TEST HERE
http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/
The story is here
http://www.techweb.com/wire/story/TWB20040702S0007
http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/
The story is here
http://www.techweb.com/wire/story/TWB20040702S0007
Wednesday, Secunia issued a warning saying it had discovered a vulnerability within IE that allowed scammers to spoof, or fake, the content of a site displayed in the browser.
On Friday, however, the security vendor modified the alert to claim that virtually every browser, from Internet Explorer and Mozilla to Opera and Netscape -- including browsers for both Windows and the Mac OS -- has this flaw.
It's not a code vulnerability, said Secunia's Kristensen, but a design flaw.
The problem stems from how browsers handle frames. Some time ago, browser designers decided that one site needed to be able to manipulate the content of another, and the functionality was adopted by everyone, said Kristensen. But hackers can use this to inject phony content -- say their own credit card-stealing form -- into a frame of an actual trusted Web site, such as a user's online bank.
In these times of phishing attacks and other scams, this is a problem, said Kristensen. You're visiting a bank or an e-commerce site, and you're certain of that site, but meanwhile, it's [actually] open in the background to content change by hackers.
Internet Explorer users can stymie such spoofing attacks by disabling the Navigate sub-frames across different domains setting under Tools/Internet Options/Security.
Secunia offered up a quick test that users can run to see if their current browser is vulnerable to this problem.