Bug 334426 (Closed): Web page opens seemingly infinite number of instances of mail client ("Last Measure", GNAA)
Opened 19 years ago, closed 7 years ago
Categories: Firefox :: General, defect
Status: RESOLVED DUPLICATE of bug 167475
People: Reporter sean.fao; Unassigned
Details: Whiteboard [sg:dos]
Attachments: 1 file (deleted), text/plain
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
I did a quick search, but I'm rather uneducated on the subject so it's quite possible that this is a duplicate. I apologize ahead of time if it is.
At any rate, the mirrors in the link posted above SHOULD NOT BE CLICKED. They're being spread around Slashdot and digg (probably others, as well) in an attempt to trick users into clicking them. Once clicked, Firefox automatically attempts to open a seemingly infinite number of instances of Outlook Express while blasting "I'm looking at gay porn" in the background along with extremely awful pictures.
Reproducible: Always
Steps to Reproduce:
Click any of the links in the mirror site above. DO NOT CLICK THE LINK UNLESS YOU KNOW WHAT YOU'RE DOING.
Actual Results:
A lot of very disturbing pictures came up on the screen and Firefox attempted to open a seemingly infinite number of instances of Outlook Express, which made it very difficult to get the situation back under control.
Expected Results:
There isn't much you can do about protecting users from obscene images, but I really hope there is something that can be done to hinder the attempted DOS attack that prohibits you from closing anything.
about:buildconfig
Build platform
  target: i586-pc-msvc
Build tools
  Compiler: $(CYGWIN_WRAPPER) cl   Version: 12.00.8804   Compiler flags: -TC -nologo -W3 -Gy -Fd$(PDBFILE)
  Compiler: $(CYGWIN_WRAPPER) cl   Version: 12.00.8804   Compiler flags: -TP -nologo -W3 -Gy -Fd$(PDBFILE)
Configure arguments
  --enable-application=browser --enable-update-channel=release --enable-optimize --disable-debug --disable-tests --enable-static --disable-shared --enable-official-branding --enable-svg --enable-canvas --enable-update-packaging
Comment 1•19 years ago
Comment 2•19 years ago
Most of the sites listed at lastmeasure appear to be down. Captured one, though, and attached it.
Outlook Express must be your default mail client. This thing creates a bunch of divs with the src being news: and mailto: urls. The divs are created in groups by a setTimeout that calls itself, so there will indeed be an infinite number of them.
External protocol handlers really don't make sense for divs/iframes/img etc. We probably have a bug on stopping them, in fact. If we did, though, there are probably other ways to do the same thing (sending click events to plain links?)
Group: security
Comment 3•19 years ago
I think it would make sense to do the following:
* Subject external-protocol URL loads and helper app loads to the same restrictions as popup windows.
* Limit the number of (non-whitelisted) popups per user action to 1-3, so a single click can't be used as an excuse to open a hundred popups or OE windows.
I couldn't find a bug about restricting helper app and external protocol handlers so <iframe src> doesn't trigger them.
As for "HEY EVERYBODY I'M LOOKING AT GAY PORN", it might be possible to work around that with an *option* for disabling sound (bug 24418), limiting sound volume (bug 333208), or disabling sound in non-foreground windows and tabs. But let's not make that the focus of this bug, since (a) it would be really hard to implement, (b) helper apps would defeat it, (c) it would have to be an option and wouldn't protect most people from these shock sites, and (d) fixing that wouldn't fix the annoying DoS.
I changed the URL from http://lastmeasure.com/mirrors.php to http://en.wikipedia.org/wiki/Last_Measure, so people looking at this bug report are less likely to fall victim.
Summary: Please Protect Us From GNAA → Web page opens seemingly infinite number of instances of Outlook Express
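Comment 2 describes the mechanism (a self-rescheduling setTimeout injecting elements whose src is a mailto: or news: URL) and comment 3 proposes the defence (subject helper-app launches to the same rules as popups and cap how many one user action may trigger). The JavaScript below is an added example that models that proposed policy; it is not code from this bug, from Last Measure, or from Firefox. The ExternalProtocolGate class, the per-gesture limit of 2, the list of browser-rendered schemes, and the simulated page events are all assumptions made for the illustration.

```javascript
// Added example (not code from this bug thread or from Firefox): a model of the
// policy proposed in comment 3, treating external-protocol loads like popups.
// A load whose scheme the browser does not render itself is handed to a helper
// app only when it runs under a real user gesture, and each gesture may trigger
// at most `perGestureLimit` such launches. Names, limits and the simulated
// events are assumptions for this illustration.

// Schemes the browser renders itself; any other scheme needs an external handler.
const INTERNAL_SCHEMES = new Set(["http", "https", "ftp", "file", "data", "about", "blob"]);

function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(String(url).trim());
  return m ? m[1].toLowerCase() : null;
}

// true for mailto:, news:, and any other scheme that would launch a helper app
function isExternalProtocol(url) {
  const scheme = schemeOf(url);
  return scheme !== null && !INTERNAL_SCHEMES.has(scheme);
}

class ExternalProtocolGate {
  constructor({ perGestureLimit = 2, allowedOrigins = [] } = {}) {
    this.perGestureLimit = perGestureLimit;
    this.allowedOrigins = new Set(allowedOrigins); // comment 3's "whitelisted" sites
    this.currentGesture = null;   // id of the most recent genuine user action
    this.launchesThisGesture = 0; // helper-app launches already charged to it
  }

  // The input layer calls this for every genuine click or key press.
  onUserGesture(gestureId) {
    this.currentGesture = gestureId;
    this.launchesThisGesture = 0;
  }

  // Decide whether one load may be handed to an external handler. gestureId is
  // the gesture the requesting code runs under; timer callbacks (the setTimeout
  // loop from comment 2) have none and pass null.
  request({ url, origin, gestureId }) {
    if (!isExternalProtocol(url)) return { allowed: true, reason: "internal-scheme" };
    if (this.allowedOrigins.has(origin)) return { allowed: true, reason: "allowlisted-origin" };
    if (gestureId === null || gestureId !== this.currentGesture) {
      return { allowed: false, reason: "no-user-gesture" };
    }
    if (this.launchesThisGesture >= this.perGestureLimit) {
      return { allowed: false, reason: "per-gesture-limit" };
    }
    this.launchesThisGesture += 1;
    return { allowed: true, reason: "within-gesture-budget" };
  }
}

// Constructed replay of the behaviour described in comment 2: one lured click,
// then timer rounds that keep requesting mailto:/news: loads with no gesture.
// No DOM, network or helper app is touched; it only tallies the gate's decisions.
function simulateLastMeasure(gate, { timerRounds = 5, loadsPerRound = 4 } = {}) {
  const origin = "http://shock-site.example"; // constructed origin
  const urls = ["mailto:a@example.invalid", "news:alt.test", "mailto:b@example.invalid", "news:alt.test"];
  const tally = { allowed: 0, denied: {} };
  const record = (decision) => {
    if (decision.allowed) tally.allowed += 1;
    else tally.denied[decision.reason] = (tally.denied[decision.reason] || 0) + 1;
  };

  gate.onUserGesture("click-1"); // the click that opened the page
  for (let i = 0; i < loadsPerRound; i++) {
    record(gate.request({ url: urls[i % urls.length], origin, gestureId: "click-1" }));
  }
  for (let round = 0; round < timerRounds; round++) { // setTimeout-driven rounds
    for (let i = 0; i < loadsPerRound; i++) {
      record(gate.request({ url: urls[i % urls.length], origin, gestureId: null }));
    }
  }
  return tally;
}

// Stand-alone run: with the default limit of 2 per gesture, the lured click
// yields 2 launches and every timer-driven request is refused.
console.log(JSON.stringify(simulateLastMeasure(new ExternalProtocolGate())));
```

The tally shows why the gesture check matters more than the numeric cap: the cap only bounds what one real click can do, while the gesture requirement is what stops the timer loop from ever reaching the helper app again, whatever the limit is.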
Updated•19 years ago
Comment 4•19 years ago
> I couldn't find a bug about restricting helper app and external protocol
> handlers so <iframe src> doesn't trigger them.
Found it: bug 167475.
Depends on: 167475
Updated•19 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 5•19 years ago
*** Bug 337630 has been marked as a duplicate of this bug. ***
Comment 6•19 years ago
Fwiw, bug 229168 is where we're tracking all these issues...
Updated•19 years ago
Component: Safe Browsing → General
QA Contact: safe.browsing → general
Comment 7•18 years ago
*** Bug 291847 has been marked as a duplicate of this bug. ***
Comment 8•18 years ago
*** Bug 341140 has been marked as a duplicate of this bug. ***
Comment 9•18 years ago
*** Bug 342785 has been marked as a duplicate of this bug. ***
Comment 10•18 years ago
I feel this on GNU/Linux, so it's not just Windows. This seems like a security bug. Someone please change that, I can't. I also can't change the OS and it happens not just on Windows....
Updated•18 years ago
Whiteboard: [sg:dos]
Comment 11•18 years ago
Last_Measure/GNAA is definitely not limited to Windows.
OS: Windows XP → All
Hardware: PC → All
Summary: Web page opens seemingly infinite number of instances of Outlook Express → Web page opens seemingly infinite number of instances of mail client
Comment 12•18 years ago
Bug 356638 describes a new version of Last Measure that not only opens mailto: URLs, but also uses other external protocols. For me, this caused both Mail and Thunderbird to open, and also caused unknown-protocol error dialogs and unused-protocols security dialogs.
Comment 13•18 years ago
I guess the root of evil is bug 167475.
Updated•17 years ago
Summary: Web page opens seemingly infinite number of instances of mail client → Web page opens seemingly infinite number of instances of mail client ("Last Measure", GNAA)
Updated•17 years ago
Blocks: lastmeasure
Comment 14•15 years ago
Ran across another "Last Measure" browser exploit.
Careful opening it. It redirects from google (somehow):
http://www.google.com/url?sa=t&source=web&ct=res&cd=1&url=http%3A%2F%2Fmembers.on.nimp.org%2F%3Fu%3Dtimecop&ei=UcVHSpWdItCvtwfnjsCMCg&rct=j&q=nimp+timecop&usg=AFQjCNHg4SY1IP4BptziBA5eGd-gxcxlLg
Comment 17•7 years ago
Seems like a duplicate.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Comment 18•6 years ago
Cleaning per duplicate.