Full Disclosure mailing list archives
RE: RE: SUPER SPOOF DELUXE Re: Microsoft and Security
From: "Thor Larholm" <thor () pivx com>
Date: Thu, 1 Jul 2004 14:30:57 -0700
Both you and I know perfectly well that Windows Update serves a different page for non-IE browsers, and that that page does not contain any frames. You should focus on the facts instead of letting your hatred for Microsoft overwhelm you.

Since you have trouble reproducing a very simple example I have instead put this example online:

http://www.jscript.dk/2004/7/subframe/

Open the page. Click the first button called "Open window". Click the second button called "Load page". See that the page from geocities.com is now loaded inside the subframe on jscript.dk.

As you can see, this is perfectly reproducible in both IE, Mozilla, Firefox and Opera. This is of course provided that they allow popups in the first place, but as I mentioned in my previous posts you can accomplish the same with inline frames instead of a new browser window.

To make doubly sure, I even downloaded fresh copies of Firefox 0.9.1 (worked fine in 'Safe Mode' as well) and Opera 7.51.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation.
<http://www.pivx.com/qwikfix>

-----Original Message-----
From: http-equiv () excite com [mailto:1 () malware com]
Sent: Thursday, July 01, 2004 1:09 PM
To: Thor Larholm; 1 () malware com; bugtraq () securityfocus com
Cc: NTBugtraq () listserv ntbugtraq com
Subject: RE: SUPER SPOOF DELUXE Re: [Full-disclosure] Microsoft and Security

Yes of course. Two tiny problems though:

1. your little scriptlet doesn't work for me. I get:

'W.frames.2.location' is null or not an object

2. If as you claim this is "standard practice" then there is something wrong with these browsers as it apparently does not work on them:

The following browsers are not affected:

* Mozilla Firefox 0.9 for Windows
* Mozilla Firefox 0.9.1 for Windows
* Mozilla 1.7 for Windows
* Mozilla 1.7 for Linux

http://secunia.com/advisories/11978/

Perhaps someone who really knows will enlighten us all.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html