Security advisory affecting tabed browsers, including Avant

These archives contain old topics that were moved here to prevent clutter in the forums. These threads may still contain some useful information.

Moderators: Support Staff², Support Staff, AvantGuard, Developer

Locked
User avatar
joeblow
Newbie
Newbie
Posts: 22
Joined: Mon Mar 29, 2004 9:34 pm
Avant Version:

Security advisory affecting tabed browsers, including Avant

Post by joeblow » Wed Oct 20, 2004 7:35 pm

Secunia reports spoofing vulnerabilities in several tabbed browsers.

Synopsis:
Affected Software-
Mozilla 1.7.3
Mozilla Firefox 0.10.1
Camino 0.8
Opera 7.54
Konqueror 3.2.2-6
Netscape 7.2
Avant Browser 9.02 build 101
Avant Browser 10.0 build 029
Maxthon (MyIE2) 1.1.039
Prior versions of all above software may also be vulnerable.
All vendors notified on Oct 4th-5th.

Vulnerability "A":
It is possible for a inactive tab to spawn dialog boxes e.g. the JavaScript "Prompt" box or the "Download dialog" box, even if the user is browsing/viewing a completely different web site in another tab.

Vulnerability "B":
It is possible for a inactive tab to always gain focus on a form field in the inactive tab, even if the user is browsing/viewing a completely different web site in another tab.

Solutions for A & B:
Disable JavaScript or do not visit untrusted and trusted websites at the same time.

Full details & exploit demonstrations available here:
http://secunia.com/advisories/12717/

I have not tested this, but I suspect disabling javascript for all but the Trusted Zone should help minimize these problems. Of course, that can make regular browsing pretty difficult considering the widespread use of javascript on the web, so I hope Anderson can find a proper solution.

Wilson
Fan
Fan
Posts: 116
Joined: Mon Jun 30, 2003 9:32 pm
Windows Version: Windows
Avant Version:
Location: Newfoundland, Canada
Contact:

Post by Wilson » Wed Oct 20, 2004 8:00 pm

That page says only Avant Browser 9.x/10.x is affected now.
- Wilson

User avatar
hornakapopolis
AvantGuard
AvantGuard
Posts: 11321
Joined: Thu Jul 31, 2003 2:09 pm
Windows Version: Windows 10 Pro 64
Avant Version: 2015
Default engine: Chrome
IE Version: 11
Skin: Stickers
Location: Ohio, USA
Contact:

Post by hornakapopolis » Wed Oct 20, 2004 8:05 pm

But, it also says that other versions may be vulnerable.

Wilson
Fan
Fan
Posts: 116
Joined: Mon Jun 30, 2003 9:32 pm
Windows Version: Windows
Avant Version:
Location: Newfoundland, Canada
Contact:

Post by Wilson » Wed Oct 20, 2004 8:08 pm

Yes, but it doesn't say Maxthon, Mozilla, etc are like it does in your post. Have they fixed it, or did you paste your post from somewhere else?
- Wilson

User avatar
Sara
AvantGuard
AvantGuard
Posts: 6283
Joined: Thu Dec 12, 2002 11:16 pm
Windows Version: Windows 7
Avant Version: 2015 build 27lite
Default engine: N/A
IE Version: IE 10(64 bit)
Skin: Crystal
Location: Butler, PA

Post by Sara » Wed Oct 20, 2004 8:10 pm

Robc posted:

The following appeared today on the NTBugTraq mailing list regarding Avant and most (all?) other tabbed browsers, and I thought it might be of interest. If NTBugTraq is unknown to you, please browse to http://www.ntbugtraq.com/

----

Code: Select all

======================================================================

                     Secunia Research 20/10/2004

        - Multiple Browsers Tabbed Browsing Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerabilities.......................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

Mozilla 1.7.3
Mozilla Firefox 0.10.1
Camino 0.8
Opera 7.54
Konqueror 3.2.2-6
Netscape 7.2
Avant Browser 9.02 build 101
Avant Browser 10.0 build 029
Maxthon (MyIE2) 1.1.039

Prior versions of all above software may also be vulnerable.

======================================================================
2) Severity

Rating: Less/Moderately critical
Impact: Spoofing
Where:  From remote

======================================================================
3) Description of Vulnerabilities


Vulnerability "A":
It is possible for a inactive tab to spawn dialog boxes e.g. the JavaScript "Prompt" box or the "Download dialog" box, even if the user is browsing/viewing a completely different web site in another tab.

The problem is that the browsers does not indicate, which tab launched the dialog boxes, which therefore could lead the user into disclosing information to a malicious web site or to download and run a program, which the user thought came from another trusted web site e.g. their bank.

