New Spoofing Vulnerability in IE

Jimmy M. writes "A new vulnerability has been announced in Internet Explorer, also affecting XP SP2, which can very easily be exploited by a malicious web site to completely spoof the address bar. The vulnerability is very similar to another vulnerability disclosed just about a year ago called the '%00' vulnerability, which also was widely exploited by phishers. A demonstration is also available."

Surprisingly, a patch is already out

Get it here [getfirefox.com]

Re:Surprisingly, a patch is already out

If it's the IAS proxy that requires NTML authentication, you can always pipe requests through this [sourceforge.net] python rewriting proxy.

YLFI

Re:Surprisingly, a patch is already out

NTLM authentication works fine in recent versions of Mozilla/Firefox/Gecko, even on non-Windows platforms. Plug in the proxy server settings, and go. Firefox will ask for your proxy authentication on the first page request, and remember it until you close the browser.

Re:Surprisingly, a patch is already out

Firefox doesn't even have to prompt you for NTLM if you are logged into a windows domain. However, for security, Firefox only sends NTLM to servers you give the OK to.

In the URL bar type about:config and then filter for "ntlm". In the network.automatic-ntlm-auth.trusted-uris just put a comma separated list of servers you want Firefox to send your NTLM to. For example, double click network.automatic-ntlm-auth.trusted-uris and put in foo.com,bar.com,slashdot.org

The only thing I wish Firefox did was to allow a wild card domain name like *.mycompany.com. My network.automatic-ntlm-auth.trusted-uris entry has gotten pretty long at work : (

And Firefox is vulnerable to other attacks

I trying Firefox currently. While it passed the test for this new attack, it vulnerable to at least one other attack described by Secunia: http://secunia.com/multiple_browsers_window_inject ion_vulnerability_test/

Anyone know the score? What is Firefox vulnerable to and when will it updated?

Vulnerability Confirmed on Avant Browser

Using the latest version of Avant Browser [avantbrowser.com], on a fully patched XP SP2 system. It seems obvious since Avant is based on IE but I thought it would be useful to know.

Re:Vulnerability Confirmed on Avant Browser

As suggested in the article, you can block the vulnerability in Avant by disabling ActiveX (Tools | Disable ActiveX). This is how I browse with Avant by default, along with:

- Block Flash
- Block Popups
- Block Ads
- Disable Sounds
- Disable Videos
- Disable Java Applets

Makes pages load very fast, and if I need one of those functions for the page I'm on, I just toggle it on for the session.

Between these security features and still having the compatibility of IE, that's why I love Avant so much. Yes I used Firefox for 2 weeks, and went back to Avant.

Microsoft is so sweet

Everytime there's a major Firefox event, a release or New York Times ad, they chip it by having another IE vulnerability to raise awareness of Firefox. Thanks Microsoft!

Re:Microsoft is so sweet

What OSS has to do is release ads to TELL people how bad IE is

never mention your competitor in advertising
no such thing as bad publicity, people tend to forget the details but "brand reinforcement" still applies, if you have to mention your competitor then it implies your product wont/cant stand up on its own merits = you have LOST

just an anon advertising exec

Re:Microsoft is so sweet

Woah. So that's the reason for the phrase "... than the leading brand." as in "20% more cotton than the leading brand" or whatever. I just assumed that it was to prevent litigation.

Then again, I suppose the phrase could be used for both reasons.

Re:Microsoft is so sweet

There's a philosophy in politics that goes like this: "It doesn't matter what they're saying about you, as long as they're talking about you. When they stop talking about you, you are dead".

Re:Microsoft is so sweet

Comparing your product to a specific competitor in a commercial suggests to the viewer that you are either neck and neck or more frequently that you're in the #2 position. If you are the actual market leader, or you want to be the leader, you *don't* want to send that kind of message.
Negatively advertising about your competitor (talking about why their product is bad, rather then why yours is good) is bad no matter what position in the market you're in. Instead of saying you're the underdog but people should try you out, you're saying your competitor is bad, so you're all that's left. People aren't interested in leftovers and those winning by default. If Firefox wants to successfully advertise, it should be talking about "faster browsing" without actually mentioning what it is being compared to, let alone naming Microsoft or IE.

And that boys and girls is why the basement dwelling me too fanatics who crowd around OSS are doing far more harm to OSS adoption then good. No business is going to suddenly switch to open source as long as "OMG M$ IS TEH SUX0RS!!!!!!!" is the message crowding out any intelligent and level headed promotion of true technical and cost superiority.

