If at first you don't succeed; call it version 1.0
Saturday, 16 June 2007

The phishing hole in Internet Explorer 7 that I disclosed 3 months ago was fixed by Microsoft's June security update.

The following was the vulnerable code in the ieframe.dll resource file:

The patch changed the refresh javascript URL to call a new clickRefresh() function, as follows:

The clickRefresh() function then validates that the address after the # sign is considered safe for navigation, before it replaces the location with this address.

Although this change closes the XSS vulnerability, I still don't understand why Microsoft considers local file access URLs (file://) as safe for navigation. I hope this doesn't open another hole.
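
The kind of check described above, validating the address after the # sign before navigating to it, can be sketched as follows. This is an added example, not Microsoft's clickRefresh() code or code from this post; the function names, the host page URL and the sample inputs are assumptions, and the default allowlist leaves out file: to reflect the concern raised above.

```javascript
// Added example, not Microsoft's code. All names are hypothetical.
// file: is deliberately left out of the default allowlist.
const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Return everything after the first '#', or "" if there is no fragment.
function fragmentTarget(pageUrl) {
  const i = pageUrl.indexOf("#");
  return i === -1 ? "" : pageUrl.slice(i + 1);
}

// Return the normalized target if its scheme is allowlisted, else null.
function safeRefreshTarget(pageUrl, schemes = SAFE_SCHEMES) {
  const raw = fragmentTarget(pageUrl);
  if (raw === "") return null;
  let parsed;
  try {
    // No base URL is supplied, so relative or scheme-less input throws.
    // The parser also lowercases the scheme and drops tabs, newlines and
    // surrounding spaces, so obfuscated schemes are seen as they would run.
    parsed = new URL(raw);
  } catch {
    return null;
  }
  if (!schemes.has(parsed.protocol)) return null;
  // Navigate to the parsed form, never to the raw fragment string.
  return parsed.href;
}

// Constructed sample inputs (the host page URL is a placeholder).
const PAGE = "https://app.example/cancelled.html";
const samples = [
  PAGE + "#https://example.com/page",
  PAGE + "#javascript:alert(1)",
  PAGE + "# JaVa\tScript:alert(1)",
  PAGE + "#file:///C:/example.txt",
  PAGE + "#/relative/path",
  PAGE,
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeRefreshTarget(s));
}
```

Checking the parsed scheme rather than a string prefix is what makes the mixed-case, tab-containing sample fail the same way as the plain javascript: one.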

In other news, a new phishing hole in Safari for Windows was disclosed by Robert Swiecki in a Full Disclosure post. He also included a proof of concept which works on the new patched version (v3.0.1) of Safari.

My suggestion remains to wait for the final release before you consider using this "secured from day one" browser.


Saturday, 16 June 2007 22:05:50 UTC | Security
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.