Moderately critical IE7, Firefox, Mozilla, Opera, Safari and Konqueror vulnerability at Secunia
Jeez, I tell you, this was one *irritating*, in your face, damned obvious to anybody paying a modicum of attention that something weird is going on, vulnerability to check out ... listed as 'moderately critical'.
The test works, but only once; you have to refresh the page to get it to work again.
Internet Explorer 7 Window Injection Vulnerability
To be fair, the vulnerability affects many Web browsers and operating systems.
Web browsers: Internet Explorer, Mozilla, Firefox, Opera, Safari, Konqueror (it looks like FF2 may be immune)
Operating Systems: Windows, Linux variants, UNIX variants, Mac OS
The vulnerability is that a website can inject content into another site's window if the target name of the window is known. So first of all you have to have the hostile site open, then the hostile site has to convince you to go to a second site, then the hostile site has to know what you are going to click on so that it can inject content.
If the hostile site is closed after the other site is opened, the exploit does not work.
Let's be realistic here. For a vulnerability to be truly successful it has to be able to easily fool the user. The fact of the existence of a vulnerability or weakness does not mean it can realistically be exploited... weird or unusual behaviour is going to grab the user's attention.
Imagine, if you will, that you go to a fake Bank Web site - assuming the page isn't blocked by the phishing filter in the first place - then it has to convince you to click on a link that leads to a legitimate Web site... then the owners of the hostile site have to hope that your computer doesn't go nuts from the hundreds of pop-ups per minute that are being generated. The constant clicking from the blizzard of 2 to 3 pop-ups per second is a dead giveaway that something is wrong to anybody using IE7 with its default settings.
AusCERT says "This is of particular concern for accessing secure sites which routinely open a new window for user logon with no location bar, since the attacker can overwrite the real logon window with a fake logon window." It should be noted that IE7 displays an address bar on all windows, even user logon windows which normally do not display an address bar, unless the user chooses to turn that option off via Security settings.
Edit: The Microsoft Security Response Team responds:
So, to summarise... if the user has not turned off the address bar for pop-ups, or does not see that the address is wrong, if the user does not close the hostile Web site, if the user has turned off the IE sound cue that a pop-up has been blocked or the system does not have a sound card or speakers, if the user has turned off the info-bar, or the user has disabled the pop-up blocker, then the chances of success go up marginally - but the site still has to get around the phishing filter. And it has to get around the problem of convincing users to trust a site when hundreds of pop-ups within a couple of minutes are not normal behaviour for the site being spoofed.