Re:Microsoft is so sweet

Good start. The main issues are that "1337", and "monopoly" may be confusing to your average consumer (they'll have no idea what "1337" is, and will be confused about why you are comparing your product to a board game)

A fundemental rule of marketing is that your commercials should be understandable by your entire demographic (sometimes ad campaigns will use "inside jokes" if the demographic they are targeting is tight enough, but it's still risky). By using special words or concepts only known or believed by a small number of people will mean you risk (or nearly guarantee) having your commercial coming across to your audiance like The Architect from The Matrix trying to sell them car insurance - ..concordantly the 5% saved through a 2 driver plan inexorably causes a diminution of the overall non-fault accident premiums. Ergo those signing up before January 1st will...

Re:Microsoft is so sweet

While that may be true, your message is posted right smack dap in the middle of Nerdville -- it's central park, so to speak. You're a Republican who's walked into the middle of the Democratic convention and yelled at them to get a grip.

Of course we'll survive. It's just the internet. But, many of us are software professionals. We care so much about this we decided to make a career of this. We care so much about this we're willing to give away our ideas as open source projects, just to share them with the world. Forgive us if we care passionately about this, and think that basic things like browsers should not have security hole after security hole till we wonder if it will ever stop.

And, it's not even too much of a stretch. Enough people get screwed with identity theft, and the trust of the system falls apart and it ceases to be a method that many of us earn a living with. If one of the largest companies in the world can't even fix their browser, with all the resources of an almost monopoly on the market and stock options to hire every CS post graduate student on the planet -- a technology that went through its basic definition years ago -- it puts into question the entire value of software professionals.

Re:Microsoft is so sweet

And of course you are quite correct--it's a matter of proportion, not of fact. I've spent a great deal of time myself ranting about Microsoft and the harm they continue to do to the industry in general. My nickname is not idly chosen; it's the language I first programmed professionally in. But even I, a former "computer professional," have been too lazy to try Firefox yet, and am just bumbling along in IE. (Although security headaches at work are probably going to force the necessary trials on me soon.)

But I can't name any other profession in which it is possible to profitably release product after product while being completely incompetent to produce. [Ignore management; it's not their job to produce.] You don't have to be a good programmer to succeed; you only have to look good. I was taught programming by a college professor who believed--seriously believed--that having five consecutive GOTO statements was a valid result of "structured programming"! I've seen countless examples (as have most people here) of bad programming. I decided years ago that anybody who actually trusts a computer is insane. I rely on computer records; I have no choice unless I want to live in a hovel in the woods and keep all my money in a mason jar. But I don't trust them, and I never will; I've known too doggone many programmers.

Just yesterday I had a lengthy discussion with my boss (the company owner) about why IE (and Windows in general) is so weak. With all the resources of an almost monopoly on the market, you said--that is exactly the problem. Microsoft has little motivation to do more than keep hot-patching the holes in IE and Windows instead of tearing up the whole street and laying a solid foundation. In the 1960's and 1970's, IBM stayed on top of the mainframe market despite having one of the worst OS's around, because they had the most ruthlessly effective body of marketeers anybody'd ever seen; only the virtual disappearance of the mainframe market took IBM from the top. As long as Microsoft's marketeering position stays strong, MS software will stay weak.

Quality is good. Many people will pay for quality when they can find it; people are downright amazed when they can get quality for free. But the majority of available products are going to remain Wal-Mart quality, because the vast majority of people are still going to get whatever is on the shelf at Wal-Mart.

And their world won't end. But its shine may tarnish a lot more easily.

Re:Microsoft is so sweet

Yes, and outside of nerdville, who gives a shit about Firefox?

Just about everyone I install Firefox for (almost all non-geeks)... People who don't give a shit just plain don't know about it. Firefox is faster, it has a nicer interface, and prevents things like popups and bad security practice within the browser environment. The people that start using Firefox by force (by me) usually thank me profusely and rave to me (and their other non-geek friends) about it within 30 minutes of using it.

Plus, just look at the themes!! Who doesn't like themes??

Re:Microsoft is so sweet

What OSS has to do is release ads to TELL people how bad IE is, not how good Mozilla is alongside. SCARE people into realizing that their entire way of life is AT RISK if they continue to use IE.

Or maybe a simple 5 color-coded chart!

RED - Browsing with IE
ORANGE - something witty
YELLOW - something wittier
GREEN - Browsing with Firefox
BLUE - Unplugging your network cable

Firefox(tm). The next safest thing to unplugging your network connection.

