Security Vulnerability in multiple Browsers for both PCs and Macs

Secunia ^ | 6/21/2005 | Secunia

[Swordmaker]

Secunia Research has discovered a vulnerability in various browsers, which can be exploited by malicious web sites to spoof dialog boxes.

The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open e.g. a prompt dialog box, which appears to be from a trusted site.

Please use the test page, to see an example of how this vulnerability can be exploited, and also to determine whether or not your browser is vulnerable.

This illustration may be used freely in news articles and web sites as long as Secunia.com is referenced as the source and the illustration links back to this page.

[Swordmaker]

According to Secunia, this is a only a mild vulnerability. They report that it exists in Safari 1.x, as well as in various other PC and Windows browsers including Internet Explorer, FireFox, Mozilla and Camino.

On testng I found it also exists in Safari 2.0 in Mac OSX.4.1.

---

---

You are vulnerable, if a JavaScript dialog box appears in front of the Google.com web site without displaying information about its origin.

You are not vulnerable, if you do not experience the above behaviour.



What should you do?

Please view the appropriate Secunia advisory for information about how you can fix or mitigate the impact of this vulnerability. The Secunia advisories will be updated when the vendors issue patches.

View the Secunia advisory regarding your browser:
- Internet Explorer for Mac
- Internet Explorer
- Opera
- Safari
- iCab
- Mozilla / FireFox / Camino

---

---

[Swordmaker]

Security warning ping... both PCs and Macs are affected!!!

PING!

If you want on or off the Mac Ping List, Freepmail me.

[jdm]

Good thing I use a Maxthon browser. < \\sarcasm >

[TheOtherOne]

Thanks.

It suggested for me.....Solution: Do not browse untrusted web sites while browsing trusted sites.

And that's just good common sense.

[Swordmaker]

Did you try it with the test? The vulnerability seems to me to have more to do with the way HTML, Java, and the Internet work than with a particular browser.

Try the test and let us know... if your browser is not vulnerable, I am sure that PC users would want to know about a safer alternative.

[Swordmaker]

Solution: Do not browse untrusted web sites while browsing trusted sites.

Quite frankly, I think that may be the only solution to this particular vulnerability.

[Soaring Feather]

I checked mine out and a box came up asking for a pass work string. I did not entering anything in the field box.

I am using IE.

[Soaring Feather]

entering=I did not enter anything.

[gidget7]

Something popped up when I did the test, but only for a split second, my spyware blocked it.

[Swordmaker]

Well, it's official... Microsoft claims it isn't a flaw or vulnerability, it's a feature!

---

IE pop-up spoof won't get patch
Published: June 23, 2005, 4:35 PM PDT
By Joris Evers
Staff Writer, CNET News.com

Microsoft does not plan to update Internet Explorer to prevent a spoofing attack that could trick users into giving out personal information to hackers.

In the attack, JavaScript is used to display a pop-up window in front of a trusted Web site. The pop-up appears to be part of the legitimate site, but actually is linked to a different, malicious site. A user might be fooled into sending personal information to the scammers.

Although the pop-ups could be used by attackers, overlaying multiple windows in a Web browser is a feature, not a vulnerability, according to an advisory posted Tuesday on Microsoft's TechNet Web site.

"This is an example of how current standard Web browser functionality could be used in phishing attempts," Microsoft said in the advisory.

Phishing is a prevalent type of online fraud that attempts to steal sensitive information such as usernames, passwords and credit card numbers. The schemes typically combine spam e-mail and fraudulent Web pages that look like legitimate sites.

Earlier this week, security monitoring company Secunia warned of the browser problem and rated it "less critical." The issue affects most major browsers, Secunia said.

The problem is that JavaScript dialog boxes do not display or include their origin. For an attack to occur, a user would have to visit a malicious Web site or click on a link before going to a trusted site, such as that of a bank. The attacker could then overlay part of the trusted site with a window asking for data such as a user name and password. Information entered would go to the attacker, instead of the bank.

Firefox developers at the Mozilla Foundation have been making moves to combat this kind of attack. In April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they came from trusted sites.

Opera has said that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.

[Californiajones]

Swordmaker -- I'm on Pather 10.3.9 -- how do I get rid of this bug on my computer? It is driving me nuts that I've got it!

[Swordmaker]

The easiest way to avoid this "feature" is to close ALL browser windows and wait about 10 seconds before opening a fresh blank window and navigating to any secure site such as your Bank, eBay, etc.