Multiple vendor Web browsers could spoof a pop-up window

web-browser-popup-spoofing (18397) The risk level is classified as MediumMedium Risk

Description:

Multiple vendor Web browsers could allow a remote attacker to spoof a pop-up Window. A remote attacker, with knowledge of a window's name, could create a specially-crafted Web page that would inject content into this window, which would cause the pop-up to appear to come from a trusted source, once the victim visits the malicious Web page. This vulnerability could then be used to gain sensitive information from unsuspecting users.

Web browsers include: Microsoft Internet Explorer, Netscape Navigator, Opera, Konqueror, Mozilla, Firefox, Safari, iCab and OmniWeb.


Consequences:

Other

Remedy:

For Gentoo Linux:
Upgrade to the latest version of kdelibs (3.2.3-r4, 3.3.1-r2, >= 3.3.2-r1 or later ) or kdebase (3.2.3-r3, 3.3.1-r2 or later), as listed in GLSA 200412-16 . See References.

For Gentoo Linux:
Upgrade to the latest version of Mozilla (1.7.6 or later), as listed in GLSA 200503-30. See References.

For Gentoo Linux (Firefox):
Refer to Gentoo Linux Security Announcement GLSA 2005-03-10 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (Opera):
Refer to Gentoo Linux Security Announcement GLSA 2005-02-17 for patch, upgrade, or suggested workaround information. See References.

For Fedora Core 2 containing the kdelibs package:
Upgrade to the latest kdelibs package (3.2.2-10.FC2 or later), as listed in Fedora Update Notification FEDORA-2004-548. See References.

For Fedora Core 2 containing the kdebase package:
Upgrade to the latest kdebase package (3.2.2-8.FC2 or later), as listed in Fedora Update Notification FEDORA-2004-549. See References.

For Fedora Core 3 containing the kdelibs package:
Upgrade to the latest kdelibs package (3.3.1-2.4.FC3 or later), as listed in Fedora Update Notification FEDORA-2004-550. See References.

For Fedora Core 3 containing the kdebase package:
Upgrade to the latest kdebase package (3.3.1-4.3.FC3 or later), as listed in Fedora Update Notification FEDORA-2004-551. See References.

For Red Hat Linux (Firefox):
Refer to RHSA-2005:176-11 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (Mozilla):
Refer to RHSA-2005:384-11 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (kdelibs, kdebase):
Refer to RHSA-2005:009-19 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-149-3 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

