harrywaldron
Multiple Browser Injection Vulnerabilities (Secunia)

In personally testing this, ALL 3 BROWSERS FAILED THE TEST (e.g., IE 6 SP1, Mozilla Firefox 1.0, and Opera 7.60 Beta). Hopefully all the vendors are working on this one, as the opportunities for phishing expeditions are certainly possible with this one :(

BROWSERS IMPACTED: Netscape 7.x, Konqueror 3.x, Opera 7.x, Safari 1.x, Microsoft Internet Explorer 5.01/5.5/6, Mozilla 0.x, Mozilla 1.0, Mozilla 1.1, Mozilla 1.2, Mozilla 1.3, Mozilla 1.4, Mozilla 1.5, Mozilla 1.6, Mozilla 1.7.x, Mozilla Firefox 0.x, Mozilla Firefox 1.x

The problem is that a website can inject content into another site's window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website.

Solution: Do not browse untrusted sites while browsing trusted sites.


RELATED PRODUCT SITES

Netscape: http://secunia.com/advisories/13402/
Opera: http://secunia.com/advisories/13253/
Mozilla: http://secunia.com/advisories/13129/
IE: http://secunia.com/advisories/13251/
Konqueror: http://secunia.com/advisories/13254/
Safari: http://secunia.com/advisories/13252/

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:

http://secunia.com/multiple_browsers_windo...erability_test/
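
An added example, not part of the original post or of Secunia's advisory: the issue described above depends on the pop-up's target name being known, so a site owner can audit their own pages for pop-ups opened with a fixed, guessable window name. The function names, regular expressions and sample markup below are constructed for illustration.

```javascript
// Added example: flag pop-up targets whose window name is a fixed string literal.
// Reserved keywords never address a reusable named window, so they are ignored.
const RESERVED = new Set(['_blank', '_self', '_parent', '_top', '']);

// window.open(url, 'name') or window.open(url, 'name', features): literal name only.
// Names built at run time ('w' + token) are deliberately not matched.
const OPEN_CALL = /window\.open\s*\(\s*[^,()]+,\s*(['"])([^'"]*)\1\s*[,)]/g;

// <a target="name">, <form target="name">, <area ...>, <base ...>
const TARGET_ATTR = /<(a|form|area|base)\b[^>]*?\btarget\s*=\s*(['"])([^'"]*)\2/gi;

function record(findings, line, kind, name) {
  if (!RESERVED.has(name.toLowerCase())) {
    findings.push({ line, kind, name });
  }
}

// Returns one finding per predictable window name, with its 1-based line number.
function findPredictableWindowNames(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(TARGET_ATTR)) {
      record(findings, i + 1, `<${m[1].toLowerCase()} target>`, m[3]);
    }
    for (const m of text.matchAll(OPEN_CALL)) {
      record(findings, i + 1, 'window.open', m[2]);
    }
  });
  return findings;
}

// Constructed sample page source (not taken from any real site).
const SAMPLE = [
  '<a href="/rates.html" target="rates">Rates</a>',
  '<a href="https://example.org/" target="_blank">Partner</a>',
  '<script>',
  "function help() { window.open('/help.html', 'helpwin', 'width=400'); }",
  "function news() { window.open('/news.html', 'n' + crypto.randomUUID()); }",
  '</script>',
].join('\n');

for (const f of findPredictableWindowNames(SAMPLE)) {
  console.log(`line ${f.line}: ${f.kind} uses fixed window name "${f.name}"`);
}
```

Each flagged name is a candidate for replacement with a per-session random value; that remediation is a suggestion of this example, not something stated in the advisory.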

raw
Firefox is indeed vulnerable, but I thought this was great.

jgweed
Mozilla and Firefox are only vulnerable if you have trusted and untrusted sites all tabbed at the same time, to the best of my knowledge.
Cheers,
John

Correction: I was wrong.
John

KoanYorel
"Browser phishing 'flaw' could hook users"

Published: December 8, 2004, 4:50 PM PST By Robert Lemos Staff Writer, CNET News.com

QUOTE
A function built into all major browsers could be co-opted by attackers to fool Web site visitors into surrendering sensitive information, a security firm warned on Wednesday.

The issue, which security firm Secunia labeled a flaw, could allow a malicious Web site to refer visitors to a legitimate site--such as a bank's Web site--and then control the content displayed in a pop-up window. The issue affects Microsoft's Internet Explorer, the Mozilla Foundation's Mozilla and Firefox browsers, Opera's browser, the open-source Konqueror browser and Apple Computer's Safari, the firm stated in advisories on its site.

"No browsers warn or check if the other site is allowed to change the content of the pop-up window," Thomas Kristensen, chief technology officer for Secunia, said in an e-mail to CNET News.com. "If the pop-up window is opened because the users clicked on a specific functionality, the user has no reason to suspect that the content in the window has been changed by a malicious site."

The company has created a demonstration that takes advantage of the flaw on its Web site. The example sends a user to Citibank's Web site, where clicking on the image opens a pop-up window that is controlled by Secunia's program.

Microsoft said that the attack uses a legitimate feature of browsers to fool users.


Complete article

http://news.com.com/Browser+phishing+flaw+...ml?tag=nefd.top