Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Internet Explorer Mozilla Netscape The Internet IT

Big Day For Browser Vulnerabilities 429

An anonymous reader writes "All browsers have been reported vulnerable to different vulnerabilities today. Starting with: Internet Explorer on XP SP1/SP2, which suffers a new system compromise (of course) vulnerability. Continuing with: Opera, Mozilla / Mozilla Firefox / Camino, Safari, Netscape, Konqueror, Avant Browser and Maxthon, which all suffers some new spoofing vulnerabilitities. Demonstrations of the spoofing vulnerabilities are available here and here."
This discussion has been archived. No new comments can be posted.

Big Day For Browser Vulnerabilities

Comments Filter:
  • by jea6 ( 117959 ) on Wednesday October 20, 2004 @10:02AM (#10575394)
    Stop the presses.

  • by byolinux ( 535260 ) * on Wednesday October 20, 2004 @10:02AM (#10575397) Journal
    So, a fairly common problem in all browsers bar IE (does it affect those browsers that embed IE to give tabs?)

    Possibly solutions that I've just thought up (for discussion)

    • Make the website launching any JavaScript event appear in the foreground
    • Make every dialog box give security information about the website it's from, if the website it's from is not the currently displayed tab.
    • Suspend various types of JavaScript until the tab is foremost again, but display a 'requires your attention' icon (I call shotgun on a panda [pandasecurity.com] for this)


    While they're fixing this, if all browser makers could make sure there's an option to stop websites resizing my browser, that'd be lovely. I know Moz has this, so it can't be hard for everyone to have it.
    • I know Moz has this, so it can't be hard for everyone to have it.

      And while they are at it, how about fixing what ever is letting websites open an add window when I close them, even though I have all the "Allow websites to..." options turned off.
    • Very funny - am I glad I'm working from home today... Damn near deafened me though :-)
    • Konqueror (Score:2, Informative)

      by inc_x ( 589218 )
      > Make the website launching any JavaScript event appear in the foreground

      That's indeed how Konqueror has fixed this in KDE 3.3.1.
      • Nice.

        Perhaps now they can start taking some of the changes Apple have given them. Lots of very simple JavaScript events just don't work in Konq that work in Safari/WebCore.
    • Options 4 and 5. (Score:3, Insightful)

      by argent ( 18001 )
      Option 4: Don't allow webpages to open dialog boxes from Javascript. The only time I've seen this as being useful is for optional client-side form validation, and there are other ways to provide the same functionality (for example, using CSS to bring up the message in the same page).

      Option 5: Don't allow webpages to open windows without decorations. This is occasionally useful, but it's routinely abused by everything from pop-up ads to control-freaks who just don't want you to see how their site is structu
    • by CXI ( 46706 ) on Wednesday October 20, 2004 @10:37AM (#10575781) Homepage
      I would be more in favor of a tab not opening a dialog or firing any other events until it becomes active again. Allowing tabs to gain focus without user intervention has the potential to be annoying as hell. For example, an ad on a page could keep popping that tab to the front for you to see it. Ugh.
      • by argent ( 18001 ) <peter@@@slashdot...2006...taronga...com> on Wednesday October 20, 2004 @11:52AM (#10576706) Homepage Journal
        I would be more in favor of a tab not opening a dialog or firing any other events until it becomes active again

        That would alleviate the real problem slightly, but it wouldn't begin to address the general problem that javascript is given too much detailed control over the user interface. There are other ways to spoof websites, if you can get between the site and the user in any fashion.

        Basically, window creation should be under the user's control. It should always be obvious that any browser window, whether it's a dialog box or a pop-up window, is a browser window. It should have enough decorations to make sure you can't confuse it with a local application. Resizable windows and dialog boxes should be optional in all browsers if they're available at all, so that web designers have an incentive to create sites that work completely in a standard window.
  • Guess we're all getting pwnXored today, Windows, Linux and Mac.
  • by networkBoy ( 774728 ) on Wednesday October 20, 2004 @10:04AM (#10575413) Journal
    it's just that IE is so tied to the OS that when it goes down so does the whole 'puter
    -Nb
  • Phew! (Score:5, Funny)

    by acehole ( 174372 ) on Wednesday October 20, 2004 @10:05AM (#10575425) Homepage
    Lynx missed out!