  • CIAC INFORMATION BULLETIN P-149: Firefox Security Update.
  • Fedora Update Notification FEDORA-2004-548: Fedora: kdelibs-3.2.2-10.FC2 update.
  • Fedora Update Notification FEDORA-2004-549: kdebase-3.2.2-8.FC2 update.
  • Fedora Update Notification FEDORA-2004-550: kdelibs-3.3.1-2.4.FC3 update.
  • Fedora Update Notification FEDORA-2004-551: kdebase-3.3.1-4.3.FC3 update.
  • Microsoft Security Response Center Blog, Tuesday, October 31, 2006 2:05: Information on New Address Bar Issue.
  • BID-11852: Netscape Remote Window Hijacking Vulnerability
  • BID-11853: KDE Konqueror Remote Window Hijacking Vulnerability
  • BID-11854: Mozilla Browser and Mozilla Firefox Remote Window Hijacking Vulnerability
  • BID-11855: Microsoft Internet Explorer Remote Window Hijacking Vulnerability
  • BID-11856: Opera Web Browser Remote Window Hijacking Vulnerability
  • BID-11857: Apple Safari Remote Window Hijacking Vulnerability
  • BID-11875: Omni Group OmniWeb Browser Remote Window Hijacking Vulnerability
  • BID-11876: ICab Web Browser Remote Window Hijacking Vulnerability
  • CVE-2004-1122: Safari 1.x to 1.2.4, and possibly other versions, allows inactive windows to launch dialog boxes, which can allow remote attackers to spoof the dialog boxes from web sites in other windows, aka the Dialog Box Spoofing Vulnerability
  • CVE-2004-1155: Internet Explorer 5.01 through 6 allows remote attackers to spoof arbitrary web sites by injecting content from one window into another window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the window injection vulnerability. NOTE: later research shows that Internet Explorer 7 on Windows XP SP2 is also vulnerable.
  • CVE-2004-1156: Mozilla before 1.7.6, and Firefox before 1.0.1, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the window injection vulnerability.
  • CVE-2004-1157: Opera 7.x up to 7.54, and possibly other versions, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the window injection vulnerability.
  • CVE-2004-1158: Konqueror 3.x up to 3.2.2-6, and possibly other versions, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window or tab whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the window injection vulnerability.
  • CVE-2004-1160: Netscape 7.x to 7.2, and possibly other versions, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the window injection vulnerability.
  • CVE-2004-1314: Safari 1.x allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the window injection vulnerability, a different vulnerability than CVE-2004-1122.
  • GLSA-200412-16: kdelibs, kdebase: Multiple vulnerabilities
  • GLSA-200502-17: Opera: Multiple vulnerabilities
  • GLSA-200503-10: Mozilla Firefox: Various vulnerabilities
  • GLSA-200503-30: Mozilla Suite: Multiple vulnerabilities
  • MDKSA-2004:150: Updated kdelibs and kdebase packages fix vulnerability
  • OSVDB ID: 12313: Microsoft IE Cross-domain Browser Window Injection Content Spoofing
  • OSVDB ID: 13183: Apple Safari Cross-domain Browser Window Injection Content Spoofing
  • OSVDB ID: 59844: Opera Cross-domain Browser Window Injection Content Spoofing
  • OSVDB ID: 59845: Netscape Cross-domain Browser Window Injection Content Spoofing
  • RHSA-2005-009: kdelibs
  • RHSA-2005-176: firefox security update
  • RHSA-2005-384: Mozilla security update
  • SA12892: Safari Dialog Box Spoofing Vulnerability
  • SA13129: Mozilla / Mozilla Firefox Window Injection Vulnerability
  • SA13251: Microsoft Internet Explorer Window Injection Vulnerability
  • SA13252: Safari Window Injection Vulnerability
  • SA13253: Opera Window Injection Vulnerability
  • SA13254: Konqueror Window Injection Vulnerability
  • SA13402: Netscape Window Injection Vulnerability
  • SA22628: Internet Explorer 7 Window Injection Vulnerability
  • SUSE-SA:2005:034: opera: various problems
  • SUSE-SR:2004:004: SUSE Security Summary Report
  • SUSE-SR:2004:005: SUSE Security Summary Report
  • SUSE-SR:2005:001: SUSE Security Summary Report
  • SUSE-SR:2005:003: SUSE Security Summary Report
  • USN-149-3: Ubuntu 4.10 update for Firefox vulnerabilities

Platforms Affected:

  • Apple Safari 1.2.4
  • Canonical Ubuntu 4.10
  • FedoraProject Fedora Core 2
  • FedoraProject Fedora Core 3
  • Gentoo Linux
  • iCab Company iCab 2.9.8
  • KDE Konqueror 3.2.2-6
  • MandrakeSoft Mandrake Linux 10.0 AMD64
  • MandrakeSoft Mandrake Linux 10.0
  • MandrakeSoft Mandrake Linux 10.1 X86_64
  • MandrakeSoft Mandrake Linux 10.1
  • Microsoft Internet Explorer 6.0
  • Microsoft Windows XP SP1
  • Microsoft Windows XP SP2
  • Mozilla Firefox 1.0
  • Mozilla Mozilla 1.7.3
  • Netscape Navigator 7.2
  • Omni Group OmniWeb 5.0.1
  • Opera Opera Browser 7.54
  • RedHat Enterprise Linux 2.1 WS
  • RedHat Enterprise Linux 2.1 AS
  • RedHat Enterprise Linux 2.1 ES
  • RedHat Enterprise Linux 3 ES
  • RedHat Enterprise Linux 3 AS
  • RedHat Enterprise Linux 3 WS
  • RedHat Enterprise Linux 3 Desktop
  • RedHat Enterprise Linux 4 WS
  • RedHat Enterprise Linux 4 AS
  • RedHat Enterprise Linux 4 Desktop
  • RedHat Enterprise Linux 4 ES
  • RedHat Linux Advanced Workstation 2.1 Itanium
  • SUSE SuSE Linux 8.2
  • SUSE SuSE Linux 9.0
  • SUSE SuSE Linux 9.1
  • SUSE SuSE Linux 9.2
  • SUSE SuSE Linux 9.3

Reported:

Dec 08, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page