SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Web Browser)  >  Optimal Desktop Vendors:  Optimal Access Inc.
Optimal Desktop Lets Remote Users Spoof Javascript Dialog Boxes
SecurityTracker Alert ID:  1014298
SecurityTracker URL:  http://securitytracker.com/id?1014298
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 27 2005
Impact:  Disclosure of user information, Modification of user information
Exploit Included:  Yes  
Version(s): 4.00 Build 154
Description:  Juha-Matti Laurio reported a vulnerability in Optimal Desktop. A remote user can spoof Javascript dialog boxes.

The browser displays Javascript dialog boxes without indicating the origin of the dialog box. As a result, a remote user can create HTML that will display a dialog box that appears to originate from a trusted site.

A demonstration exploit is available at:

http://secunia.com/multiple_browsers_dia log_origin_vulnerability_test/

The vendor was notified on June 24, 2005.

Jakob Balle of Secunia Research originally discovered this type of vulnerability, affecting a variety of browsers.
Impact:  A remote user can spoof Javascript dialog boxes.
Solution:  No solution was available at the time of this entry.

The vendor plans to issue a fix in the next release.
Vendor URL:  www.optimalaccess.com/ (Links to External Site)
Cause:  State error
Underlying OS:  Windows (Any)
Reported By:  Juha-Matti Laurio <juha-matti.laurio@netti.fi>
Message History:   None.

 Source Message Contents
Date:  Fri, 24 Jun 2005 16:20:39 +0300 (EEST)
From:  Juha-Matti Laurio <juha-matti.laurio@netti.fi>
Subject:  New Optimal Desktop Dialog Origin Spoofing Vulnerability

 
 
- Description:
The newest Optimal Desktop version 4.00 Build 154, released in April 
2005, is confirmed as affected to new remote type Multiple Browsers 
Dialog Origin Vulnerability. Tests was done with Secunia test page
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/ .
 
Result:
Result was similar when tested with fully patched Microsoft Internet 
Explorer 6.0 (6.0.2800.1106) including cumulative Microsoft June 
security update MS05-025. Issue was tested with Microsoft Windows XP 
Professional US and default browser settings were in use. Internal Popup 
Manager was enabled (default setting).
 
Opened Script Prompt asking 'password' at this test issue doesn't show 
the origin url of the dialog box. This enables spoofing-type attacks. 
Browser status bar shows the following text for 'Test Now - Left Click 
On This Link' link:
http://www.google.com/
 
When selecting the test link at Secunia's Test Case / Demonstration 
page, a JavaScript dialog box (in fact, JScript) was displayed in front 
of the Google.com (or localized Google.fi etc.) web site without
information about its origin URL and/or domain name. Typed text was 
appeared to generated 'You entered:' JScript dialog box later.
 
- Technical details:
A dialog box was opened via test-like PHP script, located at 
http://www.google.com.secunia.com/tests/origin_spoof.php .
Like mentioned earlier, the internal Popup Manager ("Popup Killer") was 
enabled: Tools / Popup Manager... / General. The default setting is 
Popup Killer enabled. Later the menu setting 'Windows Attribute 
Overrides' was set to Always show addressbar. There was no effect to 
Explorer User Prompt, because it is part of IE functionality.
Additionally, a little browser window behind an Explorer User Prompt is 
not accessible. It is not accessible if user select 'Cancel' at Explorer 
User Prompt question or close a dialog box, as well.
 
>From the vendor:
"Save thousands of mouse clicks and keystrokes everyday! Optimal Desktop 
is a very powerful navigation tool. Access the Internet, syndicated news 
(RSS), files and folders in one space and put everything 3 clicks away!"
 
- Solution status:
Unpatched
 
Software:
Optimal Access Optimal Desktop Universal Edition Version 4.x
 
- Affected versions:
The vulnerability has been reported in version 4.0 Build 154, i.e. 
4.0.154. Other versions may also be affected as well. The exact .exe 
file version checked was 4.0.0.154. Fully working Trial Version 4.0 
Build 154 was used at tests. Shareware version 4.0r148 released in 
February 2005 was not tested yet.
 
Vendor:
Optimal Access Inc.
 
Vendor Home Page:
http://www.optimalaccess.com/
 
Product Home Page:
http://www.optimalaccess.com/en/product_overview.htm
 
- Download link for version tested:
http://www.optimalaccess.com/oadownload.php?version=mobile.exe
 
OS: Microsoft Windows
 
CVE reference: N/A
 
- Solution:
Do not browse untrusted web sites when browsing trusted sites.
 
The following workarounds are provided and tested by the researcher:
- Check the URL address of a browser window opening new dialog box 
titled as 'Explorer User Prompt' and containing text like 'Script 
Prompt' etc. Dialog box title is localized in non-English language
Windows OSs, e.g. 'Explorerin käyttäjäkehote''. If the domain contains 
multiple domain suffixes, for example
www.real-address.com.non-real-address.com, use the following workaround 
method:
- When typing sensitive information to a Web site password-type dialog 
boxes, be sure that this site is a legitimate site.
In Optimal Desktop, it is possible to restrict opening popup windows by 
Tools / Popup Manager... / Filter and Blacklist features, when the URL 
address of malicious Web site using popup windows is known. Additional 
tests is done later.
 
NOTE: Using multiple domain suffixes may indicate a spoofing attempt. 
Examining of the dialog box addressess can be done by View / Source 
function etc.
 
Additionally, Microsoft has published a security advisory to help IE (or 
software using IE's engine) users to avoid possible spoofing attemps; 
located at
http://www.microsoft.com/technet/security/advisory/902333.mspx .
 
Vendor was contacted on 24th June, 2005 and workarounds were included to 
the report.
 
Timeline:
22-06-2005 - Workaround information sent to local CERT-FI unit
23-06-2005 - CERT-FI replied, no security advisory about Internet 
Explorer or IE based browsers coming
24-06-2005 - Vulnerability in Optimal Desktop researched
24-06-2005 - Vendor contacted, workarounds offered to the vendor
24-06-2005 - Technical details and workarounds provided sent to 
Microsoft Security Response Center
24-06-2005 - Security companies and several CERT units contacted
 
 
Best regards,
Juha-Matti Laurio, Networksecurity.fi
Security researcher
Finland
http://www.networksecurity.fi


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2005, SecurityGlobal.net LLC