- Description:
The newest MyInternet Browser version 10.0.0.0, released on 18th May 
2004, is confirmed as affected to new remote type Multiple Browsers 
Dialog Origin Vulnerability. Tests was done with Secunia test page
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/ .
 
Result:
Result was similar when tested with fully patched Microsoft Internet 
Explorer 6.0 (6.0.2800.1106) including cumulative Microsoft June 
security update MS05-025. Issue was tested with Windows XP Professional 
US and default browser settings were in use.
Opened Script Prompt asking 'password' at this test issue doesn't show 
the origin url of the dialog box. This enables spoofing-type attacks.
Browser status bar shows the following text for 'Test Now - Left Click 
On This Link' link: http://www.google.com/
 
When selecting the test link at Secunia's Test Case / Demonstration 
page, a JavaScript dialog box (in fact, JScript) was displayed in front 
of the Google.com (or localized Google.fi etc.) web site without 
information about its origin URL and/or domain name.
Typed text was appeared to generated 'You entered:' JScript dialog box later.
 
- Technical details:
A dialog box was opened via test-like PHP script, located at 
http://www.google.com.secunia.com/tests/origin_spoof.php .
 
>From the vendor:
"MyInternet is freeware. No cost to you ever. No limitations. Browse 
multiple web pages simultaneously. All opened pages can be easily 
stopped, refreshed, closed or saved with one click. MyInternet comes
with all Internet Explorer functions, including Cookies, ActiveX 
Controls, Java Script, Real player and Macromedia Flash. IE bookmarks 
are automatically imported into MyInternet."
 
- Solution status:
Unpatched
 
Software:
MyInternet Browser 1.x
(freeware)
 
- Affected versions:
The vulnerability has been reported in version 1.0.0.0.
Other versions may also be affected as well. The exact Private Build 
Description field of the .exe file checked was 2004.04.13.
 
Vendor:
Wang Chunshan
 
Vendor Home Page:
http://www.21-home.net/
 
Product Home Page:
http://www.21-home.net/
 
- Download link for version tested:
http://www.21-home.net/download.html
 
OS: Microsoft Windows
 
CVE reference: N/A
 
- Solution:
Do not browse untrusted web sites when browsing trusted sites.
 
The following workarounds are provided and tested by the researcher:
Check the URL address of a browser window opening new dialog box titled 
as 'Explorer User Prompt' and containing text like 'Script Prompt' etc. 
Dialog box title is localized in non-English language Windows OSs, e.g. 
'Explorerin käyttäjäkehote''. If the domain contains multiple domain 
suffixes, for example
www.real-address.com.non-real-address.com, use the following workaround 
method:
- When typing sensitive information to a Web site password-type dialog 
boxes, be sure that this site is a legitimate site.
 
NOTE: Using multiple domain suffixes may indicate a spoofing attempt. 
Examining of the dialog box addressess can be done by View / Source 
function etc.
 
Additionally, Microsoft has published a security advisory to help IE (or 
software using IE's engine) users to avoid possible spoofing attemps; 
located at
http://www.microsoft.com/technet/security/advisory/902333.mspx .
 
Vendor was contacted on 24th June, 2005 and workarounds were included to 
the report.
 
Timeline:
22-06-2005 - Workaround information sent to local CERT-FI unit
23-06-2005 - CERT-FI replied, no security advisory about Internet 
Explorer or IE based browsers coming
24-06-2005 - Vulnerability in MyInternet Browser researched
24-06-2005 - Vendor contacted, workarounds offered to the vendor
24-06-2005 - Security companies and several CERT units contacted
 
 
Best regards,
Juha-Matti Laurio, Networksecurity.fi
Security researcher
Finland
http://www.networksecurity.fi