New vulnerabilities in various browsers,
03-11-2004, 13:19
|
#1
|
|
Cable Forum Team
Join Date: Jun 2003
Location: It's Lahndun, Innit?
Age: 37
Services: Virgin for TV, BT for phone and Be* for Broadband.
Posts: 17,465
|
New vulnerabilities in various browsers,
Yep. Someone has found two vulnerabilities that can basically affect any browser that supports tabbed browsing (Current versions of Opera and Firefox are apparently affected).
Now, I do find it slightly ironic that there is a security vulnerability out there that IE isn't affected by...
http://secunia.com/secunia_research/2004-10/advisory/
Quote:
|
Originally Posted by secunia.com
Vulnerability "A":
It is possible for an inactive tab to spawn dialog boxes e.g. the
JavaScript "Prompt" box or the "Download dialog" box, even if the user
is browsing/viewing a completely different web site in another tab.
The problem is that the browsers do not indicate which tab launched
the dialog boxes, which therefore could lead the user into disclosing
information to a malicious web site or to download and run a program,
which the user thought came from another trusted web site e.g. their
bank.
Demonstration:
http://secunia.com/multiple_browsers...spoofing_test/
Vulnerability "A" Affects:
Mozilla 1.7.3
Mozilla Firefox 0.10.1
Camino 0.8
Opera 7.54
Konqueror 3.2.2-6
Netscape 7.2
Avant Browser 9.02 build 101
Avant Browser 10.0 build 029
Maxthon (MyIE2) 1.1.039
Vulnerability "B":
It is possible for an inactive tab to always gain focus on a form
field in the inactive tab, even if the user is browsing/viewing a
completely different web site in another tab.
This is escalated a bit by the fact that most people do not look at
the monitor while typing data into a form field, and therefore might
send data to the site in the inactive tab, instead of the
intended/viewed tab.
Demonstration:
http://secunia.com/multiple_browsers...ld_focus_test/
Vulnerability "B" Affects:
Mozilla 1.7.3
Mozilla Firefox 0.10.1
Netscape 7.2
Avant Browser 9.02 build 101
Avant Browser 10.0 build 029
Maxthon (MyIE2) 1.1.039
|
Solutions or Workarounds are in the article..
__________________
Just to make it clear if a post is bold and is from a team member, it's a moderating decision. If it's not bold or not from a team member, it's not.
"This is an important announcement. This is flight 121 to Los Angeles. If your travel plans today do not include Los Angeles, now would be a perfect time to disembark."
|
|
|
03-11-2004, 13:34
|
#2
|
|
[NTHW] pc clan
Join Date: Jun 2003
Location: Tonbridge
Age: 41
Services: Be* Unlimited ADSL2+ BB
Posts: 17,740
|
Re: New vulnerabilities in various browsers,
Bifta's sig says it all
__________________
Step by step, walk the thousand mile road...
-----------------------------------------------------
Are you a mature PC gamer? Then go to the mature gamers site: nthwgaming.co.uk
|
|
|
03-11-2004, 13:37
|
#3
|
|
cf.mega poster
Join Date: Jul 2003
Location: Derry
Posts: 7,597
|
Re: New vulnerabilities in various browsers,
|
|
|
03-11-2004, 13:42
|
#4
|
|
Cable Forum Team
Join Date: Jun 2003
Location: It's Lahndun, Innit?
Age: 37
Services: Virgin for TV, BT for phone and Be* for Broadband.
Posts: 17,465
|
Re: New vulnerabilities in various browsers,
Lol
|
|
|
03-11-2004, 13:55
|
#5
|
|
Guest
|
Re: New vulnerabilities in various browsers,
I think FireFox is starting to lose the internet public now since M$ have got IE with a pop-up blocker (in XP SP2 only though) and various other improvements.
