Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Time for a rant; how many sites are pointing out that many web browsers are vulnerable to the window injection vulnerability?

October 30th 2006 in Uncategorized

Edit: fix title. 

Come on guys – are people really so determined to find bad news about IE7 that they are willing to let important information about a vulnerability go unmentioned in their reports?

Despite the Secunia Window Injection Vulnerability Test URL being http://secunia.com/multiple_browsers_window_injection_vulnerability_test/, and the test itself mentioning multiple Web browsers being affected, many news sites and blogs only mention IE7 in their reports.

Now, assuming that all of the Web sites below actually looked at the vulnerability test page, and read its content, as distinct from only reading the Secunia report specific to IE7, I have to ask why so few sites are mentioning that multiple Web browsers are vulnerable? Are they leaving it to their readers to discover it for themselves? Does it make for better press, or grab more hits, or cause more of a stir, if they only mention IE7?

I've completed a quick survey of news sites that have reported on the window injection vulnerability to see who, at the time of writing, mentions that many Web browsers are affected – so far, things are not looking good – yes, I know several of the sites are quite obscure, but they're the ones that have come up in News, Web and Blog searches.

Edit: The Microsoft Security Response Team responds:
http://blogs.technet.com/msrc/archive/2006/10/31/information-on-address-bar-issue.aspx

Auscert, thankfully, points out that many browsers are affected:
http://www.auscert.org.au/render.html?it=4602

eweek – nope:
http://www.eweek.com/article2/0,1895,2047195,00.asp 

(quote from a spokesperson at MS in the eweek article – "[Secunia] describes a by-design behavior in popular Web browsers that allows a Web site to open or re-use a pop-up window. In Internet Explorer 7, the Web page's actual URL is displayed in a pop-up window address bar, enabling users to accurately make a trust decision," – not only that, the bad sites have to get past the phishing filter and all the other difficulties described in my blog entry.)

the register – nope:
http://www.theregister.co.uk/2006/10/30/ie_firefox_vulns/ 

bink.nu – nope:
http://bink.nu/Article8673.bink 

itnews.com.au – nope:
http://www.itnews.com.au/newsstory.aspx?CIaNID=41462

itnews.com.au again – nope, but they do mention that FF2 seems to be immune
http://www.itnews.com.au/newsstory.aspx?CIaNID=41458

neowin? – YES!!!
http://www.neowin.net/forum/index.php?showtopic=507807

betanews – YES!!
http://www.betanews.com/article/Vulnerability_Affects_Firefox_and_IE_New_and_Old/1162235840

securiteam – nope:
http://blogs.securiteam.com/index.php/archives/706 

cbc.ca – nope:
http://www.cbc.ca/technology/story/2006/10/30/tech-ie7injection-061030.html 

bitsofnews – nope:
http://www.bitsofnews.com/index2.php?option=com_content&task=view&id=4277&pop=1&page=0&Itemid=44

blogsforfirefox – nope:
http://blogsforfirefox.blogspot.com/2006/10/thesecurity-score-ie7-3-ff2-0.html

faill.com – nope:
http://www.faill.com/story.php?id=255

tipsdr.com – nope:
http://www.tipsdr.com/?p=555

fergdawg:
http://fergdawg.blogspot.com/2006/10/old-window-injection-flaw-reappears-in.html

networksecurity.fi – nope:
http://networksecurity.typepad.com/networksecurity/2006/10/ie_7_window_inj.html

vnunet.com – nope:
http://www.vnunet.com/vnunet/news/2167585/ie-bug-opens-exposes-users

Even Harry makes no mention [:(]
http://msmvps.com/blogs/harrywaldron/archive/2006/10/30/Internet-Explorer-7-Window-Injection-Vulnerability.aspx



It's been around since June 2006, and some said it was fixed in Firefox 1.5.0.7, but it's back…
http://www.securityfocus.com/bid/19488
Further information:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4253
