Multiple Browsers Dialog Origin Vulnerability Test

Introduction

Secunia Research has discovered a vulnerability in various browsers, which can be exploited by malicious web sites to spoof dialog boxes.

The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open e.g. a prompt dialog box, which appears to be from a trusted site.

Please use the test below, to see an example of how this vulnerability can be exploited, and also to determine whether or not your browser is vulnerable.

Test Case / Demonstration
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/
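The origin labelling that the advisory says the dialog boxes lacked, sketched as an added example (not part of the original post and not Secunia's test code): it derives the label for a script dialog from the URL of the window that opened it and compares that origin with the page displayed behind the dialog. All function names are hypothetical; the hostname google.com.secunia.com is the one quoted later in this thread, and the other URLs are constructed.

```javascript
// Added example, not Secunia's test code. All function names are hypothetical.

// Origin of the document that asked for the dialog, or null when the URL has
// no usable origin (about:blank, data:, javascript:, unparsable input).
// Simplification: real browsers let about:blank inherit its opener's origin;
// this example treats such windows as unidentifiable instead.
function dialogOrigin(openerUrl) {
  let url;
  try {
    url = new URL(openerUrl);
  } catch (err) {
    return null;
  }
  return url.origin === 'null' ? null : url.origin;
}

// Title line a dialog can carry so the user sees which site is asking.
function dialogTitle(openerUrl) {
  const origin = dialogOrigin(openerUrl);
  return origin
    ? `The page at ${origin} says:`
    : 'A page with no identifiable origin says:';
}

// True when the opener's hostname merely begins with the foreground site's
// name, e.g. google.com.secunia.com displayed over google.com.
function isLookalikeHost(openerUrl, foregroundUrl) {
  const opener = new URL(openerUrl).hostname.replace(/^www\./, '');
  const site = new URL(foregroundUrl).hostname.replace(/^www\./, '');
  return opener.startsWith(site + '.');
}

// Compare the dialog's opener with the page the user sees behind it.
function classifyDialog(openerUrl, foregroundUrl) {
  const opener = dialogOrigin(openerUrl);
  const foreground = dialogOrigin(foregroundUrl);
  let verdict;
  if (opener === null) {
    verdict = 'unknown-origin';
  } else if (opener === foreground) {
    verdict = 'same-origin';
  } else if (foreground !== null && isLookalikeHost(openerUrl, foregroundUrl)) {
    verdict = 'cross-origin-lookalike';
  } else {
    verdict = 'cross-origin';
  }
  return { title: dialogTitle(openerUrl), verdict };
}

// Constructed sample: the foreground page and three possible dialog openers.
const FOREGROUND = 'http://www.google.com/';
for (const opener of ['http://google.com.secunia.com/',
                      'http://www.google.com/search?q=test',
                      'about:blank']) {
  const result = classifyDialog(opener, FOREGROUND);
  console.log(`${result.verdict}: ${result.title}`);
}
```

A title built this way is what lets a reader tell a dialog raised by google.com.secunia.com apart from one raised by the Google page behind it.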

Test Results

In reply to: different browser test.....

On the first test my browser failed so I am supposed to do this:

Solution:
Firefox:
Update to version 1.0.5.
http://www.mozilla.org/products/firefox/


I am using Firefox/1.5.0.7.
Maybe it's time to send those guys back to the drawing board?

My IE6 SP2 failed too, so I guess IE7 will remedy that. Wink

The browsers did pretty well with Jason's toolbox, though. I don't mind living on the edge with a few safe cookie crumbs.

It looks as if I'd better keep my supplemental protection.

NO problems at all with FF 1.5.0.7

In reply to: different browser test.....

in both tests on WinMe plus XP.

(NT) NO problems at all with SeaMonkey 1.0.5

In reply to: NO problems at all with FF 1.5.0.7

If it's...

In reply to: (NT) NO problems at all with SeaMonkey 1.0.5

"You are vulnerable, if a JavaScript dialog box appears in front of the Google.com web site without displaying information about its origin."

I'm using only XP for this.
I get the box with the Google.secunia URL at the top. If THAT particular URL is what I'm supposed to be seeing, in that case, both browsers passed. B-)

(NT) I do NOT get a box at all.

In reply to: If it's...

NT???

In reply to: (NT) I do NOT get a box at all.

Ambiguous as usual, unfortunately. Are you referring to NT 4.0? If so, how many here do you suppose are still using that old Microsoft OS version?

For your information, the sequence is NT4.0, NT5.0 (W2k) and NT5.1 (XP). Vista will be NT6.0.

(NT) Never heard of NT as NO TEXT ???

In reply to: NT???

No Text???

In reply to: Never heard of NT as NO TEXT ???

In all the years I have been accessing computer-related sites, no I have not. Why on earth would you use an abbreviation for so short a phrase?

To most of us, NT means only one thing, a Microsoft OS. If you are not aware of that, where have you been all these years? Or maybe you are a Mac or Linux user?

...if dialog box appears without...

In reply to: If it's...

I find the "if...without..." statement to be ambiguous; I got the same result as bugbatter: dialog box does appear, and does have Google.secunia URL. Marianna's reply "I do NOT get a box at all" doesn't address 'batter's (or my) question...what if you get a dialog box WITH origin information? BTW, I am also on Firefox 1.5.07.

Do you have JavaScript disabled??

In reply to: ...if dialog box appears without...

Screenshot

In reply to: Do you have JavaScript disabled??

If Dialog Box . . .

In reply to: ...if dialog box appears without...

Don't worry about it. Taking the test is a waste of time in that all the browser makers eliminated that problem at least a year ago. Secunia's warning itself is dated back in the summer of 2005.

The originator of this thread has done a good job of scaring everyone needlessly. If you are up to date with Microsoft's patches, which update IE, and have the latest Firefox version, you can safely ignore anyone posted security warnings here. At that, CNET itself is always late in informing its readers when Firefox has issued an updated version. If you depend on CNET for that kind of information, you will always be among the last to know.

I have seen some real junk in these forums, but this one takes the cake.

Strange, I Just Installed Sea Monkey 1.05 & Got Pop-Up Box!

In reply to: (NT) NO problems at all with SeaMonkey 1.0.5

I have Java enabled for Navigator. I have SM/Moz Pop-up Blocker enabled. Same result I got w/ Mozilla 1.7.13. Sad I suppose I could turn off Java except for pages where I know I have to enter script to post & turn on once I get there. I'm going to try "other" test on new Sea Monkey tonight. Confused

(NT) Same Here With FF 1.5.07.. Source URL Was Displayed

In reply to: NO problems at all with FF 1.5.0.7

Ditto Grif

In reply to: NO problems at all with FF 1.5.0.7

Same here with FF 1.5.0.7 on XP Home SP2. Java build 1.5.0_08-b03 Hmmm...

I Really Liked This One, Marianna! Thanks, Unfortunately....

In reply to: different browser test.....

the only one I failed (enabled Javascripting for Navigator) when disabled, prevents me writing & submitting this post. I've re-enabled it. Devil

in my opinion

In reply to: Multiple Browsers Dialog Origin Vulnerability Test

Solution:
Firefox:
Update to version 1.0.5.
http://www.mozilla.org/products/firefox/

Provided and/or discovered by:
Jakob Balle, Secunia Research

Changelog:
2005-07-13: Updated "Solution" section and added original advisory.
2005-07-20: Added CVE reference.
2005-07-22: Updated "Solution" section.


that site is wayyyyyyyyy out of date, and as someone else mentioned if you have FF1.5.0.1 then you "should" be OK?


jonah



Hmmmm...

In reply to: in my opinion

First of all, it is a demonstration !

Result
You are vulnerable, if a JavaScript dialog box appears in front of the Google.com web site without displaying information about its origin.

You are not vulnerable, if you do not experience the above behaviour.

Maybe something is NOT correct with your settings???

(NT) Hint:....... disable JavaScript !

In reply to: Hmmmm...

Better hint: enable a good pop-up blocker

In reply to: (NT) Hint:....... disable JavaScript !

Disabling Java doesn't necessarily stop the pop-up from google.com.secunia.com from appearing. Disabling pop-ups stops it regardless of which browser you have and if Java is enabled or not.

Disabling JavaScript

In reply to: (NT) Hint:....... disable JavaScript !

You do NOT want to advise people to disable JavaScript. Many web sites use it and the sites will not operate correctly if it is disabled.

If they do disable it and have problems with sites operating correctly, they will not realize that it is because they disabled JavaScript.

Wrong..Personal Choice Depending on Habits..

In reply to: Disabling JavaScript

First, JavaScript is NOT a requirement to run your computer or surf the internet. Disable it and most folks won't notice the difference.. And obviously, if a user notices a problem, it's easy to re-enable it. Of course, if you never visit dubious websites, there won't be a problem either but for many, that's easier said than done..

Second, MANY of the newest attacks on the net are using JavaScript coding to accomplish those attacks.. Certainly, the best way to fix those vulnerabilities is to patch the holes in the browsers that have them. Unfortunately, that doesn't get done quick enough for most. As a result, temporarily disabling JavaScript (or at least setting it to "Prompt") is an excellent way to prevent those type of vulnerabilities from causing a problem. If I remember correctly, Microsoft has suggested such during times before a patch has been applied. Another example is in the link below for Mozilla. A Workaround given before their patch was released yesterday.

http://www.mozilla.org/security/announce/2006/mfsa2006-57.html

In my case, on Internet Explorer, I set ActiveX and Scripting options to "Prompt". I use a different browser to surf the internet.

Hope this helps.

Grif

Your Habits Not Necessarily Everyone's

In reply to: Wrong..Personal Choice Depending on Habits..

First, I never said JavaScript is a requirement to use either a computer or the internet. It helps if you read my posts correctly. I said many internet sites use JavaScript and will not respond correctly if the user has disabled JavaScript. That is not my opinion; it is a fact. The particular sites you frequent may not use it, but the sites many others use will use it, particularly financial sites. How is the user to know that the site is not working properly because he has disabled it? Will he even remember that he disabled it?

Second, disabling JavaScript because it is used by hackers is not a solution. It is a temporary workaround for a specific problem that may not as yet have been addressed by the browser maker. Further, setting your browser to prompt you when accessing a site that uses JavaScript soon becomes tiresome indeed for those who frequently access sites that do use it. They soon turn off the prompt. Additionally, there is no security issue concerning JavaScript except when accessing "malicious" sites as Microsoft has so often pointed out in its KB articles detailing how the user can become vulnerable to JavaScript exploits.

Those "malicious" sites are sites deliberately set up by hackers to which the user must be lured usually by a link in an email message, file sharing sites and blogs that have been hacked.

If you are going to disable an accepted feature of many internet sites, then you might as well stay off the internet altogether.

Exactly Correct! Your Habits Aren't Everyone's..

In reply to: Your Habits Not Necessarily Everyone's

I read correctly from your statement about Marianna's suggestion: "You do NOT want to advise people to disable JavaScript." I've already made my point that almost all JavaScript enabled browsers have, at one point or another, done exactly that..they've advised people to "harden" their browser security settings by disabling JavaScript. That's EXACTLY the point here..to make them so they "will not respond correctly." You may not choose to make the changes because of YOUR habits, but the advice isn't incorrect or bad.

There's also a problem with your defining of "malicious" sites. Those sites can change quickly and who knows when it's going to happen.. A number of well known "good" sites have been hacked and turned into "malicious" sites.. Although generally corrected quickly, the first to notice the vulnerability are those with the least hardened browser.

Unfortunately, sometimes those "workarounds" can become "solutions" because the browser maker refuses to patch various vulnerabilities. (Note Microsoft in particular.)

"How is the user to know that the site is not working properly because he has disabled it?" Easy..Pay attention.. There are lots of options available. If you don't want to harden your browser and if you need to visit a financial site or Windows Updates, or such, that requires Scripting, use Internet Explorer with all the medium settings allowed. Use it on a limited basis only.. For all other surfing, use something like Firefox, Opera, etc. with JavaScript disabled... Or maybe you're experienced enough to know when you're going to venture into "shark infested waters" and you can disable it then.. Lots of options for various habits and experiences.

"If you are going to disable an accepted feature of many internet sites, then you might as well stay off the internet altogether." We hear this particular statement a lot from those that don't want to take the appropriate security steps. I repair their computers as a side business and I make pretty good money at it too.

And yet for example, a number of browsers don't use ActiveX, or allow pop-ups..etc. There must be a reason why the browser creators have chosen to disable such..all of which block "accepted" features from many internet sites. Surfing habits will cause one user to accept a security setup that another user won't.

Please remember that there are a number of different types of users that visit these forums, from newbies to advanced, and each one has a different perception of how much "risk" to take while surfing.

Hope this helps.

Grif

Your Point?

In reply to: Exactly Correct! Your Habits Aren't Everyone's..

“I've already made my point that almost all JavaScript enabled browsers have, at one point or another, done exactly that..they've advised people to "harden" their browser security settings by disabling JavaScript.”

No browser maker has ever recommended that JavaScript be disabled on a permanent basis. To do so would be to recommend that an ever more common feature of the web be disabled. They have recommended only that it be disabled temporarily on those occasions when a known exploit is already in the wild, but no definition or patch is yet available for it.

“There's also a problem with your defining of "malicious" sites. Those sites can change quickly and who knows when it's going to happen.”

There is no problem with my definition of malicious sites. They are exactly what I have mentioned. Nor is it true that a number of good sites have been hacked. Of course that depends on what you consider good sites. You probably consider “social” sites to be good sites for example if only based on their popularity. Yet those sites along with file sharing sites, despite their popularity, are exactly the sites notorious for being hacked. Kazaa was a very popular site and yet one of the greatest offenders. The really good sites, those that are hosted by well known large corporations have never been hacked despite all the scare rumors to the contrary.

“Unfortunately, sometimes those "workarounds" can become "solutions" because the browser maker refuses to patch various vulnerabilities. (Note Microsoft in particular.)”

You are a victim of nonsense rumors. The only alleged vulnerabilities Microsoft has not offered a patch for are those that require active intervention by the user before they can even be exposed to the exploit and that active intervention does not include simply accessing a site. Again, those are facts. Only the tiresome anti-Microsoft types believe otherwise.

“And yet for example, a number of browsers don't use ActiveX, or allow pop-ups..etc. There must be a reason why the browser creators have chosen to disable such..all of which block "accepted" features from many internet sites.”

Again, you are mistaken. Blocking popups is an option in every browser, although in some the option to block is the default. You need to get your facts straight. ActiveX is not allowed in most browsers precisely because it is NOT a common feature on web sites, while JavaScript is despite your denial.


“We hear this particular statement a lot from those that don't want to take the appropriate security steps. I repair their computers as a side business and I make pretty good money at it too.”

Your security steps are not appropriate except in those cases I have already mentioned - when an exploit already exists in the wild, but not yet covered by patches or definitions. Your steps are rather like using a sledge hammer to swat a fly. You are going to extremes in recommending a blanket approach that will only cause unnecessary problems for users by disabling a widely used feature in web sites - and despite your claims, it is a widely used feature. If I were to disable JavaScript, I could no longer use any of my financial sites. But perhaps you don't use such sites. But I do, every day. So do many others.

We will have to agree to disagree on this issue. Frankly, on the basis of your posts on this issue, if you were to come to my place and make such a recommendation, it would be your last visit. But then I have never employed anyone to service my computers. There is nothing they can do that I am not already aware of. At that, when encountering such people on certain web sites, I sometimes disagree with their advice. And to good effect. I have been using computers since DOS days and have never, ever, experienced malware of any kind on any of the computers I have used. The worst I have ever had were ad tracking cookies and about those I couldn't care less.

Ah..You've Given Us Clues..

In reply to: Your Point?

"But then I have never employed anyone to service my computers. There is nothing they can do that I am not already aware of."

"I have been using computers since DOS days and have never, ever, experienced malware of any kind on any of the computers I have used."

Yep, indeed. Further discussion is pointless.

"We WILL have to agree to disagree on this issue."

http://blog.washingtonpost.com/securityfix/2006/08/javascript_attacks_on_steroids.html

http://reviews.zdnet.co.uk/software/internet/0,39024165,39281434,00.htm

Hope this helps.

Grif

Re: Wrong..Personal Choice Depending on Habits..

In reply to: Wrong..Personal Choice Depending on Habits..

In your answer you said:
"As a result, temporarily disabling JavaScript (or at least setting it to "Prompt") is an excellent way to prevent those type of vulnerabilities from causing a problem. If I remember correctly"
Just how do you set it to prompt you?

Setting To Prompt...

In reply to: Re: Wrong..Personal Choice Depending on Habits..

In Internet Explorer, click on "Tools", choose "Internet Options", then click on the "Security" tab. When that loads, click on the "Internet" icon (the world globe), then click on the "Custom Level" button. When that loads, scroll to the "Scripting" section and select "Prompt" in the "Active Scripting" option. (Just to be sure, select "Prompt" in the "Scripting of Java applets" section as well.) Click on OK, then choose "Yes/OK" when it asks: "Are you sure?". Then click on Apply, then OK, etc.

This same procedure can be used for other controls in Internet Explorer such as ActiveX, etc.

I'm not familiar with a method to "Prompt" in Netscape but it is a JavaScript enabled browser so there should be a way to at least disable it.. For Firefox, I only know of a method to temporarily disable it.. Open FF, click on "Tools", then "Options", then click on the "Content" tab. UNCHECK the box next to "Enable JavaScript".

Remember though.. As mentioned elsewhere in this discussion, if you frequently go to websites that use JavaScript, you'll get a number of Prompts to get rid of. You'll find out fast which ones those are. In my case, because I don't surf with Internet Explorer much, it's not a problem. I choose "NO" when the prompt comes up..(I place "Trusted" sites in the "Trusted Sites" section of Internet Options so the prompt doesn't pop up.)

Hope this helps.

Grif

Re setting to prompt

In reply to: Setting To Prompt...

Grif, thanks. For the life of me I couldn't remember how to set it up so it would prompt me. I know sometimes I'm going to regret setting it this way, but it may be for the better.
Believe it or not, I switched from Netscape to Explorer a long time ago when Netscape was so hard to manage, and I'm not that savvy on Firefox, so I'm waiting till Explorer goes the way Netscape did back in the 90's, and it will. One day it will get so top heavy I'll have to switch to something easier and smarter. It's the way of the web, but not just yet. But thanks for your reply. Happy
Grayfrier
