Generic Gaping Browser Hole Is Very Scary!

Hi malware fighters,

There is a new, very dangerous generic gaping browser hole that affects all browsers (only the lynx browser is secure from it) and lets an attacker take over the browser completely. It is almost impossible to patch, because it is inherent to the way modern browsers work.
The NoScript add-on for Fx works in almost 100% of the cases against this, but Giorgio Maone advises enabling the "Plugins|Forbid IFRAME" option.
It seems like the exploit basically creates a frame that is hidden underneath the main content frame that a user is seeing. The main content could be a flash game or any sort of incentive to keep a user clicking. All of the clicks that the user is making are used to click on content in the hidden frame. Again, just my speculation based on the information provided by RSnake and Jeremiah above in a limited disclosure.

In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.

ShareThis Info,

polonus
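Added example, not part of the original thread: a heuristic audit that flags frames a page keeps out of the user's sight, matching the hidden-frame behaviour speculated about in the post above. The function names, the thresholds and the sample page are assumptions made for illustration, and only inline `style` attributes are inspected, so frames hidden through a stylesheet or script are not caught.

```python
from html.parser import HTMLParser

def parse_style(style):
    """Split an inline style attribute into a {property: value} dict."""
    props = {}
    for decl in style.split(";"):
        name, sep, value = decl.partition(":")
        if sep:
            props[name.strip().lower()] = value.strip().lower()
    return props

def hidden_reasons(props):
    """Name the inline-style properties that keep a frame out of the user's sight."""
    reasons = []
    # opacity below 0.1: (near-)transparent frame; z-index below 0: stacked under the content
    for name, default, limit in (("opacity", "1", 0.1), ("z-index", "0", 0)):
        try:
            if float(props.get(name, default)) < limit:
                reasons.append(name)
        except ValueError:
            pass  # keyword such as "inherit" or "auto": not decidable from the attribute
    return reasons

class FrameAudit(HTMLParser):
    """Collect (src, reasons) for every iframe/frame whose inline style hides it."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            attr = dict(attrs)
            reasons = hidden_reasons(parse_style(attr.get("style") or ""))
            if reasons:
                self.findings.append((attr.get("src") or "", reasons))

def audit(html):
    """Return the list of (src, reasons) findings for one HTML document."""
    parser = FrameAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (hypothetical URLs): one hidden frame, one ordinary embed.
SAMPLE = """
<iframe src="https://other.example/settings" style="opacity:0; z-index:-1"></iframe>
<iframe src="https://video.example/embed" style="width:400px; height:300px"></iframe>
"""

if __name__ == "__main__":
    for src, reasons in audit(SAMPLE):
        print(f"hidden frame {src}: {', '.join(reasons)}")
```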


This is certainly not good at all. :frowning:


Thanks Polonus, I checked what you asked us to check in the NoScript Options. :smiley:

Thanks polonus, I had it checked.
Down at the bottom of the whitelist are some addresses:
http://127.001:1033
1034
1035
1036
1618
4491

Any idea what these are?

This is why I try to teach folks security set ups, and habits, instead of depending on any browser for security.

They aren’t on my whitelist.

Apart from the IP address format being incorrect (it should be 127.0.0.1, which is localhost), the number after the : colon is the port number. So the string of 4-digit numbers after the first entry looks like they were meant to be ports, but I wasn’t aware you could whitelist a port number.

So I can see no reason why they are in there, and as far as I’m aware the whitelist is user set, either by click or manual addition.

Hi malware fighters,

These are the new governmental guidelines against the gaping i-frame vulnerability for almost all browsers:
http://www.us-cert.gov/reading_room/securing_browser/
Read the advice carefully, because there is no patch for it soon…
The only cure here in Fx is to disable iFrames with NoScript,

polonus