New Vulnerability Affects All Browsers

Jimmy writes "Secunia is reported about a new vulnerability, which affects all browsers. It allows a malicious web site to "hi-jack" pop-up windows, which could have been opened by e.g. a your bank or an online shop. Here is a demonstration of the vulnerability"

Re:Sniff, our little browser's all grown up...

[Indy+Media+Watch]

Now we can move from the myth that free software is impervious to exploits

Uh, who was saying that?

Re:Sniff, our little browser's all grown up...

[Frogbert]

What are you talking about? Firefox has always had bugs, why do you think we get security updates? The difference, as we will soon see, is that the Firefox will have a patch weeks, or perhaps months before IE.

Here's how it works

[sbszine]

The links to Citibank from the Secunia site are actually handled by JavaScript. The script sets a timer, then opens citibank. Every second or so, Secunia's script then checks whether you've opened Citibank's pop-up. If you have, it opens a window with the same name (i.e. variable name) as Citibank's window, thus overwriting their content.

So the attacker doesn't need you to click on anything, they just need you to have their site open -- with the timer going -- in another window. Also, the attacker needs to know in advance what name the victim site's pop-up is referenced by. A dynamically generated name could possibly defeat this attack, though the attacker could always crawl the DOM for a handle to the pop-up.

Once again, why needless use of Javascript is BAD!

[wowbagger]

This all boils down to a Javascript vulnerability.

If web masters would stop NEEDLESSLY using Javascript to do things like open new windows, and would use it ONLY when there is no way using HTML to accomplish the same goal, then people would not need to have Javascript active all the time, and the impact of exploits like this would be greatly reduced.

If, instead of using <a href="#" onclick="foo"> or <a href="javascript(foo)"> type constructs, web designers would use <a target="_blank" href="something.html" onclick="javascript(stuff)"> type constructs, then if the user HAS Javascript active, then the web master can micromanage the newly created window. If not, then the user STILL gets a new window, just not one that the web master can remove all the chrome from.

Seriously - when was the last time you heard of an exploit that used straight HTML? All of the recent exploits in ALL browsers, IE included, have been in either Javascript or Active-X, not in the core HTML rendering.

There is a REASON for that.

Of course it's a bug

[Chuck+Chunder]

Target names should only exist within the namespace of the site that created them.

Site A should be able to create and interact with a window named "popup".
Site B should be able to create and interact with a window named "popup".
This should happen without either site interfering, blocking or overwriting the other. They should simply be invisible to each other, existing in completely seperate little worlds.

Re:Of course it's a bug

OF course that seems sensible. But when you say "should" do you mean "should" because you think so, or because some W3C or other standard says so?

Re:Once again, why needless use of Javascript is B

[dghcasp]

And this is part of a larger user interface principle, "Don't try to control your user's behaviour if you don't need to."

Example: Sites that pop up their "main" window from their "entry tunnel." Exactly what justification do you have for thinking I still need to view your entry tunnel?

Example: (as mentioned,) sites that use Javascript to open windows. Granted, this practice came around before Opera/Mozilla introduced us to the wonders of tabbed browsing, but what's the point of pulling up a "diversionary" window and forcing the user to close it? Afraid they might not understand the concept of the "back" button?

Example: using flash/java/shockwave/etc to perform functions that could be handled in HTML, especially now that we have DHTML. I have trouble with understanding the argument "we will be more successful if we deny access to some percentage of the population."

etc etc etc.IMHO, this is a symptom of the problem where people assume "everyone else thinks / acts / behaves in the same way I do."

Re:Doesn't work for me

[Atrax]

... useless as blink tags.

I disagree. I think they have their moments. Such as displaying incidental information without interrupting the flow of something you're already doing (say, a help link in a wizard-style sequence of pages)

like everything else, popups are a tool which can be used or misused. Unfortunately they're mostly misused.

Re:Mozilla/Firefox Workaround

[Fnkmaster]

All these damned Secunia bugs are basically human error bugs anyway. If you know what's in the popup, it's impossible to be spoofed - if the URL bar shows a site that's not what you expect, close it.

In general, it's always going to be possible if you are browsing sketchy and secure sites at the same time that the sketchy site might pop up some deceptive window, and if you are confused, and can't see the URL bar, you might think it came from the secure site, with or without this specific injection issue. Which is why this workaround out to be default behavior anyway (I HATE sites that try to hide my location bar and navigation toolbar, those bastards).

Anyway, the point is, yes the issue should be fixed, but if you applied the workaround, it makes the exploit essentially worthless to an adversary.