Monday, December 13, 2004

Browser injection flaws affect multiple browsers and platforms

Two newly-revealed Web browser vulnerabilities, a window-injection flaw and a frame-injection flaw, could allow attackers to steal sensitive information. Unfortunately, IT pros will have a hard time mitigating the threats.

Secunia Research has announced a newly discovered window-injection vulnerability that can let attackers inject information into an open browser window. The most important concern is that this vulnerability can be used to spoof secure sites.

This is especially dangerous because it doesn't just affect Microsoft's Internet Explorer (CAN-2004-1155), but also KDE Konqueror (CAN-2004-1158), Opera (CAN-2004-1157), Mozilla Firefox (CAN-2004-1156), and even Apple Safari (CAN-2004-1122). Those are the links to SecurityTracker.com reports.

Some initial reports caused confusion over which browsers are affected and whether there is more than one very similar threat, but there are definitely two different vulnerabilities that pose similar dangers.

Making things more difficult for IT professionals, there was also a similar-sounding frame-injection vulnerability reported in June 2004. As a result, some IT pros may think they have already addressed this new threat. Secunia Research reported that the frame-injection vulnerability also affects most brands and versions of Internet browsers. That earlier vulnerability also allows a remote attacker to cause the browser window to display arbitrary content and can therefore be used to spoof sites.

Secunia lists different Mitre vulnerability codes for the frame-injection threat in addition to those listed above, and this was a different vulnerability. The following links relate to the earlier frame-injection vulnerability, which has similar dangers: Internet Explorer (CAN-2004-0719); Opera (CAN-2004-0717); Mozilla, Firefox, and Netscape (CAN-2004-0718); Safari (CAN-2004-0720); and KDE Konqueror (CAN-2004-0721).

Secunia has made available a demonstration site to help you determine if your browser version is vulnerable. Go here for the test and more details about the new threat.


From TechRepublic — free membership
http://techrepublic.com.com/5100-6264_11-5487760.html?tag=fdnew
