A serious new vulnerability that can allow attackers to hack
a browser window is a threat to a variety of browsers and platforms. There are
patches available for some browsers but, at the time this was written, there was
no known fix for other browsers. This is a new threat and may be ignored by
some IT pros who might mistake this for a repeat of other recent browser


Secunia Research has announced a
newly discovered window-injection vulnerability that can let attackers inject
information into an open browser window. The most important concern is that
this vulnerability can be used to spoof secure sites.

This is especially dangerous because it doesn’t just affect Microsoft’s
Internet Explorer (CAN-2004-1155), but also KDE Konqueror (CAN-2004-1158),
Opera (CAN-2004-1157), Mozilla Firefox (CAN-2004-1156), and even Apple Safari
(CAN-2004-1122). Those are the links to SecurityTracker.com

Some initial reports caused confusion over which browsers
are affected and whether there is more than one very similar threat, but there
are definitely two different vulnerabilities that pose similar dangers.

Making things more difficult for IT professionals, there was
also a similar-sounding frame-injection vulnerability reported in June 2004. As
a result, some IT pros may think they have already addressed this new threat.
Secunia Research reported
that the frame-injection vulnerability also affects most brands and versions of
Internet browsers. That earlier vulnerability also allows a remote attacker to
cause the browser window to display arbitrary content and can therefore be used
to spoof sites.

Secunia lists separate Mitre vulnerability codes for the frame-injection
threat, in addition to those listed above, because it was a different
vulnerability. The following links relate to the earlier frame-injection
vulnerability, which has similar dangers: Internet Explorer (CAN-2004-0719); Opera (CAN-2004-0717); Mozilla, Firefox, and Netscape (CAN-2004-0718); Safari (CAN-2004-0720); and KDE Konqueror (CAN-2004-0721).

Secunia has made available a demonstration site to help you
determine if your browser version is vulnerable. Go here
for the test and more details about the new threat.


It is important to note that the vulnerabilities are tied to
the browser version, not any particular version of the operating system(s) it
runs on. Also, the list below is almost certainly incomplete since more
browsers were added while this list was being compiled. Unless you conduct both
tests yourself using the Secunia or other test sites, you can’t be certain you
aren’t vulnerable just because your specific browser version isn’t listed
below. Here are the browsers and systems known to be affected:

  • Microsoft Internet Explorer (Windows) versions 5 and 6 and IE for Mac
    version 5.2.3. Specifically, the new threat has been confirmed on a fully
    patched XP SP1 and SP2 system running IE 6.
  • Apple Safari (OS X) version 1.x
  • KDE Konqueror (Linux) version 3.2.2
  • Mozilla Firefox (Windows, Unix, and Linux) version 0.x and 1.0
  • Mozilla versions 0.x through 1.6
  • Netscape versions 6.x and 7.x
  • Opera (BeOS, Linux, MacOS, QNX, FreeBSD, OS X, and Windows) versions 7.50
    (Linux) and 7.51 (Windows) as well as versions 5.x, 6.x, and 7.x for
    various platforms.
  • Solaris (SunOS and Windows) version 7.54
  • OmniWeb version 5.x
  • Camino version 0.x

Secunia reports that these versions: Mozilla Firefox 0.9 and
later, Mozilla 1.7, Opera 7.52, Netscape 7.2, and Camino 0.8 (build 2004062308)
are not vulnerable to the earlier frame-injection threat.

Risk level – Moderate to Severe

Exploits of either of these vulnerabilities would probably
not be detectable and could allow an operator of a malicious site to possibly
spoof a secure site and gather any information a user would enter on the spoofed
site, including financial information.

Mitigating factors

The attacker must be able to determine the open browser
window’s target address for the window-injection threat.

Fix – Apply patches where available

For those browsers that don’t have any workaround or patch
available for one or both of these vulnerabilities, you should keep updated on
any vendor announcements. Also, be aware that patching one of these
vulnerabilities probably won’t fix the other, so be certain whether one or both
are fixed by any vendor patches.

  • Apple has provided a Safari patch in Security Update 2004-12-2 for
    OS X 10.3.6 Client and Server as well as OS X 10.2.8 Client and Server.
    The downloads range from 16 to 24 megabytes in size. This is a major set
    of patches and may fix both problems, but I suggest you verify this for
    yourself. Secunia has a page devoted to this Apple
  • Microsoft Windows Internet Explorer – No fix available for the
    window-injection
  • KDE Konqueror – No fix available for the window-injection
    vulnerability but there is a patch for the frame-injection flaw
  • Mozilla Firefox – No fix available for the window-injection vulnerability
  • Opera – No fix available for the window-injection
  • OmniWeb – No fix available for the window-injection vulnerability

Final word

This problem is really complicated by the fact that there
are two completely separate “injection” threats here, making it difficult to
patch, difficult to be certain you are patched, and difficult to decide whether
you need to patch because your browser version isn’t affected.

As for what to do about this threat in the meantime, I
haven’t a clue what advice to offer other than to use caution when accessing
“secure” sites and not to have any other browser windows open at the same time
– that provides some protection (perhaps complete protection) against the
frame-injection threat, but not the window-injection vulnerability. Switching
browsers or using Linux obviously aren’t useful options in this case since all
platforms and most browsers are vulnerable to one or the other or both threats.

Also watch for …