Networksecurity.fi Security Advisory (10-05-2005)


Title: Netscape and K-Meleon HTTP Authentication Prompt Spoofing Vulnerability
Criticality: Medium
Affected software: Netscape 7 and K-Meleon 0.9 Web Browser
Non-affected: Netscape Browser 8.0 and newer (since 19th May, 2005)
Platforms tested: Windows XP Professional US
Author: Juha-Matti Laurio info [at] networksecurity.fi, juha-matti.laurio [at] netti.fi
Date: 9th May, 2005
Advisory ID: N/A (#4)
Location URL: http://www.networksecurity.fi/advisories/netscape-auth.html (HTML)
CVE reference: CAN-2005-0584 assigned for Mozilla Suite and Mozilla Firefox,
check http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0584 for an updated version


Overview:
A new remotely exploitable vulnerability has been reported in Netscape and K-Meleon. It can be exploited by malicious people to conduct spoofing and phishing attacks.

Details:
Netscape 7 and the K-Meleon browser do not change the focus to the tab that generated the HTTP Authentication dialog box, so the prompt is displayed while a different tab is in view.
This is a spoofing vulnerability with possible exposure of sensitive information.
Mozilla Firefox before 1.0.1 and Mozilla Suite before 1.7.6 were confirmed as affected earlier.

Result:
The tab containing the sample site chosen (typed) by the researcher stayed focused throughout the test while the 'Prompt' dialog box was opened.
This was tested with the PoC test link.


NOTE: Exploitation of this vulnerability requires that a trusted Web site is open at the same time in another browser tab.

Netscape version 6 is immune because it lacks the tabbed browsing feature.

The K-Meleon browser is affected too because of codebase similarity.
The K-Meleon developer team has confirmed the vulnerability. It is possible to update a recent K-Meleon's Gecko engine using an "up-to-date" Mozilla Suite 1.7.7 nightly version. Mozilla versions 1.7.6 and later are immune to this issue. This has not been tested by the researcher, however.
Download link:
http://rapidshare.de/files/1388299/K-Meleon0.9-GRE-1.7.7-modified-2.zip.html
The K-Meleon roadmap plans to publish version 0.9.5, based on the Mozilla 1.8 codebase, later.


Tested software versions:
* Netscape 7.2
Exact user-agent in use:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
* K-Meleon 0.9
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041220 K-Meleon/0.9
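
For administrators who want to find affected browsers in proxy or web server logs, the version rules in this advisory can be applied to User-Agent strings. The following is an added example, not part of the original advisory or any vendor code. It assumes that a Gecko User-Agent without a product token is Mozilla Suite, and it generalizes the K-Meleon rule to any K-Meleon build with a Gecko engine older than 1.7.6.

```python
import re

# Version rules taken from the advisory text:
#   Netscape 7 affected; Netscape 6 (no tabs) and Netscape Browser 8.0+ not affected
#   K-Meleon 0.9 affected unless its Gecko engine is 1.7.6 or later
#   Firefox before 1.0.1 and Mozilla Suite before 1.7.6 affected
PRODUCT = re.compile(r"\b(Netscape|K-Meleon|Firefox)6?/(\d+(?:\.\d+)*)")
GECKO_RV = re.compile(r"\brv:(\d+(?:\.\d+)*)")

def ver(text):
    """'1.7.2' -> (1, 7, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def classify(user_agent):
    """Return (product, verdict) for one User-Agent header value."""
    rv = GECKO_RV.search(user_agent)
    if "Gecko/" not in user_agent or rv is None:
        return ("other", "out of scope")
    gecko = ver(rv.group(1))
    products = {name: ver(v) for name, v in PRODUCT.findall(user_agent)}
    if "Netscape" in products:
        major = products["Netscape"][0]
        return ("Netscape", "affected" if major == 7 else "not affected")
    if "K-Meleon" in products:
        return ("K-Meleon", "affected" if gecko < (1, 7, 6) else "not affected")
    if "Firefox" in products:
        old = products["Firefox"] < (1, 0, 1)
        return ("Firefox", "affected" if old else "not affected")
    # Assumption: a Gecko UA with no product token is Mozilla Suite
    return ("Mozilla Suite", "affected" if gecko < (1, 7, 6) else "not affected")

def affected_only(user_agents):
    """Filter a list of User-Agent strings down to the affected ones."""
    return [ua for ua in user_agents if classify(ua)[1] == "affected"]

# The first two strings are the ones listed in this advisory; the rest are
# constructed sample values for illustration.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041220 K-Meleon/0.9",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20050519 Netscape/8.0.1",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 K-Meleon/0.9",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319",
]

if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(classify(ua), ua)
```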

Solution:
Don't visit trusted web sites while visiting untrusted web sites.
When typing sensitive information into a Web site's login dialog box, be sure that the site is a legitimate site.

This solution has been tested by the researcher.

Updated: Update to Netscape Browser version 8.0.1:
browser.netscape.com/ns8/download/default.jsp

References:
secunia.com/advisories/15267/
www.mozilla.org/security/announce/mfsa2005-24.html
bugzilla.mozilla.org/show_bug.cgi?id=277574

Timeline:
09-05-2005 Vulnerability discovered
10-05-2005 Vendor (Netscape Communications) contacted
10-05-2005 Security companies and several CERT units informed
10-05-2005 Advisory published
10-05-2005 K-Meleon browser tested and confirmed as affected
10-05-2005 Vendor (K-Meleon developer team) contacted
11-05-2005 Security companies and CERT units informed that K-Meleon 0.9 is affected as well
19-05-2005 Vendor issues fix.
20-05-2005 New tests done with Netscape 8.0.1. Security companies and CERT-FI informed about Netscape 8.0.1 release.

Revision history:
10-05-2005 1.0: Researcher's advisory published
10-05-2005 1.1: Updated advisory
11-05-2005 1.2: Updated advisory to contain information about K-Meleon
12-05-2005 1.3: Added information about upcoming K-Meleon 0.9.5
20-05-2005 1.4: Netscape 8.0.1 released. Updated advisory


Copyright © Networksecurity.fi and Juha-Matti Laurio 2005



Best regards,
Juha-Matti Laurio
IT security researcher
Finland
www.networksecurity.fi


