Injection Flaw Found in Browsers

Danish security research firm Secunia has reported a vulnerability that occurs
in most browsers that can be exploited by hackers looking to spoof the content
of Web sites. And they say repeated warnings have fallen on deaf ears.

The Window Injection Vulnerability,
listed on the firm’s Web site as “moderately
critical,” allows malicious attackers to “hi-jack” browser windows and change the
content of Web sites, according to Secunia.

The vulnerability was reported in Firefox, Internet Explorer, Opera, Netscape
and Konqueror.

Thomas Kristensen, CTO of Secunia, said his company earlier
reported the flaw to all of the browser players, but with the exception of
Opera, the vendors have ignored the warnings.

“Opera is working on fixing it,” he said. “Hopefully other ones follow suit.”

Kristensen said the flaw, similar to July’s Frame Injection Vulnerability, can
be exploited once a malicious Web site has been opened in one browser and a trusted
site opened in another.

When a pop-up window appears in the reliable site, the
malicious site is able to “hi-jack” that pop-up. Once that has taken place, the
pop-up window that has been opened may then display information from the malicious one.

“The basic problem is that a Web site can inject content into another site’s
window if the target name of the window is known,” Kristensen said.

The flaw can be used to trick users into thinking that the bogus information is
original content from the legitimate Web site, he added.

Before issuing the report on the Secunia Web site, Kristensen said his firm
informed vendors of what he termed inappropriate behavior within their browsers.

“They believe this is the way it [browsers] is supposed to behave,” he said.
“You trust it shouldn’t be able to do that, but they seem to disagree.”

News Around the Web