NotJustBrowsing Lets Remote Users Spoof JavaScript Dialog Boxes
SecurityTracker Alert ID: 1014312
SecurityTracker URL: http://securitytracker.com/id?1014312
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 28 2005
Impact: Disclosure of user information, Modification of user information
Exploit Included: Yes
Version(s): 1.0.4
Description: Juha-Matti Laurio reported a vulnerability in NotJustBrowsing. A remote user can spoof JavaScript dialog boxes.
The browser displays JavaScript dialog boxes without indicating the origin of the dialog box. As a result, a remote user can create HTML that will display a dialog box that appears to originate from a trusted site.
A demonstration exploit is available at:
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/
The vendor was notified on June 25, 2005.
Jakob Balle of Secunia Research originally discovered this type of vulnerability, affecting a variety of browsers.
Impact: A remote user can spoof JavaScript dialog boxes.
Solution: The vendor plans to issue a fix in version 1.0.5.
Vendor URL: notjustbrowsing.com/
Cause: State error
Underlying OS: Windows (Any)
Reported By: Juha-Matti Laurio <juha-matti.laurio@netti.fi>
Message History:
None.
Source Message Contents
Date: Sat, 25 Jun 2005 04:50:37 +0300 (EEST)
From: Juha-Matti Laurio <juha-matti.laurio@netti.fi>
Subject: New NotJustBrowsing Dialog Origin Spoofing Vulnerability
- Description:
The newest NotJustBrowsing (EPV), i.e. Encrypted Picture Viewing,
version 1.0.4 released on 5th June 2005, is confirmed as affected by the new
remote type Multiple Browsers Dialog Origin Vulnerability. Tests were
done with Secunia test page
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/ .
Some user interaction is needed for the vulnerability to take effect. However,
no user interaction at the time of attack scenario is needed.
- Result:
Result was similar when tested with fully patched Microsoft Internet
Explorer 6.0 (6.0.2800.1106) including cumulative Microsoft June
security update MS05-025. Issue was tested with Microsoft Windows XP
Professional US and default browser settings were in use.
- How to procedure:
If user has selected Allow Popups (Ctrl-D) feature to allow popup
windows (Tools / Allow Popups or keyboard shortcut Ctrl-D), a remote
user can spoof JavaScript (JScript) dialog boxes. A browser has no
blacklist or whitelist feature for Web sites to block or allow popup
windows. When user has allowed popup windows all popup windows are
accepted.
Opened Script Prompt asking 'password' at this test issue doesn't show
the origin url of the dialog box. This enables spoofing-type attacks.
Another problem is that there is no status bar in browser at all. User
has no information to what Web site he/she is entering. A suggestion to
add a common status bar to NotJustBrowsing (EPV) future version 1.0.5
was done by the researcher. In several other browsers the status bar
shows the following text for 'Test Now - Left Click On This Link' link:
http://www.google.com/ when visiting Secunia test page.
When selecting the test link at Secunia's Test Case / Demonstration
page, a JavaScript dialog box (in fact, JScript) was displayed in front
of the Google.com (or localized Google.fi etc.) web site without
information about its origin URL and/or domain name. Typed text
appeared in the generated 'You entered:' JScript dialog box later.
- Technical details:
A dialog box was opened via test-like PHP script, located at
http://www.google.com.secunia.com/tests/origin_spoof.php . This
malicious test-type address was not shown to user, however.
From the vendor:
"NotJustBrowsing - The Only Third Generation Web Browser -
NotJustBrowsing(c) is a software application designed specifically for
two main purposes. 1. To enhance the usability of the contents available
on the world wide web (www). 2. To improve the way in which these
contents are accessed, organized and viewed. These contents can be from
world wide web, from local storage space or from corporate networks."
- Solution status:
No solution was available at the time of reporting.
- Software:
NetLeaf Limited NotJustBrowsing (EPV) 1.x
(freeware)
- Affected versions:
The vulnerability has been reported in version 1.0.4. Other versions may
also be affected.
- Vendor:
NetLeaf Limited, Abdul Karim
Vendor Home Page:
http://notjustbrowsing.com/
Product Home Page:
http://notjustbrowsing.com/
Download link for version tested:
http://notjustbrowsing.com/dnld_windows.htm
OS: Microsoft Windows
NOTE: Microsoft .NET Framework 1.1.x package is needed to install
NotJustBrowsing (EPV). When tested, the latest Microsoft .NET Framework
v1.1.4322 Redistributable Package and Service Pack 1 were used.
CVE reference: N/A
- Solution:
Do not browse untrusted web sites when browsing trusted sites.
The following workarounds are provided and tested by the researcher:
- Check the URL address of a browser window opening new dialog box
titled as 'Explorer User Prompt' and containing text like 'Script
Prompt' etc. in some way. Dialog box title is localized in non-English
language Windows OSs, e.g. 'Explorerin käyttäjäkehote'. If the domain
contains multiple domain suffixes, for example
www.real-address.com.non-real-address.com, use the following workaround
method:
- When typing sensitive information to a Web site password-type dialog
boxes, be sure that this site is a legitimate site.
NOTE: Using multiple domain suffixes may indicate a spoofing attempt.
Examining of the dialog box addresses can be done by View / Source
function etc. Only the right mouse-click feature for View Source feature
is available in NotJustBrowsing.
Additionally, Microsoft has published a security advisory to help IE (or
software using IE's engine) users to avoid possible spoofing attempts;
located at
http://www.microsoft.com/technet/security/advisory/902333.mspx .
Vendor was contacted on 25th June, 2005. Workarounds and a suggestion to
add status bar to NotJustBrowsing (EPV) were included to the report.
Timeline:
22-06-2005 - Workaround information sent to local CERT-FI unit
23-06-2005 - CERT-FI replied, no security advisory about Internet
Explorer or IE based browsers coming
24-06-2005 - Technical details and workarounds provided sent to
Microsoft Security Response Center
25-06-2005 - Vulnerability in NotJustBrowsing researched
25-06-2005 - Vendor contacted, workarounds and status bar suggestion
offered to the vendor
25-06-2005 - Security companies and several CERT units contacted
Best regards,
Juha-Matti Laurio, Networksecurity.fi
Security researcher
Finland
http://www.networksecurity.fi
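
The multiple-domain-suffix check from the workaround in the message above, automated as an added example (not part of the original advisory or the researcher's message). It flags hosts such as www.google.com.secunia.com, where a trusted name is only a leading part of another domain. The TRUSTED allow-list and all function names are assumptions made for this illustration.

```javascript
// Added example: classify a URL's host against an allow-list of trusted domains.
// TRUSTED and all function names are assumptions made for this illustration.
const TRUSTED = ['google.com', 'real-address.com'];

// Split a host into DNS labels, ignoring case and a trailing root dot.
function labelsOf(host) {
  return host.toLowerCase().replace(/\.$/, '').split('.');
}

// True when the host IS the domain or a subdomain of it. Comparing whole
// labels matters: a plain string endsWith() would accept
// "non-real-address.com" as if it were "real-address.com".
function endsWithLabels(hostLabels, domainLabels) {
  const offset = hostLabels.length - domainLabels.length;
  return offset >= 0 && domainLabels.every((l, i) => hostLabels[offset + i] === l);
}

// True when the domain's labels appear consecutively but NOT at the end,
// i.e. the trusted name is only a prefix of somebody else's domain.
function embedsLabels(hostLabels, domainLabels) {
  const lastStart = hostLabels.length - domainLabels.length - 1;
  for (let start = 0; start <= lastStart; start++) {
    if (domainLabels.every((l, i) => hostLabels[start + i] === l)) return true;
  }
  return false;
}

function classifyOrigin(urlString, trusted = TRUSTED) {
  let host;
  try {
    host = new URL(urlString).hostname;
  } catch (err) {
    return { host: null, verdict: 'invalid', embedded: null };
  }
  const hostLabels = labelsOf(host);
  const owner = trusted.find((d) => endsWithLabels(hostLabels, labelsOf(d)));
  if (owner) return { host, verdict: 'trusted', embedded: null };
  const bait = trusted.find((d) => embedsLabels(hostLabels, labelsOf(d)));
  if (bait) return { host, verdict: 'lookalike', embedded: bait };
  return { host, verdict: 'unrelated', embedded: null };
}

// Hosts taken from the advisory text, plus one constructed host for the endsWith() trap.
for (const u of ['http://www.google.com/',
  'http://www.google.com.secunia.com/tests/origin_spoof.php',
  'http://www.real-address.com.non-real-address.com/',
  'http://non-real-address.com/']) {
  console.log(u, '->', classifyOrigin(u).verdict);
}
```

A "lookalike" verdict means the dialog's real origin is whatever domain ends the host name, not the trusted name embedded in front of it.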