Secunia Research: Multiple Browsers Tabbed Browsing Vulnerabilities
From: Jakob Balle (jb_at_SECUNIA.COM)
Date: 10/20/04
- Previous message: Russ Cooper: "Administrivia #29691: TruSecure Global Risk Index Survey"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 20 Oct 2004 15:02:43 +0200 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
======================================================================
Secunia Research 20/10/2004
- Multiple Browsers Tabbed Browsing Vulnerabilities -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Description of Vulnerabilities.......................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9
======================================================================
1) Affected Software
Mozilla 1.7.3
Mozilla Firefox 0.10.1
Camino 0.8
Opera 7.54
Konqueror 3.2.2-6
Netscape 7.2
Avant Browser 9.02 build 101
Avant Browser 10.0 build 029
Maxthon (MyIE2) 1.1.039
Prior versions of all above software may also be vulnerable.
======================================================================
2) Severity
Rating: Less/Moderately critical
Impact: Spoofing
Where: From remote
======================================================================
3) Description of Vulnerabilities
Vulnerability "A":
It is possible for a inactive tab to spawn dialog boxes e.g. the
JavaScript "Prompt" box or the "Download dialog" box, even if the user
is browsing/viewing a completely different web site in another tab.
The problem is that the browsers does not indicate, which tab launched
the dialog boxes, which therefore could lead the user into disclosing
information to a malicious web site or to download and run a program,
which the user thought came from another trusted web site e.g. their
bank.
Demonstration:
http://secunia.com/multiple_browsers_dialog_box_spoofing_test/
Vulnerability "A" Affects:
Mozilla 1.7.3
Mozilla Firefox 0.10.1
Camino 0.8
Opera 7.54
Konqueror 3.2.2-6
Netscape 7.2
Avant Browser 9.02 build 101
Avant Browser 10.0 build 029
Maxthon (MyIE2) 1.1.039
Vulnerability "B":
It is possible for a inactive tab to always gain focus on a form
field in the inactive tab, even if the user is browsing/viewing a
completely different web site in another tab.
This is escalated a bit by the fact that most people do not look at
the monitor while typing data into a form field, and therefore might
send data to the site in the inactive tab, instead of the
intended/viewed tab.
Demonstration:
http://secunia.com/multiple_browsers_form_field_focus_test/
Vulnerability "B" Affects:
Mozilla 1.7.3
Mozilla Firefox 0.10.1
Netscape 7.2
Avant Browser 9.02 build 101
Avant Browser 10.0 build 029
Maxthon (MyIE2) 1.1.039
======================================================================
4) Solution
Mozilla:
Vulnerability "A":
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Vulnerability "B":
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Mozilla Firefox:
Vulnerability "A":
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Vulnerability "B":
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Camino:
Vulnerability "A":
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Vulnerability "B":
Not affected by this vulnerability.
Opera:
Vulnerability "A":
Will be fixed in Opera 7.60.
Until Opera 7.60 becomes available, Opera Software will release an
advisory on this issue, which will be available on the Opera
website.
Vulnerability "B":
Not affected by this vulnerability.
Avant Browser:
Vulnerability "A":
Vulnerable. However, vendor never responded to inquiries.
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Vulnerability "B":
Vulnerable. However, vendor never responded to inquiries.
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Konqueror:
Vulnerability "A":
The Vendor reports that KDE version 3.3.1 fixes this
vulnerability.
Vulnerability "B":
Not affected by this vulnerability.
Netscape:
Vulnerability "A":
Vulnerable. However, vendor never responded to inquiries.
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Vulnerability "B":
Vulnerable. However, vendor never responded to inquiries.
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Maxthon:
Vulnerability "A":
Will be fixed in an upcoming version.
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Vulnerability "B":
Will be fixed in next version.
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
======================================================================
5) Time Table
04/10/2004 - Vulnerabilities reported to Netscape, Mozilla, Opera and
Avant Browser.
05/10/2004 - Vulnerabilities reported to KDE (Konqueror) and Maxthon.
08/10/2004 - Netscape and Avant contacted again as they have not
responded.
20/10/2004 - Public disclosure.
======================================================================
6) Credits
Discovered by Jakob Balle, Secunia Research.
======================================================================
7) References
Secunia Advisories:
http://secunia.com/SA12706
http://secunia.com/SA12712
http://secunia.com/SA12713
http://secunia.com/SA12714
http://secunia.com/SA12717
http://secunia.com/SA12731
======================================================================
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia web site:
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia web site:
http://secunia.com/secunia_research/2004-10/
======================================================================
-- NTBugtraq Editor's Note: Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field. --
- Previous message: Russ Cooper: "Administrivia #29691: TruSecure Global Risk Index Survey"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
