DescentBB

Introduction

Secunia Research has reported a vulnerability, which affects most browsers. The vulnerability can be exploited by a malicious web site to "hi-jack" a named browser window, regardless of which web site is the true "owner" of the window.

Please use the test below, to see an example of how this vulnerability can be exploited, and also to determine whether or not your browser is vulnerable.

The test

Run this test multiple times to be sure. Sometimes it will give false negatives.

No problems with Lynx here.

popup bloacker on my FW pretty much cures that.

IE, does not.

Netscape on Mac, NP
Fus

hahaha

you click the test link and you popup blocker alert sounds like an alarm clock. funny but...

Ghey

maybe you should post this link over at planetdescent they will all get hammered by it...

Heh, they say Firefox is vulnerable, but I tested it five times, and mine didn't show symptoms.

Using IE at work with Google toolbar and I wasn't affected. Did stop about 500 pop ups though.

OH NO!

I am so scared!

My Browser has a hole!

WHO'D HAVE EVER BELIEVED *THAT*????!!111

Shut up you idiot.

just a con to get usa today more veiws

I don't see a "today in pictures" link...

Top Wop - get a sense of humour.

But please, wait until AFTER you boil your head for 20 minutes. A "high simmer" would probably do the trick too.

Plebeian wrote:Heh, they say Firefox is vulnerable, but I tested it five times, and mine didn't show symptoms.

Weird...I'm also using Firefox, and I saw the window.

firefox here. i seem to be safe, it was not able to open the window.

when i clicked the "no popup blocker" link, firefox sure enough STOPPED the popup from opening. (i guess this popup was supposed to grab control of the other window yes?). all clicking the link did was open the usatoday website in a new tab (with a typical firefox notice at the top that firefox had stopped it opening a popup window).

so i clicked the "i have a popup blocker" link, and it told me that i didn't have a popup blocker - and refused to run the test.

so i guess i win

perhaps it's because i use the tabbrowser preferences extention for firefox, NOTHING can open a new window, everything opens in a new TAB instead. i only ever have 1 firefox window open.

I have it configured to open in new tabs as well; I simply assumed that opening the tab was enough, by their definition, to fail the test.

to have failed the test i think it has to open a new SECUNIA window, instead of a USATODAY window. or the USATODAY window turns into a SECUNIA window, or something to that effect.

all i saw was the USATODAY tab, since that's what the link had written on it: i kinda expected that

You fail if the new window opened by the Day In Pictures link ends up as a Secunia window instead of a USA Today window.

ah ok.
*tries*

i am still a winnar.

secunia found an exploit that works this week. IE only.

im wrong. Firefox is vunerable to the first exploit., if, I need to test this, you either uninstall Adaware or TBE.

Its TBE. funny.

roid wrote:perhaps it's because i use the tabbrowser preferences extention for firefox, NOTHING can open a new window, everything opens in a new TAB instead. i only ever have 1 firefox window open.

I'm pretty sure thats what did it, since my Firefox was vulnerable before I installed the tabbrowser extension but now it isnt.

Using firefox here and failed

They also say Opera is vulnerable but it doesn't work right, instead of the site taking over the pop-up window the pop-up window loads on top of the site.

It snagged the pop up that opened in Firefox. It wasn'[t an unintended pop-up, Firefox does open new windows if you *click* a link that is set to open a new window. That in itself is not a vulnerability or a problem.

I dont' see how this will affect any other than the dumbest people. You first have to be on an untrusted site for it to work anyway. Who clicks on the link to their bank account from hackerz.com anyway?

Ace?