Author Topic: A lot of browsers still vulnerable.  (Read 12480 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
A lot of browsers still vulnerable.
« on: November 04, 2005, 10:13:33 PM »
Hi forum members,

A lot of browsers are still vulnerable to this:
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/

If you have blocked javascript, nothing happens.
There are 87 related browser vulnerabilities.

greets,

polonus
« Last Edit: November 04, 2005, 10:19:42 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89205
  • No support PMs thanks
Re: A lot of browsers still vulnerable.
« Reply #1 on: November 04, 2005, 10:41:11 PM »
Strange it says update to firefox 1.0.5 and I have 1.0.7 and this is still vulnerable. Unless I have been tweaking my settings to death again ;D
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

XtremeKirby

  • Guest
Re: A lot of browsers still vulnerable.
« Reply #2 on: November 04, 2005, 11:41:44 PM »
Quote
Strange it says update to firefox 1.0.5 and I have 1.0.7 and this is still vulnerable. Unless I have been tweaking my settings to death again ;D

You're not alone, DavidR, I had the same thing. I'm using 1.0.7 as well and indeed it is still vulnerable. Hope the new Firefox 1.5 (1.4?) release will fix this.  ;)

Quote
If you have blocked javascript, nothing happens.
True. NoScript blocked it head-on!  ;D

Thanks.

MFB

  • Guest
Re: A lot of browsers still vulnerable.
« Reply #3 on: November 04, 2005, 11:46:39 PM »
Even with the Firefox 1.5 RC1, I'm still vulnerable.   Interesting.... :-\
« Last Edit: November 04, 2005, 11:48:55 PM by Turkey »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: A lot of browsers still vulnerable.
« Reply #4 on: November 05, 2005, 01:19:56 AM »
Quote
If you have blocked javascript, nothing happens.
Polonus, how can we use emoticons and other java stuffs without javascript?  :P
The best things in life are free.

Offline DavidR

Re: A lot of browsers still vulnerable.
« Reply #5 on: November 05, 2005, 01:21:35 AM »
This is not as serious as it is made out to be, personally I'm not unduly concerned. The test page is a proof of concept and requires your co-operation.

In real life you first have to arrive at a site with this exploit embedded in the page and you have to be tricked/misled to click on a link (and a javascript function called) to go to another page. So visit legitimate sites where you initiate the connection, e.g. use either your favourites or type the URL rather than use a link in a dodgy email. So common sense should help you here.

I have just reported that it is still vulnerable in 1.0.7 at the Secunia site; see "View the Secunia advisory regarding your browser:", click on the Firefox link, and there is a means of providing feedback on the advisory.

Yes No Script (personally I'm waiting on it getting a little older) will ask if it should be executed, which is better than disabling javascript as for many sites it would make browsing unworkable.

Offline Lisandro

Re: A lot of browsers still vulnerable.
« Reply #6 on: November 05, 2005, 01:49:47 AM »
David, I couldn't follow your meaning in last post... maybe it's too late for me...
Are you talking to me... I think not, maybe answering to other ones...

Umath

  • Guest
Re: A lot of browsers still vulnerable.
« Reply #7 on: November 05, 2005, 07:19:29 AM »
I almost always browse with my browser's java turned off so I don't have problems with the site at all.

Quote
If you have blocked javascript, nothing happens.
Polonus, how can we use emoticons and other java stuffs without javascript?  :P

???  Tech, why are you still asking this?  Considering the number of your posts, you must be accustomed to BBcode and some emotion icons in Avast boards, I think.

Turn off java and try some codes
:P:P
??????
:):)
;) ;)
:D:D ...etc

Offline polonus

Re: A lot of browsers still vulnerable.
« Reply #8 on: November 05, 2005, 09:44:21 AM »
Hello Umath,

I agree with DavidR that the construct of the test looks a bit scary.
But you have to deliberately co-operate to let it work.
It shows however that script (embedded script) is an important way for malicious code into a browser.

- Rule 1. Use your brain all the time;
- Rule 2. Use script only at sites you trust or know to be trusted;
- Rule 3. Pre-scan your hyperlinks (Dr. Web's pre-link scanner plug-in);
- Rule 4. Always have the latest version of browser and related software and all patches;
- Rule 5. Have Avast run inside your browser (see instructions on their home page).

Feel a bit safer already...

greets,

polonus

Jarmo P

  • Guest
Re: A lot of browsers still vulnerable.
« Reply #9 on: November 05, 2005, 10:29:24 AM »
Great post Polonus!!!

You made me very happy I am a NoScript firefox extension user.
Just as I always suspected !!!

If I allow javascript globally, I do get the popup with FF 1.0.7.
If I use Noscript, of course a trusted site like google.com in my noscript whitelist, no popup :)

I have once got a trojan, probably just because of those popups that still open without NoScript in some sites.

Jarmo

Offline Lisandro

Re: A lot of browsers still vulnerable.
« Reply #10 on: November 05, 2005, 01:46:10 PM »
Quote
???  Tech, why are you still asking this?  Considering the number of your posts, you must be accustomed to BBcode and some emotion icons in Avast boards, I think.
I'm used to them, just asking because if I disable Java scripts, from time to time, smiles are not available...
What am I doing wrong?

Umath

  • Guest
Re: A lot of browsers still vulnerable.
« Reply #11 on: November 05, 2005, 01:51:16 PM »
??? Polonus, I am occasionally puzzled why you don't seem to expect other users to have common sense, which DavidR mentioned, if not special technical knowledge.  Of course, I respect your knowledge, though.  ;) 8)

Quote
If I use Noscript, of course a trusted site like google.com in my noscript whitelist, no popup :)

Does Google site need java?  For I am doing a pragmatist approach where I simply turn on java only when the sites require it and are trustable.  Also, I recommend Firefox users to use Mycroft.

Tech, that's weird since I browse the fora with only the images on but no java at all.

Offline Lisandro

Re: A lot of browsers still vulnerable.
« Reply #12 on: November 05, 2005, 02:03:53 PM »
Quote
Tech, that's weird since I browse the fora with only the images on but no java at all.
The problem is that I don't know, in Maxthon, if I disable download of 'Scripts' I think I'll disable javascripts too.
I can only disable 'Java applicatives' but this is not the same.
If I disable scripts, no smiles.

Jarmo P

  • Guest
Re: A lot of browsers still vulnerable.
« Reply #13 on: November 05, 2005, 02:20:59 PM »
Quote
Does Google site need java?  For I am doing a pragmatist approach where I simply turn on java only when the sites require it and are trustable.  Also, I recommend Firefox users to use Mycroft.

It has 2 javascripts according to NoScript.
You mean NoScript and not MyCroft? I did a google search and MyCroft seems to be a search plugin?

Edit: Certainly no java in google. Java is not the same as javascript.

Offline DavidR

Re: A lot of browsers still vulnerable.
« Reply #14 on: November 05, 2005, 05:09:05 PM »
Quote
David, I couldn't follow your meaning in last post... maybe it's too late for me...
Are you talking to me... I think not, maybe answering to other ones...
Sorry Tech, I was just talking generally on the topic that the proof of concept test requires your co-operation. In real life it relies on deception to get you to first visit the site that has the malicious javascript code embedded in the link to another site/page. You also have to be tricked/deceived/persuaded to click the link. So it is not as easy to get caught if you use common sense.