Avast WEBforum

Other => General Topics => Topic started by: polonus on August 28, 2010, 11:19:00 PM

Title: How many failed in your browser?
Post by: polonus on August 28, 2010, 11:19:00 PM
Hi malware fighters,

Check security issues here: http://lcamtuf.coredump.cx/dom_checker/
(courtesy Michal Zalewski)

flock failed 14

polonus
Title: Re: How many failed in your browser?
Post by: Pondus on August 28, 2010, 11:40:40 PM
Opera 10.61 = 62
IE8 = 40
Chrome = 12
Title: Re: How many failed in your browser?
Post by: Gargamel360 on August 28, 2010, 11:45:41 PM
Fx 3.6.8>>14 fails
Title: Re: How many failed in your browser?
Post by: Lisandro on August 28, 2010, 11:57:11 PM
14 fails on Firefox (is it bad?)

CHECK FAILED : (blank).document.open() call is possible!
CHECK FAILED : (blank).document.write('hi mom') call is possible!
CHECK FAILED : (blank).frames.length read [value: 0] is possible!
CHECK FAILED : (blank).history.forward(0) call is possible!
CHECK FAILED : (blank).length read [value: 0] is possible!
CHECK FAILED : (blank).location.replace('about:blank') call is possible!
CHECK FAILED : (blank).window.length read [value: 0] is possible!
CHECK FAILED : (third-party).frames.length read [value: 2] is possible!
CHECK FAILED : (third-party).frames[0] probe [value: [object Window]] is possible!
CHECK FAILED : (third-party).history.forward(0) call is possible!
CHECK FAILED : (third-party).length read [value: 2] is possible!
CHECK FAILED : (third-party).window.length read [value: 2] is possible!
CHECK FAILED : (third-party).window[0] probe [value: [object Window]] is possible!
CHECK FAILED : open() frame name lookup is possible!
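
The failure lines posted above follow a regular shape: a window context (`blank` or `third-party`), the DOM expression that was reachable, and the kind of access (`read`, `call` or `probe`). The following is an added example, not part of the original thread or of the DOM checker tool, that parses such output and groups it so that property reads can be told apart from method calls; the function names are hypothetical and the sample is the output quoted in this thread.

```javascript
// Added example: classify DOM checker "CHECK FAILED" lines by context and operation.
// SAMPLE is the result list quoted in this thread (Firefox, 14 failures).
const SAMPLE = `CHECK FAILED : (blank).document.open() call is possible!
CHECK FAILED : (blank).document.write('hi mom') call is possible!
CHECK FAILED : (blank).frames.length read [value: 0] is possible!
CHECK FAILED : (blank).history.forward(0) call is possible!
CHECK FAILED : (blank).length read [value: 0] is possible!
CHECK FAILED : (blank).location.replace('about:blank') call is possible!
CHECK FAILED : (blank).window.length read [value: 0] is possible!
CHECK FAILED : (third-party).frames.length read [value: 2] is possible!
CHECK FAILED : (third-party).frames[0] probe [value: [object Window]] is possible!
CHECK FAILED : (third-party).history.forward(0) call is possible!
CHECK FAILED : (third-party).length read [value: 2] is possible!
CHECK FAILED : (third-party).window.length read [value: 2] is possible!
CHECK FAILED : (third-party).window[0] probe [value: [object Window]] is possible!
CHECK FAILED : open() frame name lookup is possible!`;

// "(context).expression op [value: v] is possible!" with the value part optional.
const LINE = /^CHECK FAILED : \(([^)]+)\)\.(.+?) (read|call|probe)(?: \[value: (.*)\])? is possible!$/;
// Failures that name no window context, e.g. the open() frame name lookup.
const GENERIC = /^CHECK FAILED : (.+) is possible!$/;

function parseLine(line) {
  const text = line.trim();
  const m = LINE.exec(text);
  if (m) return { context: m[1], expr: m[2], op: m[3], value: m[4] === undefined ? null : m[4] };
  const g = GENERIC.exec(text);
  if (g) return { context: "(none)", expr: g[1], op: "other", value: null };
  return null; // not a failure line
}

function summarize(text) {
  const summary = {};
  for (const line of text.split(/\r?\n/)) {
    const rec = parseLine(line);
    if (!rec) continue;
    if (!summary[rec.context]) summary[rec.context] = { read: [], call: [], probe: [], other: [] };
    summary[rec.context][rec.op].push(rec.expr);
  }
  return summary;
}

function countByOp(summary) {
  const totals = { read: 0, call: 0, probe: 0, other: 0 };
  for (const bucket of Object.values(summary))
    for (const op of Object.keys(totals)) totals[op] += bucket[op].length;
  return totals;
}

console.log(countByOp(summarize(SAMPLE)));
```
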
Title: Re: How many failed in your browser?
Post by: Asyn on August 29, 2010, 12:10:43 AM
Hi malware fighters,
Check security issues here: http://lcamtuf.coredump.cx/dom_checker/
(courtesy Michal Zalewski)
flock failed 14
polonus

But you had NoScript disabled, I guess.. ;)
asyn
Title: Re: How many failed in your browser?
Post by: DavidR on August 29, 2010, 12:18:15 AM
Firefox 3.6.6 = 0 failures with NoScript and it can't run the tests ;D

Allow pop-ups, NoScript and RequestPolicy for the site:
Firefox 3.6.6 = 14 failures, but I really have to jump through a lot of hoops allowing lots of XSS, which I would normally never do on a strange site.

Leave RequestPolicy in place and no permissions allowed - Failed checks: = 441
Now that shows just how crazy the test is, as if the test can't run XSS then your security is effectively 100%, yet because it can't run the tests it records a fail on everything ;D

This is where these tests fall down.
Title: Re: How many failed in your browser?
Post by: spg SCOTT on August 29, 2010, 01:38:09 AM
http://forum.avast.com/index.php?topic=59717.0 ;)
Title: Re: How many failed in your browser?
Post by: polonus on August 29, 2010, 01:50:30 AM
Hi forum users,

We tend to forget, that is why. The failed security issues aren't that particular that it should worry me,

polonus



Title: Re: How many failed in your browser?
Post by: jadinolf on August 29, 2010, 02:03:09 AM
SeaMonkey 2.0.6
Title: Re: How many failed in your browser?
Post by: Lisandro on August 29, 2010, 02:56:32 AM
14 fails on Firefox (is it bad?)
Polonus, can you explain to us? Thanks.
Title: Re: How many failed in your browser?
Post by: ardvark on August 29, 2010, 02:59:39 AM
Hi all...

Opera 10.61 x64 On Kubuntu Linux 10.04 x64=60 failures.

I didn't see if it gave the total number of tests. ???

Regards...
Title: Re: How many failed in your browser?
Post by: nmb on August 29, 2010, 03:21:44 AM
Browser : Chrome
Failed checks : 12
Title: Re: How many failed in your browser?
Post by: roro on August 29, 2010, 07:32:34 AM
14 on Firefox for me also.

RoRo
Title: Re: How many failed in your browser?
Post by: secosen on August 29, 2010, 08:29:24 AM
14 failed tests
Title: Re: How many failed in your browser?
Post by: SpeedyPC on August 29, 2010, 08:37:51 AM
Fx 3.6.8>>14 fails

+1
Title: Re: How many failed in your browser?
Post by: Lisandro on August 29, 2010, 09:18:53 PM
Polonus, can you explain to us? Thanks.
Title: Re: How many failed in your browser?
Post by: polonus on August 29, 2010, 09:52:08 PM
Hi Tech,

This is a test for vulnerabilities that can be explored in a browser or with a browser or are design related and it could be very hard to explore these. As the developers of the scan say:
Quote
all common browsers fail anywhere from 10 to 30 of less significant tests due to various design decisions (most of which bear some privacy considerations by making it possible to fingerprint simultaneously open pages).
So 14 as with Flock is a very reasonable number. There always could be some danger when a miscreant can run their own code in a browser or on a browser site. The attack is carried out on the data loaded in the browser's DOM. For this reason, it is highly advisable to make sure you don't have more than one window open when using a website of a confidential nature. Re for such an exploit: http://blog.stevepoland.com/exploit-knowing-the-websites-your-visitors-visit/
Fuzzers can be used to find abusable exploits: http://browserfun.blogspot.com/
Know that, as DavidR also said in this thread, the NoScript extension makes this a non-issue because it fully protects. A general issue for various browsers (patched for Fx and Flock): http://www.g-sec.lu/crash/select.html

polonus
Title: Re: How many failed in your browser?
Post by: Lisandro on August 29, 2010, 10:03:20 PM
The attack is carried out on the data loaded in the browser's DOM. For this reason, it is highly advisable to make sure you don't have more than one window open when using a website of a confidential nature.
Do you mean it could be dangerous to be running in more than one tab? Or just another IE window?
Confidential is banking here?
Title: Re: How many failed in your browser?
Post by: polonus on August 29, 2010, 11:34:48 PM
Hi Tech,

Just as I tell it, with NoScript installed no sweat. On a banking site yes, only one window open in any browser to execute what you have to do there for optimal safety. In Chrome this could be different because every tab/window open is handled as a separate process. I think eventually all browsers will have that for security reasons,

polonus
Title: Re: How many failed in your browser?
Post by: Lisandro on August 29, 2010, 11:37:14 PM
Thanks Polonus. I'll stop using IE while banking. Sometimes I have some issues with Firefox + NoScript.
Title: Re: How many failed in your browser?
Post by: polonus on August 29, 2010, 11:45:02 PM
Hi Tech,

Join us at the one and only NoScript forum run by the extension's developer, Giorgio Maone, and we certainly can help to solve these issues: http://noscript.net/forum
My nick there is "luntrus",

Damian
Title: Re: How many failed in your browser?
Post by: jadinolf on August 30, 2010, 01:54:19 AM
There is soooo much that we must know that it's getting scary. ::)
Title: Re: How many failed in your browser?
Post by: Lisandro on August 30, 2010, 03:03:02 AM
Hi Tech,

Join us at the one and only NoScript forum run by the extension's developer, Giorgio Maone, and we certainly can help to solve these issues: http://noscript.net/forum
My nick there is "luntrus",

Damian
Thanks for the offer. I need to consider another forum... When I enter one I do not leave ;D
Title: Re: How many failed in your browser?
Post by: YoKenny on August 30, 2010, 12:41:52 PM
Hi Tech,

Just as I tell it, with NoScript installed no sweat. On a banking site yes, only one window open in any browser to execute what you have to do there for optimal safety. In Chrome this could be different because every tab/window open is handled as a separate process. I think eventually all browsers will have that for security reasons,

polonus
IE8 opens every tab in a new process.

Enhanced tabbed browsing
http://www.microsoft.com/windows/internet-explorer/features/easier.aspx