
happens on all sites with frames (citing gmail, yahoo, and various
other webmail).
The second issue she reports (maybe related) is that the flash
call fscommand() might not be safe, giving a malicious app the ability
to invoke programs on the target host (in the first mail she reported
part of the log of a network sniffer, during an SMB domain enum).
She suggests fixing the bug and implementing an ip-based filter to avoid
the attack (here described as a mix of Man-in-the-middle and
tcp-connection injecting by a third party host).

Then my comments:
Firstly, the SMB enum is completely unrelated to this report, and I
think the reporter just mixed up what is internal SMB traffic with
what is usually called resource enumeration on an attacked host.
Then, the part regarding the ip-source check could be ignored, as she's
probably missing some fundamentals of the protocol (ie. here there
isn't any injection at tcp-level).

Coming back to the browser issue, this is clearly a mixture of
flash/swfdec behavior and iceweasel's own rendering. Judging from the
screenshot, she's using swfdec; looking at the source, both swfdec and
gnash don't fully support fscommand(), but only a minor and safe subset
(ie. "quit" and such). So actually this shouldn't pose a security
problem (it could be relevant with the proprietary plugin, though I
can't really say if fscommand() works without limits on linux, and what
we could do about that). Secondly, I wouldn't say she's experiencing a
window spoofing attack. The only thing I can deduce from the screenshot
is a probably "strange" rendering and disposition of some iframed sites,
which could be due to the embedded flash object, plus two unnamed
windows which should be something external (swf object players or
such). I really doubt that an intelligent user could be tricked this
way by a specifically crafted website (or, anyway, we can't do much
more to technically fix a human problem).

Many details of the report are anyway obscure, so I had to add some
assumptions and interpretations of my own to reach those conclusions.
More details and specific info are welcome, if I've missed some points.

I would agree with Cristoph closing this report as it isn't a bug in
iceweasel, nor in any free flash player.

In the end, I would agree with Luca, as I've already met her on many
mailing lists (eg. debian-italian, cc-italian, debian-user, both under
her real name and the nickname heba) and she has already proven to be a
mixture of an uncollaborative troll and an egocentric security-paranoid
person, who is lacking deep knowledge in certain fields and tends to
correlate unlinked events to describe them all as a security attack
in place (I could link previous threads here, but this isn't the main
point of the bug report). Her second mail in Italian was almost as
confused as the first English one, plus adding some sarcastic comments
that I personally didn't like (but I won't really engage in a harsh
discussion here).

Nonetheless, I tried to be objective and inspected the issue
from a neutral POV. Eric, please read all the above comments and decide
by yourself.

Cheers, Luca

[1] http://www.mikx.de/firespoofing/

-- 
 .''`.  ** Debian GNU/Linux **  | Luca Bruno (kaeso)
: :'  :   The Universal O.S.    | lucab (AT) debian.org
`. `'`                          | GPG Key ID: 3BFB9FB3
  `-     http://www.debian.org  | Debian GNU/Linux Developer
