From
http://www.theregister.co.uk/2004/12/09/secunia_browser_exploit_warning/
"Many popular browsers are affected by a vulnerability that makes it easy to
spoof the content of websites, security firm Secunia warns.
Features built into browsers make it possible for malicious websites to
change the content of pop-up windows created by trusted websites such as
online banks. Users would have no inkling that potentially hostile content
has been injected into a pop-up window. Exploits rely on misusing browser
functionality rather than taking advantage of a software bug. Thomas
Kristensen, Secunia's chief technology officer, described the problem as
"perhaps the simplest phishing trick yet."
Secunia has confirmed the vulnerability on fully patched versions of
Internet Explorer 6.0 and Windows XP SP1 and SP2 (advisory here), Mozilla
1.7.3, Mozilla Firefox 1.0, Netscape 7.2, Apple's Safari 1.2.4, Opera 7.54,
and KDE's Konqueror 3.2.2-6. Other versions of these browsers might also be
affected. Secunia has issued five advisories (summary here) and an on-line
test.
Secunia describes the vulnerabilities as "moderately critical". It advises
users not to browse untrusted sites while browsing trusted sites."

Here is the URL for the online test:
http://secunia.com/multiple_browsers_window_injection_vulnerability_test

My test results:
Firefox v1.0 is vulnerable to the above spoofing.
IE with PopUpCop is not vulnerable.