AT&T Tech Support 360
- Related Stories
-
Microsoft offers patch for IE security hole
November 18, 1998 -
IE bug could compromise security
October 20, 1998 -
Microsoft issues Cuartango patch
October 16, 1998 -
O'Reilly addresses crypto laws
October 13, 1998 -
IE bug opens users' hard drives
October 13, 1998 -
Buffer-overflow bug in IE
August 19, 1998
Netscape Communications today acknowledged that its Communicator Web browsing software was vulnerable to a frame-spoofing exploit. Vulnerable browsers let one Web site insert its own frames into a third-party site in the window of a surfer who visits both sites.
The trick poses risks to unsuspecting users who might forfeit credit card or other private information when visiting a trusted Web site. The exploit also can be implemented through email.
Microsoft last week posted a patch for its Internet Explorer browser to protect IE users from the exploit.
Browser maker Opera Software said it had long protected users against frame-spoofing. But today the company acknowledged minor problems with its frame implementation, and said it would be fixed in the next minor-point release of the browser, version 3.52, expected later this month.
The vulnerability was discovered and demonstrated by Canadian security site SecureXpert, a division of Canadian firm FSC Internet.
The problem with the Microsoft and Netscape browsers is that they allow the manipulation of frames across domains. With the new patch, IE restricts the writing of frames to a single domain. Opera's browser is even stricter, and for the past year has restricted frame-writing to pages originating from the same Web server.
Netscape said it had verified that Communicator was susceptible to the exploit, and that it was beginning to work on a solution.
While Opera Software has restricted frames since its year-old 3.21 version, the company recently noticed a JavaScript glitch that causes the browser to try to open up the bogus frame--but with the wrong address. That result thwarts the SecureXpert exploit, but Opera plans to fix the glitch so that the browser won't try to open the bogus frame at all.
