SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Optimal Desktop Vendors:   Optimal Access Inc.
Optimal Desktop Lets Remote Users Spoof Javascript Dialog Boxes
SecurityTracker Alert ID:  1014298
SecurityTracker URL:  http://securitytracker.com/id/1014298
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 27 2005
Impact:   Disclosure of user information, Modification of user information
Exploit Included:  Yes  
Version(s): 4.00 Build 154
Description:   Juha-Matti Laurio reported a vulnerability in Optimal Desktop. A remote user can spoof Javascript dialog boxes.

The browser displays Javascript dialog boxes without indicating the origin of the dialog box. As a result, a remote user can create HTML that will display a dialog box that appears to originate from a trusted site.

A demonstration exploit is available at:

http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/

The vendor was notified on June 24, 2005.

Jakob Balle of Secunia Research originally discovered this type of vulnerability, affecting a variety of browsers.

Impact:   A remote user can spoof Javascript dialog boxes.
Solution:   No solution was available at the time of this entry.

The vendor plans to issue a fix in the next release.

Vendor URL:  www.optimalaccess.com/ (Links to External Site)
Cause:   State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  New Optimal Desktop Dialog Origin Spoofing Vulnerability


- Description:
The newest Optimal Desktop version 4.00 Build 154, released in April 
2005, is confirmed as affected to new remote type Multiple Browsers 
Dialog Origin Vulnerability. Tests was done with Secunia test page
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/ .

Result:
Result was similar when tested with fully patched Microsoft Internet 
Explorer 6.0 (6.0.2800.1106) including cumulative Microsoft June 
security update MS05-025. Issue was tested with Microsoft Windows XP 
Professional US and default browser settings were in use. Internal Popup 
Manager was enabled (default setting).

Opened Script Prompt asking 'password' at this test issue doesn't show 
the origin url of the dialog box. This enables spoofing-type attacks. 
Browser status bar shows the following text for 'Test Now - Left Click 
On This Link' link:
http://www.google.com/

When selecting the test link at Secunia's Test Case / Demonstration 
page, a JavaScript dialog box (in fact, JScript) was displayed in front 
of the Google.com (or localized Google.fi etc.) web site without
information about its origin URL and/or domain name. Typed text was 
appeared to generated 'You entered:' JScript dialog box later.

- Technical details:
A dialog box was opened via test-like PHP script, located at 
http://www.google.com.secunia.com/tests/origin_spoof.php .
Like mentioned earlier, the internal Popup Manager ("Popup Killer") was 
enabled: Tools / Popup Manager... / General. The default setting is 
Popup Killer enabled. Later the menu setting 'Windows Attribute 
Overrides' was set to Always show addressbar. There was no effect to 
Explorer User Prompt, because it is part of IE functionality.
Additionally, a little browser window behind an Explorer User Prompt is 
not accessible. It is not accessible if user select 'Cancel' at Explorer 
User Prompt question or close a dialog box, as well.

>From the vendor:
"Save thousands of mouse clicks and keystrokes everyday! Optimal Desktop 
is a very powerful navigation tool. Access the Internet, syndicated news 
(RSS), files and folders in one space and put everything 3 clicks away!"

- Solution status:
Unpatched

Software:
Optimal Access Optimal Desktop Universal Edition Version 4.x

- Affected versions:
The vulnerability has been reported in version 4.0 Build 154, i.e. 
4.0.154. Other versions may also be affected as well. The exact .exe 
file version checked was 4.0.0.154. Fully working Trial Version 4.0 
Build 154 was used at tests. Shareware version 4.0r148 released in 
February 2005 was not tested yet.

Vendor:
Optimal Access Inc.

Vendor Home Page:
http://www.optimalaccess.com/

Product Home Page:
http://www.optimalaccess.com/en/product_overview.htm

- Download link for version tested:
http://www.optimalaccess.com/oadownload.php?version=mobile.exe

OS: Microsoft Windows

CVE reference: N/A

- Solution:
Do not browse untrusted web sites when browsing trusted sites.

The following workarounds are provided and tested by the researcher:
- Check the URL address of a browser window opening new dialog box 
titled as 'Explorer User Prompt' and containing text like 'Script 
Prompt' etc. Dialog box title is localized in non-English language
multiple domain suffixes, for example
www.real-address.com.non-real-address.com, use the following workaround 
method:
- When typing sensitive information to a Web site password-type dialog 
boxes, be sure that this site is a legitimate site.
In Optimal Desktop, it is possible to restrict opening popup windows by 
Tools / Popup Manager... / Filter and Blacklist features, when the URL 
address of malicious Web site using popup windows is known. Additional 
tests is done later.

NOTE: Using multiple domain suffixes may indicate a spoofing attempt. 
Examining of the dialog box addressess can be done by View / Source 
function etc.

Additionally, Microsoft has published a security advisory to help IE (or 
software using IE's engine) users to avoid possible spoofing attemps; 
located at
http://www.microsoft.com/technet/security/advisory/902333.mspx .

Vendor was contacted on 24th June, 2005 and workarounds were included to 
the report.

Timeline:
22-06-2005 - Workaround information sent to local CERT-FI unit
23-06-2005 - CERT-FI replied, no security advisory about Internet 
Explorer or IE based browsers coming
24-06-2005 - Vulnerability in Optimal Desktop researched
24-06-2005 - Vendor contacted, workarounds offered to the vendor
24-06-2005 - Technical details and workarounds provided sent to 
Microsoft Security Response Center
24-06-2005 - Security companies and several CERT units contacted


Best regards,
Juha-Matti Laurio, Networksecurity.fi
Security researcher
Finland
http://www.networksecurity.fi
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC