Hey Hey,

This came in about a half hour ago from Bugtraq so I thought I'd post it here for those of you that aren't subscribed to the mailing list.

Hi,

Regarding certain vulnerabilities that are being discovered such as http://secunia.com/multiple_browsers...erability_test

Are these really features, or are they flaws now because of the phishing threat vector? Originally JavaScript/DHTML/DOM is pretty powerful and can do a lot of nasty stuff if someone were inclined. But phishing has caused us to take a look at the once-dubbed features of DHTML, and possibly put responsibility onto the browser vendors for fixing these now-dubbed "flaws".

For example, is this a flaw -
https://slam.securescience.com/threats/mixed.html (some Mozilla browsers don't like Thawte yet so you will get a warning). This is a standard frame with the URL domain as https://slam.securescience.com, but the body is https://www.bankone.com - take a look at the lock icon - it will only verify the URL domain - is that a browser issue, a CA issue, or a feature?

As we all have seen, one can use DHTML to create a popup and replace a mimicked address bar if one were so inclined (dirty rendition at http://ip.securescience.net/exploits/ (popup blockers off and it was designed for IE)). Feature, or flaw?


--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!

It has some good points in it... These "flaws" that are being reported were originally intended as features... So is it really the browser manufacturers' responsibility to fix these... and are they still features or are they now flaws because of how they're being used?

Anyways, I thought it was an interesting read, with examples provided.

Any thoughts or opinions?

Peace,
HT
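
The frame case raised in the quoted email (the lock icon vouches only for the address-bar domain, not for what is loaded in the frames) can be checked from the defender's side. The following is an added example, not part of the original post or email; the function names and the `outer.example` / `bank.example` hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port), the tuple compared for same-origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORTS.get(scheme))

class FrameCollector(HTMLParser):
    """Collects the src attribute of every <frame> and <iframe> element."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def foreign_frames(top_url, html):
    """List frame URLs whose origin differs from the address-bar origin."""
    collector = FrameCollector()
    collector.feed(html)
    top = origin(top_url)
    # Relative src values resolve against the top-level URL, as in a browser.
    resolved = [urljoin(top_url, src) for src in collector.sources]
    return [url for url in resolved if origin(url) != top]

# Constructed sample: a frameset served from one host whose body comes
# from another host, plus two frames that stay on the address-bar origin.
SAMPLE_TOP = "https://outer.example/mixed.html"
SAMPLE_HTML = """
<html><frameset rows="100%">
  <frame src="https://bank.example/login">
  <frame src="/local/banner.html">
  <frame src="https://outer.example:443/footer.html">
</frameset></html>
"""

if __name__ == "__main__":
    for url in foreign_frames(SAMPLE_TOP, SAMPLE_HTML):
        print("frame not covered by the address-bar origin:", url)
```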