Injection Flaw Found in Browsers
The big ones are vulnerable but the warnings are going unnoticed.
Danish security research firm Secunia has reported a vulnerability that occurs in most browsers that can be exploited by hackers looking to spoof the content of Web sites. And they say repeated warnings have fallen on deaf ears.
The Window Injection Vulnerability, listed on the firm's Web site as "moderately critical," allows malicious attackers to "hi-jack" browser windows and change the content of Web sites, according to Secunia.
The vulnerability was reported in Firefox, Internet Explorer, Opera, Netscape and Konqueror.
Thomas Kristensen, CTO of Secunia, said his company earlier reported the flaw to all of the browser players, but with the exception of Opera, the vendors have ignored the warnings.
"Opera is working on fixing it," he said. "Hopefully other ones follow suit."
Kristensen said the flaw, similar to July's Frame Injection Vulnerability, can be exploited once a malicious Web site has been opened in one browser and a trusted site opened in another.
When a pop-up window appears in the reliable site, the malicious site is able to "hi-jack" that pop-up. Once that has taken place, the pop-up window that has been opened may then display information from the malicious one.
"The basic problem is that a Web site can inject content into another site's window if the target name of the window is known," Kristensen said.
The flaw can be used to trick users into thinking that the bogus information is original content from the legitimate Web site, he added.
Before issuing the report on the Secunia Web site, Kristensen said his firm informed vendors of what he termed inappropriate behavior within their browsers.
"They believe this is the way it [browsers] is supposed to behave," he said. "You trust it shouldn't be able to do that, but they seem to disagree."