kabal1234 Posted December 10, 2004
Multiple Browsers Window Injection Vulnerability Test
Secunia Research has reported a vulnerability, which affects most browsers. The vulnerability can be exploited by a malicious web site to "hi-jack" a named browser window, regardless of which web site is the true "owner" of the window.
Please use the test below, to see an example of how this vulnerability can be exploited, and also to determine whether or not your browser is vulnerable.
Go here to take the test

kabal1234 Posted December 10, 2004
No problems for me with IE6 SP2 & Firefox 1.0.

rcjoop Posted December 10, 2004
Not sure how you tested; I just downloaded Firefox 1.0 and it does not pass the test. On the Mozilla security site there are no patches available, and on the Secunia site it seems that Firefox and IE are both vulnerable.
http://secunia.com/product/4227/

francois Posted December 10, 2004
Hi, click on the link no pop-up blocker and Firefox 1.0 passes it.
francois

rcjoop Posted December 10, 2004
> Hi, click on the link no pop-up blocker and Firefox 1.0 passes it.
> francois
No, it does not pass. Well, it does pass if you configure Firefox for enabling pop-ups and use the test for not-enabled, which seems not the way to do it. If you test with Firefox and the selected test both disabled or both enabled, it does not pass.

Richard-BKK Posted December 10, 2004
This is just a new MS Windows bug... I run Redhat Fedora Core 3 Linux with Firefox 1.0 and Mozilla suite 1.7.3, and with both browsers I have no problems...

RDN Posted December 10, 2004
I managed to make Firefox 1.0 fail the test.
Under Tools/Options.../Web Features, I have "Block pop-up windows" checked.
Under Tools/Options.../Tabbed Browsing, I have "Open these requested JavaScript popups in tabs:" set to "No Popups". These Options come with the "Tabbrowser Preferences" extension.
Then I click on the "With pop-up blocker" test link, and then the CitiBank button, it fails - I get this message:
> Secunia - Window Injection Test
> The pop-up window you requested to open via the CitiBank web site is now controlled by Secunia.com. This page could easily have contained malicious information spoofed as being from CitiBank, asking you to install programs or disclose sensitive information such as credit card details. This is only limited by the imagination of the attacker (phisher).
If I change the Tabbed Browsing option to "Unresized Popups", and do the same, it fails.
If I change the Tabbed Browsing option to "All Popups", and do the same, it fails. (Sorry - I previously said it passes, but it failed after a few seconds).
Can anyone explain?
Edited December 10, 2004 by RDN

waldwolf Posted December 10, 2004
> ...This is only limited by the imagination of the attacker (phisher)...
A new law was introduced in the U.S. Senate on July 9, 2004 which would make "phishing" a federal crime punishable by a large fine and up to 5 years in prison. Current US laws permit enforcement authorities to prosecute "phishers", but only after someone has been defrauded. This new bill would allow charges against "phishers" for attempting to deceive Internet users. (It is estimated that losses from "phishing" in the USA alone will exceed 2 billion dollars in 2004.)
More info:
Anti-Phishing Act of 2004 (pdf)
What Is "Phishing"? A Brief Primer

slimdog Posted December 11, 2004
The vulnerability only works if you have Java enabled. For general surfing I never enable Java, therefore no pop-ups. There are a few sites which demand it that I do visit, so I use IE for these sites with Java enabled; once finished, back to Opera.

RDN Posted December 11, 2004
> The vulnerability only works if you have Java enabled. For general surfing I never enable Java, therefore no pop-ups. There are a few sites which demand it that I do visit, so I use IE for these sites with Java enabled; once finished, back to Opera.
Thanks slimdog. I have enabled Java and Javascript, but under "Javascript, Advanced" I have turned off everything that scripts can do - so now they cannot move or resize existing windows, raise or lower windows, disable or replace context menus, hide the status bar, change the status bar text, change images. I repeated the test, and Firefox passed.

RDN Posted December 11, 2004
I turned on the advanced option to allow Javascripts to "change images" (to let the +QUOTE feature work in Thaivisa), and it still passed.

melus Posted December 11, 2004
Using Webroot PopUp Washer to kill popups, running Firefox 1.0 with popups blocked, and Java and JavaScript enabled, and passed.