  • by chjones ( 610558 ) <<chjones> <at> <aleph0.com>> on Wednesday October 20, 2004 @10:07AM (#10575440) Homepage Journal
    All browsers have been reported vulnerable to different vulnerabilities today.

    I use Lynx [isc.org], you insensitive clod!

    CDJ
    • by byolinux ( 535260 ) * on Wednesday October 20, 2004 @10:09AM (#10575471) Journal
      I use Lynx [isc.org], you insensitive clod!

      Must you post in HTML? I use telnet to fetch/post my web traffic you insensitive clod! It's people like you who clog up the web! ;)

      • by jellomizer ( 103300 ) * on Wednesday October 20, 2004 @10:17AM (#10575566)
        I use telnet to fetch/post my web traffic you insensitive clod!

        Y ME 2 BUT MY IP/OP IS ALL ON PNCH CRDS IT PPLE LKE U WHO CLG UP THE WEB
      • Must you post in HTML? I use telnet to fetch/post my web traffic you insensitive clod! It's people like you who clog up the web! ;)

        You use telnet? Ah, the luxury. I have to use the uucp store-and-forward mechanism to access the web. I'm lucky if I can get a page to load in under 5 minutes!
        • D'oh. Modem is smoking, better get offline... can someone please fax me the web? QUICK! BEFOR...

          +++ATH
          NO CARRIER
        • Wow, Everyone doesn't use gopher???
        • Wow, you use uccp? That's lucky. I've got an antique Chinese abacus that I use to help me convert from digital information to text. Playing Doom is kind of difficult, but Space Invaders works. I move the pieces and my brother throws rocks at it.

          On the upside, there is a phone line a few miles away, and I can whistle at 75 baud.

          Of course, this was my one Slashdot post for the year, since it will take me another year just to get through the next article.
      • by mikael ( 484 )
        I get all my downloads from a CD-ROM delivered by snail-mail, which is then fetched by my dog and delivered onto my lap, without me ever leaving my armchair or having to use broadband.
  • I need to pull the plug! I gotta get off the net!
    someone is going to steal all my PORN!

    So, what now? I guess I pull this cord right her....

  • by nounderscores ( 246517 ) on Wednesday October 20, 2004 @10:08AM (#10575455)
    I guess the best defense is a good slashdotting.
  • by 99BottlesOfBeerInMyF ( 813746 ) on Wednesday October 20, 2004 @10:09AM (#10575466)
    I just tried the exploit demonstration for Safari, but it did not work. The active tab switched back to the one providing the pop-up, not the target site. Did anyone else try it and have it work?
    • by Anonymous Coward
      In Firefox, the active tab also switched back. Also, I could not enter anything in the Zip Code box anyways. Yeah, it showed up in the "look what you typed" box on the first page, but wouldn't somebody notice that none of what they typed was being displayed in th Zip code box?
    • by droleary ( 47999 ) on Wednesday October 20, 2004 @10:50AM (#10575937) Homepage

      I just tried the exploit demonstration for Safari, but it did not work. The active tab switched back to the one providing the pop-up, not the target site. Did anyone else try it and have it work?

      It switched back for me, too, when using tabs, but not when I opened the URL in another window. It doesn't much matter, though, because I think the point is supposed to be that the dialog could say "Citibank needs your SSN to access your account on our site" and 90% of the people would only know that they just opened the URL, so they'd assume it was related to that page. What's great for the Mac is that there is already an interface element Apple can use to address this issue: the sheet [apple.com]!

