Internet Explorer 7 and Firefox 2.0 share a common vulnerability that exposes users to phishing attacks. The Internet Explorer 7 Window Injection Vulnerability actually affects multiple browsers, and Firefox 2.0 is one of them. This is the third vulnerability reported by Secunia since the launch of Internet Explorer 7, and, as was the case with the Internet Explorer 7 Popup Address Bar Spoofing Weakness, the second flaw identified by Secunia, Microsoft is downplaying the IE7 Window Injection Vulnerability. The first, the Internet Explorer 7 "mhtml:" Redirection Information Disclosure vulnerability disclosed by Secunia, was attributed by the Redmond company to Outlook Express rather than to IE7.
"A vulnerability has been discovered in Internet Explorer 7, which can be exploited by malicious people to spoof the content of websites. The problem is that a website can inject content into another site's window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website," announced Secunia.

As was the case with Internet Explorer 7, Firefox was also the subject of vulnerability reports. Adopting a position similar to Microsoft's, Mozilla too has fended off the flaws reported in Firefox 2.0. Rebutting the two vulnerability cases, Mozilla confirmed only the existence of a DoS issue that caused the browser to crash. As for Secunia's recent Window Injection Vulnerability, Mozilla has not yet issued any official comment.
Microsoft, however, is out there in the trenches claiming that the spoofing vulnerability reported by Secunia is not a security issue at all and that it has been known since 2004, refuting Secunia's claim of having discovered the problem.
"This report highlighted that IE and other browsers are designed to allow sites to load pages in browser windows from other sites. This is actually an important design consideration for many websites, especially line-of-business sites, that re-use windows to provide a consistent customer experience. However, an example of how this could be used to mislead users would be for an untrusted site to pop-up a browser window over a trusted site. To make this compelling, the pop-up window would be created without an address-bar. The combination of these events could then be used to add untrusted content to legitimate-looking pop-up windows in a phishing or spoofing attack," stated Christopher Budd, Security Program Manager, Microsoft Security Response Center Team.
Budd added that the issue was dealt with back in 2004 and that Microsoft had done all that it could do. In this context, the Redmond company is placing the responsibility firmly in the hands of the users. To help users make that trust decision, Microsoft did provide one aid.
"We decided that one thing we could do was to add a feature to IE 7 where it always shows the actual URL of the web page, even in pop-up windows. So we added a pop-up window address bar, enabling users to more accurately make a trust decision. In fact, there is a test page as part of this claim and if you look at the page using IE7 you can see the actual URL of the page in the pop-up window," concluded Budd.