SillyDog701

[Antony]

According to Secunia, an old vulnerability was discovered in many modern browsers, allowing malicious people to spoof the content of websites. The affected browsers include Safari, Konqueror, Opera, MSIE, and all Mozilla (Gecko-based) browsers.

The problem is that the browsers don't check if a target frame belongs to a website containing a malicious link, which therefore doesn't prevent one browser window from loading content in a named frame in another window.

You can test your browser with this detailed instructions.

> More information: Multiple Browsers Frame Injection Vulnerability
Internet Explorer Frame Injection Vulnerability

I do not know if there's any fixes available, however, you can safeguard yourself by checking the Page Info from context menu or View menu and check the child-window (frame)'s actual URL.

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.2 (KHTML, like Gecko) Safari/125.8

[DJGM]

I've just tested that vuln using the instructions in Secunia's advisory. The browser I'm using at the
moment (Mozilla 1.7 on SUSE Linux) does not appear to be affected. No content from Secunia
appeared in any frames on the MSDN website that opened in the second browser window.

EDIT 1:
Having now just tested this in Netscape 7.1, the vuln is apparent in this browser.

EDIT 2:
Konqueror 3.2 on Linux also appears to be vulnerable to this bug.

EDIT 3:
Mozilla Firefox 0.9.1 is not affected.

UserAgent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040618

[Edward]

Opera 7.51 for Linux is affected by this.

UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i586) Opera 7.51 [en]

[Antony]

The browser I'm using at the
moment (Mozilla 1.7 on SUSE Linux) does not appear to be affected. No content from Secunia
appeared in any frames on the MSDN website that opened in the second browser window.

...

EDIT 3:
Mozilla Firefox 0.9.1 is not affected.

Thanks, DJGM,
Is the Mozilla Firefox 0.91 the Windows version or Mac version?

According to the Secunia,

the vulnerability has been confirmed in the following browsers:

• Opera 7.51 for Windows
• Opera 7.50 for Linux
• Mozilla 1.6 for Windows
• Mozilla 1.6 for Linux
• Mozilla Firebird 0.7 for Linux
• Mozilla Firefox 0.8 for Windows
• Netscape 7.1 for Windows
• Internet Explorer for Mac 5.2.3
• Safari 1.2.2
• Konqueror 3.1-15redhat
• Internet Explorer 5.01, 5.5, 6 for Windows.

However, that's not the whole list.

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/125.2 (KHTML, like Gecko) Safari/125.8

[DJGM]

Thanks, DJGM,
Is the Mozilla Firefox 0.9.1 the Windows version or Mac version?

Neither. It's the version for Linux.

UserAgent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040618

[marcoos]

Browsers based on Gecko 1.7 (for all operating systems), such as Mozilla suite 1.7 and Firefox 0.9.1 are immune to this attack (Secunia's report says this, too).

UserAgent: Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.7) Gecko/20040626 Firefox/0.9.1

[Mandrake]

It's good to see that Mozilla and Firefox are not effected by this latest flaw. This is certainly a good reason to upgrade to FireFox 0.9.1 or Mozilla 1.7.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616

[Wellander]

Hi,
How about Netscape 4.x and lower?

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a1) Gecko/20040520

[Wellander]

Hi,
I can not find it in 1.7 and 1.8a1.
I think that these browsers are safe.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a1) Gecko/20040520

[Edward]

Also affects Konqueror 3.2.1 under Linux.

UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i586) Opera 7.51 [en]

[Phoenix21692]

I just tested the bug on Netscape Communicator 4.8 and it doesn't appear to be vulnerable. And yes, it doesn't affect Mozilla 1.7 either. Also, I tested the bug on the Release Candiates 1, 2, and 3 of Mozilla 1.7 and these were affected by the bug. Not only that, the flaw also affects Mozilla 1.3.1 and 1.4.2. I'm sure it would affect many of the older builds. So, that means most of the Mozilla builds, up to version 1.7 RC 3 are vulnerable.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616

[DJGM]

I just tested the bug on Netscape Communicator 4.8 and it doesn't appear to be vulnerable.

Now that's surprised me. Mind you, I'm sure Netscape 4.x has a ton of other security vulnerabilities,
so with that in mind, and also with it being technically ancient, Ns4.x is best avoided these days!

UserAgent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040618

[Don_HH2K]

Great.. Any suggestions on what to do with my old PCs running NS6.1? K-Meleon appears to also be vulnerable, Mozilla won't work in versions above 0.9.4, and Firefox is just as slow for me as 0.9.5+ is...

If NS7.2 isn't released soon, I'll probably switch to Mozilla and possibly stay there. In that case, I hope I'll find a way to get AIM to integrate into Moz1.7..

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)

[akbash]

Of all the security and crash fixes made since Netscape 6, this is a relatively minor one.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a2) Gecko/20040704 Firefox/0.8.0+

[Fulvio]

Great.. Any suggestions on what to do with my old PCs running NS6.1? K-Meleon appears to also be vulnerable, Mozilla won't work in versions above 0.9.4, and Firefox is just as slow for me as 0.9.5+ is...

If NS7.2 isn't released soon, I'll probably switch to Mozilla and possibly stay there. In that case, I hope I'll find a way to get AIM to integrate into Moz1.7..

1. The probability that anything so dangerous will happen to you, is, IMHO, unlikely.
2. Do not store sensitive information on your computer.
3. Give up.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616