  • by WIAKywbfatw ( 307557 ) on Wednesday October 20, 2004 @10:09AM (#10575467) Journal
    Slashdotted already. Would it kill the editors to, you know, edit and provide brief outlines of the stories they're linking to, especially in the case of stories on third party sites that they know will most likely not stand a slashdotting?
  • It's a clever one. (Score:5, Interesting)

    by jimicus ( 737525 ) on Wednesday October 20, 2004 @10:09AM (#10575473)
    For those who can't be bothered to RTFA, the Mozilla vulnerability is essentially a standard link with an "onMouseOver" bit which runs a little piece of JavaScript.

    The JavaScript pauses for a few seconds (while you presumably get distracted by another page) then flashes up a "Please enter some text" dialogue box.

    A similar effect could be achieved by calling the JavaScript on pretty much any event; the vulnerability relies on it being unclear which site caused the dialogue box to pop up. I can see how it could be classed a vulnerability, but it's hardly earth shattering.
    • For those who can't be bothered to RTFA...

      Or those who can't get to it because it's slashdotted...

      On behalf of those of use who can't read it yet, we thank you for the summary.

      We also chastise you for both your condescending attitude and your not posting the article.
    • by stromthurman ( 588355 ) on Wednesday October 20, 2004 @10:18AM (#10575584)
      While I agree with that sentiment on the first exploit (though it would be nice if the parent of the dialog box were displayed when the dialog box is displayed, if the parent is not already active), the second one is a bit more serious.
      A form element should not be allowed to steal the focus when it's parent is not active. With a fairly simple timer (like the ones this guys already using), a javascript ...script, could call document.myform.submit after a few minutes to harvest all of the text entered in another page.
      Forms should be strictly tied to their containers, and focus requests should be restricted only to the currently active window/tab/whathaveyou. I suspect that the reason this is an issue is because technically the form and the citibank page are both in the same window, the tabs are merely controlling what components are visible at any given point in time.
    • A quick, easy, and usually painless solution to this is just to bring the tab with the active javascript into focus.

      You'd of course only want this for certain events (alerts being chiefest among them...).
  • all URLs slashdotted already

    don't peopole never learn a thing ? and they xcall themselves a security company.
  • For Windows Firefox users: Tools -> Options... -> Advanced icon (left side) -> Software update section -> Check Now button
  • I don't get it... (Score:2, Informative)

    by Anonymous Coward
    Using Safari 1.2, the tab where the JavaScript dialog is coming from is activated when the dialog shows up. Nothing unsecure there. I can _see_ that this is not a CitiBank pop-up.

    Anybody care to explain to me?

    --
    kTag
  • From TFA,
    Solution:
    Don't visit untrusted sites while visiting trusted ones.

    In other words, don't visit untrusted sites?

    Now what am I going to do -- how am I supposed to reply to my email?

  • Vulns text... (Score:5, Informative)

    by byolinux ( 535260 ) * on Wednesday October 20, 2004 @10:14AM (#10575538) Journal
    For Apple's Safari browser

    Description:
    Secunia Research has discovered a vulnerability in Safari, which can be exploited by malicious web sites to spoof dialog boxes.

    Inactive windows can launch dialog boxes so they appear to be displayed by a web site in another window. This can be exploited by a malicious web site to show a dialog box, which seems to originate from a trusted web site.

    Successful exploitation would normally require that a user is tricked into opening a link from a malicious web site to a trusted web site in a new window.

    A test is available here:
    http://secunia.com/multiple_browsers_dialog _box_sp oofing_test/

    The vulnerability has been confirmed in Safari 1.2.3 (v125.9). Other versions may also be affected.

    Solution:
    Don't visit trusted web sites while visiting untrusted web sites or disable JavaScript.

    And for IE

    Description:
    http-equiv has discovered two vulnerabilities in Internet Explorer, which can be exploited by malicious people to compromise a user's system, link to local resources, and bypass a security feature in Microsoft Windows XP SP2.

