Posted on 12/08/2004 8:34:03 PM PST by Eagle9
A European security vendor warned Wednesday that most browsers sport a bug that hackers can exploit to spoof a Web site and trick users into trusting bogus pop-up windows.
The vulnerability, which Danish security firm Secunia rated as "moderately critical," is similar to previous bugs in browsers that were disclosed in July and September of 2004. Attackers could use it to add content into a trusted Web site's window by, for instance, inserting a fake form in a pop-up window seemingly opened by that site.
Affected browsers, said Secunia, include the popular Internet Explorer and the up-and-coming Firefox, as well as third-tier alternatives like Mozilla, Opera, Apple's Safari, and the open-source Konqueror.
IE 5.01, 5.5, and 6.x are vulnerable, claimed Secunia, and the "vulnerability has been confirmed on a fully patched system with Microsoft Windows XP SP1/SP2."
While flaws in Windows XP Service Pack 2 (SP2) are rare, some have been reported since Microsoft released the security update in October.
Secunia has posted a test that users can run on their browser to determine if it's plagued by the bug.
The "test" link is in the last sentence of the article, and also posted here - http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
Ran it with Firefox 1.0... and passed.
I use Firefox, and the popup was blocked. I still had the option to view it if I chose to though.
I have IE6 with XP-Pro with ALL updates and I PASSED! But the noise (i.e. sound fx) from the huge barrage of attempted pop-ups was irritating.
I ran it with Firefox 1.0 and it failed. Wonder what the difference is.
My Firefox 1.0 fails.
The Mozilla browsers and Internet Explorer provide a settings window where you can list such websites that will permit pop-up windows.
In other words, you fly an Internet browser, adjusting the trim and fuel settings as you go, if you mean to get there and back.
That's interesting. I use Firefox 1.0 and I passed.
Firefox 1.0....passed
No problems here. I'm using Safari 1.2.4 (v125.12)
My Mozilla 1.7.3 passed.
FF runs all the sites I need to access now. I wouldn't use IE for anything.
Solution: Do not browse untrusted sites while browsing trusted sites.
Same here, failure.

I think Secunia's test should be done after a run of a spyware removal program such as Ad-Aware SE, SpyBot or the new spyware remover from Yahoo! Toolbar 1.9 for Internet Explorer. Embedded spyware might be the reason the windows are opening in the way Secunia describes it.
Mozilla 1.5 also passed.
My version 0.8 Firefox passed as well. You wanna know why, folks?
Firefox has an extension available called PrefButtons 0.2.
This allows you to place a small check box on your toolbar that you can easily turn off Java scripting with. Uncheck the box and run the test and Secunia can't do bupkis!
Firefox still beats the crap out of everything else.
My Firefox blocks the popups from the Drudge site....
So these guys have a new technique?
bs open source means NO ONE patches it...
Tried it with Avant too. Works great!
Firefox 1.0 works too!
Bump
You have to be real careful with those.
My Firefox passes. I know at one time I had installed this update... I thought it was to correct this problem. I would think it would already be included in Firefox 1.0.
http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.7.1/shellblock.xpi
I was going to try Avant at one time but was put off by what I read on their webpage:
"Since it's based on Internet Explorer, Avant Browser is as secure as Internet Explorer."
I don't want a browser that is AS secure as IE. I want one MORE secure than IE.
Maybe I'll try it on my desktop PC at work. Our company intranet sites don't like Firefox.
Good to know. Thanks for the research.
I think all you can say is that your browser passed on that particular occasion.
Shiira for OSX passed.
Most recent problems in Mozilla can be accessed through "about:config", in your search bar. No browser will ever be "safe" and most bugs only infect your operating system anyway... which usually is Microsoft...
Lynx PASSED!
Exactly. I had my Tabbed Browsing set to load links in New Tab. It failed the test. I changed the setting to load links in Current Tab. It passed the test.
Ditto - Mozilla 1.7.3 was good, though the pop-up notifications lasted quite a while (I guess it was doing what it was supposed to do!).
So this is a JavaScript buggy thing that will allow a new web page to attempt to gain control of my computer if I have another tab (or browser) that is open on a secure site?
Konqueror passed...
Passed on both IE 6.0 and Firefox 1.0. Whatever the bug is, certain configurations are protected against it.
Mmmm...could be. Check out reply #23.
HAHA!!! Excellent!
Well that sucked, I tried it with both IE and Firefox and both failed.
Nice, clear test.
Ping a ling!!
Scary post lulling people into false sense of security, the "test" proves nothing... this is a 4 month old exploit that can be changed by typing "about:config" and changing various settings... (just one). Would like to recommend cert.org to any who cares. Bugs are usually meant to take over your operating system anyway, you can always reinstall your browser...
Same with my Netscape 7.1
Same here. Safari is safe.
Macs are far less safe than open source, or Microsoft. They would find millions of converts if they were... (your Mac probably won't tell you you're compromised)
Bump
Ran it with SlimBrowser ... passed
Don't mean to offend Mac users, this is SERIOUS when someone can steal your financial info. The first virus generally recognised was a Mac auto run CD virus... I typed this on Mozilla and would never recommend anyone ever use a Mac, they don't patch... the fact that AL GORE is on their board might tell anyone who cares... something about Mac