Spoofing Flaw Haunts IE, Firefox, Safari
Posted by Hani on 21 June 2005 - 19:45 · 35 comments & 3435 views
(3 replies)
#1 Posted by rob.derosa on 21 Jun 2005 - 19:50
- I love how they bang on about it being an IE security hole, then only mention briefly at the end it is also present on several other browsers.
I think we know by now IE has security holes.
-
#1.1 Posted by lare2 on 21 Jun 2005 - 19:52
- Please don't start the war. At least not on the first post.
-
#1.2 Posted by rob.derosa on 21 Jun 2005 - 19:53
- the war never stops
-
(2 replies)
#2 Posted by lare2 on 21 Jun 2005 - 19:51
- Not an issue for well-informed websurfers who understand how to spot the origin of dialog boxes.
-
#2.1 Posted by mikill on 21 Jun 2005 - 19:56
- True, but unfortunately there are still too many uninformed surfers.
-
#3 Posted by Thorpe on 21 Jun 2005 - 20:01
- OMG. Why give the bad people ideas?
-
(1 reply)
#4 Posted by kitchenutensils on 21 Jun 2005 - 20:04
- Hmm, Secunia seems to have come up with loads of 'security holes' that aren't really holes, but room in standard browsing for misconceiving which webpage you're on. I think this is a waste of time really because there will be much more critical holes in all browsers, that will reveal personally identifiable information and/or payment information to a hacker or website.
-
#5 Posted by krono6 on 21 Jun 2005 - 20:46
- "can be exploited by malicious hackers to trick surfers into disclosing confidential information, including credit card and social security numbers."
Does anyone else think, S-s-s-s-spam??
Not to mention, people who get this are, n-n-n-n-n00bs??
-
(2 replies)
#6 Posted by rm20010 on 22 Jun 2005 - 00:37
- Hmm. It says it affects Opera, but I disagree.
The reason: at the very top of the input box it reads "www.google.com.secunia.com". The other two browsers, IE and Firefox, don't display the origin.
(After reading the advisory page for Opera, it seems like 8.01's not affected, but the earlier versions are.)
-
#6.1 Posted by RADicaLMMS on 22 Jun 2005 - 06:21
- You're right! The Java popup dialogue box does show 'www.google.com.secunia.com' in Opera 8.01, but how does an average Opera user avoid getting burned accidentally?
Social engineering and complacent surfing habits will surely get the better of us in this case.
-
#6.2 Posted by jp10558 on 22 Jun 2005 - 15:25
- Yeah, but at some point I think the user has to take some responsibility. Computers don't have AI smart enough to make all decisions for the user. Putting the information in a readily accessible place (on the top of the box that is at issue) seems to be maybe the best they can do, though I suggested some possible improvements on the Opera forums. It will take some time to implement them I would guess, even if Opera Software thought they were worthwhile.
-
(5 replies)
#7 Posted by Galley on 22 Jun 2005 - 07:51
- Opera 8 always displays the domain name at the top of pop-up windows.

Also, you can view the Security Information for any page by pressing Ctrl+I.
-
#7.2 Posted by tiagosilva29 on 22 Jun 2005 - 10:26
- Same as eAi...
But, it's really cool to have that. It should be implemented on FF and IE, also! I'd like it.
-
#7.3 Posted by iandol on 22 Jun 2005 - 10:28
- Opera 8 also adds the domain source URL for javascript pop-ups too...
-
#7.4 Posted by eAi on 22 Jun 2005 - 10:50
- If you download the Netcraft toolbar I'm pretty sure it adds something very similar to popup browser windows.
-
#8 Posted by elliot on 22 Jun 2005 - 08:02
- Big deal.
-
#9 Posted by gaekwad2 on 22 Jun 2005 - 09:28
- Another one that doesn't work in FF in single window mode (opens a new tab for the pop up bo
.
