IE7 Window Injection Vulnerability, Again

Okay, this is the third time I have written about this vulnerability, twice today, so I can probably say for sure, this will be the last time, until next time, hehe.

It must be important to Secunia, because they opened up a blog today, just for this I assume, since it is the only post.

On Monday 30th October, Secunia published an advisory describing a vulnerability in IE7, which appears to be a legacy from IE6 – and which back in 2004 turned out to affect virtually every single browser on the market.

The vulnerability allows a malicious site to change the content of arbitrary pop up windows.

In 2004 the organizations behind Firefox, Netscape, Opera, Konqueror, OmniWeb, and Safari all confirmed the “Windows Injection” issue to be a vulnerability and subsequently issued fixes for this issue.

IE6 users had to change the “Navigate sub-frames across different domains” setting to protect themselves.

Today, in IE7 this setting has been disabled by default – that is a good thing – but it doesn’t work – that is a bad thing!

That in itself qualifies for at least a “security bug”. Source: Secunia “Security Watchdog” Blog

Microsoft said in their blog entry this wasn’t a vulnerability then and it isn’t one now, even so, they added the address bar so you could actually see the url, in case someone did try to hijack your browser, and in 2004, users could change the “Navigate sub-frames across different domains” setting to protect themselves. This is disabled in IE7 by default, yet the browser is still vulnerable to the window injection.

We believe that Microsoft ought to take responsibility for the bugs, weaknesses, and vulnerabilities in their browser to ensure that it really protects against phishing and similar scam attacks – isn’t this what Microsoft advertises that IE7 does better than it’s predecessors?

Yes they should. But, this can’t be to serious of a problem for people, Secunia’s solution says,
“Do not browse untrusted sites while browsing trusted sites.”
Umm, can I be the first to say, duh huh. If you don’t trust a site, why are you there to start with?

Anyway, will be interesting to see what Microsoft says, etc, etc. Welcome to the blogosphere Secunia. ;)