Demonstration: http://secunia.com/multiple_browsers_dialog_box_spoofing_test/

Vulnerability "A" Affects:
Mozilla 1.7.3
Mozilla Firefox 0.10.1
Camino 0.8
Opera 7.54
Konqueror 3.2.2-6
Netscape 7.2
Avant Browser 9.02 build 101
Avant Browser 10.0 build 029
Maxthon (MyIE2) 1.1.039


Vulnerability "B":
It is possible for a inactive tab to always gain focus on a form field in the inactive tab, even if the user is browsing/viewing a completely different web site in another tab.

This is escalated a bit by the fact that most people do not look at the monitor while typing data into a form field, and therefore might send data to the site in the inactive tab, instead of the intended/viewed tab.

Demonstration: http://secunia.com/multiple_browsers_form_field_focus_test/

Vulnerability "B" Affects:
Mozilla 1.7.3
Mozilla Firefox 0.10.1
Netscape 7.2
Avant Browser 9.02 build 101
Avant Browser 10.0 build 029
Maxthon (MyIE2) 1.1.039

======================================================================
4) Solution

Mozilla:
  Vulnerability "A":
    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.

  Vulnerability "B":
    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.


Mozilla Firefox:
  Vulnerability "A":
    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.

  Vulnerability "B":
    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.


Camino:
  Vulnerability "A":
    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.

  Vulnerability "B":
    Not affected by this vulnerability.


Opera:
  Vulnerability "A":
    Will be fixed in Opera 7.60.

    Until Opera 7.60 becomes available, Opera Software will release an
    advisory on this issue, which will be available on the Opera
    website.

  Vulnerability "B":
    Not affected by this vulnerability.


Avant Browser:
  Vulnerability "A":
    Vulnerable. However, vendor never responded to inquiries.

    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.

  Vulnerability "B":
    Vulnerable. However, vendor never responded to inquiries.

    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.


Konqueror:
  Vulnerability "A":
    The Vendor reports that KDE version 3.3.1 fixes this
    vulnerability.

  Vulnerability "B":
    Not affected by this vulnerability.


Netscape:
  Vulnerability "A":
    Vulnerable. However, vendor never responded to inquiries.

    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.

  Vulnerability "B":
    Vulnerable. However, vendor never responded to inquiries.

    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.


Maxthon:
  Vulnerability "A":
    Will be fixed in an upcoming version.

    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.

  Vulnerability "B":
    Will be fixed in next version.

    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.


======================================================================
5) Time Table

04/10/2004 - Vulnerabilities reported to Netscape, Mozilla, Opera and
             Avant Browser.
05/10/2004 - Vulnerabilities reported to KDE (Konqueror) and Maxthon. 08/10/2004 - Netscape and Avant contacted again as they have not
             responded.
20/10/2004 - Public disclosure.

======================================================================
6) Credits

Discovered by Jakob Balle, Secunia Research.

======================================================================
7) References

Secunia Advisories:
http://secunia.com/SA12706
http://secunia.com/SA12712
http://secunia.com/SA12713
http://secunia.com/SA12714
http://secunia.com/SA12717
http://secunia.com/SA12731

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia web site:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia web site: http://secunia.com/secunia_research/2004-10/

======================================================================

--
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
--

User avatar
joeblow
Newbie
Newbie
Posts: 22
Joined: Mon Mar 29, 2004 9:34 pm
Avant Version:

Post by joeblow » Thu Oct 21, 2004 12:27 am

Yah, that was the Avant specific page, you had to click a few links to get to the details Sara & robc posted. Sorry for any confusion.

Wilson
Fan
Fan
Posts: 116
Joined: Mon Jun 30, 2003 9:32 pm
Windows Version: Windows
Avant Version:
Location: Newfoundland, Canada
Contact:

Post by Wilson » Thu Oct 21, 2004 12:46 am

Ah. 'Sok :P
As for the form field exploit, I look at the screen when I type so I would notice if what I was typing were not appearing in the field I want it to. I usually only visit sites I trust anyhow, so I'm not overly concerned.
- Wilson

User avatar
hornakapopolis
AvantGuard
AvantGuard
Posts: 11321
Joined: Thu Jul 31, 2003 2:09 pm
Windows Version: Windows 10 Pro 64
Avant Version: 2015
Default engine: Chrome
IE Version: 11
Skin: Stickers
Location: Ohio, USA
Contact:

Post by hornakapopolis » Thu Oct 21, 2004 1:16 am

Yeah... I was hoping I wasn't the only one that thought these were pretty silly. It is possible, but I'm not too much worried about, either.

