Archive for July, 2007
I’m going to be in San Francisco July 21st – 28th, and Vancouver July 28th – August 4th. While in San Francisco I’m speaking at the Ajax Experience. If you’re based in SF or YVR or are attending the conference let me know, cause I’d love to meet up.
Newer versions are available. Find out more.
Yesterday, a security vulnerability was found in sIFR 2 and 3. Malicious websites can trick visitors into running JavaScript code on domains hosting sIFR movies. No exploits are known. If you are using sIFR 3, you are advised to update to revision 278 (or any later revision).
You’ll need to update the sifr.js file and re-export the sIFR movies.
Detailed description
sIFR passes the text it has to render to the Flash movie using Flash variables. Normally these variables are specified using a flashvars parameter, but they can also be passed in the query string. A malicious website can craft an iframe which points to a sIFR movie on the target domain and pass an HTML link to some JavaScript code to the movie through the query string. When a visitor of the malicious website clicks on the link, the code is run on the domain where the movie resides. Vulnerable browsers are Firefox, Safari, Opera and Netscape. This specific attack does not work in Internet Explorer. An alternative attack is to load the movie directly or in a popup window; this does work in Internet Explorer.
Revision 278 prevents this attack by not rendering any content that is passed through the query string. Credit goes to Arseny Vesnin for finding the vulnerability.
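As an added example (not part of sIFR or of the original post), this Node.js script shows one way a site operator could check web server access logs for requests that hand markup to a `.swf` through the query string, the delivery path described above. The log lines, host names and the parameter name `sample` are constructed, and the Combined Log Format is an assumption.

```javascript
// Added example; log lines, hosts and the parameter name "sample" are constructed.
const SITE_HOST = 'www.example.com'; // assumption: the host that serves the sIFR movies
const LOG_LINES = [
  '203.0.113.7 - - [10/Jul/2007:10:01:12 +0000] "GET /flash/font.swf HTTP/1.1" 200 18231 "http://www.example.com/" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Jul/2007:10:02:40 +0000] "GET /flash/font.swf?v=1 HTTP/1.1" 200 18231 "http://www.example.com/" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Jul/2007:10:05:03 +0000] "GET /flash/font.swf?sample=%3Ca%20href%3D%22javascript%3Avoid(0)%22%3Eclick%3C%2Fa%3E HTTP/1.1" 200 18231 "http://other.example.net/page" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Jul/2007:10:05:09 +0000] "GET /flash/font.swf?sample=%253Ca%2520href%253D%2522JaVaScRiPt%253Avoid(0)%2522%253E HTTP/1.1" 200 18231 "-" "Mozilla/5.0"',
];

// Combined Log Format: request line, status, size, then the quoted Referer.
const LINE_RE = /"(?:GET|HEAD|POST) (\S+) HTTP\/[\d.]+" \d{3} \S+ "([^"]*)"/;
// Markup or a script-scheme URL has no place in a request for a font movie.
const SUSPICIOUS_RE = /<\s*[a-z!\/]|javascript\s*:/i;

// Percent-decode until stable (max 3 rounds) so values encoded more than once are seen too.
function decodeFully(value) {
  let current = value.replace(/\+/g, ' ');
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { return current; } // malformed %
    if (next === current) break;
    current = next;
  }
  return current;
}

function refererHost(referer) {
  try { return new URL(referer).hostname; } catch (e) { return null; } // "-" or empty
}

// Returns one finding per .swf request whose query string carries markup.
function findSwfQueryInjection(lines, siteHost) {
  const findings = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const q = m[1].indexOf('?');
    const path = q < 0 ? m[1] : m[1].slice(0, q);
    const query = q < 0 ? '' : m[1].slice(q + 1);
    if (!/\.swf$/i.test(path) || query === '') continue;
    const decoded = decodeFully(query);
    if (!SUSPICIOUS_RE.test(decoded)) continue;
    const host = refererHost(m[2]);
    findings.push({ path, decoded, offSiteReferer: host !== null && host !== siteHost });
  }
  return findings;
}

console.log(findSwfQueryInjection(LOG_LINES, SITE_HOST));
```

A finding with `offSiteReferer` set to true matches the iframe scenario; a missing Referer is reported as false and corresponds to the movie being loaded directly or in a popup.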
Other changes
Here are the changes since revision 229:
- Improvements to the Callback API.
- Improved ratio calculation and handling.
- No longer replacing elements that have `display: none` set.
- Added a `transparency` and `opaqueness` option.
- Increased frame-rate of sIFR movies.
- Elements with the `.sIFR-ignore` class will now be visible.
- Changed semantics of `sIFR.prefetch()`. When invoked after `sIFR.activate()` it’ll pre-fetch the given Flash movies in all browsers.
- Fix for the sticky hover problem.
- Fixed problem in Internet Explorer when used in combination with (for instance) SWFObject.
- Anti-aliasing can be specified in JavaScript.
- Text-wrapping can now be prevented by setting the `preventWrap` property for `sIFR.replace()`.
- sIFR will no longer activate when loaded directly from the filesystem. Load it through a webserver instead.
- Debug mode is automatically enabled if the `sifr-debug.js` file is loaded (before `sifr.js`).
As this release has been rushed due to the security issue, I have not been able to update the documentation.
sIFR 2.0.5 has been released. Please upgrade to sIFR 2.0.5.
Yesterday, a security vulnerability was found in sIFR 2 and 3. Malicious websites can trick visitors into running JavaScript code on domains hosting sIFR movies. No exploits are known. If you are currently using sIFR 2, you are advised to update to version 2.0.3.
You’ll need to update the sifr.js file and re-export the sIFR movies.
Detailed description
sIFR passes the text it has to render to the Flash movie using Flash variables. Normally these variables are specified using a flashvars parameter, but they can also be passed in the query string. A malicious website can craft an iframe which points to a sIFR movie on the target domain and pass an HTML link to some JavaScript code to the movie through the query string. When a visitor of the malicious website clicks on the link, the code is run on the domain where the movie resides. Vulnerable browsers are Firefox, Safari, Opera and Netscape. This specific attack does not work in Internet Explorer. An alternative attack is to load the movie directly or in a popup window; this does work in Internet Explorer.
sIFR 2.0.3 prevents this attack by not rendering any content that is passed through the query string. Credit goes to Arseny Vesnin for finding the vulnerability.
Other changes since version 2.0.2
- sIFR has been disabled for Safari 1.0.
- If the `innerHTML` of an element containing a sIFR movie changes, the sIFR movie will fail to render. Upgrade to sIFR 3 to fix this.
