Vulnerability Affects Firefox and IE, New and Old

By Scott M. Fulton, III | Published October 30, 2006, 2:17 PM

A newly discovered vulnerability, which the CTO of security services firm Secunia described this morning as affecting Internet Explorer 7.0, can also affect not only IE6 but Firefox versions 1.5 and 2.0, as observed by BetaNews in our own tests.

The vulnerability is easy to exploit, and has in fact been an annoyance for developers for years: Essentially, JavaScript in one Web page can address a popup window that another page has opened, since popup windows are referred to by name rather than by the site that created them. If that code runs before, or instead of, the popup window's own page, it can effectively pre-empt the popup's content and substitute its own.

If a popup blocker is enabled, the exploit should in theory be stopped. However, if popup blocking is turned off, or if a malicious page is open in one browser window while an "exception site" (a page for which popups are allowed) is open in another, the exploit remains feasible.
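The mechanism described above, as an added model that is not code from the BetaNews article or from Secunia's test page: a small JavaScript simulation of how a browser resolves window.open(url, name). The origins, URLs and popup name are made up for the example. The "scoped names" switch is a simplification of the hardening later browsers adopted (only a window the caller opened itself, or one from the caller's own origin, can be re-targeted by name) and does not describe any particular browser's implementation.

```javascript
'use strict';

// Constructed model of the window-injection behaviour. It is not browser
// source code; it reproduces only the rule that matters for the
// vulnerability: window.open(url, name) re-targets an already-open window
// with that name instead of creating a new one, and the name is not tied
// to the site that opened the window.

function originOf(url) {
  return new URL(url).origin;
}

class Browser {
  // scopeNames: hardened behaviour, a caller may only re-target a named
  //   window that it opened itself or that shares its origin (simplification).
  // popupBlocker / allowList: the blocker gates creation of NEW windows
  //   only; origins on allowList ("exception sites") may always open them.
  constructor({ scopeNames = false, popupBlocker = false, allowList = [] } = {}) {
    this.scopeNames = scopeNames;
    this.popupBlocker = popupBlocker;
    this.allowList = new Set(allowList);
    this.windows = []; // { name, url, openerOrigin, lastNavigatedBy }
  }

  // The window that window.open(url, name) from callerOrigin would re-target.
  findNamed(callerOrigin, name) {
    if (name === '' || name === '_blank') return null;
    return this.windows.find(w =>
      w.name === name &&
      (!this.scopeNames ||
        w.openerOrigin === callerOrigin ||
        originOf(w.url) === callerOrigin)) || null;
  }

  // Models window.open(url, name) executed by a page at callerOrigin.
  open(callerOrigin, url, name = '') {
    const target = this.findNamed(callerOrigin, name);
    if (target) {
      // Existing window: this is a navigation, not a new popup, so the
      // popup blocker never sees it.
      target.url = url;
      target.lastNavigatedBy = callerOrigin;
      return { action: 'navigated', name, url };
    }
    if (this.popupBlocker && !this.allowList.has(callerOrigin)) {
      return { action: 'blocked', name, url };
    }
    this.windows.push({ name, url, openerOrigin: callerOrigin, lastNavigatedBy: callerOrigin });
    return { action: 'opened', name, url };
  }

  // URL currently shown in the first window carrying this name (null if none).
  urlOf(name) {
    const w = this.windows.find(w => w.name === name);
    return w ? w.url : null;
  }
}

// Scenario from the article: a trusted site opens a named popup; a page
// from another origin, open in a second window, calls window.open() with
// the same (guessed) name. Origins, paths and the name are made up.
const TRUSTED = 'https://news.example';
const EVIL = 'https://evil.example';

function runScenario(options) {
  const b = new Browser(options);
  const first = b.open(TRUSTED, 'https://news.example/offer', 'offerPopup');
  const second = b.open(EVIL, 'https://evil.example/phish', 'offerPopup');
  return { first: first.action, second: second.action, popupUrl: b.urlOf('offerPopup') };
}

if (typeof require !== 'undefined' && require.main === module) {
  const cases = {
    'blocker off, names unscoped': {},
    'blocker on, trusted site allowed': { popupBlocker: true, allowList: [TRUSTED] },
    'blocker on, nothing allowed': { popupBlocker: true },
    'names scoped to opener': { scopeNames: true },
  };
  for (const [label, opts] of Object.entries(cases)) console.log(label, runScenario(opts));
}
```

Run it with node. The second case is the one BetaNews describes, where popup blocking is on but the site that opened the popup is on the exception list: the blocker only gates the creation of a new window, so the attacker's call, which merely navigates an existing one, goes through and the trusted site's popup ends up showing the attacker's URL. Only the scoped-name rule leaves the trusted popup untouched. Whether a real blocker also gates the re-targeting call differed between the builds BetaNews tested; the model does not try to reproduce that variation.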

BetaNews was able to trigger the exploit not only in both Internet Explorer versions 6 and 7, but also in Firefox versions 1.5 and 2.0, in the latter case when such exception sites were open alongside the Secunia test page.

In fact, on one system, we were able to trigger the exploit in Firefox 1.5 with popup blocking turned on.

While the vulnerability apparently remains an annoyance across the board, Secunia's message this morning was oriented specifically toward IE7. "A vigilant user has been testing IE7," Secunia reported, "and found that it actually is vulnerable in a default configuration to the 'Window Injection Vulnerability.'"

Years ago, when the vulnerability was first discovered, Microsoft created a security setting for IE6, which is accessible from the Internet Options control panel. Specifically, from the Security tab, click Custom Level, then in the Settings list scroll down to Navigate sub-frames across different domains and select Disable beneath it. As Secunia noted, on systems where IE7 is installed, this setting is now disabled by default.

On one Windows XP-based test system, where we left this setting disabled, IE7 passed the Secunia vulnerability test both with popup blocking turned on and with it turned off. On another XP-based system, IE7 failed the Secunia test, but only when popup blocking was turned off. We don't know the reason yet. Also, in our Vista RC2-based Virtual PC environment, IE7 failed the Secunia test regardless of the popup blocking setting.

Meanwhile, in BetaNews' tests, Firefox 1.5 failed the Secunia test both when popup blocking was engaged and when the site which generated the popup was added to its list of allowed sites. All installations of Firefox 2.0 on Windows XP passed when popup blocking was engaged, though all failed when the popup-generating site was made an exception. The only browser among the two brands and different versions to pass both tests was Firefox 2.0 on Vista RC2.

Though the page that testers see when a browser fails the test reports that the code within the page could just as well have been malicious, questions could well be raised about that claim. Theoretically, even though the popup's document was replaced, the same restrictions that apply to scripting on any other page (the same-origin policy) should apply to the injected page as well, so it cannot read the trusted site's content. The risk is rather that the attacker's page appears in a window the user believes belongs to the trusted site, which is what makes the technique useful for phishing.

Popup blocking in both Firefox and IE suppresses the appearance of popup windows; it does not filter their content. Disabling popup blocking therefore should not disable any content filtering either.

A Secunia advisory from March 2005 records that the vulnerability was discovered in Firefox in December 2004, and that Mozilla released a patch for it, in Firefox 1.0.1, the following February. No follow-ups have been added to the advisory since.

Comments


I don't know the test procedure you used with FF 2.0, but I can assure you that your test passes perfectly with my version of FF 2.0 without any problem, both with pop-ups enabled and disabled. I have NoScript enabled as an extension and WinXP SP2!

Regards, Aigor

Score: 0


I've tested many times with IE7 under WinXP SP2 and the Secunia exploit doesn't work, so IE7 is NOT affected by this flaw.

Score: 0


I'm running FF 1.5.0.7 and IE 6 with no popup blockers and NoScript. With NoScript on in FF it doesn't work. Using IE Tab in FF, it opens the USA Today page and the Secunia page in different tabs.
In IE6 it did the same thing as IE Tab, except in different windows.

Score: 0


"If the event that code is executed prior to the code for the popup window's own page, it can effectively pre-empt the popup window's content, substituting its own.

If a popup blocker is enabled, the exploit should theoretically be disabled. However, if popup blocking is turned off, or if a malicious page is open in one browser window while an "exception site" -- a page where popups are allowed -- resides in another, the exploit is still feasible."

"What if Eleanor Roosevelt Could Fly?"

A pothole on a major highway has more chance of hurting people than this vulnerability.

There needs to be a security level called "insignificant" because alerts like this make Secunia no better than Chicken Little.

Score: 0


"There needs to be a security level called 'insignificant' because alerts like this make Secunia no better than Chicken Little."

Seems that way to me as well. The Secunia test doesn't do anything to my browsers, except Konq, which merely reports a script error in the page.

http://www.securityprone...thMicrosoftOverIE7.html

Score: 0


Opera is not vulnerable to this problem...

Again the only browser to take security seriously it seems..

Score: 0


It's unfortunate that Opera sacrifices usability for security against problems that probably only a fraction of one percent of web users will ever see. Opera may be more secure, but it fails to work with lots of sites, like most sites that use AJAX.

Score: 0


The reason for that is because Opera is the most standards compliant, which I applaud them for.

However, being standards compliant isn't worth a whole lot when 90% of sites out there... aren't.

Score: 0


Strange, all works fine for me with websites that I visit regularly and Opera 9.02/9.1.

Score: 0


According to one of the posts below, Opera fails on default settings.

Of course, neither of you provide anything more than just your own statements...and we *know* where your bias lies.

Score: 0


Wow...you've been to *all* the websites?

/sarcasm

Great! That means you don't visit the sites the guy above visits.

So based on our own little poll here, opera works for 50% of people's browsing habits, and does not work for the other 50%.

Not quite what you were going for?

Score: 0


After I saw this new security flaw reported today at Secunia, I dug through the older report there and wrote an article on my blog, mentioning that since this was originally reported in 2004 and was an issue faced by Opera, Firefox and other browsers all at the same time, how could only Microsoft overlook this. I also mentioned that it would be really surprising if only Microsoft left this unpatched while the others took care of it already, and that maybe Secunia had not yet conducted this test on Firefox, so we would have to wait and see whether Firefox too has the same problem. And now you have answered my worries. Now I would like to know what Opera says. Did they patch it long back? Or maybe not. We will have to wait and see.
Btw, I have added a link to this page in my article as an update to what I wrote, mentioning that Firefox too has now been found vulnerable.
Anyone interested in reading what I wrote can see it at my blog here: http://infopowered.blogs...flaw-spotted-in-ie.html

Score: 0


Sounds like a cross-browser Javascript issue, not really a "browser" vulnerability.

The browser's just the JS client. It's JS that seems to be the problem here. All the browsers can do is bandaid JS without handicapping it too much.

Props to IE7 and FF2 for getting the closest.

Would like to know how Opera handles this. Odd that it wasn't even mentioned. I guess no-one uses it. :p

Score: 0


Yep...I tried these tests over the weekend. Discovered that without NoScript disabled in Firefox 2, I failed. Tried Opera on default settings..Failed. I knew IE would fail..Disabled active scripting a long time ago in IE. Applied the ZGProtector last week. With that 3rd party patch applied it seems to allow IE to pass the test. That's a good thing, seeing as how me Outlook is affected by previous exploits that use active scripting...BTW I posted my response about what I found in me own observations on the feedback page. I reckon someone read it aye...:))...I got the reference to the ZGProtector from the SecurityNow webpage.

Score: 0


I just checked IE7 on both XP/SP2 and Vista build 5574 and both the "trusted" and "internet" zones are indeed configured to allow (enable) navigating sub-frames between different domains. Pretty weird/dumb. I just set both to "Prompt" to see what happens now.

Score: 0


Interesting that Secunia specifically mentions IE7 and neglects to mention the others--more bias, perhaps?

Score: 0


It's only news when it's an IE vulnerability, haven't you learned that?

It just sounds to me like Secunia wanted to put out that a vulnerability existed (which they probably knew about prior to IE7's release) right when IE7 was released. Anyways,

This is why I don't believe the hype about browser "security" anymore and just ensure my software is up to date (regardless of the type of software; in this case I use Opera anyway). Vendors patch software all the time and quite frankly, I don't care how many patches I require or how often a vendor releases them, just as long as I can do it easily (which I can in all of the major browsers and software packages I utilize).

Good to see that IE is not the only browser vulnerable to this vulnerability and that the truth finally comes out.

Score: 0


Has anyone tested this on Opera? http://www.opera.com

Thanks.

Score: 0


Yes! It's a ROCK!! ;-)

P.S.
Oops, excuse me: Opera 9.02 Italian version

Score: 0

|
