web browser security issues

Discussion in 'NZ Computing' started by whoisthis, Jul 2, 2004.

  1. whoisthis

    whoisthis Guest

    The Secunia security group is reporting on a vulnerability that allows
    outside parties to "inject" spoofed content into a browser frame. The
    flaw affects Safari and a host of other browsers.

    According to the description: "The problem is that the browsers don't
    check if a target frame belongs to a website containing a malicious
    link, which therefore doesn't prevent one browser window from loading
    content in a named frame in another window.

    "Successful exploitation allows a malicious website to load arbitrary
    content in an arbitrary frame in another browser window owned by e.g. a
    trusted site.

    Secunia says the vulnerability has been confirmed in the following
    browsers:
    € Opera 7.51 for Windows
    € Opera 7.50 for Linux
    € Mozilla 1.6 for Windows
    € Mozilla 1.6 for Linux
    € Mozilla Firebird 0.7 for Linux
    € Mozilla Firefox 0.8 for Windows
    € Netscape 7.1 for Windows
    € Internet Explorer for Mac 5.2.3
    € Safari 1.2.2
    € Konqueror 3.1-15redhat


    Seems as though the fault is fairly wide spread across OS and browser,
    though for a change I do not see IE for windows, maybe all its other
    holes/bugs prevents this one from working
     
    whoisthis, Jul 2, 2004
    #1
    1. Advertisements

  2. whoisthis

    Howard Guest

    whoisthis wrote:

    the same thing that Max Burke wrote in a recent posting headed:
    !Multiple Browsers Frame Injection Vulnerability
     
    Howard, Jul 2, 2004
    #2
    1. Advertisements

  3. whoisthis

    Max Burke Guest

    whoisthis scribbled:
    It DOES affect IE. (for Windows)
     
    Max Burke, Jul 3, 2004
    #3
  4. whoisthis

    Ralph Fox Guest

    On Sat, 03 Jul 2004 10:18:50 +1200, in message
    The Secunia URL is http://secunia.com/advisories/11978/.


    You will see IE listed further down on the same page

    | The vulnerability also affects Internet Explorer:
    | SA11966


    Also look at the Secunia URL http://secunia.com/advisories/11966/
    where the same bug was reported in IE, the day before.
     
    Ralph Fox, Jul 3, 2004
    #4

  5. It says "IE" at the bottom in the fine print i.e. the people who run
    secunia want you to believe that IE is not as bad as all these other
    browsers.
     
    Patrick Dunford, Jul 3, 2004
    #5
  6. whoisthis

    Ralph Fox Guest

    On Sat, 3 Jul 2004 19:45:44 +1200, in message
    Seeing as the people who run Secunia had already reported
    the same bug in IE earlier (http://secunia.com/advisories/11966/),
    I would be wary of interpreting it that way myself.

    Perhaps the people who run Secunia didn't want to report IE _twice_
    compared to other browsers, and be accused of the opposite.
     
    Ralph Fox, Jul 3, 2004
    #6
  7. snip...

    http://secunia.com/advisories/11978/

    vulnerability confirmed for the list posted by whoisthis
    and for IE6 on WinXP

    page lists these browsers as possibly vulnerable

    Internet Explorer 5.x for Mac
    Konqueror 3.x
    Mozilla 0.x
    Mozilla 1.0
    Mozilla 1.1
    Mozilla 1.2
    Mozilla 1.3
    Mozilla 1.4
    Mozilla 1.5
    Mozilla 1.6
    Mozilla Firefox 0.x
    Netscape 6.x
    Netscape 7.x
    Opera 5.x
    Opera 6.x
    Opera 7.x
    Safari 1.x

    each item on this list is a link to a product specific list of known
    vulnerabilities, and the frame injection test page.
     
    J.Random Luser, Jul 4, 2004
    #7
  8. whoisthis

    Collector_NZ Guest

    J.Random Luser said the following on 4/07/2004 13:12:
    Dosnt affect my Firefox 0.x copy. Using standard configuration.
     
    Collector_NZ, Jul 4, 2004
    #8
  9. They could have listed all the browsers in the same message, by updating
    the previous one.
     
    Patrick Dunford, Jul 4, 2004
    #9
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.