    1) Insufficient validation of drag and drop events from the "Internet" zone to local resources for valid images or media files with embedded HTML code. This can be exploited by e.g. a malicious web site to plant arbitrary HTML documents on a user's system, which may allow execution of arbitrary script code in the "Local Computer" zone.

    This vulnerability is related to:
    SA12321

    NOTE: Microsoft Windows XP SP2 does not allow Active Scripting in the "Local Computer" zone.

    2) A security zone restriction error, where an embedded HTML Help control on e.g. a malicious web site references a specially crafted index (.hhk) file, can execute local HTML documents.

    NOTE: This will also bypass the "Local Computer" zone lockdown security feature in SP2.

    The two vulnerabilities in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files can be exploited to compromise a user's system. This has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.

    Solution:
    Disable Active Scripting or use another product.
    • Re:Vulns text... (Score:3, Informative)

      Ok, that's odd. I'm using Safari 1.2.3 (v125.9) on OS X 10.3.5 and the test doesn't work as described for me. I keep getting switched back the the Secunia tab when the dialog box pops up, not staying on the Citibank page as warning suggests. Anyone else seeing this behavior?

      I have just three tabs open: This /. article, the Secuna advisory, and the Citibank page. (I opened the Citibank page by right-clicking the link in the Secunia page. I had to open the Secunia page with a command-T and then cut-n-p
  • by Gadzinka ( 256729 ) <rrw@hell.pl> on Wednesday October 20, 2004 @10:15AM (#10575542) Journal
    Seems like all the vulnerability reports are vulnerable to reporing them on /.

    Robert
  • Safari 1.2.3 (Score:2, Informative)

    by RaisinBread ( 315323 )
    Inactive windows can launch dialog boxes so they appear to be displayed by a web site in another window.

    When I tried this in Safari 1.2.3, the browser switched back to the test page as it gave me the phony dialog box. The Citibank page was only visible for a second or two before Safari switched back to the exploit test page.

    Doesn't seem to be a problem here... ?
  • by AbbyNormal ( 216235 ) on Wednesday October 20, 2004 @10:17AM (#10575565) Homepage
    Spoofing Demo 0
    Slashdot 1

    Take that you evil spoofers!
  • Tabs bug explained (Score:5, Insightful)

    by Tom ( 822 ) on Wednesday October 20, 2004 @10:17AM (#10575571) Homepage Journal
    Essentially, it's an interface error. The problem seems to be that dialog boxes don't explain which tab they belong to.

    So with some creative coding, properly guessed/estimated delays, you can create the impression that dialog box A belongs to tab X, while it's actually from tab Y.

    I'm not sure if it's restricted to tabs. Can't get to the demo sites anymore as they're /.'ed, but I wouldn't be surprised if it works just as well for opening the external site in a new window.
  • Mozilla*.* (Score:3, Informative)

    by ParnBR ( 601156 ) on Wednesday October 20, 2004 @10:17AM (#10575572) Homepage
    Although they list Mozilla*.* vulnerabilities as not very serious, they must be acknowledged anyway. One is fairly trivial, I've seen it many times: typing in a text box in a tab may send keypresses to a text box in another tab. It happens when I open many tabs at once; the last tab to load usually steals the focus. It's a minor annoyance, though, and can be easily noticed looking at the screen, since typing doesn't appear where it should. However, spoofing dialog boxes can be more serious. Although suspending script execution in inactive tabs could solve this problem, it can break other things.

    At any rate, I'm fairly confident this will be solved in a sensible way by Mozilla*.* developers.
  • by ESqVIP ( 782999 ) on Wednesday October 20, 2004 @10:20AM (#10575608)
    This was already filed as bug 124750, and has already been fixed. I'm using a 2004-10-19 build, and I can assure I already tested it.

