Vulnerability Affects Firefox and IE, New and Old

A newly discovered vulnerability, which the CTO of security services firm Secunia described this morning as affecting Internet Explorer 7.0, can also affect not only IE6 but Firefox versions 1.5 and 2.0, as observed by BetaNews in our own tests.

The vulnerability can become an easy exploit, and has actually been an annoyance for developers for years: Essentially, code within a Web page has the capability to address new popup windows as they appear, by means of a JavaScript trigger. In the event that code is executed prior to the code for the popup window's own page, it can effectively pre-empt the popup window's content, substituting its own.

If a popup blocker is enabled, the exploit should theoretically be disabled. However, if popup blocking is turned off, or if a malicious page is open in one browser window while an "exception site" -- a page where popups are allowed -- resides in another, the exploit is still feasible.

BetaNews was able to trigger the exploit not only for both Internet Explorer versions 6 and 7, but also Firefox versions 1.5 and 2.0, in the latter case when such exception sites were open along with the Secunia test page.

In fact, on one system, we were able to trigger the exploit in Firefox 1.5 with popup blocking turned on.

While the vulnerability apparently remains an annoyance across the board, Secunia's message this morning was oriented specifically toward IE7. "A vigilant user has been testing IE7," Secunia reported, "and found that it actually is vulnerable in a default configuration to the 'Window Injection Vulnerability.'"

Years ago, when the vulnerability was first discovered, Microsoft created a security setting for IE6, which is accessible from the Internet Options control panel. Specifically, this can be accessed from the Security tab: Click Custom Level, then from the Settings list, scroll down to find Navigate sub-frames across different domains, and below that, click the Disable option. As Secunia noted, on systems where IE7 is installed, this setting is now disabled by default.

On one Windows XP-based test system, where we left this setting disabled, IE7 passed the Secunia vulnerability test, both with popup blocking turned on and turned off. On another XP-based system, IE7 failed the Secunia test, but only when popup blocking was turned off. We don't know the reason yet. Also, in our Vista RC2-based Virtual PC environment, IE7 failed the Secunia test, regardless of the popup blocking setting.

Meanwhile, in BetaNews' test, Firefox 1.5 failed the Secunia test, both when popup blocking was engaged and when the site which generated the popup was added to its list of allowed sites. All installations of Firefox 2.0 in Windows XP passed when popup blocking was engaged, though all failed when the popup-generating site was made an exception. The only browser among the two brands and different versions to pass both tests was Firefox 2.0 in Vista RC2.

Though the page that testers see when a browser fails the test reports that the code within the page may as well have been malicious, questions could well be raised about that claim. Theoretically, even though the DOM (the document framework) for the popup was circumvented, the same type of restrictions that would apply to scripting on any other page should apply to the popup as well.

Popup blocking in both Firefox and IE disables the appearance of popups; it does not filter their content. Therefore, disabling popup blocking should not disable filters as well.

A Secunia advisory from March 2005 records that the vulnerability was discovered in Firefox in December 2004, but that Mozilla released a patch for it, for use in Firefox 1.0.1, the following February. No follow-ups were added to the advisory since that time.

Source
