I’m sure you’ve heard by now about the latest security advisory issued by Secunia.
Supposedly, it affects most web browsers out there; here’s the link to Secunia’s page on the flaw.
Now… you see down at the bottom of the page where it lists Safari as an affected browser? Going to the Safari-specific page for this flaw provides this information:
Secunia Research has reported a vulnerability in Safari, which can be exploited by malicious people to spoof the content of websites.
The problem is that a website can inject content into another site’s window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website.
This is related to:
SA11978
Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
The vulnerability has been confirmed in Safari version 1.2.4. Other versions may also be affected.
Which is all well and good… except for the fact that apparently, the folks over at Secunia didn’t actually bother to test to see if the flaw actually affected Safari.
Since I heard about the flaw, I’ve followed Secunia’s instructions with several different versions of Safari, and have yet to have it show up as ‘affected’.
I’ve tried Safari 2.0 (part of the Tiger Developer Preview), Safari 1.0 (on a fresh installation of 10.3) and Safari 1.2.4 (notice: this is the version Secunia claims is ‘confirmed’ as affected). None of them displayed Secunia’s pop-up window instead of the Citibank window that was supposed to be displayed. I don’t have any extra software that would affect my web browser security, and I tried it both with and without my firewall enabled… never once saw their window.
But it did make me think… I wonder how Citibank feels about Secunia using their website to take advantage of a possible flaw in people’s browsers?