Firefox & IE subject to phishing trick

CZ

From
http://www.theregister.co.uk/2004/12/09/secunia_browser_exploit_warning/
"Many popular browsers are affected by a vulnerability that makes it easy to
spoof the content of websites, security firm Secunia warns.
Features built into browsers make it possible for malicious websites to
change the content of pop-up windows created by trusted websites such as
online banks. Users would have no inkling that potentially hostile content
has been injected into a pop-up window. Exploits rely on misusing browser
functionality rather than taking advantage of a software bug. Thomas
Kristensen, Secunia's chief technology officer, described the problem as
"perhaps the simplest phishing trick yet."
Secunia has confirmed the vulnerability on fully patched versions of
Internet Explorer 6.0 and Windows XP SP1 and SP2 (advisory here), Mozilla
1.7.3, Mozilla Firefox 1.0, Netscape 7.2, Apple's Safari 1.2.4, Opera 7.54,
and KDE's Konqueror 3.2.2-6. Other versions of these browsers might also be
affected. Secunia has issued five advisories (summary here) and an on-line
test.
Secunia describes the vulnerabilities as "moderately critical". It advises
users not to browse untrusted sites while browsing trusted sites."

Here is the URL for the online test:
http://secunia.com/multiple_browsers_window_injection_vulnerability_test

My test results:
Firefox v1.0 is vulnerable to the above spoofing.
IE with PopUpCop is not vulnerable.
 
Trent©

Any windows didn't open up for me...good, I guess.

But, then again, I had java scripting turned off...which is the way I
always surf the Net.

Not the best solution...granted. But works for me.

Thanks for the heads-up.


Have a nice one...

Trent

Budweiser: Helping ugly people have sex since 1876!
 
Yash

Well, it is always advisable not to view untrusted sites, esp. during online
transactions or while using e-commerce functions
Yash
 
Alex Nichol

Jock said:
Your subject left out that ALL major browsers are affected, not just IE
and Firefox. I know your message body mentioned this, but not everyone
downloads message bodies after scanning the subjects!

The point of these things is that they get you to click a Link that does
not actually take you where a first glance would lead you to think.
There is a useful add on available - spoofstick - from
www.corestreet.com that will tell you the truth about it (both for IE
and for Firefox 1.0)
 
Jock Strap

CZ said:
Have you been able to get Safari to run on a PC?
When I try, I get a message about the wrong op system.

Doesn't mean Safari is immune to the phishing trick, which is the
topic here; not Operating Systems. And yes, Safari CAN run on
a PC with a Mac emulator, so suck that.
 
Jock Strap

Alex said:
There is a useful add on available - spoofstick - from
www.corestreet.com that will tell you the truth about it (both for IE
and for Firefox 1.0)

SpoofStick fails with this trick (I tried it). It doesn't show the
real URL at all when you test the Secunia link that demonstrates it.
 
CZ

Doesn't mean Safari is immune to the phishing trick, which is the
topic here; not Operating Systems. And yes, Safari CAN run on
a PC with a Mac emulator, so suck that.

Jock:

Thanks, but I prefer the speed of a PC for browsing:

The following article discusses Safari's lack of speed on an iMac G5:
http://www.anandtech.com/mac/showdoc.aspx?i=2232&p=13
"But before I get into the little features that make Safari a good browser,
let me address its biggest shortcoming: rendering speed.
Back before Firefox's release on the PC, the one argument that I'd always
hear against IE was that it was too slow compared to lesser used browsers
such as Opera. Having used Opera, I could hardly tell any performance
difference in rendering speed in comparison to IE. It was the lack of any
appreciable difference coupled with no real application level benefits over
IE that kept me from using it on the PC.
But when comparing Safari rendering speed to IE, the difference is much more
noticeable. Webpages render instantaneously under IE compared to the
multiple second delay that exists under Safari. In order to show the
difference, I ran a couple of informal tests:
Site                 IE (PC)    Safari (Mac)
www.anandtech.com    2.825      4.073333333    0.306464812
www.cnn.com          2.75       4.123333333    0.333063864
www.slashdot.org     2.33       2.373333333    0.018258427
www.apple.com        2.625      4.073333333    0.355564648
www.microsoft.com    2.365      2.44           0.030737705
What we see here is that IE on the PC is consistently a lot faster in
rendering webpages than Safari, and although the numbers may seem small
themselves, they make the Mac (and actually your internet connection) feel a
lot slower when browsing normal web pages. Considering the amount of web
browsing that we all do on a regular basis, Safari's rendering performance
is nothing short of unacceptable"
 