I ditched FireFox ages ago, after it used 100% CPU just to load a web page up (and take it from any other apps that were open).
|
|
|
|
03-11-2004, 14:01
|
#6
|
|
Eric Cartman Wannabe
Join Date: Jun 2003
Location: Cockney geeza land
Age: 27
Services: c:\> net start punky
Posts: 12,086
|
Re: New vulnerabilities in various browsers,
I still think you'd have to be a bit dim to fall for it.
"Oh yes, let me just type in my passwords and credit card number into a standard javascript prompt box..."
Anyone that does deserves to get done. The best it could be used for is for collecting e-mail addresses for spam.
__________________
"We're not here for a long time, we're here for a good time" - Mike Ness (Social Distortion)
"Reach for the sky, 'cause tomorrow may never come" - Reach For The Sky (Social Distortion)
|
|
|
03-11-2004, 14:02
|
#7
|
|
cf.mega poster
Join Date: Jul 2003
Location: Derry
Posts: 7,597
|
Re: New vulnerabilities in various browsers,
Quote:
|
Originally Posted by punky
I still think you'd have to be a bit dim to fall for it.
"Oh yes, let me just type in my passwords and credit card number into a standard javascript prompt box..."
Anyone that does deserves to get done. The best it could be used for is for collecting e-mail addresses for spam.
|
Most people that use the Internet don't know what javascript is, let alone a javascript alert. If browsers like Firefox want to become the norm, they need to cater to these people.
|
|
|
03-11-2004, 14:10
|
#8
|
|
Meningitis sucks
Join Date: Oct 2003
Location: Bracknell
Age: 38
Services: NTL Telephone
3M Broadband - CM
Sky TV
Posts: 1,246
|
Re: New vulnerabilities in various browsers,
Quote:
|
Originally Posted by scastle
Yep. Someone has found two vulnerabilities that can basically affect any browser that supports tabbed browsing (Current versions of Opera and Firefox are apparently affected).
Now, I do find it slightly ironic that there is a security vulnerability out there that IE isn't affected by...
http://secunia.com/secunia_research/2004-10/advisory/
Solutions or Workarounds are in the article..
|
so now we are supposed to thank M$ for never implementing the most useful of browsing features..
No thanks
so there is a new vulnerability - this is not uncommon... There are still less for Firefox than for IE.
Quote:
|
Originally Posted by Scott
I think FireFox is starting to lose the internet public now since M$ have got IE with a pop-up blocker (in XP SP2 only though) and various other improvements.
I ditched FireFox ages ago, after it used 100% CPU just to load a web page up (and take it from any other apps that were open).
|
I would disagree - the fact that M$ have implemented these features shows that Firefox (and other browsers) is having an effect - I have been running Firefox since Version 0.6 (or possibly earlier) and have had no issues with it.
My wife, who is no techie (but knows more about M$ office etc than me) is now using it, and thinks it is far better than IE.
As long as products like Firefox keep adding features and improving the "user experience", then there will always be a market for them.
|
|
|
03-11-2004, 14:22
|
#9
|
|
cf.mega poster
Join Date: Apr 2004
Location: Minas Tirith, Gondor
Age: 43
Posts: 2,575
|
Re: New vulnerabilities in various browsers,
There is a reference to these in a Reg article :
Quote:
... So here we have problems in some very popular tabbed browsers. Secunia's advice is logical: either disable JavaScript (which will cause problems using a vast number of web sites, so it's not likely), or avoid opening a trusted web site in a tab when other tabs already contain untrusted websites. OK. Not bad advice. So if you want to use PayPal or eBay or your bank, open up a new Firefox window first. No problem. A fix, of course, would be better.
In the usual open source tradition of fixing flaws quickly, Konqueror released a version of the browser that was patched against the vulnerabilities, and Firefox promised that it would be secured by the time 1.0 is released, sometime in the next few weeks. On the other hand, Netscape, now owned by AOL, and Avant never bothered to respond to Secunia when it contacted them. Guess I know which browsers to avoid.
I'm not trying to discredit Secunia or these vulnerabilities. They are definitely problems that need to be fixed. It's just that there's a big difference between the almost torturous series of steps required to exploit users with these vulnerabilities as compared to the recent IE exploit that involved simply visiting your bank's website.
