Wednesday, Secunia issued a warning saying it had discovered a vulnerability within IE that allowed scammers to spoof, or fake, the content of a site displayed in the browser.
On Friday, however, the security vendor modified the alert to claim that virtually every browser, from Internet Explorer and Mozilla to Opera and Netscape -- including browsers for both Windows and the Mac OS -- has this flaw.
"It's not a code vulnerability," said Secunia's Kristensen, "but a design flaw."
The problem stems from how browsers handle frames. "Some time ago, browser designers decided that one site needed to be able to manipulate the content of another, and the functionality was adopted by everyone," said Kristensen. But hackers can use this to inject phony content -- say their own credit card-stealing form -- into a frame of an actual trusted Web site, such as a user's online bank.
"In these times of phishing attacks and other scams, this is a problem," said Kristensen. "You're visiting a bank or an e-commerce site, and you're certain of that site, but meanwhile, it's [actually] open in the background to content change by hackers."
Internet Explorer users can stymie such spoofing attacks by disabling the "Navigate sub-frames across different domains" setting under Tools/Internet Options/Security.
Secunia offered up a quick test that users can run to see if their current browser is vulnerable to this problem.
Test here: http://secunia.com/multiple_browsers_frame...erability_test/
Mozilla also has this flaw. I think it's pretty much any browser, so it's something to be aware of. The best thing you can do is make sure you don't have spyware, and that you don't browse other sites while doing something such as banking.
Archived topic from Iceteks, old topic ID:2469, old post ID:20749
Security flaw found in all browsers (design flaw)
- Red Squirrel
- Posts: 29214
- Joined: Wed Dec 18, 2002 12:14 am
- Location: Northern Ontario
Honk if you love Jesus, text if you want to meet Him!
-
- Posts: 5140
- Joined: Fri Jan 10, 2003 1:14 am
I believe this was fixed in Firefox 0.9 and Mozilla 1.7 actually.
Bug 246448 - can spoof framed sites by changing frame contents
Archived topic from Iceteks, old topic ID:2469, old post ID:20750
- Red Squirrel
- Posts: 29214
- Joined: Wed Dec 18, 2002 12:14 am
- Location: Northern Ontario
Cool, did not realize it was fixable.
Archived topic from Iceteks, old topic ID:2469, old post ID:20752
Honk if you love Jesus, text if you want to meet Him!
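The frame behaviour described in the article quoted at the top of this thread, as a simplified model (an added example, not part of the original posts and not any browser's actual code). The frame tree, the `bank.example` / `other.example` origins and both policy functions are assumptions; `restrictedPolicy` only approximates what disabling IE's "Navigate sub-frames across different domains" setting is meant to do.

```javascript
// Simplified model of frame navigation; not any browser's real code.
// A frame is { name, origin, parent, children }. All names and origins are constructed.
function makeWindows() {
  const bank = { name: "bankTop", origin: "https://bank.example", parent: null, children: [] };
  const login = { name: "loginFrame", origin: "https://bank.example", parent: bank, children: [] };
  bank.children.push(login);
  const other = { name: "otherTop", origin: "https://other.example", parent: null, children: [] };
  return { bank, login, other };
}

function topOf(frame) {
  while (frame.parent) frame = frame.parent;
  return frame;
}

// Behaviour the article describes: any page may load content into any site's frame.
const permissivePolicy = (caller, target) => true;

// Assumed restriction: a sub-frame may only be navigated by a page whose origin
// matches the frame's own document or the top-level page that contains it.
const restrictedPolicy = (caller, target) =>
  caller.origin === target.origin || caller.origin === topOf(target).origin;

// Apply a navigation request; the top-level origin (what the address bar shows) never changes.
function navigate(policy, caller, target, url) {
  if (!policy(caller, target)) return false;
  target.origin = new URL(url).origin;
  return true;
}

// Audit helper: names of sub-frames whose content is not from the top-level page's origin.
function foreignFrames(top) {
  const found = [];
  const walk = (frame) => {
    for (const child of frame.children) {
      if (child.origin !== top.origin) found.push(child.name);
      walk(child);
    }
  };
  walk(top);
  return found;
}

// Run the same cross-site request under a policy and report what the user would see.
function scenario(policy) {
  const { bank, login, other } = makeWindows();
  const allowed = navigate(policy, other, login, "https://other.example/form.html");
  return { allowed, addressBar: bank.origin, foreign: foreignFrames(bank) };
}
```

Under `permissivePolicy` the address bar still reads `https://bank.example` while `loginFrame` holds another site's content; under `restrictedPolicy` the same request is refused and the frame is untouched.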