Yes of course.
Two tiny problems though: 1. your little scriplet doesn't work for me. I get: 'W.frames.2.location' is null or not an object 2. If as you claim this is "standard practice" then there is something wrong with these browsers as it apparently does not work on them: The following browsers are not affected: * Mozilla Firefox 0.9 for Windows * Mozilla Firefox 0.9.1 for Windows * Mozilla 1.7 for Windows * Mozilla 1.7 for Linux http://secunia.com/advisories/11978/ Perhaps someone who really knows will enlighten us all. Thor Larholm <[EMAIL PROTECTED]> said: > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > > Your subject makes it sound like this is a spoofing vulnerability when > in fact this is expected functionality that has been around since > Netscape 2 and IE3 which does not grant additional privileges of any > kind and requires the user to activate WindowsUpdate from your site. > > > Here's a quick and dirty demo injecting malware.com into > > windowsupdate.microsoft.com :) > > http://www.malware.com/targutted.html > > Your script opens a new window and then uses a timer to change the > location of whatever window object has focus. This does not switch > security zone or even protocol, all it does is to load your site into a > subframe of another site. You can accomplish the exact same without > trying to 'trick' anything by using the following 2 lines: > > W=window.open("http://v4.windowsupdate.microsoft.com";); > W.frames[2].location.href = "http://pivx.com/";; > > This is no different than loading WindowsUpdate in a frame on your own > site. > > It has always been standard practice that you can change, but not read, > the location of any window object to a site from the same protocol and > security zone. A frame is a window object and all window objects are > safely exposed because they by themselves does not reveal any > information about the site inside the frame. You can get a handle of any > window object to any depth because the frames collection is also safely > exposed. This does not give you any kind of access to the document > object inside, which would be necessary for any kind of code injection > or cookie theft. > > > > > > > Regards > > Thor Larholm > Senior Security Researcher > PivX Solutions > 23 Corporate Plaza #280 > Newport Beach, CA 92660 > http://www.pivx.com > [EMAIL PROTECTED] > Stock symbol: (PIVX.OB) > Phone: +1 (949) 231-8496 > PGP: 0x5A276569 > 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569 > > PivX defines a new genre in Desktop Security: Proactive Threat > Mitigation. > <http://www.pivx.com/qwikfix> > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Tuesday, June 29, 2004 11:41 AM > To: [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED] > Subject: SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft and Security > > > > > Thomas Kessler was kind enough to inform that this is not new, but in > fact on old "issue" with Internet Explorer which by all accounts was > supposed to be "patched" back in 1998[?]: > > Microsoft Security Program: Microsoft Security Bulletin (MS98- > 020) Patch Available for 'Frame Spoof' Vulnerability > > http://www.microsoft.com/technet/security/bulletin/ms98- 020.mspx > > Quite clearly this contraption known as Internet Explorer is just > broken. It's oozing pus from every pore at this stage. > > If indeed the issues are the exact same. > > You'd better wipe hands of it anyway. > > We give up. > > -- > http://www.malware.com > > > -- http://www.malware.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
