A serious new vulnerability that lets attackers inject content into an open browser window threatens a variety of browsers and platforms. Patches are available for some browsers but, at the time this was written, there was no known fix for others. This is a new threat and may be ignored by some IT pros who mistake it for a repeat of other recent browser warnings.
Secunia Research has announced a newly discovered window-injection vulnerability that lets attackers inject information into an open browser window. The most important concern is that this vulnerability can be used to spoof secure sites.
This is especially dangerous because it affects not just Microsoft Internet Explorer (CAN-2004-1155) but also KDE Konqueror (CAN-2004-1158), Opera (CAN-2004-1157), Mozilla Firefox (CAN-2004-1156), and even Apple Safari (CAN-2004-1122). Those are the links to the SecurityTracker.com reports.
Some initial reports caused confusion over which browsers are affected and whether there is more than one very similar threat, but there are definitely two different vulnerabilities that pose similar dangers.
Making things more difficult for IT professionals, there was also a similar-sounding frame-injection vulnerability reported in June 2004. As a result, some IT pros may think they have already addressed this new threat. Secunia Research reported that the frame-injection vulnerability also affects most brands and versions of Internet browsers. That earlier vulnerability also allows a remote attacker to cause the browser window to display arbitrary content and can therefore be used to spoof sites.
Secunia lists separate Mitre vulnerability codes for the frame-injection threat, in addition to those listed above, because it is a distinct vulnerability. The following links relate to the earlier frame-injection vulnerability, which poses similar dangers: Internet Explorer (CAN-2004-0719); Opera (CAN-2004-0717); Mozilla, Firefox, and Netscape (CAN-2004-0718); Safari (CAN-2004-0720); and KDE Konqueror (CAN-2004-0721).
Secunia has made available a demonstration site to help you determine if your browser version is vulnerable. Go here for the test and more details about the new threat.
It is important to note that the vulnerabilities are tied to the browser version, not any particular version of the operating system(s) it runs on. Also, the list below is almost certainly incomplete since more browsers were added while this list was being compiled. Unless you conduct both tests yourself using the Secunia or other test sites, you can't be certain you aren't vulnerable just because your specific browser version isn't listed below. Here are the browsers and systems known to be affected:
- Microsoft Internet Explorer (Windows) versions 5 and 6 and IE for Mac version 5.2.3. Specifically, the new threat has been confirmed on fully patched XP SP1 and SP2 systems running IE 6.
- Apple Safari (OS X) version 1.x
- KDE Konqueror (Linux) version 3.2.2
- Mozilla Firefox (Windows, Unix, and Linux) versions 0.x and 1.0
- Mozilla versions 0.x through 1.6
- Netscape versions 6.x and 7.x
- Opera (BeOS, Linux, MacOS, QNX, FreeBSD, OS X, and Windows) versions 7.50 (Linux) and 7.51 (Windows) as well as versions 5.x, 6.x, and 7.x for various platforms.
- Solaris (SunOS and Windows) version 7.54
- OmniWeb version 5.x
- Camino version 0.x
Secunia reports that the following versions are not vulnerable to the earlier frame-injection threat: Mozilla Firefox 0.9 and later, Mozilla 1.7, Opera 7.52, Netscape 7.2, and Camino 0.8 (build 2004062308).
Risk level – Moderate to Severe
Exploits of either of these vulnerabilities would probably not be detectable and could allow the operator of a malicious site to spoof a secure site and gather any information a user enters on the spoofed site, including financial information.
The attacker must be able to determine the open browser window's target address for the window-injection threat.
Fix – Apply patches where available
For those browsers that don't have any workaround or patch available for one or both of these vulnerabilities, you should keep updated on any vendor announcements. Also, be aware that patching one of these vulnerabilities probably won't fix the other, so be certain whether one or both are fixed by any vendor patches.
- Apple has provided a Safari patch in Security Update 2004-12-2 for OS X 10.3.6 Client and Server as well as OS X 10.2.8 Client and Server. The downloads range from 16 to 24 megabytes in size. This is a major set of patches and may fix both problems, but I suggest you verify this for yourself. Secunia has a page devoted to this Apple patch.
- Microsoft Windows Internet Explorer – No fix available for the window-injection vulnerability
- KDE Konqueror - No fix available for the window-injection vulnerability but there is a patch for the frame-injection flaw
- Mozilla Firefox – No fix available for the window-injection vulnerability
- Opera – No fix available for the window-injection vulnerability
- OmniWeb – No fix available for the window-injection vulnerability
This problem is really complicated by the fact that there are two completely separate "injection" threats here, making it difficult to patch, difficult to be certain you are patched, and difficult to decide whether you need to patch because your browser version isn't affected.
As for what to do about this threat in the meantime, I haven't a clue what advice to offer other than to use caution when accessing "secure" sites and not to have any other browser windows open at the same time – that provides some protection (perhaps complete protection) against the frame-injection threat, but not the window-injection vulnerability. Switching browsers or using Linux obviously aren't useful options in this case since all platforms and most browsers are vulnerable to one or the other or both threats.
Also watch for …
- RedHat has released an update for ImageMagick. See CAN-2004-0827 and CAN-2004-0981 for details of the threats.
- KDE has released a fix for threats addressed in KDE Security Advisory 20041209-1 and KDE Security Advisory 20041209-2. It is related to kfax; see CAN-2004-0803, CAN-2004-0804, CAN-2004-0886 and CAN-2004-1171.