Security flaw found in all browsers (design flaw)
Posted: Sat Jul 03, 2004 7:28 pm
Wednesday, Secunia issued a warning saying it had discovered a vulnerability within IE that allowed scammers to spoof, or fake, the content of a site displayed in the browser.
On Friday, however, the security vendor modified the alert to claim that virtually every browser, from Internet Explorer and Mozilla to Opera and Netscape -- including browsers for both Windows and the Mac OS -- has this flaw.
"It's not a code vulnerability," said Secunia's Kristensen, "but a design flaw."
The problem stems from how browsers handle frames. "Some time ago, browser designers decided that one site needed to be able to manipulate the content of another, and the functionality was adopted by everyone," said Kristensen. But hackers can use this to inject phony content -- say their own credit card-stealing form -- into a frame of an actual trusted Web site, such as a user's online bank.
"In these times of phishing attacks and other scams, this is a problem," said Kristensen. "You're visiting a bank or an e-commerce site, and you're certain of that site, but meanwhile, it's [actually] open in the background to content change by hackers."
Internet Explorer users can stymie such spoofing attacks by disabling the "Navigate sub-frames across different domains" setting under Tools/Internet Options/Security.
Secunia offered up a quick test that users can run to see if their current browser is vulnerable to this problem.
Test here: http://secunia.com/multiple_browsers_frame...erability_test/
Mozilla also has this flaw. I think it's pretty much any browser, so it's something to be aware of. The best thing you can do is make sure you don't have spyware, and that you don't browse other sites while doing something such as banking.
Archived topic from Iceteks, old topic ID:2469, old post ID:20749
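Added example, not part of the original post or of Secunia's advisory: a small model of the frame-navigation decision the article describes, comparing the permissive design ("one site can manipulate the content of another") with a stricter rule under which only the embedding page's own site may navigate its frames. The origins, frame names and both policy functions are constructed for illustration; the stricter rule is a simplified assumption, not the exact behaviour of the IE setting or of any browser's code.

```javascript
// Simplified model (an assumption, not browser source code) of the decision
// "may this document navigate that frame?".
// All origins and frame names below are constructed for the example.

function makeFrame(name, origin, parent = null) {
  const frame = { name, origin, parent, children: [] };
  if (parent) parent.children.push(frame);
  return frame;
}

// Permissive rule: the design described in the post. Any document may
// navigate any frame it can name, whatever site owns the surrounding page.
function permissivePolicy(source, target) {
  return true;
}

// Restricted rule: allow the navigation only when the navigating document
// is same-origin with the target frame or with one of the target's
// ancestors, so the page that embeds a frame keeps control of it.
function restrictedPolicy(source, target) {
  for (let f = target; f !== null; f = f.parent) {
    if (f.origin === source.origin) return true;
  }
  return false;
}

// Constructed scenario: a bank page with two sub-frames, and an unrelated
// page open in another window at the same time.
function evaluate(policy) {
  const bankTop = makeFrame("top", "https://bank.example");
  const bankContent = makeFrame("content", "https://bank.example", bankTop);
  const adFrame = makeFrame("ad", "https://ads.example", bankTop);
  const otherWindow = makeFrame("top", "https://other.example");
  return {
    otherSiteToBankFrame: policy(otherWindow, bankContent),
    bankToOwnFrame: policy(bankTop, bankContent),
    bankToEmbeddedAd: policy(bankTop, adFrame),
    adToBankContent: policy(adFrame, bankContent),
  };
}

console.log("permissive:", evaluate(permissivePolicy));
console.log("restricted:", evaluate(restrictedPolicy));
```

Under the permissive rule every check passes, including the unrelated window replacing the bank's frame; under the restricted rule only the bank's own page can navigate its frames, while the site's legitimate use of embedded content still works.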