====================================================================== 

                     Secunia Research 20/10/2004

        - Multiple Browsers Tabbed Browsing Vulnerabilities -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerabilities.......................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

====================================================================== 
1) Affected Software 

Mozilla 1.7.3
Mozilla Firefox 0.10.1
Camino 0.8
Opera 7.54
Konqueror 3.2.2-6
Netscape 7.2
Avant Browser 9.02 build 101
Avant Browser 10.0 build 029
Maxthon (MyIE2) 1.1.039

Prior versions of all above software may also be vulnerable.

====================================================================== 
2) Severity 

Rating: Less/Moderately critical 
Impact: Spoofing
Where:  From remote

====================================================================== 
3) Description of Vulnerabilities 


Vulnerability "A":
It is possible for a inactive tab to spawn dialog boxes e.g. the
JavaScript "Prompt" box or the "Download dialog" box, even if the user
is browsing/viewing a completely different web site in another tab.

The problem is that the browsers does not indicate, which tab launched
the dialog boxes, which therefore could lead the user into disclosing
information to a malicious web site or to download and run a program,
which the user thought came from another trusted web site e.g. their
bank.

Demonstration:
http://secunia.com/multiple_browsers_dialog_box_spoofing_test/

Vulnerability "A" Affects:
Mozilla 1.7.3
Mozilla Firefox 0.10.1
Camino 0.8
Opera 7.54
Konqueror 3.2.2-6
Netscape 7.2
Avant Browser 9.02 build 101
Avant Browser 10.0 build 029
Maxthon (MyIE2) 1.1.039


Vulnerability "B":
It is possible for a inactive tab to always gain focus on a form
field in the inactive tab, even if the user is browsing/viewing a
completely different web site in another tab.

This is escalated a bit by the fact that most people do not look at
the monitor while typing data into a form field, and therefore might
send data to the site in the inactive tab, instead of the
intended/viewed tab.

Demonstration:
http://secunia.com/multiple_browsers_form_field_focus_test/

Vulnerability "B" Affects:
Mozilla 1.7.3
Mozilla Firefox 0.10.1
Netscape 7.2
Avant Browser 9.02 build 101
Avant Browser 10.0 build 029
Maxthon (MyIE2) 1.1.039

======================================================================
4) Solution

Mozilla:
  Vulnerability "A":
    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.
   
  Vulnerability "B":
    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.


Mozilla Firefox:
  Vulnerability "A":
    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.
   
  Vulnerability "B":
    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.


Camino:
  Vulnerability "A":
    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.
   
  Vulnerability "B":
    Not affected by this vulnerability.


Opera:
  Vulnerability "A":
    Will be fixed in Opera 7.60.

    Until Opera 7.60 becomes available, Opera Software will release an
    advisory on this issue, which will be available on the Opera
    website.
   
  Vulnerability "B":
    Not affected by this vulnerability.


Avant Browser:
  Vulnerability "A":
    Vulnerable. However, vendor never responded to inquiries.

    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.

  Vulnerability "B":
    Vulnerable. However, vendor never responded to inquiries.

    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.


Konqueror:
  Vulnerability "A":
    The Vendor reports that KDE version 3.3.1 fixes this
    vulnerability.
   
  Vulnerability "B":
    Not affected by this vulnerability.


Netscape:
  Vulnerability "A":
    Vulnerable. However, vendor never responded to inquiries.

    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.

  Vulnerability "B":
    Vulnerable. However, vendor never responded to inquiries.

    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.


Maxthon:
  Vulnerability "A":
    Will be fixed in an upcoming version.

    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.
   
  Vulnerability "B":
    Will be fixed in next version.

    Disable JavaScript or do not visit untrusted and trusted websites
    at the same time.


======================================================================
5) Time Table 

04/10/2004 - Vulnerabilities reported to Netscape, Mozilla, Opera and
             Avant Browser.
05/10/2004 - Vulnerabilities reported to KDE (Konqueror) and Maxthon.
08/10/2004 - Netscape and Avant contacted again as they have not
             responded.
20/10/2004 - Public disclosure.

====================================================================== 
6) Credits 

Discovered by Jakob Balle, Secunia Research.

====================================================================== 
7) References

Secunia Advisories:
http://secunia.com/SA12706
http://secunia.com/SA12712
http://secunia.com/SA12713
http://secunia.com/SA12714
http://secunia.com/SA12717
http://secunia.com/SA12731

====================================================================== 
8) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia web site: 

http://secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://secunia.com/secunia_security_advisories/

====================================================================== 
9) Verification 

Please verify this advisory by visiting the Secunia web site: 
http://secunia.com/secunia_research/2004-10/

======================================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html