Bugtraq mailing list archives

Re: Netscape Communicator window spoofing bug


From: offerrob () HOTMAIL COM (Robert Thomas)
Date: Sun, 21 Feb 1999 19:17:21 PST



My exploit is completely different from the secureexperts.com 'frame
spoof bug'. If you examine the source, you will see they have nothing in
common. AFAIK 'frame spoofing' needs a frame to spoof, I did not need a
frame.

Even Netscape has acknowledged 'Window spoofing bug' is a new bug.

  I DID look at your code (and I didn't mean that your code was junk,
merely that I had deleted stuff BTW).

  If Netscape ack'ed that this is a new bug then it is because you got
someone new to review it or someone who didn't realize that they are the
same problem.  Now I wonder if they are looking into this.

  Anyone who looked at how Secureexperts did their attack could easily
move it onto an attack against a regular page (as I did 2 months ago,
and you did more recently I presume).  Both exploit the same fundamental
feature (..not a bug, it is a feature), of being able to direct java to
open up a new site inside of another window or frame (Based on a timer
or some such trigger).


  I very much believe it is the same problem.  We have been unable to
figure out a good blanket procedure to fix it though.   You can do neat
things with timers, should they be taken out of Java in the name of
security?  Perhaps we should suggest to the browser developers that they
change the window's appearance of any window/frame that is not the same
as the URL displayed in the Location box in some manner.  While this
would fix new browsers, we still have a LOT of people using old browsers
out there (and would still be susceptible).  I had a man call me up 2
weeks ago wondering why his Netscape 1.0 browser wouldn't do something
(Didn't quite have me on the floor laughing).

-Robert

for IE (that didn't work for all cases BTW).  The solution to this was

Regards,
Georgi Guninski