...
|
I agree with the writer - you have to be pretty 'taken in' to go to a phished website and open the real website in another tab of the same browser!
I've been Mozilla/Firefox ing for over a year now and have no plans to change.
|
|
|
03-11-2004, 14:30
|
#10
|
|
Cable Forum Team
Join Date: Jun 2003
Location: It's Lahndun, Innit?
Age: 37
Services: Virgin for TV, BT for phone and Be* for Broadband.
Posts: 17,465
|
Re: New vulnerabilities in various browsers,
Quote:
|
Originally Posted by zovat
so now we are supposed to thank M$ for never implementing the most useful of browsing features..
No thanks
so there is a new vulnerability - this is not uncommon... There are still less for Firefox than for IE.
|
Calm down..
Although I phrased the post in a jokey way, there was a serious message. People COULD get caught by this.
FYI, I am currently using one of the affected browsers: Opera.
BTW, IMO, tabbed browsing is not a useful feature. It's a pain. IE (in combination with XP) does do something similar. Open three (or more) IE windows, and you should find them nicely grouped as a menu on the one task bar button, although, that's not (strictly speaking) a feature of IE.
|
|
|
03-11-2004, 14:42
|
#11
|
|
Meningitis sucks
Join Date: Oct 2003
Location: Bracknell
Age: 38
Services: NTL Telephone
3M Broadband - CM
Sky TV
Posts: 1,246
|
Re: New vulnerabilities in various browsers,
Quote:
|
Originally Posted by scastle
Calm down..
|
Sorry - I need to make the smilie bigger next time....
Quote:
|
Originally Posted by scastle
Although I phrased the post in a jokey way, there was a serious message. People COULD get caught by this.
|
And it is a valid warning
Quote:
|
Originally Posted by scastle
FYI, I am currently using one of the affected browsers: Opera.
|
Must look at Opera again - haven't used it for at least a year...
Quote:
|
Originally Posted by scastle
BTW, IMO, tabbed browsing is not a useful feature. It's a pain. IE (in combination with XP) does do something similar. Open three (or more) IE windows, and you should find them nicely grouped as a menu on the one task bar button, although, that's not (strictly speaking) a feature of IE.
|
each to their own - I like having the ability to have 2 firefox windows open - 1 secure and one not, then have as many tabs within that as I need within each window..
Normally I have my Secure window containing tabs for banking and work (vpn/net connected), and the other window for insecure stuff like this site, dilbert, El Reg, etc.
|
|
|
03-11-2004, 16:01
|
#12
|
|
cf.mega poster
Join Date: Jun 2003
Location: Yorks
Age: 41
Services: Sky+ with full package. VM phone and 20MB internet
Posts: 2,236
|
Re: New vulnerabilities in various browsers,
There is a security update for IE6 with XP SP2 released today.
http://www.neowin.net/comments.php?i...&category=main
__________________
CF Resident Medic
|
|
|
03-11-2004, 16:06
|
#13
|
|
cf.mega poster
Join Date: Jul 2003
Location: Derry
Posts: 7,597
|
Re: New vulnerabilities in various browsers,
Quote:
|
Originally Posted by Salu
|
You should probably have read the link you posted, it's NOT a security update.
|
|
|
03-11-2004, 18:13
|
#14
|
|
Guest
|
Re: New vulnerabilities in various browsers,
Quote:
|
Originally Posted by scastle
BTW, IMO, tabbed browsing is not a useful feature. It's a pain.
|
And IMO tabbed browsing is an *incredibly* useful feature!
Instead of having my task bar cluttered with a button for each browser window you have open, I can have just two or three, but each one of those is linked to two or three other tabs for google searches, sites where I'm downloading stuff from or anything else I want to look at, all I need to know is which button is CF, which is google and which is misc other.
I'd *never* go back to an untabbed browser and, to get back on topic, these "vulnerabilities" are, frankly, pretty unlikely to be exploitable in any meaningful way.
|
|
|
|
|