Author Topic: Mozilla/Netscape users take note  (Read 2754 times)

Offline Diana

« on: April 22, 2003, 07:02:00 PM »
I don't know yet to what extent this may apply on the Mac platform, but since the exploit seems to be based on basic Internet protocols, it may affect us all no matter what operating system.

Mozilla Browser Cross Domain Violation Vulnerability
BugTraq ID: 7363
Remote: Yes
Date Published: Apr 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7363
Summary:

Mozilla is an open source web browser available for a number of platforms, including Microsoft Windows and Linux.

A problem has been reported in Mozilla that could allow access to information in other browser windows. The vulnerability exists because Mozilla does not properly sanitize links when transferring documents from one domain to another. Specifically, malicious HTML code is not sanitized from the 'onclick' property.

Upon the execution of code through the 'onclick' property, a violation in browser security zone policy would occur that allows the original web site to view the contents of web pages in other browser windows.

This problem would require a user visiting a web page that has been designed to present malicious dialog boxes. This type of attack would most commonly occur through social engineering.

Other browsers based on the Mozilla codebase are vulnerable to this issue.

see ya,
 
 [ 04-22-2003, 09:28 PM: Message edited by: Diana ]
Diana
Sysadmin Rule #14: If it's not on fire, it's a software issue.

Registered Linux user 290473
http://counter.li.org/
http://www.crestcomm.com/diana/gnupg.txt for GnuPG public key  

Offline kps

« Reply #1 on: April 22, 2003, 08:10:00 PM »
Thanks for the info, Diana.

I don't think Safari should be included though. It's based on KHTML and not Gecko...

Interesting article on why Apple chose KHTML:

http://news.com.com/2100-1023-980492.html

Offline Diana

« Reply #2 on: April 22, 2003, 08:23:00 PM »
Oops! kps, you're right. I had just partially remembered that Safari was based on a browser I have on my Linux system... It just didn't come back to me correctly which one it was. I'll see if I can change the subject title.

thanks...
Diana

Offline Bruce_F

« Reply #3 on: April 23, 2003, 12:19:00 AM »
I have completely stopped using Mozilla, but not due to security issues.

For whatever reason, shortly after updating to OS 10.2.5, it flaked out on me. I'm not going to bother with trying to find a fix for it. For one, Safari v73 is working well enough for my needs. Secondly, the next release of Mozilla is supposed to be quite a bit different. So, I'm going to wait until v1.4 is finished.

Then again, I may just stick with Safari!
-Bruce-

Offline Dreambird

« Reply #4 on: April 23, 2003, 04:03:00 AM »
Thanks Diana for the "heads-up"...    

BugTraq I know from the Windows board in that the folks there keep an eye out for "things" all the time, maybe (I'm supposing) because they're mostly all Windows and M$ IE users which is often riddled with security issues.

Disappoints me to see Mozilla/Netscape becoming as bad since it never was quite so...

I'm wondering, I think I already have the answer, but a confirmation from someone would be cool... if this is a "universal" Mozilla/Netscape problem?

They specify NS 6.x and NS7.x so since NS4.x does not run on the Gecko engine I assume it's not affected... is this right? And is this a problem if one is running OS 10 and not OS9.x?

I'm not in a huge hurry to upgrade to OS 10 and maybe this is part of the reason that for at least until it gives out absolutely and completely I doggedly prefer NS4.76 on my OS9.1...    

I suspect that Opera 5 my other browser should not be a problem since I don't believe it's connected with Gecko either.

I do definitely agree with kps in that from what little I've seen in screenshots of Safari and the rave comments I've heard... that when I do go to OS 10... that one would be at the top of my choices of what to use for a browser at the moment...

One comfort is that once these things are uncovered, they often get remedied "real quick"!    
 
 [ 04-23-2003, 05:11 AM: Message edited by: Dreambird ]
******
On permanent walk-about... ;)
MacBook Pro Retina, mid-2012, SSD 500GB, 16GB RAM, High Sierra 10.13.6, iPad Air 2, iOS 11.4.1

Offline Dreambird

« Reply #5 on: April 23, 2003, 11:44:00 PM »
I've had a question from a friend... any reason to worry about OS's lower than OS 10?

And IE... is a patch needed if the OS is not OS 10?

Thanks...

Offline kps

« Reply #6 on: April 24, 2003, 02:28:00 AM »
I'd imagine it affects Mozilla and Netscape on all platforms, DB.

IE should not be affected as it does not use the same browser engine as Mozilla/Netscape.

Offline Dreambird

« Reply #7 on: April 24, 2003, 02:38:00 AM »
OK thanks kps... so I assume then that the main "problem" is the Gecko rendering engine that Mozilla and Netscape 6 and 7 use.

Since I can't find a mention of a patch, I'll bet it'll be fixed in the next version!...  

Where security is concerned seems if it ain't one thing it's another eh...    

Life on the internet!

Offline Gary S

« Reply #8 on: April 24, 2003, 12:15:00 PM »
Forgive me but... what does this mean? I use Netscape. What should I be concerned about?
Gary S

Offline Diana

« Reply #9 on: April 24, 2003, 08:14:00 PM »
Hi,

My understanding of this exploit is that someone bad could get you to come to their website where they've included some evil code that can read whatever is in other browser windows.

Here is a link to a short writeup by the person who discovered the problem. It's not techy, but neither is it totally clear...at least to me.
 Exploit Discoverer Explanation

Correlating what he says with what SecurityFocus says confuses me a bit, but ultimately, one should be careful about what web sites one visits. If a stranger tempts you to visit his site and you don't have good reason to view that site, be careful. Don't go from a banking/financial/private site to one you don't know without first closing your browser windows (all of them, including any mail windows that use the browser). Do your banking/financial/private stuff from fresh browser windows.

see ya,
Diana