Also, Wilson, when you said that before about only listing Avant 9 & 10, I thought you were saying that either they forgot about Version 8 or that using Version 8 would be a good idea. I was worried there for a second. :lol: :lol:

User avatar
robc
AvantGuard
AvantGuard
Posts: 988
Joined: Fri Dec 12, 2003 3:33 pm
Windows Version: Vista Ultimate SP1
Avant Version: 11.6 Build 20
IE Version: 7
Location: Italy

Post by robc » Thu Oct 21, 2004 10:47 am

The "bug" is probably not a problem for users who pay attention to what they're doing (as everybody should always do :wink: ), probably it could also happen the same having several IE windows open: I don't remember what happens in the other browser windows which don't have the focus, but it may be similar.
The REAL problem lies with those users who instantly click "OK" on whatever appears on their screens :( Then again, those people are always at risk with a computer connected to the net, opening attachments, falling prey to false pages asking for their bank account passwords, etc.
Maybe, if it were feasible, giving focus to the page that generated the popup could be a solution; of course, one of the most useful aspects of a tabbed browser is that all tabs load concurrently, so it's possible that n pages will display a popup at the same moment, and that would not be easy to sort out.

Wilson
Fan
Fan
Posts: 116
Joined: Mon Jun 30, 2003 9:32 pm
Windows Version: Windows
Avant Version:
Location: Newfoundland, Canada
Contact:

Post by Wilson » Thu Oct 21, 2004 7:25 pm

Indeed.

About those who blindly stumble about the internet, there should be a free course offered before inexperienced users are allowed to have internet access. Like a driver's liscence for the internet highway :P
I hear of so many of my friends' little brothers and sisters (and sometimes the friends themselves) infecting their computers with six thousand spyware objects and a few dozen viruses in just a few weeks after formatting. This actually is not an exaggeration, I went over to a friend's house and AdAware found >6000 objects, SpyBot S&D about 40, the on-access virus scanner wasn't turned on so I ran a scan and it found about 60 unique viruses. "Is that why my computer was slower than usual?"
The reason I think there should be some training involved is because when it comes to viruses and worms, the majority of the time you will infect other people's computers (or frustrate people who actually use virus scanners) as well as your own.
- Wilson

Sergei
AvantGuard
AvantGuard
Posts: 2488
Joined: Fri Sep 19, 2003 5:09 am
Windows Version: Windows
Avant Version:
Location: Galway, Ireland
Contact:

Post by Sergei » Fri Nov 05, 2004 10:17 pm

This Register article on the subject isn't very good publicity for Avant. (Bolding mine).
In the usual open source tradition of fixing flaws quickly, Konqueror released a version of the browser that was patched against the vulnerabilities, and Firefox promised that it would be secured by the time 1.0 is released, sometime in the new few weeks. On the other hand, Netscape, now owned by AOL, and Avant never bothered to respond to Secunia when it contacted them. Guess I know which browsers to avoid.
I wonder did Secunia try to contact Anderson directly?

While I don't think this bug represents much of a real threat, I agree the suggested precautions are good ideas, especially not allowing tabs without focus to spawn windows, or allow spawned text entry boxes to steal focus.
My Cartoons
:
IE7 ][ Windows XP Tablet PC Edition 2005 ][ Avast! Antivirus ][ Kerio Firewall ][ DSL

User avatar
man_o_peace
Semi-Fan
Semi-Fan
Posts: 65
Joined: Thu Dec 12, 2002 3:04 am
Windows Version: Windows
Avant Version:
Location: Maine

Post by man_o_peace » Fri Nov 05, 2004 10:56 pm

Sergei wrote: I wonder did Secunia try to contact Anderson directly?

While I don't think this bug represents much of a real threat, I agree the suggested precautions are good ideas, especially not allowing tabs without focus to spawn windows, or allow spawned text entry boxes to steal focus.

Yikes!
That is a bad promotional statement...

I know that BloodChen fixed Maxthon's vulnerabilities with version 1.1.0.50 (Version 1.1.0.61 released today)...

Since Avant & Maxthon have only one developer each...

BloodChen (Maxthon)
Anderson (Avant)

it's hard to see why one would fix the vulnerabilities and the other not...

Tis strange...
I'm running:

Win98SE / IE 6 SP1 / Latest Version of Maxthon / Latest Official Version of Avant

Sergei
AvantGuard
AvantGuard
Posts: 2488
Joined: Fri Sep 19, 2003 5:09 am
Windows Version: Windows
Avant Version:
Location: Galway, Ireland
Contact:

Post by Sergei » Sat Nov 06, 2004 10:39 pm

Perhaps Anderson's a bit busy with his wedding...
My Cartoons
:
IE7 ][ Windows XP Tablet PC Edition 2005 ][ Avast! Antivirus ][ Kerio Firewall ][ DSL

Locked