Tuesday, October 31, 2006 8:35 AM cmosby

Internet Explorer 7 Window Injection Vulnerability - Advisories - Secunia

Internet Explorer 7 Window Injection Vulnerability

Secunia Advisory: SA22628
Release Date: 2006-10-30

Critical: Moderately critical
Impact: Spoofing
Where: From remote
Solution Status: Unpatched

Software: Microsoft Internet Explorer 7.x
CVE reference: CVE-2004-1155 (Secunia mirror)

Description:
A vulnerability has been discovered in Internet Explorer 7, which can be exploited by malicious people to spoof the content of websites.

The problem is that a website can inject content into another site's window if the target name of the window is known. For example, a malicious website can exploit this to spoof the content of a pop-up window opened on a trusted website.

This is related to:
SA13251

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

The vulnerability has been confirmed on a fully patched system with Internet Explorer 7.0 and Microsoft Windows XP SP2.
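For site owners, the precondition described above (a window target name that another site can know) can be checked in a page's own source. The following is an added example, not part of the Secunia advisory: it flags static window names in `target` attributes and `window.open` calls and shows a per-load random name as an alternative. The function names and sample markup are constructed, and treating an unpredictable name as a mitigation is an assumption drawn from that precondition, not a fix stated in the advisory.

```javascript
// Added example: audit a trusted page's source for predictable pop-up window names.
// Web Crypto is used so the name generator also works unchanged in a browser.
const webcrypto = globalThis.crypto || require("crypto").webcrypto;

// Reserved targets do not create a named window that another site could address.
const RESERVED = new Set(["_blank", "_self", "_parent", "_top", ""]);

// Find static names in target="..." attributes and window.open(url, "name") calls.
function findPredictableWindowNames(source) {
  const patterns = [
    { kind: "target attribute", re: /\btarget\s*=\s*(["'])([^"']*)\1/gi },
    { kind: "window.open call", re: /\bwindow\.open\s*\(\s*[^,()]+,\s*(["'])([^"']*)\1/gi },
  ];
  const findings = [];
  for (const { kind, re } of patterns) {
    for (const m of source.matchAll(re)) {
      const name = m[2];
      if (!RESERVED.has(name.toLowerCase())) findings.push({ kind, name });
    }
  }
  return findings;
}

// Per-page-load random name (128 bits), so it cannot be known in advance.
function unpredictableWindowName(prefix = "w") {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  return prefix + "_" + hex;
}

// Constructed sample page source (hypothetical, not from the advisory).
const SAMPLE = `
<a href="/help" target="_blank">Help</a>
<a href="/login" target="loginpopup">Log in</a>
<script>
  window.open('/statement', 'statement_win', 'width=400,height=300');
  window.open('/terms', '_blank');
</script>`;

// Returns the static names found in the sample: loginpopup and statement_win.
function auditSample() {
  return findPredictableWindowNames(SAMPLE).map((f) => f.name);
}

console.log(auditSample(), unpredictableWindowName("popup"));
```

The scan is a regex pass over static source, so window names assembled at run time are not seen by it.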

Solution:
Do not browse untrusted sites while browsing trusted sites.

Provided and/or discovered by:
Originally discovered by:
Secunia Research

Reported in Internet Explorer 7 by:
Per Gravgaard

Other References:
SA13251:
http://secunia.com/advisories/13251/