    As I can't link bugzilla form Slashdot... go to http://bugzilla.mozilla.org/ and type in there the bug number. (None: it's not marked there as FIXED, but you should look at the "fixed-aviary1.0" keyword, which is what matters for Firefox 1.0)

  • the javascript is displayed when another tab is in focus and seems to appear from another tab. This is a usability problem anyways because you should have a way of knowing where the JS popup comes frome exactly.
  • I am using "telnet 80" from now on... and if by chance that is vulnerable I'll write my own minimal telnet client... so what... my eyes will bleed of html tags and other cruft... ok so where do I get a ssl capable telnet client so that I can do my online banking?

    SIMPLICITY FOLKS!!!

    Less features is better.
  • by freelunch ( 258011 ) on Wednesday October 20, 2004 @10:25AM (#10575657)
    Because the complexity and importance of our web browsers continues to increase, security of those applications will never be "solved" or "fixed".

    Other steps must be taken to deal with these issues. What we can do is treat the symptoms.

    For those using Linux or UNIX, privilege separation (running the browser process as a user ID that has limited rights) and a chroot jail would be major steps forward.

    I believe the browser projects need to work with the community to support that type of runtime configuration.. Before a big nasty vulnerability does damage.

    Chroot, in particular, is very tricky.
    • How would this help against URL spoofing?

    • chroot for a browser seems a bit extreme... It's a lot of effort and I think the following offers similiar protection for a lot less work.

      Create a disposable unprivledged account "luser".
      From your primary user account enter at the shell prompt:

      $ xhost + local:
      $ su luser
      (enter password)
      $ mozilla &

      You can keep a publicly readable download directory in that account to retreive files you downloaded. Otherwise "luser" should have no access to other user files anywhere else, and that account can be easily
  • by Anonymous Coward on Wednesday October 20, 2004 @10:25AM (#10575662)

    This is an excellent example of two facts:

    • All software suffers security problems, and many of the security holes are actually just unintended side effects of useful features; and
    • Microsoft's software is much, much worse than the rest, because it's plagued by old design decisions that make it easy to turn a minor security problem into a remote root exploit.

    Here's what the vulnerabilities are:

    In all the non-IE browsers, there's a potential issue with how tabbed browsing works. Basically, the problem is that stuff on tabs other than the active tab can still (a) pop dialogs and (b) have the keyboard focus. It's pretty clear that (b) is just a problem that should be fixed, because although it's possible to concieve of a circumstance where a user would want to look at one tab while typing into a box on another, it's clearly way too surprising and not nearly useful enough to be allowed. But (a) is more interesting. It's a side effect of the fact that pages continue functioning in all ways even when they're not the active tab. This includes running Javascript/Java/Flash programs, loading, rendering, etc. And that's a good and useful thing. But when a background tab pops a dialog, it may appear to the user that the dialog was created by the active page. If the user trusts one page more than the other, that can lead to problems.

    The solution to this dialog-popping problem isn't obvious. Perhaps dialogs need to be labeled with the name of the site that created them. Perhaps some other solution. But it will be worked on, even though the risk is fairly small.

    The IE vulnerability is very different in that it's a system compromise flaw. It's similar in one way, though: it's caused by a subtle interaction of features. In this case, dragging and dropping of image or media files with embedded HTML code, which may be malicious. This malicious code isn't a problem, really, because IE is security-conscious and won't execute it -- except that Microsoft has that terrible "security zones" design feature. Once the malicious code is moved from the "Internet" zone to the "Local Computer" zone, the code will be executed. What makes it especially funny is that Microsoft fixed this problem in SP2 by changing the Local Computer zone so tht it will no longer execute Active Scripts. But yet another bug in the security zones can be exploited to bypass that "problem" so SP2 is vulnerable as well.

    Security flaws are everywhere, but what really kills Microsoft is their rash of bad design decisions in the past, turning little holes into remote root exploits. They're getting better, I believe, but it's going to be a long hard road for them to patch all of the problems that are created by their bad design decisions. It's too late, of course, to change the design. Too much depends on it.

