web browser security issues

Discussion in 'NZ Computing' started by whoisthis, Jul 2, 2004.

  1. whoisthis

    whoisthis Guest

    The Secunia security group is reporting on a vulnerability that allows
    outside parties to "inject" spoofed content into a browser frame. The
    flaw affects Safari and a host of other browsers.

    According to the description: "The problem is that the browsers don't
    check if a target frame belongs to a website containing a malicious
    link, which therefore doesn't prevent one browser window from loading
    content in a named frame in another window.

    "Successful exploitation allows a malicious website to load arbitrary
    content in an arbitrary frame in another browser window owned by e.g. a
    trusted site."

    Secunia says the vulnerability has been confirmed in the following
    browsers:
    • Opera 7.51 for Windows
    • Opera 7.50 for Linux
    • Mozilla 1.6 for Windows
    • Mozilla 1.6 for Linux
    • Mozilla Firebird 0.7 for Linux
    • Mozilla Firefox 0.8 for Windows
    • Netscape 7.1 for Windows
    • Internet Explorer for Mac 5.2.3
    • Safari 1.2.2
    • Konqueror 3.1-15redhat


    Seems as though the fault is fairly widespread across OS and browser,
    though for a change I do not see IE for Windows, maybe all its other
    holes/bugs prevent this one from working.
     
    whoisthis, Jul 2, 2004
    #1
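
Added example, not part of the original thread or of the Secunia advisory: a toy JavaScript model of the check the advisory describes as missing, comparing name-only frame targeting with targeting that also checks who owns the frame. The window list, the `*.example` URLs and all function names are constructed for illustration, and "belongs to" is modelled as an origin comparison, which is an assumption.

```javascript
// Toy model of named-frame targeting (constructed; not real browser code).
const originOf = (url) => new URL(url).origin;

// Constructed sample state: a trusted site's frameset in one window and an
// unrelated site in a second window.
function sampleWindows() {
  return [
    { id: "w1", topUrl: "https://trusted.example/home",
      frames: [{ name: "content", url: "https://trusted.example/news" }] },
    { id: "w2", topUrl: "https://other.example/page", frames: [] },
  ];
}

// Resolve a link with target=targetName found in the document at linkUrl.
// checkOwner=false: match on frame name alone (the behaviour in the advisory).
// checkOwner=true: also require that the frame's window belongs to the
// site containing the link (modelled here as an origin comparison).
function navigateNamedFrame(windows, linkUrl, targetName, newUrl, checkOwner) {
  for (const win of windows) {
    for (const frame of win.frames) {
      if (frame.name !== targetName) continue;
      if (checkOwner && originOf(win.topUrl) !== originOf(linkUrl)) continue;
      frame.url = newUrl;
      return { navigated: true, window: win.id };
    }
  }
  return { navigated: false, window: null }; // no eligible frame found
}

function compare() {
  const link = "https://other.example/page";
  const injected = "https://other.example/injected";
  const flawed = sampleWindows();
  const checked = sampleWindows();
  const flawedResult = navigateNamedFrame(flawed, link, "content", injected, false);
  const checkedResult = navigateNamedFrame(checked, link, "content", injected, true);
  // A link on the trusted site itself must still be able to use its own frame.
  const ownResult = navigateNamedFrame(checked, "https://trusted.example/menu",
    "content", "https://trusted.example/sport", true);
  return { flawedResult, flawedUrl: flawed[0].frames[0].url,
           checkedResult, ownResult, checkedUrl: checked[0].frames[0].url };
}

console.log(compare());
```
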

  2. whoisthis

    Howard Guest

    whoisthis wrote:

    the same thing that Max Burke wrote in a recent posting headed:
    !Multiple Browsers Frame Injection Vulnerability
     
    Howard, Jul 2, 2004
    #2

  3. whoisthis

    Max Burke Guest

    > whoisthis scribbled:
    > The Secunia security group is reporting on a vulnerability that allows
    > outside parties to "inject" spoofed content into a browser frame. The
    > flaw affects Safari and a host of other browsers.
    > According to the description: "The problem is that the browsers don't
    > check if a target frame belongs to a website containing a malicious
    > link, which therefore doesn't prevent one browser window from loading
    > content in a named frame in another window.
    > "Successful exploitation allows a malicious website to load arbitrary
    > content in an arbitrary frame in another browser window owned by e.g.
    > a trusted site."
    > Secunia says the vulnerability has been confirmed in the following
    > browsers:
    > • Opera 7.51 for Windows
    > • Opera 7.50 for Linux
    > • Mozilla 1.6 for Windows
    > • Mozilla 1.6 for Linux
    > • Mozilla Firebird 0.7 for Linux
    > • Mozilla Firefox 0.8 for Windows
    > • Netscape 7.1 for Windows
    > • Internet Explorer for Mac 5.2.3
    > • Safari 1.2.2
    > • Konqueror 3.1-15redhat


    > Seems as though the fault is fairly widespread across OS and browser,
    > though for a change I do not see IE for Windows, maybe all its other
    > holes/bugs prevent this one from working.


    It DOES affect IE. (for Windows)


    --

    Replace the obvious with paradise.net to email me
    Found Images
    http://homepages.paradise.net.nz/~mlvburke
     
    Max Burke, Jul 3, 2004
    #3
  4. whoisthis

    Ralph Fox Guest

    On Sat, 03 Jul 2004 10:18:50 +1200, in message
    <>, whoisthis wrote:

    > The Secunia security group is reporting on a vulnerability that allows
    > outside parties to "inject" spoofed content into a browser frame.


    The Secunia URL is http://secunia.com/advisories/11978/.


    > Seems as though the fault is fairly widespread across OS and browser,
    > though for a change I do not see IE for Windows



    You will see IE listed further down on the same page

    | The vulnerability also affects Internet Explorer:
    | SA11966


    Also look at the Secunia URL http://secunia.com/advisories/11966/
    where the same bug was reported in IE, the day before.




    --
    Cheers,
    Ralph

    Change is inevitable. Progress is optional.
     
    Ralph Fox, Jul 3, 2004
    #4
  5. In article <>, mer
    says...
    > The Secunia security group is reporting on a vulnerability that allows
    > outside parties to "inject" spoofed content into a browser frame. The
    > flaw affects Safari and a host of other browsers.
    >
    > According to the description: "The problem is that the browsers don't
    > check if a target frame belongs to a website containing a malicious
    > link, which therefore doesn't prevent one browser window from loading
    > content in a named frame in another window.
    >
    > "Successful exploitation allows a malicious website to load arbitrary
    > content in an arbitrary frame in another browser window owned by e.g. a
    > trusted site."
    >
    > Secunia says the vulnerability has been confirmed in the following
    > browsers:
    > • Opera 7.51 for Windows
    > • Opera 7.50 for Linux
    > • Mozilla 1.6 for Windows
    > • Mozilla 1.6 for Linux
    > • Mozilla Firebird 0.7 for Linux
    > • Mozilla Firefox 0.8 for Windows
    > • Netscape 7.1 for Windows
    > • Internet Explorer for Mac 5.2.3
    > • Safari 1.2.2
    > • Konqueror 3.1-15redhat
    >
    >
    > Seems as though the fault is fairly widespread across OS and browser,
    > though for a change I do not see IE for Windows, maybe all its other
    > holes/bugs prevent this one from working.



    It says "IE" at the bottom in the fine print, i.e. the people who run
    Secunia want you to believe that IE is not as bad as all these other
    browsers.
     
    Patrick Dunford, Jul 3, 2004
    #5
  6. whoisthis

    Ralph Fox Guest

    On Sat, 3 Jul 2004 19:45:44 +1200, in message
    <>, Patrick Dunford wrote:

    > It says "IE" at the bottom in the fine print


    Correct.

    > i.e. the people who run
    > Secunia want you to believe that IE is not as bad as all these other
    > browsers.


    Seeing as the people who run Secunia had already reported
    the same bug in IE earlier (http://secunia.com/advisories/11966/),
    I would be wary of interpreting it that way myself.

    Perhaps the people who run Secunia didn't want to report IE _twice_
    compared to other browsers, and be accused of the opposite.


    --
    Cheers,
    Ralph

    Change is inevitable. Progress is optional.
     
    Ralph Fox, Jul 3, 2004
    #6
  7. whoisthis <> wrote:
    >
    > Secunia says the vulnerability has been confirmed in the following
    > browsers:


    snip...

    http://secunia.com/advisories/11978/

    vulnerability confirmed for the list posted by whoisthis
    and for IE6 on WinXP

    page lists these browsers as possibly vulnerable

    Internet Explorer 5.x for Mac
    Konqueror 3.x
    Mozilla 0.x
    Mozilla 1.0
    Mozilla 1.1
    Mozilla 1.2
    Mozilla 1.3
    Mozilla 1.4
    Mozilla 1.5
    Mozilla 1.6
    Mozilla Firefox 0.x
    Netscape 6.x
    Netscape 7.x
    Opera 5.x
    Opera 6.x
    Opera 7.x
    Safari 1.x

    each item on this list is a link to a product specific list of known
    vulnerabilities, and the frame injection test page.
     
    J.Random Luser, Jul 4, 2004
    #7
  8. whoisthis

    Collector_NZ Guest

    J.Random Luser said the following on 4/07/2004 13:12:

    > whoisthis <> wrote:
    >
    >> Secunia says the vulnerability has been confirmed in the following
    >> browsers:

    >
    >
    > snip...
    >
    > http://secunia.com/advisories/11978/
    >
    > vulnerability confirmed for the list posted by whoisthis
    > and for IE6 on WinXP
    >
    > page lists these browsers as possibly vulnerable
    >
    > Internet Explorer 5.x for Mac
    > Konqueror 3.x
    > Mozilla 0.x
    > Mozilla 1.0
    > Mozilla 1.1
    > Mozilla 1.2
    > Mozilla 1.3
    > Mozilla 1.4
    > Mozilla 1.5
    > Mozilla 1.6
    > Mozilla Firefox 0.x
    > Netscape 6.x
    > Netscape 7.x
    > Opera 5.x
    > Opera 6.x
    > Opera 7.x
    > Safari 1.x
    >
    > each item on this list is a link to a product specific list of known
    > vulnerabilities, and the frame injection test page.


    Doesn't affect my Firefox 0.x copy. Using standard configuration.
     
    Collector_NZ, Jul 4, 2004
    #8
  9. In article <>,
    -echo.invalid says...
    > On Sat, 3 Jul 2004 19:45:44 +1200, in message
    > <>, Patrick Dunford wrote:
    >
    > > It says "IE" at the bottom in the fine print

    >
    > Correct.
    >
    > > i.e. the people who run
    > > Secunia want you to believe that IE is not as bad as all these other
    > > browsers.

    >
    > Seeing as the people who run Secunia had already reported
    > the same bug in IE earlier (http://secunia.com/advisories/11966/),
    > I would be wary of interpreting it that way myself.


    They could have listed all the browsers in the same message, by updating
    the previous one.
     
    Patrick Dunford, Jul 4, 2004
    #9