Java Tab Spoofing Vulnerability in NS7.2 using Mac OS X 10.x

J-M · Joined: 25 Jul 2004 Posts: 777 Location: Helsinki, Finland

Another point of view:
It is always very important that there are workarounds available to issues like this and people know about them. A very practical solution is disabling Java and it was reported to Secunia on 27th August by me. Wink

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040919 Firefox/0.10.1

Antony · *07 Nov, 2004 5:53 pm*

The Java applets from one tab being displayed on another tab page is not that serious to me. It just reminds me the old Layer not covering the form elements and Java applets back in old Communicator days.

What I mean is...

We all know that Netscape Communicator supports <layer> and <div> tags for positioning elements. If you have form elements (e.g. drop-down menu, input box) and Java applets on layer 1, and you have layer 2 on top of layer 1 (overlapping). The form elements and Java applets would also appear on layer 2 (not covered).

(The workaround was to hide or clip layer 1.)

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5 (KHTML, like Gecko) Safari/125.9

MozInfo701

| MacCentre701

| AntBlog701

| don't steal music.

J-M · Joined: 25 Jul 2004 Posts: 777 Location: Helsinki, Finland

Is there anything new with this issue, according to my knowledge the newest Java implementation is 1.4.2 Update 2; http://www.apple.com/support/downloads/javaupdate142.html

Sun has released it's own JRE 1.4.2_06 update, look at these advisories published on 23rd November:
http://secunia.com/advisories/13271/

http://www.kb.cert.org/vuls/id/760344

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fi-FI; rv:1.7.5) Gecko/20041108 Firefox/1.0

J-M · Joined: 25 Jul 2004 Posts: 777 Location: Helsinki, Finland

Experiences from Mac OS users, with different Java versions are more than welcome now. Smile

Especially issues tested with Firefox 1.0.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fi-FI; rv:1.7.5) Gecko/20041108 Firefox/1.0

J-M · Joined: 25 Jul 2004 Posts: 777 Location: Helsinki, Finland

How about after upgrading to new OS X Java related security release, discussed in this thread
http://sillydog.org/forum/viewtopic.php?t=8382

at Mac OS and Linux section.

According to Secunia both Netscape and Firefox issues are related "to a known behaviour in Apple's implementation of Java".

Their advisory of Netscape, and Firefox, is marked as unpatched, naturally.

See details:

Netscape Apple Java Plugin Tab Spoofing Vulnerability
http://secunia.com/advisories/12392/

Mozilla / Mozilla Firefox Apple Java Plugin Tab Spoofing Vulnerability
http://secunia.com/advisories/12403/

[edited by j-m: added Firefox SA as unpatched too]

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fi-FI; rv:1.7.5) Gecko/20041108 Firefox/1.0

J-M · Joined: 25 Jul 2004 Posts: 777 Location: Helsinki, Finland

This 'old' Radar site from August is still available:

http://www.securitywizardry.com/radar.htm

.

It can be used to test this issue.
(I remember several _very_ short nights when this thread was opened at summer Sad

).
However, there is some RealPlayer related problems mentioned too at http://bugzilla.mozilla.org/show_bug.cgi?id=162134

.
This Bugzilla report is Secunia's Bugzilla reference link too.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fi-FI; rv:1.7.5) Gecko/20041108 Firefox/1.0

Antony · *24 Feb, 2005 7:48 pm*

J-M · Joined: 25 Jul 2004 Posts: 777 Location: Helsinki, Finland

Now, in June, this is still marked as unpatched at http://www.securityfocus.com/bid/11059/info

, http://secunia.com/advisories/12392/

and http://secunia.com/advisories/12403/

.

Mac OS users, do you have any new experiences?

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fi-FI; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

	Forum Index > Firefox, SeaMonkey and Netscape	All times are CST (GMT -6)
page 2 of 2	page previous 1, 2