-
(1 reply)
#10 Posted by eAi on 22 Jun 2005 - 10:00
- I've known about this issue for ages, and I'm surprised nobody has brought this up for a bit of PR (like they have now) sooner. It's obviously an issue and it's hard to solve... whatever they put in the titlebar of the page it's still easy to fool someone.
One way to do it would be to not display the popup until the window is switched to focus, but that doesn't really work with Windows, works better on Mac...
-
(3 replies)
#11 Posted by VikingStorm on 22 Jun 2005 - 13:07
- I can't remember the last time a decent site actually utilized a js dialog box.
-
#11.1 Posted by jp10558 on 22 Jun 2005 - 15:27
- That's the other thing, I don't ever think I've seen such a dialogue. Certainly not in the past 4 or more years. So I'd at least be on alert that something odd was being used here.
-
(4 replies)
#12 Posted by entropyx on 22 Jun 2005 - 19:49
- Firefox has so many bugs and holes... ugh...
-
#12.1 Posted by rm20010 on 22 Jun 2005 - 22:25
- Let me be the first to point these out:
20 / 82 advisories still not patched
*6 / 19 advisories still not patched*
0 / 5 advisories still not patched
I'll let you figure out which browser goes with each link.
-
#12.2 Posted by Kushan on 22 Jun 2005 - 23:19
- That does show just how much they concentrate on each browser, but look at it percentage wise:
IE - 24% of vulnerabilities unpatched
FF - 31% of vulnerabilities unpatched
When you put it like that, the numbers are a lot closer, which shows that both FF and MS aren't really any better or worse at patching stuff, it's just that MS has more to patch because security companies concentrate on IE more than the rest. Same for Opera: although it looks like a very secure browser from those statistics, you can bet that there are just as many vulnerabilities just waiting to be discovered as any other browser.
I'm not taking sides here, I'm just trying to point out that in these pathetic browser flame wars that crop up, there's always one person from each camp going on about security when really all 3 browsers are pretty much equal.
-
#12.3 Posted by TheSarge on 23 Jun 2005 - 07:51
- Arguing that Firefox might have unknown, unpatched vulnerabilities and then backing that up with a dearth of evidence is analogous to me arguing that the moon might contain a rich creamy filling or that motor oil might be a tasty breakfast treat. It might be so, but I'd like to see you prove it; if not for the sake of science then just because I enjoy a good laugh.
-
#13 Posted by Jeebus McChrist on 23 Jun 2005 - 00:33
- No software is perfect. Jeez, it doesn't matter what browser you use. If you use a browser because it's "LOL MOR SECURE" then just... no. I use Firefox because I'm used to it, and I like it. It's my favorite browser.
And someone going "teh opra is betr" isn't going to change my mind, or any other Firefox user's.
Same goes all three ways. So the wars need to stop, and people need to shut up.
-
#14 Posted by lbmouse on 24 Jun 2005 - 14:59
- Simple fix, download this and click here.

"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open a prompt dialog box, which appears to be from a trusted site," Secunia said in a public advisory. "Successful exploitation normally requires that a user is tricked into opening a link from a malicious Web site to a trusted Web site," the company added.
