Multiple Browsers Frame Injection Vulnerability
by Arie Slob
Hello Windows users,
Right on the heels of the Internet Explorer configuration change that Microsoft offered its customers last week, security firm Secunia announced the discovery of a 6-year-old security vulnerability in multiple browsers that allows malicious people to spoof the content of Web sites.
The vulnerability occurs because affected browsers don't check whether a target frame belongs to the Web site that contains the malicious link. As a result, nothing prevents a page in one browser window from loading content into a named frame in another window.
This vulnerability has been reported in the following Web browsers:
- Internet Explorer 5.x, 6
- Konqueror 3.x
- Mozilla 0.x, 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6
- Mozilla Firefox 0.x
- Netscape 6.x, 7.x
- Opera 5.x, 6.x, 7.x
- Safari 1.x
According to Secunia, the following browsers are not affected:
- Mozilla Firefox 0.9 and later
- Mozilla 1.7
- Opera 7.52
Secunia has constructed a test, which can be used to check if your browser is affected by this issue: Secunia Test
If you are using Internet Explorer, there's a small change you can make to the security settings that will prevent this vulnerability: disable the security setting "Navigate sub-frames across different domains".
I know I keep repeating myself, but if you followed my advice I first published in October 2000, you should already be protected against this vulnerability, as I've recommended switching the setting Navigate sub-frames across different domains to Disabled for all but "Trusted" sites.
The Mozilla team have a Web page with more information, and links to their updated browsers.
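The missing check described above, as an added JavaScript model that is not code from Secunia, this newsletter or any browser: the window and frame names, the example hosts and the `checkOwner` flag are assumptions, and a hostname comparison stands in for whatever ownership test a given browser applies.

```javascript
// Simplified model of named-frame targeting (constructed for illustration).
// Each open window has a top-level page URL and the named frames it embeds.
function sampleWindows() {
  return [
    { url: "https://bank.example/portal",
      frames: [{ name: "content", url: "https://bank.example/login" }] },
    { url: "https://other.example/page", frames: [] },
  ];
}

const host = (url) => new URL(url).hostname;

// Look the frame name up across every open window, the way a link with
// target="content" is resolved when the name is not found locally.
function findFrame(allWindows, frameName) {
  for (const win of allWindows) {
    const frame = win.frames.find((f) => f.name === frameName);
    if (frame) return { win, frame };
  }
  return null;
}

// checkOwner = false models the affected browsers: no ownership check.
// checkOwner = true models the check the article says was missing; the IE
// setting "Navigate sub-frames across different domains: Disabled" is
// assumed here to have the same effect.
function navigateNamedFrame(allWindows, linkPageUrl, frameName, newUrl, checkOwner) {
  const hit = findFrame(allWindows, frameName);
  if (!hit) return { allowed: false, reason: "no such frame" };
  const sameSite = host(hit.win.url) === host(linkPageUrl);
  if (checkOwner && !sameSite) {
    return { allowed: false, reason: "frame belongs to " + host(hit.win.url) };
  }
  hit.frame.url = newUrl; // the frame now shows the link's content
  return { allowed: true, reason: sameSite ? "same site" : "unchecked" };
}

// Stand-alone demonstration: the same cross-site link under both policies.
for (const checkOwner of [false, true]) {
  const wins = sampleWindows();
  const r = navigateNamedFrame(wins, "https://other.example/page", "content",
                               "https://other.example/form", checkOwner);
  console.log(checkOwner, r.allowed, r.reason, wins[0].frames[0].url);
}
```

In the unchecked run the address bar of the first window would still show bank.example while its frame shows content from another host, which is the spoofing condition Secunia reported.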
Windows XP Service Pack 2 Release Candidate 2 Review
Microsoft is putting the final touches on Service Pack 2 (SP2) for Windows XP. Last month it made Release Candidate 2 (RC2) available for general download (see: Microsoft Releases Windows XP Service Pack 2 Release Candidate 2).
I've been running this release on my laptop since last month, and must say that I haven't run into any problems. I've written a review about this release, so if you want to know a bit more about what is coming up soon for Windows XP, head over to the Windows-Help.NET Web site to read the review.
Check out the new Windows XP Game Advisor
Find the right games for you and your family with the all new Windows XP Game Advisor. Updated last June, this Web-based tool will help Windows XP users determine which games will run on their PC, and then select the perfect game for themselves, family and friends.
Windows XP Game Advisor
TechNet Webcast: Group Policy Power Hour: Old School vs. New School - Level 200
Are you still using the Group Policy interface built into the box? If you're not using the Group Policy Management Console (GPMC) yet, don't panic. You just need a little guidance to get there from here. And in this first Group Policy Power Hour, we'll explore how to take your old-school skills and bump them up a notch into the new-school GPMC.
Recommended Audience: IT Professional.
Date: Friday, July 16, 2004
Time: 8:00 AM-9:00 AM Pacific Time (GMT-7, US & Canada)
Register to attend Webcast
FREE Download: Microsoft Virtual Server 2005, Enterprise Edition, Release Candidate
Microsoft is making the time-limited Virtual Server 2005 RC available to download at no charge. This download is available only in English, requires an EULA, and may not be installed in a production environment. The software expires January 1, 2005.
Host Operating System: Windows Server 2003, Windows XP Professional.
Register to Download the Virtual Server 2005 RC