



Multiple browsers across multiple platforms are vulnerable to what Chapin Information Services (CIS) has termed a Reverse Cross-Site Request (RCSR) vulnerability, brought to light after a phishing scam on MySpace.
There’s been a lot of hype over the vulnerability in Firefox, mostly from the fanbois of a competing browser. This has been called a flaw, a security hole and has even been labeled “Critical” by some. This is not the case. This vulnerability has been classified as “less critical” by Secunia and “low risk” by FrSIRT. Well, guess what? Firefox is not the only browser vulnerable to this type of attack: Internet Explorer 7, Netscape and Safari are vulnerable as well.
This vulnerability could affect anyone using Firefox, IE7, Netscape or Safari who visits a website that allows user-contributed HTML code.
The browser is not directly fooled by the RCSR exploit. Instead, the user is presented with a fake login page that fools the browser into providing the UserID and Log-In information. None of these browsers were designed to check the form data before submission.
The risk to the average user is negligible: with diligence on the part of the user, this type of exploit is not successful. However, this type of attack can be particularly effective, as the user is presented with a Log-In page very similar to the one they are used to seeing on a website they trust.
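The missing check on form data before submission can be sketched as a gate in front of credential autofill. This is an added example, not code from Firefox or any other browser named here; it assumes the password manager records the origin a login was saved for, and `autofillDecision`, `social.example` and `collector.example` are hypothetical names.

```javascript
// Added example (not browser source code): gate credential autofill on where
// the form will actually submit. All names and hosts below are hypothetical.
function autofillDecision(savedOrigin, pageUrl, formAction) {
  let page, target;
  try {
    page = new URL(pageUrl);
    // A missing or empty action submits back to the page's own URL.
    target = new URL(formAction || '', page);
  } catch (err) {
    return { fill: false, reason: 'unparseable URL' };
  }
  // javascript:, data:, mailto: and similar actions are never a login endpoint.
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    return { fill: false, reason: 'non-HTTP action' };
  }
  // Origin = scheme + host + port, so an http downgrade or odd port also fails.
  if (page.origin !== savedOrigin) {
    return { fill: false, reason: 'page origin differs from saved login' };
  }
  if (target.origin !== savedOrigin) {
    return { fill: false, reason: 'cross-origin action: ' + target.origin };
  }
  return { fill: true, reason: 'same-origin form' };
}

// Constructed sample forms as they might appear on a page of social.example.
const SAVED = 'https://social.example';
const PAGE = 'https://social.example/profile/1234';
const SAMPLE_ACTIONS = [
  '/login',                              // site's own relative login form
  '',                                    // no action attribute
  'https://collector.example/login',     // form in user-contributed HTML
  '//collector.example/login',           // protocol-relative variant
  'http://social.example/login',         // scheme downgrade
  'javascript:void(0)',                  // script-handled form
];

function evaluateSamples() {
  return SAMPLE_ACTIONS.map((action) => ({
    action,
    ...autofillDecision(SAVED, PAGE, action),
  }));
}

for (const r of evaluateSamples()) {
  console.log(r.fill ? 'FILL ' : 'BLOCK', JSON.stringify(r.action), '-', r.reason);
}
```

Only the first two constructed forms are filled; every form whose resolved action leaves the saved origin is blocked before any credential is placed in it.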
The Firefox developers are actively pursuing a fix that will be forthcoming in either version 2.0.0.1 or 2.0.0.2. The fix is a bit more problematic than most, as it will require changes in the “User Interface”, and it may not make it into 2.0.0.1 because of this. Earlier versions of Firefox are also affected; it is not clear if a fix is forthcoming for those versions.
Firefox developer discussion at Bugzilla Bug 360493 Cross-Site Forms + Password Manager = Security Failure
Microsoft has acknowledged the vulnerability, but inquiries by Chapin Information Services (CIS) have been met with this response from Microsoft:
“We are aware of the issue you reported.” And, “As a matter of policy, we cannot comment on ongoing investigations.”
It may be months before a fix is available for Internet Explorer 7.
I have located no official documentation or statements by Apple regarding this vulnerability in Safari.
How to Protect Yourself
- Firefox: Disable the Password Manager.
1. Click on Edit -> Preferences
2. In the Firefox Preferences window, select Security.
3. Make sure the following are unchecked under Passwords:
- Internet Explorer 7: Disable ActiveX
- Netscape: Disable the “Automatically Fill Passcard” or “Automatically Log In” option in the preferences of Passcard Manager and always check the URL before invoking it.
- Safari: Disable AutoFill
1. Click on Edit -> Preferences
2. Under AutoFill, make sure the following are unchecked:
UPDATED: (30 November 2006)
ADDED: Netscape, as a vulnerable browser
ADDED: Secunia Advisory 23066
ADDED: Secunia Advisory 23108
References:
Phishing potentiality affects Safari, Firefox password storage
CIS Finds Flaws in Firefox v2 Password Manager
Bugzilla Bug 360493 Cross-Site Forms + Password Manager = Security Failure
Firefox, IE Vulnerable to Password Theft
Firefox Password Manager Information Disclosure
Internet Explorer 7 “mhtml:” Redirection Information Disclosure
Mozilla Firefox Password Manager Arbitrary Credentials Disclosure Vulnerability
Netscape Passcard Manager Information Disclosure
Safari AutoFill Information Disclosure









