Earlier today, security consulting firm Secunia released details of exploits affecting both IE and non-IE browsers. Many users of non-Microsoft browsers may have a false sense of security, and will want to pay extra attention to the threat affecting their browsers identified in this thread. Although this is not a code execution exploit, or something similar, it still is worth taking seriously.
IE:
http://secunia.com/advisories/12889
Description:
http-equiv has discovered two vulnerabilities in Internet Explorer, which can be exploited by malicious people to compromise a user's system, link to local resources, and bypass a security feature in Microsoft Windows XP SP2.
1) Insufficient validation of drag and drop events from the "Internet" zone to local resources for valid images or media files with embedded HTML code. This can be exploited by e.g. a malicious web site to plant arbitrary HTML documents on a user's system, which may allow execution of arbitrary script code in the "Local Computer" zone.
This vulnerability is a variant of:
SA12321
NOTE: Microsoft Windows XP SP2 does not allow Active Scripting in the "Local Computer" zone.
2) A security zone restriction error, where an embedded HTML Help control on e.g. a malicious web site references a specially crafted index (.hhk) file, can execute local HTML documents.
NOTE: This will also bypass the "Local Computer" zone lockdown security feature in SP2.
The two vulnerabilities in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files can be exploited to compromise a user's system. This has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.
Solution:
Disable Active Scripting or use another product.
Microsoft does not offer a fix for this yet.
Other Browsers:
You may test the first vulnerability here
Vulnerability "A"
It is possible for an inactive tab to spawn dialog boxes e.g. the
JavaScript "Prompt" box or the "Download dialog" box, even if the user
is browsing/viewing a completely different web site in another tab.
The problem is that the browsers do not indicate which tab launched
the dialog boxes, which therefore could lead the user into disclosing
information to a malicious web site or to download and run a program,
which the user thought came from another trusted web site e.g. their
bank.
Vulnerability "B"
It is possible for an inactive tab to always gain focus on a form
field in the inactive tab, even if the user is browsing/viewing a
completely different web site in another tab.
This is escalated a bit by the fact that most people do not look at
the monitor while typing data into a form field, and therefore might
send data to the site in the inactive tab, instead of the
intended/viewed tab.
Here are the solutions for the above problems:
4) Solution
Mozilla:
Vulnerability "A":
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Vulnerability "B":
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Mozilla Firefox:
Vulnerability "A":
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Vulnerability "B":
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Camino:
Vulnerability "A":
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Vulnerability "B":
Not affected by this vulnerability.
Opera:
Vulnerability "A":
Will be fixed in Opera 7.60.
Until Opera 7.60 becomes available, Opera Software will release an
advisory on this issue, which will be available on the Opera
website.
Vulnerability "B":
Not affected by this vulnerability.
Avant Browser:
Vulnerability "A":
Vulnerable. However, vendor never responded to inquiries.
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Vulnerability "B":
Vulnerable. However, vendor never responded to inquiries.
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Konqueror:
Vulnerability "A":
The Vendor reports that KDE version 3.3.1 fixes this
vulnerability.
Vulnerability "B":
Not affected by this vulnerability.
Netscape:
Vulnerability "A":
Vulnerable. However, vendor never responded to inquiries.
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Vulnerability "B":
Vulnerable. However, vendor never responded to inquiries.
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Maxthon:
Vulnerability "A":
Will be fixed in an upcoming version.
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.
Vulnerability "B":
Will be fixed in next version.
Disable JavaScript or do not visit untrusted and trusted websites
http://secunia.com/secunia_research/2004-10/advisory
Browser manufacturers are currently preparing a bugfix for the non-IE exploit. In the meantime, Secunia recommends changing scripting preferences and habits to lessen the potential of becoming a victim. Currently no sites have been discovered using this, but may soon. This second exploit is of special interest to identity thieves, who may fool a user into viewing his site at the same time as the user checks email/banks/visits PayPal.
The non-IE browsers may be used in safety as long as secure websites are visited alone, as opposed to with other, possibly unsafe sites in the background. Simple Fix: Don't randomly browse the internet or look at porn while using a secure website. Case closed.