Here’s an online security story to freak you out: Security firm Secunia has found a loophole [Edit: originally linked to Yahoo! News] in basic browser window handling that can let any site plug its code into a pop-up window generated by any other site. That’s not just ads, that includes pop-up help files, password dialogs, you name it.

They even have a demonstration: Start the code going on their site, open up Citibank, then click on a button on the Citibank site and it’ll open a page from Secunia.

And it works in every major browser, for the simple reason that it uses standard functionality that no one has questioned until now: the ability to open a page in a particular frame or window by naming it as the target (the second argument to window.open, or a link’s target attribute). All you need to know is the name of that window, and you’re set. As long as the injected page hides the toolbars (SOP for pop-up windows of all stripes), the user will never notice that the content came from somewhere else. There is a workaround, at least for Firefox and Mozilla users, but it’s ugly: prevent sites from hiding the location bar (the dom.disable_window_open_feature.location preference), so that every pop-up shows where its content really came from.

Actually, the functionality has been questioned before: last July, when Secunia found a similar problem in frames. The solution for that was to prevent a page in one window (or tab) from accessing frames in another. But it’s a little more challenging to decide which pages should be allowed to update a top-level window.

In the short term, sites wanting to protect themselves from being hijacked can probably help by giving their pop-up windows random, unguessable names instead of fixed ones: an attacker can only target a window whose name it knows. In the long term, browsers are going to have to figure out how to separate windows that should have the ability to load new pages from windows that shouldn’t, knowing that they’ll undoubtedly end up breaking some websites in the process.

(via The War on Spam)

CNET has posted a write-up of AOL’s new Netscape prototype based on Firefox, as well as a screenshot. It seems to be a combination of Firefox + theme + bundled extensions… plus a mode that embeds Internet Explorer for compatibility.

There are some nice ideas: adapting Firefox’s RSS capabilities to create a headline ticker, for instance, and the Firefox team has been talking about bundling extensions since it was called Phoenix. As for the embedded IE mode… on one hand it provides a convenient solution to the biggest criticism laid on all non-IE browsers: they don’t render pages exactly the way IE does. But it comes at the cost of all the security risks inherent in IE itself. It does remind me of the “View with Gecko” option Konqueror used to have (and probably still does on some systems).

But the clutter… The sheer number of buttons, icons, widgets, etc. in that screenshot is staggering. Even after installing the web developer extension I don’t think I have that many buttons on Firefox. 3+ buttons on the tab bar, 3 icons on each tab… I hope that CNET was just enabling every feature they could find to get them all in one screenshot, but if AOL is trying to bill it as “easier” than Firefox (which was created with a simple user interface as a design goal), they’ve got to try another approach.

Update (via WaSP): It seems BetaNews has more information on the dual-engine setup. Apparently they do have security settings to mitigate the IE issues… but then so does IE, and we all know how well that’s worked. Also, another screenshot, which looks even more cluttered than CNET’s. I think this will be a browser that requires you to run it maximized at 2000×1500. (Also of note: Firefox developer Blake Ross’ Open Letter to Netscape and Henrik Gemal’s collection of screenshots.)

Further Update: MozillaZine has posted a more thorough review.

Netcraft reports on a series of malicious banner ads using a vulnerability in Internet Explorer 6 to spread the Bofra virus. Clicking on the banners sends you to a website that uses the recently-discovered IFRAME vulnerability to infect your computer. Of note: there is no patch for this yet. (I originally wrote that XP SP2 was affected as well, but I misread that part; it isn’t.)

The Register found the ads on their own website and identified the source as ad server Falk AG. They have pulled Falk AG’s ads from their rotation and apologized to their readers. Netcraft adds that Falk AG’s clients include high-profile sites such as A&E, NBC, and Sony. The ad company has issued a statement, but the page currently consists of the line “Server Engine: Application error.”

Update 3pm: The statement from Falk [archive.org] is readable now. Apparently someone broke into one of their network load balancers and reconfigured it to redirect ads to the malicious site. Once they discovered it, they shut down the affected system and started checking the rest. The malicious ads ran for a total of about 6 hours on Saturday.

Update Tuesday: the Internet Storm Center has posted a write-up of the attack response.

Of course, there are several ways to protect yourself from this type of attack.

Browse Happy. Online. Worry-free. Switch today.

I had to reboot one of the Windows servers on Thursday, at which point the GDI+ checker installed by Tuesday’s security fix popped up a message explaining that there was still some software with the JPEG vulnerability. OK, fine, I’ll run it again and see what’s missing. So I clicked on, well, OK, and it pulled up Internet Explorer.

More to the point, it pulled up Internet Explorer 2.0.

You see, that machine has some leftover files from a previous OS, and somehow the GDI+ utility picked up on that copy of iexplore.exe. Of course, it could barely handle the vulnerability info page — no ActiveX of course, and it even displayed raw JavaScript code at the top of the page because it wasn’t hidden inside a comment! (Even Lynx can handle that now!)

But once I fired up IE6 to actually run the test, I figured as long as I had the old one running, why not check a few site layouts? Or some browser sniffers, and see what it claimed and what it could handle?

Almost nothing, as it turns out. It couldn’t even find any of the sites I tried. And from the way it couldn’t find them, I realized exactly what was missing: it couldn’t handle virtual hosts.
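An added example (not from the original post) of why a browser from before HTTP/1.1 “can’t find” sites that share one IP address. Name-based virtual hosting picks the site from the request’s Host header; a client that never sends one gets whatever the server treats as its default (Apache serves the first configured virtual host), and an HTTP/1.1 request without a Host header is a protocol error. The site names, document roots and the two captured-looking requests below are constructed for the example.

```javascript
// Added example: dispatching a raw HTTP request to a name-based virtual host,
// and what happens to a client that never sends a Host header.

const vhosts = [
  // The first entry doubles as the default, as in Apache's NameVirtualHost handling.
  { host: 'default.example', docroot: '/var/www/default' },
  { host: 'www.example.com', docroot: '/var/www/example' },
  { host: 'blog.example.net', docroot: '/var/www/blog' },
];

// Parse the request line and headers of a raw HTTP request.
// Header names are case-insensitive, so they are normalised to lower case.
function parseRequest(raw) {
  const [head] = raw.split('\r\n\r\n');
  const [requestLine, ...headerLines] = head.split('\r\n');
  const [method, target, version] = requestLine.split(' ');
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, version, headers };
}

// Decide which virtual host serves the request.
function dispatchVirtualHost(raw, table = vhosts) {
  const req = parseRequest(raw);
  const host = req.headers['host'];
  if (host === undefined) {
    // RFC 2616 section 14.23: HTTP/1.1 requests must carry Host; servers answer 400 if not.
    if (req.version === 'HTTP/1.1') {
      return { status: 400, served: null, reason: 'missing Host header' };
    }
    // An HTTP/1.0 client (IE 2.0 era) never sends Host, so it always lands on the default site.
    return { status: 200, served: table[0], reason: 'no Host header, default vhost' };
  }
  const name = host.split(':')[0].toLowerCase(); // drop an explicit port, e.g. Host: x:8080
  const match = table.find((v) => v.host === name);
  return match
    ? { status: 200, served: match, reason: 'matched Host' }
    : { status: 200, served: table[0], reason: 'unknown Host, default vhost' };
}

// Constructed requests: what a current browser sends, and what an HTTP/1.0 browser sends.
const modernRequest =
  'GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n';
const http10Request = 'GET /index.html HTTP/1.0\r\nAccept: */*\r\n\r\n';
```

`dispatchVirtualHost(modernRequest)` selects www.example.com; `dispatchVirtualHost(http10Request)` returns the default site no matter which of the three the user actually typed, which is exactly the symptom described above: every site on the shared address looks like the wrong one.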

Via Weblog about Markup & Style:

Dive Into Mark provides an excellent example of why a browser shouldn’t second-guess file types.

Safari content sniffing for XHTML

It’s a screenshot of Safari looking at a text document… but the first line mentions XHTML, so it’s decided that’s what it must be. I’ve had lots of trouble with Internet Explorer doing the same thing, and Safari’s been aiming at bug-for-bug compatibility in order to “break” as few sites as possible.

[Edit: After the source blog was taken down, I grabbed the screenshot from archive.org and uploaded it here.]
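An added example (not from the original post or from Dive Into Mark) of the server-side counterpart to the problem in the screenshot: a text document gets treated as XHTML because its first line mentions XHTML, and the same second-guessing turns any user-supplied “text” file containing markup into active content. The defence on the serving side is to send an explicit, correct Content-Type with a charset and, in browsers that honour it (IE8 onward and modern browsers; it did not exist in 2004), the X-Content-Type-Options: nosniff header, which tells the browser to trust the declared type. The extension table, file names and the sample document are constructed for the example, and `naiveSniff` is a toy stand-in for first-line sniffing, not Safari’s actual algorithm.

```javascript
// Added example: response headers that leave a browser no room to guess a file's type,
// contrasted with a toy model of the first-line sniffing shown in the screenshot.

// Constructed allowlist of extensions we knowingly serve inline. Including a charset
// also removes the browser's reason to sniff the character encoding.
const KNOWN_TYPES = {
  '.txt': 'text/plain; charset=utf-8',
  '.html': 'text/html; charset=utf-8',
  '.xhtml': 'application/xhtml+xml; charset=utf-8',
  '.css': 'text/css; charset=utf-8',
  '.js': 'text/javascript; charset=utf-8',
  '.json': 'application/json; charset=utf-8',
  '.png': 'image/png',
};

function extensionOf(filename) {
  const dot = filename.lastIndexOf('.');
  return dot === -1 ? '' : filename.slice(dot).toLowerCase();
}

// Headers for serving a static or user-uploaded file. Unknown extensions are sent
// as a download rather than inline, since inline bytes of unknown type invite sniffing.
function responseHeadersFor(filename) {
  const type = KNOWN_TYPES[extensionOf(filename)];
  const headers = { 'X-Content-Type-Options': 'nosniff' };
  if (type) {
    headers['Content-Type'] = type;
  } else {
    headers['Content-Type'] = 'application/octet-stream';
    headers['Content-Disposition'] = 'attachment';
  }
  return headers;
}

// Constructed text file whose first line mentions XHTML, like the one in the screenshot.
// If a browser renders it as markup, the second line executes instead of being displayed.
const sniffBait = [
  'Notes on XHTML 1.0 Strict',
  '<script>alert(document.cookie)</script>  (this line must remain inert text)',
].join('\n');

// Toy model of first-line sniffing, to show what the header above is protecting against.
function naiveSniff(body) {
  return /xhtml/i.test(body.split('\n')[0]) ? 'application/xhtml+xml' : 'text/plain';
}
```

For `notes.txt` the server declares `text/plain; charset=utf-8` and nosniff, while `naiveSniff(sniffBait)` would have guessed `application/xhtml+xml`; the header exists precisely so that the declared type wins that disagreement.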

Well, it’s official. After months of rumors and vague announcements, Netscape 7.2 has been released!

It’s been just over a year since AOL closed down Netscape and spun off the independent Mozilla Foundation. Despite the uncertainty of that transition, no one can deny that Mozilla has flourished. People everywhere are switching to Firefox and recommending it on security, usability, and capability grounds.

It’s really quite surprising, particularly since Netscape the company no longer exists. But Mozilla has been marching ahead, and all that stood between AOL and an updated Netscape was updating their proprietary features, like the AIM sidebar and access to AOL email, to work with the new Mozilla code.

For the past year, I’ve been advocating that people switch from Netscape to Mozilla, since it seemed the best upgrade path. (Someone on Mozillazine pointed out that AOL is actually promoting the Mozilla connection — an interesting switch.) I’ve been skeptical about the new version actually materializing, but here it is.

I’m going to stick with Firefox myself, but for Netscape fans and those looking for the full browser suite (complete with AIM/ICQ)…

  • Download Netscape 7.2

Great. Just great. Now there are ad networks using banners to install malware.

The article from Netcraft goes on to say that some phishing attacks are using banners to install keystroke loggers and other spyware. So now, just using an insecure browser* to click on the link in a message claiming to be from your bank can make it possible for hackers to steal your passwords, credit card numbers, etc., even if you realize the site’s a scam and don’t fill in the form. Fun, fun, fun!

Time to look into those alternative browsers again…

* Yes, security holes have been found in Mozilla, Opera, etc. With the rise in popularity of Firefox, some attackers are starting to target Mozilla. But aside from looking at the sheer number of holes in IE compared to other browsers, just about everyone seems to have a better track record at fixing vulnerabilities than Microsoft does.