Cross-browser security holes
Slashdot reports a "new" spoofing hole in many browsers, including older versions of Mozilla, discovered by Mark Laurence. The hole is that site A can load its own content into a frame on site B, and the content will appear to be from site B because the frameset is still from site B. This attack only works if site B is a framed site, so some banks are not affected.
A comment I posted on Slashdot:
Lorenzo Colitti and I found the same hole several weeks ago, independently of Mark Laurence. I reported it to mozilla.org on June 11 and to Microsoft and Opera on June 16. I got different results from each browser maker:
- Mozilla (bugzilla.mozilla.org 246448)
- Fixed on June 14. Firefox 0.9 released with the fix June 14. Mozilla 1.7 released with the fix June 17.
- Opera (bugs.opera.com 145283)
- No response.
- Microsoft
- On June 21, I received an e-mail containing the following: "... is by design. To prevent this behavior, set the 'Navigate sub-frames across different domains' zone option to Prompt or disable in the Internet zone. We are trying to get this fixed in Longhorn ... on getting this blocking on by default in XP SP2 but blocking these types of navigations is an app compatibility issue on many sites." I usually don't get any response from Microsoft when I report security holes to them; I think I only got a response this time because I used my employer's premier support contract with Microsoft.
Another cross-browser security hole I found (bugzilla.mozilla.org 162020) got similar responses from each browser maker: fixed in Mozilla 1.7 and Firefox 0.9; no response from Opera; confusing statement from Microsoft mentioning XP SP2. 162020 is an arbitrary code execution hole.
To be fair to Microsoft, the fix for the frame-spoofing hole did break a few sites. According to a bug filed today, the Charles Schwab brokerage site is one of the broken sites.
July 2nd, 2004 at 8:51 am
It seems our communication in this department isn’t too good. Opera is aware of the issue and working on it, the initial fix we had was however withdrawn because it breaks functionality. Having an obscure switch in about:config to make a major banking site work properly doesn’t seem to be such a great idea, if you want your browser to be used by non-geeks.
July 2nd, 2004 at 3:14 am
Mozilla most security conscious organization
In three days Firefox was patched and released, in 10 days Microsoft acknowledged the message and gave a workaround, and Opera hasn’t written back yet. Way to go Mozilla!