Re:Microsoft is so sweet

RED - Browsing with IE
ORANGE - Giving your cat a bath
YELLOW - Cooking bacon in the nude
GREEN - Browsing with Firefox
BLUE - Unplugging your network cable

No browser bug will ever affect me

I use wget and read the raw html in a text editor.

GNU WGet Multiple Remote Vulnerabilities

No, you're not safe. Check this [securityfocus.com] out. It is recent too, released on Dec 10, 2004.

Safari

Just tried it with Safari. Clicking the demo link does absolutely nothing. Turning off pop-up blocking and clicking the link does ... absolutely nothing.

Next.

infinite popups

On my computer, the exploit demo seemed to be trying to launch popups, which Google toolbar stopped, which apparently made the demo site want to throw up another popup, which Google toolbar stopped, etc. It looped up to 110 popup attempts before I managed to shut down that IE window.

Not the advertised exploit, but pretty damn annoying in its own right.

Geez...

To me, whenever I see a vulnerability article for IE on Slashdot, I say to myself "Man...why does that seem like it's such a trivial programming error to fix?" as opposed to when there's a vulneraibility to Firefox/all browsers, when it's something like "Wow, someone really took some time to craft that one out"...just a thought.

No way... a bug in IE?

Next, we'll be reading about studies showing that two hydrogen atoms and one oxygen atom form a clear, wet substance.

IE without activeX

I run IE at work (not my choice) but have all ActiveX set to prompt. When clicking the link, if I select "No" this has no effect. I've never clicked "Yes" to that prompt yet and haven't noticed any important features I'm missing out on.

Yes the prompt on 90% of web pages is annoying. Yes I love firefox.

Spoofstick and Qwik-Fix don't detect/block this

I have the latest version of Spoofstick (1.02 released 8/18/2004) and PivX Qwik-Fix Pro (v1.4) and the vulnerability tests positive in my up-to-date IE: a new window appears with both IE and Spoofstick reporting the site as citibank.com

FireFox

Use FireFox!! There is even an extension called Spoof Stick.

How long until...

...people start banging on Firefox hard enough to expose vulnerabilities?

Or, is Mozilla just that good at plugging leaks before they happen?

Re:How long until...

Somehow the poster of the parent has been modded down for Trolling, regardless of the fact that it is a valid point, within the context of the article, and definitely not a troll.

I frequently wonder what will happen as people start to shift more focus onto the software we so highly regard. Hands down Firefox is a more usable browser but I don't think it yet has the sort of attention that Internet Explorer does. Until such a time we will never truly know just how resilient Firefox is.

Wine Help

I really want to try this but I have such problems getting stuff to run in wine.

Vulnerability? BS! Try crash.

This so called vuln is not quite one.... Perhaps just to the XP crowd (awwww). On the up-to-date patched Win2k system I use, (IE 5.00.3700.100), all the script does is to cause cascading script errors. Similar annoyance is compared to those kiddiot hacker sites that crash the browser.

What exactly was this supposed to do again? BTW, the "exploit" isnt one in Mozilla, firebird, Lynx, Links, Konqueror..

IE for the mac is safe

With Internet Explorer for the Mac hovering above the link makes the status bar say "javascript:start();", but clicking on it does absolutely nothing. Exact same result with Safari.

So I disable javascript ...

OK. I use Mozilla anyway, so I shouldn't care about this particular bug. But the last couple mentioned here on /. that affected Mozilla, used Javascript to transfer data entered from one window to another. There's been a few of these, so I disabled Javascript and turn it on only when needed. Is this such a hard workaround? If you like IE, and you need ActiveX, can you just leave it off until a webpage needs it? There's going to be hundreds of these exploits popping up -- no one can fix them all.

what!?

You mean people STILL use IE, once they've been to Slashdot? Doesn't seem to really relate to us any more..

Disable ActiveX

Disable ActiveX and this wont work. This exploit depends on ActiveX to run.

Doesnt work for me at all

I'm in SP1 and opened the link in IE, doesnt do anything, just shows the javascript error icon.

At least the announcment was timed well. [slashdot.org]

Master Plan

I see what's going on here. Microsoft put so many exploits into IE that eventually the black hats will be overwhelmed with possibilities, to the point of quitting. It's like the vulnerability-options DDoS.

Changing from IE

Here we have one that broke up with IE. Fun story ;)
http://reviews.cnet.com/4520-3513_7-5570803-1.html ?tag=nl.e497/ [cnet.com]

NYT Ad

In the NYT ad, they should've added every IE bug that's been discovered since Firefox was released. I mean they are probably the biggest contributors to FF's popularity.

