A lot of browsers still vulnerable.

Hi forum members,

A lot of browsers are still vulnerable to this:
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/

If you have blocked javascript, nothing happens.
There are 87 related browser vulnerabilities.

greets,

polonus

Strange it says update to firefox 1.0.5 and I have 1.0.7 and this is still vulnerable. Unless I have been tweaking my settings to death again ;D

Strange it says update to firefox 1.0.5 and I have 1.0.7 and this is still vulnerable. Unless I have been tweaking my settings to death again Grin

You’re not alone, DavidR, I had the same thing. I’m using 1.0.7 as well and indeed it is still vulnerable. Hope the new Firefox 1.5 (1.4?) release will fix this. :wink:

If you have blocked javascript, nothing happens.
True. NoScript blocked it head-on! ;D

Thanks.

Even with the Firefox 1.5 RC1, I’m still vulnerable. Interesting… :-\

Polonus, how can we use emoticons and other java stuffs without javascript? :stuck_out_tongue:

This is not as serious as it is made out to be, personally I’m not unduly concerned. The test page is a proof of concept and requires your co-operation.

In real life you first have to arrive at a site with this exploit embedded in the page and you have to be tricked/mislead to click on a link (and a javascript function called) go to another page. So visiting legitimate sites that you initiate the connection, e.g. use either your favourites or type the url rather than use a link in a dodgy email. So common sense should help you here.

I have just reported it is still vulnerable in 1.0.7 at the Secunia site see the View the Secunia advisory regarding your browser: you click on the firefox link there is a means of providing feedback on the advisory.

Yes No Script (personally I’m waiting on it getting a little older) will ask if it should be executed, which is better than disabling javascript as for many site it would make browsing unworkable.

David, I couldn’t follow your meaning in last post… maybe it’s too late for me…
Are you talking to me… I think not, maybe answering to other ones…

I almost always browse while my browser’s java turned off so I don’t have problems with the site at all.

??? Tech, why are you still asking this? Considering the number of your posts, you must be accustomed to BBcode and some emotion icons in Avast boards, I think.

Turn off java and try some codes

:P

:stuck_out_tongue:

???

???

:)

:slight_smile:

;)

:wink:

:D

:smiley: …etc

Hello Umath,

I agree with DavidR that the construct of the test looks a bit scary.
But you have to deliberately co-operate to let it work.
It shows however that script (embedded script) is an important way for malicious code into a browser.

  • Rule 1. Use your brain all the time;
  • Rule 2. Use script only at sites you trust or know to be trusted;
  • Rule 3. Pre-scan your hyperlinks (Dr. Web’s pre-link scanner plug-in);
  • Rule 4. Always have the latest version of browser and related software and all patches;
  • Rule 5. Have Avast run inside your browser (see instructions on their home page).

Feel a bit safer already…

greets,

polonus

Great post Polonus!!!

You made me very happy I am a NoScript firefox extension user.
Just as I always suspected !!!

If I allow javascript globally, I do get the popup with FF 1.0.7.
If I use Noscript, of course a trusted site like google.com in my noscript whitelist, no popup :slight_smile:

I have ones got a trojan, probably just cause of those popups that still open without NoScript in some sites.

Jarmo

I’m used to them, just asking because if I disable Java scripts, from time to time, smiles are not available…
What am I doing wrong?

??? Polonus, I am occationally puzzled why you don’t seem to expect other users to have common sense, which DavidR mentioned, if not special technical knowledge. Of course, I respect your knowlege, though. :wink: 8)

Does Google site need java? For I am doing a pragmatist approach where I simply turn on java only when the sites require it and are trustable. Also, I recommend Firefox users to use Mycroft.

Tech, that’s wierd since I browse the fora with only the images on but no java at all.

The problem is that I don’t know, in Maxthon, if I disable download of ‘Scripts’ I think I’ll disable javascripts too.
I can only disable ‘Java applicatives’ but this is not the same.
If I disable scripts, no smiles.

Does Google site need java? For I am doing a pragmatist approach where I simply turn on java only when the sites require it and are trustable. Also, I recommend Firefox users to use Mycroft.

It has 2 javascripts according to NoScript.
You mean NoScript and not MyCroft? I did a google search and MyCroft seems to be a search plugin?

Edit: Certainly no java in google. Java is not the same as javascript.

Sorry Tech, I was just talking generally on the topic that the proof of concept test requires your co-operation. In real life it relies on deception to get you to first visit the site that has the malicious javascript code embedded in the link to another site/page. You also have to be tricked/deceived/persuaded to click the link. So it is not as easy to get caught if you use common sense.

That is strange I just tried it with Maxthon no scripts, no Java Applets and I have smilies (mind you I didn’t expect it to be different.

Hi Umath,

I write all these postings of mine with all users in mind. And I know of course you surf with sense, really I would not expect otherwise. And to you Jarmo P. Yes, this is my friend as you always expected, and that is why we use JS only when it is safe to use, so SELECTIVELY In case of doubt use Dr. Web’s hyperlink scanner plug-in, and you will get a report on what to expect when you later click this link through. Also good when you try to download things, you getthe packers, the code etc. With Avast running inside the browser there is not so much to worry about. But prevention is always better then having to let Avast correct it when it is trying to run.
Then I just updated automatically to the Filterset G and G-Beta-Whitelist 2005-10-31a, to give me just that extra bit of protection. This is the practical approach, make sure you do not run the risk,

greets,

polonus

I meant both java and java script. I have never turned on java/script at Google site but I don’t think I cannot use some functions because of that so I wondered.

Yes, rather than portal search pages, personally I use search plug-ins, which enable quicker access. Also, Mycroft is different from other suspicious parasite plug-ins.

polonus, I see your point.

Hello readers of this thread,

Here is a good link with advice for Secure Browser Configuration for IE type and Firefox type browsers:
consider this: http://cybercoyote.org/security/browsers.shtml

As you read this you can see, why we use NoScript to lift the ban on script only if we trust the site. Well the thing about third party cookies goes for itself. Especially in firefox and Flock you have to pay attention when the url text is YELLOW and you get a pop up window, this could be for a malware download. These browsers can also be affected by malicious installs via Java applet NoScript prevents this or pre-hyperlink scanning with the Dr. Web plug-in.

greets,

polonus

Unless this is some sort of P-of-C test the “Here is a good link with advice for Secure Browser Configuration for IE type and Firefox type browsers:” link is down or a typo.