How many failed in your browser?

Hi malware fighters,

Check security issues here: http://lcamtuf.coredump.cx/dom_checker/
(courtesy Michal Zalewski)

flock failed 14

polonus

Opera 10.61 = 62
IE8 = 40
Chrome = 12

Fx 3.6.8 >> 14 fails

14 fails on Firefox (is it bad?)

CHECK FAILED : (blank).document.open() call is possible!
CHECK FAILED : (blank).document.write(‘hi mom’) call is possible!
CHECK FAILED : (blank).frames.length read [value: 0] is possible!
CHECK FAILED : (blank).history.forward(0) call is possible!
CHECK FAILED : (blank).length read [value: 0] is possible!
CHECK FAILED : (blank).location.replace(‘about:blank’) call is possible!
CHECK FAILED : (blank).window.length read [value: 0] is possible!
CHECK FAILED : (third-party).frames.length read [value: 2] is possible!
CHECK FAILED : (third-party).frames[0] probe [value: [object Window]] is possible!
CHECK FAILED : (third-party).history.forward(0) call is possible!
CHECK FAILED : (third-party).length read [value: 2] is possible!
CHECK FAILED : (third-party).window.length read [value: 2] is possible!
CHECK FAILED : (third-party).window[0] probe [value: [object Window]] is possible!
CHECK FAILED : open() frame name lookup is possible!

But you had NoScript disabled, I guess… :wink:
asyn

Firefox 3.6.6 = 0 failures with NoScript and it can’t run the tests ;D

Allow pop-ups, NoScript and RequestPolicy for the site:
Firefox 3.6.6 = 14 failures, but I really have to jump through a lot of hoops allowing lots of XSS, which I would normally never do on a strange site.

Leave RequestPolicy in place and no permissions allowed - Failed checks: 441
Now that shows just how crazy the test is, as if the test can’t run XSS then your security is effectively 100%, yet because it can’t run the tests it records a fail on everything ;D

This is where these tests fall down.

http://forum.avast.com/index.php?topic=59717.0 :wink:

Hi forum users,

We tend to forget, that is why. The failed security issues aren’t that particular that it should worry me,

polonus

SeaMonkey 2.0.6

Polonus, can you explain to us? Thanks.

Hi all…

Opera 10.61 x64 on Kubuntu Linux 10.04 x64 = 60 failures.

I didn’t see if it gave the total number of tests. ???

Regards…

Browser : Chrome
Failed checks : 12

14 on Firefox for me also.

RoRo

14 failed tests

+1

Hi Tech,

This is a test for vulnerabilities that can be explored in a browser or with a browser or are design related and it could be very hard to explore these. As the developers of the scan say:

all common browsers fail anywhere from 10 to 30 of less significant tests due to various design decisions (most of which bear some privacy considerations by making it to fingerprint simultaneously open pages).
So 14 as with Flock is a very reasonable number. There always could be some danger when a malcreant can run their own code in a browser or on a browser site. The attack is carried out on the data loaded in the browser’s DOM. For this reason, it is highly advisable to make sure you don’t have more than one window open when using a website of a confidential nature. Re for such an exploit: http://blog.stevepoland.com/exploit-knowing-the-websites-your-visitors-visit/
Fuzzers can be used to find abusable exploits: http://browserfun.blogspot.com/
Know that, as DavidR also said in this thread, the NoScript extension makes this a non-issue because it fully protects. A general issue for various browsers (patched for Fx and Flock): http://www.g-sec.lu/crash/select.html

polonus
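To see what the 14 Firefox failures listed earlier in the thread actually consist of, here is an added example (not part of the thread and not code from lcamtuf’s DOM checker) that parses the checker’s "CHECK FAILED" lines and groups them by the window that was probed and by the kind of access; the sample report is a constructed copy of the lines posted above.

```javascript
// Added example: parse the DOM checker's "CHECK FAILED" output and group it,
// so a bare failure count becomes "which cross-window members were reachable".
// SAMPLE_REPORT is a constructed copy of the 14 Firefox lines posted in the thread.
const SAMPLE_REPORT = `
CHECK FAILED : (blank).document.open() call is possible!
CHECK FAILED : (blank).document.write('hi mom') call is possible!
CHECK FAILED : (blank).frames.length read [value: 0] is possible!
CHECK FAILED : (blank).history.forward(0) call is possible!
CHECK FAILED : (blank).length read [value: 0] is possible!
CHECK FAILED : (blank).location.replace('about:blank') call is possible!
CHECK FAILED : (blank).window.length read [value: 0] is possible!
CHECK FAILED : (third-party).frames.length read [value: 2] is possible!
CHECK FAILED : (third-party).frames[0] probe [value: [object Window]] is possible!
CHECK FAILED : (third-party).history.forward(0) call is possible!
CHECK FAILED : (third-party).length read [value: 2] is possible!
CHECK FAILED : (third-party).window.length read [value: 2] is possible!
CHECK FAILED : (third-party).window[0] probe [value: [object Window]] is possible!
CHECK FAILED : open() frame name lookup is possible!
`;

// Optional "(target)." prefix, the member probed, the access kind, optional observed value.
const LINE_RE = /^CHECK FAILED : (?:\((\w+(?:-\w+)?)\)\.)?(.+?) (read|call|probe|lookup)(?: \[value: (.*)\])? is possible!$/;

function parseReport(text) {
  const failures = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line.startsWith('CHECK FAILED')) continue;
    const m = LINE_RE.exec(line);
    if (!m) throw new Error('unrecognised checker line: ' + line);
    failures.push({
      target: m[1] || 'none',          // "blank", "third-party", or no window at all
      member: m[2],                    // e.g. "frames.length", "history.forward(0)"
      access: m[3],                    // read | call | probe | lookup
      value: m[4] === undefined ? null : m[4], // what the checker could observe
    });
  }
  return failures;
}

// Count failures per probed window and per access kind.
function summarize(failures) {
  const byTarget = {};
  const byAccess = {};
  for (const f of failures) {
    byTarget[f.target] = (byTarget[f.target] || 0) + 1;
    byAccess[f.access] = (byAccess[f.access] || 0) + 1;
  }
  return { total: failures.length, byTarget, byAccess };
}
```

Run over the sample, the summary shows the failures are reads of frame counts, calls into another window, and two frame probes, which is the "fingerprint simultaneously open pages" class the checker's author describes rather than a code-execution flaw.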

Do you mean it could be dangerous to be running in more than one tab? Or just another IE window?
Confidential is banking here?

Hi Tech,

Just as I tell it, with NoScript installed no sweat. On a banking site yes, only one window open in any browser to execute what you have to do there for optimal safety. In Chrome this could be different because every tab/window open is handled as a separate process. I think eventually all browsers will have that for security reasons,

polonus

Thanks Polonus. I’ll stop using IE while banking. Sometimes I have some issues with Firefox + NoScript.