December 10, 2004
Multiple Browsers Window Injection Vulnerability Test
Secunia Research has reported a vulnerability, which affects most browsers. The vulnerability can be exploited by a malicious web site to "hi-jack" a named browser window, regardless of which web site is the true "owner" of the window. Please use the test below, to see an example of how this vulnerability can be exploited, and also to determine whether or not your browser is vulnerable. Go here to take the test
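
Editor's added example, not part of any post in this thread and not Secunia's code: a site-side hardening pattern for the issue described above, where a pop-up gets an unguessable name and is checked before it is reused. The function names and the shared-name browser model are constructed for illustration.

```javascript
// Added example; function names are hypothetical, not from the thread.
// Outside a browser, Node's built-in Web Crypto supplies the random bytes.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Weak: a fixed name that any other page can also pass to window.open().
function openFixed(win, url) {
  return { name: 'popup', handle: win.open(url, 'popup') };
}

// Hardened: a fresh 128-bit random name per pop-up, so another site
// cannot address the window by guessing its name.
function openUnguessable(win, url) {
  const bytes = rng.getRandomValues(new Uint8Array(16));
  const name = 'w' + Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
  return { name, handle: win.open(url, name) };
}

// Before reusing a pop-up, confirm it still shows our origin. In a real
// browser, reading location.href of a cross-origin window throws.
function stillOurs(handle, origin) {
  try {
    return !handle.closed && new URL(handle.location.href).origin === origin;
  } catch (e) {
    return false;
  }
}

// Constructed model of the behaviour the advisory describes: one name
// registry shared by all sites, so open() with a known name navigates the
// existing window. This is a stand-in for testing, not a browser API.
function makeSharedNameBrowser() {
  const byName = new Map();
  return {
    open(url, name) {
      let w = byName.get(name);
      if (w) w.location.href = url;
      else byName.set(name, (w = { closed: false, location: { href: url } }));
      return w;
    },
  };
}
```
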
December 10, 2004
Not sure how you tested, just downloaded Firefox 1.0 and it does not pass the test. On the Mozilla security site no patches are available, and on the Secunia site it seems that Firefox and IE are both vulnerable. http://secunia.com/product/4227/
December 10, 2004
Quote (francois): "hi, click on the link no pop-up blocker and firefox 1.0 passes it"
No, it does not pass. Well, it does pass if you configure Firefox to enable pop-ups and use the test for not-enabled, which seems not the way to do it. If you test with Firefox and the selected test both disabled or both enabled, it does not pass.
December 10, 2004
This is just a new MS Windows bug..... I run Redhat Fedora Core 3 Linux with Firefox 1.0 and Mozilla suite 1.7.3 and with both browsers I have no problems...
December 10, 2004
I managed to make Firefox 1.0 fail the test. Under Tools/Options.../Web Features, I have "Block pop-up windows" checked. Under Tools/Options.../Tabbed Browsing, I have "Open these requested JavaScript popups in tabs:" set to "No Popups". These Options come with the "Tabbrowser Preferences" extension. Then I click on the "With pop-up blocker" test link, and then the CitiBank button, it fails - I get this message:
Secunia - Window Injection Test
The pop-up window you requested to open via the CitiBank web site is now controlled by Secunia.com. This page could easily have contained malicious information spoofed as being from CitiBank, asking you to install programs or disclose sensitive information such as credit card details. This is only limited by the imagination of the attacker (phisher).
If I change the Tabbed Browsing option to "Unresized Popups", and do the same, it fails. If I change the Tabbed Browsing option to "All Popups", and do the same, it fails. (Sorry - I previously said it passes, but it failed after a few seconds). Can anyone explain?
December 10, 2004
Quote: ".......This is only limited by the imagination of the attacker (phisher).........."
A new law was introduced in the U.S. Senate on July 9, 2004 which would make "phishing" a federal crime punishable by a large fine and up to 5 years in prison. Current US laws permit enforcement authorities to prosecute "phishers", but only after someone has been defrauded. This new bill would allow charges against "phishers" for attempting to deceive Internet users. (It is estimated that losses from "phishing" in the USA alone will exceed 2 billion dollars in 2004.)
More info: Anti-Phishing Act of 2004 (pdf); What Is "Phishing"? A Brief Primer
December 11, 2004
The vulnerability only works if you have Java enabled. For general surfing I never enable Java, therefore no pop-ups. There are a few sites which demand it that I do visit, so I use IE for these sites with Java enabled, once finished back to Opera.
December 11, 2004
Quote (slimdog): "The vulnerability only works if you have Java enabled. For general surfing I never enable Java, therefore no pop-ups. There are a few sites which demand it that I do visit, so I use IE for these sites with Java enabled, once finished back to Opera."
Thanks slimdog. I have enabled Java and Javascript, but under "Javascript, Advanced" I have turned off everything that scripts can do - so now they cannot move or resize existing windows, raise or lower windows, disable or replace context menus, hide the status bar, change the status bar text, change images. I repeated the test, and Firefox passed.
December 11, 2004
I turned on the advanced option to allow Javascripts to "change images" (to let the +QUOTE feature work in Thaivisa), and it still passed.
December 11, 2004
Using Webroot PopUp Washer to kill popups, running Firefox 1.0 with popups blocked, and Java and JavaScript enabled, and passed.