Posted on 12/08/2004 8:34:03 PM PST by Eagle9
A European security vendor warned Wednesday that most browsers sport a bug that hackers can exploit to spoof a Web site and trick users into trusting bogus pop-up windows.
The vulnerability, which Danish security firm Secunia rated as "moderately critical," is similar to previous bugs in browsers that were disclosed in July and September of 2004. Attackers could use it to add content into a trusted Web site's window by, for instance, inserting a fake form in a pop-up window seemingly opened by that site.
Affected browsers, said Secunia, include the popular Internet Explorer and the up-and-coming Firefox, as well as third-tier alternatives like Mozilla, Opera, Apple's Safari, and the open-source Konqueror.
IE 5.01, 5.5, and 6.x are vulnerable, claimed Secunia, and the "vulnerability has been confirmed on a fully patched system with Microsoft Windows XP SP1/SP2."
While flaws in Windows XP Service Pack 2 (SP2) are rare, some have been reported since Microsoft released the security update in October.
Secunia has posted a test that users can run on their browser to determine if it's plagued by the bug.
The "test" link is in the last sentence of the article, and also posted here - http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
Ran it with Firefox 1.0... and passed.
I use Firefox, and the popup was blocked. I still had the option to view it if I chose to, though.
I have IE6 with XP-Pro with ALL updates and I PASSED! but the noise (ie sound fx) from the huge barrage of attempted pop-ups was irritating.
I ran it with Firefox 1.0 and it failed. Wonder what the difference is.
My Firefox 1.0 fails.
The Mozilla browsers and Internet Explorer provide a settings window where you can list such websites that will permit pop-up windows.
In other words, you fly an Internet browser, adjusting the trim and fuel settings as you go, if you mean to get there and back.
That's interesting. I use Firefox 1.0 and I passed.
Firefox 1.0....passed
No problems here. I'm using Safari 1.2.4 (v125.12)
My Mozilla 1.7.3 passed
FF runs all the sites I need to access now. I wouldn't use IE for anything.
Solution: Do not browse untrusted sites while browsing trusted sites.
Same here, failure.
I think Secunia's test should be done after a run of a spyware removal program such as Ad-Aware SE, SpyBot or the new spyware remover from Yahoo! Toolbar 1.9 for Internet Explorer. Embedded spyware might be the reason the windows are opening in the way Secunia describes it.
Mozilla 1.5 also passed.
My version 0.8 Firefox passed as well. You wanna know why, folks?
Firefox has an extension available called PrefButtons 0.2.
This allows you to place a small check box on your toolbar that you can easily turn off Java scripting with. Uncheck the box and run the test and Secunia can't do bupkis!
Firefox still beats the crap out of everything else.
My Firefox blocks the popups from the Drudge site....
So these guys have a new technique?
bs open source means NO ONE patches it...