Maturity

I realize IE is probably a huge codebase and a big development team, but it is simply amazing that these problems keep popping up. A company with the size and resources of MS should have a much better handle on these things.

Where I work, we have code reviews, automated code scrubbers, and extensize QA, and we're a relatively small shop compared to them.

I know they're trying, otherwise it would be a lot worse, and SP2 did a good bit to improve things, so I can't be that hard on them.

Jerry
http://www.syslog.org/ [syslog.org]

Microsoft bashing

Microsoft bashing is always fun, but I really just want to be able to use any browser, on any OS. This why I hope Firefox takes off

SLASHDOT SPOOFED

did you open this link thinking it was to a new news story? didn't we go over this last week sometime?

Sound familiar?

http://it.slashdot.org/article.pl?sid=04/10/30/155 5251&tid=113&tid=128&tid=172&tid=1 [slashdot.org]

Outlook / Outlook Express?

I wonder if this exploit is also in Outlook and/or Outlook Express? If so, it'd be very easy for someone to send out spam with what looks like 100% legit, right down to what URL is displayed in the link when hovered and the address bar URL once opened, thanks to this exploit.

Nelson Says:

(with pointed finger) Ha-Ha

And now to the best house of cards on the planet

Maybe it's just me, but I would love to see what IE's source code must look like at this point with all the patching it has gone through over the years.

Even more amazing perhaps are the facts that:

• 90% of the planet still uses it
• It is still the only way to get critical updates for about 50% of windows users out there
• Other than (duh!) security bugs, it pretty much still works without a hitch

Most certainly the best built house of cards on the planet!

Maybe it would be easier...

...if they just posted news announcing days when vulerabilities aren't found in IE.

--AC

misunderstood vulnerability

This doesn't have much in common with the %00 bug, which was essentially a visual bug, vaguely useful to convince that small percentage of people that verifies the URL of the site they're in instead of going by the look&feel of the page.

This bug however allows to break cross-domain scripting boundaries.
A practical example is that an attacker could craft a web page so that when a slashdotter visits it, it automatically submits a silly comment in reply to a particular post (yes, in spite of the hidden formkey field.)
Worse things could be done, like automatically grabbing the last 10 emails from your hotmail account if you happened to be logged in, send random replies to them, etc...
Use your imagination.

Describing this as a way to "completely spoof the address bar" misses the impact of this bug entirely.

All in all, a pretty cool exploit. I can't help but wonder if the double use of ExecScript and setTimeout is really necessary, but maybe that's an attempt to make it work accross more environments.

I am not afraid of this IE bug

After all, I have the mighty Microsoft-written XP SP2 Firewall to protect me.

My best sig is this one

bastonade

Once again I catch myself viewing this in terms of medieval military actions, like MS sitting sieged in their huge fortress, supplies are plenty but the cannons keep shooting and every other week one of the towers goes down.
No problem, there are lots of towers and even more teams they can order to repair and rebuild the citadell. Only, as times go it starts to paralize them. Fixing, fixing the fixes and adapting to the fixed environment creeps into everything they do, eroding their energy to act.

idea

Here's an idea - can we patent this exploit then sue Microsoft's ass next month when we find it in IE again?

Just to know

well, technically it doesn't do much. If you click the link again, it goes to citibank.

An error has occurred in the script on this page.

That is all I get. Maybe it has something to do with running IE on CxOffice on Linux...

Office 2000 install message

When I go the the site in IE I get a message about office 2000 installing!!

Very odd. Just a pop-up I'm guessing....

Mark

Couldn't get it to work

Seems it needs to screw with your registry to do it - after I denied the change it wanted just an empty windows came up (no content, no controls).

Curious behavior with Google toolbar and spoofing

I received email today phishing for logon info for Washington Mutual Bank. Curiously, with the Google toolbar installed and active the link lead to a page with the vulnerabilty where the spoofed address was pushed down into Google toolbar real estate, leaving the actual address visible in the address bar above.

Now, any savy Internet user is aware of phishing scams and I clicked on the link with nothing more than idle curiousity, but I have to wonder if any number of spyware toolbars would cause the same behaviour as the Google toolbar.

???

Two Denial Of Service Vulnerabilities

That reminds me of two Denial of Service Vulnerabilities which I published in October. Microsoft has yet to do anything about either of them, though they were notified.

The first involves an Improperly Closed Tag [jehiah.com] and will crash the browser.

The second is an Inline List [jehiah.com] which will peg the cpu.

While the phishing attempts are serious threats, these two have capability for more mailicious intent. It would be nice if microsoft would patch these.

MSIE's clock.

