Re: Why so much emotion about IWB 2.0.5? (was re: other stuff and re: IBM Web Browser v2.0.5 is here)



David Forrester wrote:



Way up this thread someone posted a link to a list of vulnerabilities in Mozilla. From this I got to <http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla>. And I started testing. It looks like IBM has fixed some of the problems reported as fixed in Mozilla 1.7.5. As David Johnson stated, the IDN spoofing bug has been fixed. And the other most serious ones are either fixed, or there is no way to test in OS/2 (the "cross-platform" testcases are coded for Windows, Mac and Linux). But, MFSA 2005-13 "Window Injection Spoofing" is still there.

No, they seem to have at least partly fixed that, also. If you have 'block popups' selected, the spoofed window will not open, even if you use the Secunia test case for the 'blocked popups.' If you don't have popups blocked, the spoofed window does open, but it opens as a popup window so it doesn't seem very serious since popup windows can display just about anything their creator wants, anyway. To be used maliciously, you would have to be looking at a malicious website which would have a link on it to something useful and trusted such as...say...ebay. Then you click on the phony link to the trusted site and enter your personal data in the phony popup window or something. You could be a victim in this way but it looks unlikely since there would first have to be the malicious website with the bad link and then you would have to be pretty 'unwise' to enter any significant data into a non-https popup window.



Its details are on <http://www.mozilla.org/security/announce/mfsa2005-13.html> and <http://secunia.com/advisories/13129/> which has a simple testcase.

So it appears that IBM has been selective about what fixes they pulled in from later Mozilla versions. It's a pity they didn't tell us what they did.


--
Posted with OS/2 Warp 4.52
and IBM Web Browser v2.0.5