    • Easy solutions (Score:3, Insightful)

      by billybob ( 18401 )
      There are two solutions that would be pretty easy I think, I'm not sure which would be better.

      a) Delay displaying alert() calls until the tab is activated by the user.

      b) When alert() is called, make the tab that called it become active automatically. This should provide a good visual cue of who it belongs to.

      I think I would prefer the first option just so I wouldnt be distracted by the alert() box until I was going to use that tab anyways.
  • ...for secunia.com, it's called /. effect!

  • by wowbagger ( 69688 ) on Wednesday October 20, 2004 @10:26AM (#10575667) Homepage Journal
    Don't visit trusted web sites while visiting untrusted web sites or disable JavaScript.


    Once again, for all you web masters out there who cannot code a simple <a href="foo"> without using Javascript:

    SOME OF US RUN WITH JAVASCRIPT DISABLED BY DEFAULT, FOR GOOD REASON!

    Yes, there are plenty of places where you CANNOT do what you need to do without Javascript - in those cases go ahead and use Javascript.

    But for a simple link to another page, or to an image, or to simply DISPLAY you site's content (I'm thinking of bone-headed sites like the International Herald Tribune here who use JS to display otherwise hidden text for their stories), USE HTML DAMNIT! OK, if you want to "enhance" (pronounced "clutter up with needless crap") you site by overriding those behaviors IF Javascript is enabled, knock yourselves out (preferably with a large mallet). BUT MAKE STANDARD HTML WORK AS WELL!

    Yes, you may WANT your image to be in its own window, without the standard decorations a browser will add. But if I have JS disabled, make the damn link just spawn a new window and be done with it.
    • by Dr_Ish ( 639005 ) on Wednesday October 20, 2004 @10:54AM (#10576003) Homepage
      The advice here is sound. There are all sorts of evil things that can be done with javascript. I know how to do some of them and I am one of the 'good guys'. Goodness knows what can be done by those who are less well intentioned. I always run with javascript disabled, simnple as that. Not only does this prevent the problem of pop-ups, it also keeps one safe from many other dangers. If a site requires javascript, then either I will simply not use it, or I will briefly enable javascript only as necessary. One of the reasons I do not own a Subaru, is due to their love of javascript, even though their cars are great. So, webmasters be aware, your choices can influence consumer habits!
  • Easy to work around (Score:2, Informative)

    by Todd Knarr ( 15451 )
    I note the vulnerability Secunia found in Mozilla et. al. is easy enough to block. It depends on onMouseOver triggers and the launchTimedPrompt() function. Block either of those via the capability.policy.* settings and the problem ceases. I'm tempted to add launchTimedPrompt() blocking across the board simply because no Web site has any business launching a delayed dialog box.
  • by museumpeace ( 735109 ) on Wednesday October 20, 2004 @10:49AM (#10575929) Journal
    after all, I love to bash poor Microsoft, but exhaustion is rapidly setting in here. I am what passes for a careful user: I don't use IE, I run the latest Mozilla, I use a firewall and anti-spyware and when its all said and done...not much gets done because I am fretting over yet another patch or vulenrability. I have sympathetic talks with my sysadmins but my family thinks I am the the Home Network Nazi.
    I feel like a small town policeman burried under a barrage of "sky-is-falling-alert-level-puce" faxes from the HomelandSecurity to be dealt with on zero budget.
    The color codes provided by Secunia are ,despite seeming like imitations of the nation's goofy alert color codes, a step in right direction. But what I want is an alert level made meaningful by contrasting it with risks I do understand: Since we perceive risk as a product of CHANCE_OF_OCCURANCE X COST_OF_OCCURANCE, I want a system where I can set a threshold for ignoring the drivel. The basis could be a chance_of_occurance = to my chances of a serious car accident on the way to work for instance [say its 1 in 5000] and the cost is monitarized in the range from 0$ to the 1.7million [or what ever it is] that the insurance industry pays out on average for a loss of life. ...if I am fithy rich, a vulnerability that opens my brokerage account could be > than loss of life but that is for me to set. All the stuff that falls below the threshold, I don't want to hear about, at least not more than once a year in a round-up batch of patches. Enough already!
  • MirrorDotting time (Score:5, Informative)

