lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTin_P2jkTBk8NpCLfRVK8Hxd62BcvtvL9nRofkEY@mail.gmail.com>
Date: Tue, 14 Dec 2010 13:19:38 -0800
From: Michal Zalewski <lcamtuf@...edump.cx>
To: bugtraq <bugtraq@...urityfocus.com>, 
	full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: minor browser UI nitpicking

Hi folks,

Two minor things that do not deserve a lengthy discussion, but are
probably mildly interesting and worth mentioning for the record:

1) Chrome browser is an interesting example of the perils of using
minimalistic window chrome, allowing multiple windows to be spliced
seamlessly to confuse the user as to the origin of the displayed
content. An unconvincing Windows-specific proof-of-concept:
http://lcamtuf.coredump.cx/chsplice/

2) I reported this to the vendor long time ago, and could not get them
to commit to a specific fix: Safari allows windows without the address
bar and other essential chrome, akin to the behavior of other browsers
circa 10 years ago. This essentially makes all other address spoofing
vulnerabilities redundant, as the attacker has the ability to decorate
windows arbitrarily (you can look up ancient proof-of-concept exploits
for Netscape or MSIE here).

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