What's Included: (new/updated entries are marked like this):
Windows XP SP2 - Critical Updates
KB834707: Cumulative Security Update for Internet Explorer
KB873339: Vulnerability in HyperTerminal could allow code execution
KB873374: Microsoft GDI+ Detection Tool
KB885626: Your computer stops responding when you restart to complete the installation of Windows XP SP2
KB885835: Vulnerabilities in Windows Kernel and LSASS could allow elevation of privilege
KB885836: A vulnerability in WordPad could allow code execution
KB886185: Windows Firewall "My Network (subnet) only" scoping
KB890175: Vulnerability in HTML Help could allow code execution
KB890830: Malicious Software Removal Tool
KB867282: Cumulative Security Update for IE for XP Service Pack 2
KB873333: Security Update for Windows XP
KB885250: Security Update for Windows XP
KB886903: Security Update for .NET Framework 1.1 SP1
KB888113: Security Update for Windows XP
KB888302: Security Update for Windows XP
KB890047: Security Update for Windows XP
KB891781: Security Update for Windows XP
KB890923: Cumulative Security Update for Internet Explorer
KB892944: Vulnerability in Message Queuing Could Allow Code Execution
KB893066: Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service
KB890859: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service
KB893086: Vulnerability in Windows Shell that Could Allow Remote Code Execution
KB890830: Malicious Software Removal Tool v1.4
KB883939: Cumulative Security Update for IE for Windows XP SP2
KB890046: Security Update for Windows XP
KB890830: Malicious Software Removal Tool v1.5
KB896358: Security Update for Microsoft Windows XP
KB896422: Security Update for Windows XP
KB896428: Security Update for Windows XP
KB898458: Security Update for Windows XP
Windows XP SP2 - Recommended updates
KB831240: Update for HighMAT support in the Windows XP CD Writing Wizard
KB884020: Loopback IP address range problem
KB885222: Performance of 1394 devices may decrease after you install Windows XP SP2
KB886677: Corrupt DBCS characters in Internet Explorer on Windows XP
KB887742: Stop error "Stop 0x05" in Windows XP SP2 or Windows Server 2003
KB887797: Cumulative Update for Outlook Express for Windows XP
KB888240: Add-ons not listed in Internet Explorer on Windows XP SP2
KB890831: Input Method Editor disabled when using MSN Messenger in Windows XP SP2
KB891122: Update for DRM-enabled Media Players
KB892313: Fix for problems when playing MPEG4 videos in WMP 10
KB893357: Update for Windows XP
KB895181: Fix for MPEG4 videos in Windows Media Player 10
KB888656: FIX: Update to enable DirectX Video Acceleration of Windows Media Video content in WMP 10
KB894391: Update for Windows XP
KB896344: Update for Windows XP
Components
.NET Framework 1.1 (+SP1) (only in Full)
Windows Media Player 10.0.3802 (only in Full)
Microsoft Data Access Components 2.8 SP1 (only in Full)
Windows Installer 3.1 (v2)
Windows Script 5.6 for Windows XP (v5.6.0.8825) (only in Full)
Add-ons
Adaptec ASPI
Bootvis 1.3.37 (only in Full)
Official Windows XP PowerToys
Copy Profile Tool
DirectX Control Panel
PowerMenu 1.5.1
Startup Control Panel 2.8
New XP Style Wallpapers (only in Full)
New XP Screensavers (only in Full)
Windows Messenger 5.1 (only in Full)
Macromedia Shockwave Player (only in Full)
Windows Media Connect (only in Full)
MSN Messenger 7.0.0813 (only in Full)
New Theme: Royale (only in Full)
New Wallpapers (only in Full)
New AutoPatcher Wallpaper (only in Full)
Sun Java 1.5.0_03 (only in Full)
Google Toolbar 3.0.123.2 (only in Full)
Internet Explorer Spellcheck Tool 2.1.1 (325) (only in Full)
Microsoft Journal Viewer 1.5.2316.0 (only in Full)
And of course a lot of registry tweaks which improve speed, appearance, functionality and security!
File Size & MD5 Hashes
English June 2005 Full File Size: 149 MB (156786445 bytes)
English June 2005 Full MD5 Hash: 8931096F53811F2CF285B47E17D8E5BB
English June 2005 Lite File Size: 66.9 MB (70243062 bytes)
English June 2005 Lite MD5 Hash: 791234ACB72288AB2D6F0B03501D37BE
Portuguese June 2005 Full File Size: 141 MB (148037798 bytes)
Portuguese June 2005 Full MD5 Hash: 98042AE3F4230B1D9FC7EE5F48DB8E84
Portuguese June 2005 Lite File Size: 58.4 MB (61313967 bytes)
Portuguese June 2005 Lite MD5 Hash: FC5E8B285135F9FF71AE81F10CD80F5A