    by ggvaidya ( 747058 ) on Wednesday October 20, 2004 @11:00AM (#10576086) Homepage Journal
    1. Microsoft Internet Explorer [mirrordot.org]
    2. Opera [mirrordot.org]
    3. Mozilla Suite/Firefox [mirrordot.org]
    4. Netscape [mirrordot.org]
    5. Konqueror [mirrordot.org]
    6. Avant [mirrordot.org]
    7. Maxthon [mirrordot.org]

    Demonstrations of vulnerabilities: here [mirrordot.org] and here [mirrordot.org]

  • by kitzilla ( 266382 ) <paperfrog&gmail,com> on Wednesday October 20, 2004 @11:54AM (#10576729) Homepage Journal
    I left Javascript enabled in Konqueror, but set "open new windows" to "ask" in preferences and set the other JS policies to "ignore." Site displayed normally, and the spoofed text entry box didn't launch.
  • by Animats ( 122034 ) on Wednesday October 20, 2004 @12:50PM (#10577495) Homepage
    Browser windows are going to have to become hierarchical. If the code in window A causes the opening of window B, window B must be considered a child of window A. If window A closes, so must window B.

    This means popups can't survive their parents, which is probably a good thing.

    Visual parenting is needed, too. If the parent window is minimized or goes to the back, so should its child windows. Window headers should reflect the parent window's header.

    Child windows shouldn't be allowed to position themselves entirely outside of the parent window. They should have to overlap, at least marginally. (Strict users might turn on a mode where they have to overlap totally, like subwindows in an application.) This creates a visual association between the parent and child windows.

    With this, multiple window sites behave in a more tolerable manner.

  • by gelfling ( 6534 ) on Wednesday October 20, 2004 @01:10PM (#10577787) Homepage Journal
    We need to accept that all browsers are fundamentally broken and exposed and can't be fixed. We need therefore to understand security as that set of tools and behaviors that minimize our own exposures and risks with the understanding that Browsers, in fact all desktop tools are to some extent nothing more than Dreadnoughts and Maginot Lines too big and stupid to get out of their own way and only as effective as the stupidity of the attack that tries to hit them head on.

    The notion that browsers are exposed is really only relevant in term of what is exposed and how meaningful that exposure might be to you or your enterprise. If your browser gets hijacked - ok then what are you going to lose your bank account or credit card? Are you going to lose your health management PPO records? Are you going to go to jail when the FBI finds your kiddyporn? Or do you simply take other steps to protect yourself in the case when not if your machine is cracked and taken over.

  • by Balinares ( 316703 ) on Wednesday October 20, 2004 @01:21PM (#10577939)
    I tested the spoof vulnerability in Konqueror 3.3.1 (the latest).

    When displaying the popup, it 1) switched back to the tab that owns it, and 2) the popup clearly contained the server name "secunia.com".

    I was about to call this unhealthy sensationalism, but I haven't checked out older versions. Can anyone confirm the vulnerability in 3.3.0 and older? Thanks.
  • Firefox's tabs (Score:5, Informative)

    by dfj225 ( 587560 ) on Wednesday October 20, 2004 @02:20PM (#10578639) Homepage Journal
    The window from an unactive tab coming to the front in Firefox does not really seem like that big of a deal. I kind of like the fact that it does this. At work, the server needs to resart to load a new java war file so I usually browse on other tabs while the server is restarting. when it starts, the notification window pops to the top. Perhaps there should be an option to turn this on or off (the option could default to off)...I don't really see that many people putting really important information into a javascript notification window anyway.

Fast, cheap, good: pick two.

Working...