Let's put one of these chain emails to good use:

Bill Gates died and went to heaven. As he stood in front of St.Peter at the Pearly Gates, he saw a huge wall of clocks behind him. He asked, "What are all those clocks?"

St. Peter answered, "Those are Software Vulnerability Clocks. Every computer program on Earth has a Software Vulnerability Clock. Every time a program is compromised due to a bug in the code, the hands on that program's clock will move.

"Oh," said Bill, "which clock is that?"

"That's the UNICOS clock. The hands have never moved, indicating that it was never compromised by an attacker."

"Incredible," said Bill. "And which clock is that one?"

St. Peter responded, "That's the OpenBSD clock. The hands have moved twice, telling us that the "Only one remote hole in the default install, in more than 8 years!" was compromised only two times in this operating system's life."

"Where's Internet Explorer's clock?" asked Bill.

"That's in Jesus' office. He's using it to drive the generators, which provide power for our celestial copy of Las Vegas."

Infinite loop?

When I click the link, the page just goes into an infinite loop reloading itself. Just installed a patch from Windows Update too; maybe they fixed it.

But I have noticed the citibank scammers have some little white text box that tries to spoof the address bar. Problem is it gets displayed way out of place.

Server 2003 is immune

Why isn't XP?

It doesn't work for me

Either in Infernal Exploiter 6 (XP SP1) with high security settings (throws a load of cookie warnings that I decline, then IE asks if it can allow subframes to navigate across different domains, which I impolitely decline, then IE commits seppuku, so that's a result!), or in Firebird 0.7 (justs sits there, not spawning a new window or tab, so that's a result too.)

Am I the only one who thinks that we're just seeing the same vulnerability repackaged over and over again?

where is the source of the explot?

I can't find how to reproduce the exploit? (building a page like the secunia with a working exploit).

I don't understand why everybody loves firefox

I don't understand why everybody loves firefox so much,it just don't "feel" as right as mozilla(IMO).Mozilla has my email,my tabs,and every thing else i need at my fingertips.Plus i don't understand why people aren't touting how easy it is to make your moz and firefox your own.I build and repair pc's on the side and have gotten a LOT of people off IE and outlook by showing them how easy it is to change the skins and adding plugins to make perfect FOR THEM."Have the web YOUR way" should be the moz/fox slogan.The average guy don't know squat about security,he just wants it to do what HE wants it to do.Also,if you linux guys would make more stuff for windows,it would be a LOT easier to convert folks.My sis is getting her first linux box next month because i told her that both her opera and foxmail would work in linux and she wouldn't have to deal with all the virii/spyware.Again,it WASN"T the OS that made her switch,It WAS the fact that her programs would work without the virus/spyware hassle.If all the programs were to work on both OS'S then the choice would be which one has the least hassles and that thanks to script kiddies,isn't windoze.

Doesn't work for me.

I tried their test on my Windows 2003 server and IE, and Windows XP SP2 and it didn't work. Paypal website was rendered instead of secunia's page.

Workaround

I always have pretty restrictive internet explorer policies, and it seems that my "navigate sub-frames across domains" is preventing this exploit from actually working. You won't have to go so restrictive as to disable ActiveX to work around this.

Re:That's nothing!

Apparently it's been patched.

Re:Yet another reason...

Now, the impact of the Firefox New York Times ad will be hard to quantify.

Re:Yet another reason...

Hopefully the guys over at the mozilla.org website will take note of the current number of Firefox downloads to see what size surge this generates. I'd love to see a nice graph with key dates on it for that matter - the PR1 release, the 1.0 release, the announcement of the various IE exploits... :)

No way!

This is not a reason to use Firefox - it's useless in Firefox.

I just clicked the demo link using Firefox 1.0, and nothing happened at ... all. Oh.

Never mind.

Re:No way!

Customers and potential customers should complain to those banks and bill-pay services about these security problems.

I won't use a bank or financial service that requires IE.

Re:Yet another reason...

Not only the existence of the bug, but Microsoft's attitude towards the last one like this.

From Microsoft Help & Support [microsoft.com]. "The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER."

Just defeat the purpose of hyperlinks. Thanks MS!

Re:Yet another reason...

So, to check a Hotmail message, I just need to manually type

http://by2fd.bay2.hotmail.msn.com/cgi-bin/getmsg ?m sg=MSG1103631600.24&start=3248752&len=4735&imgsafe =n&curmbox=F000000001&a=b2cbfd3baddabfc913aacc3f36 f8590f

in my address bar....

Thanks, Microsoft! I needed to brush up on my typing skills.

Re:Yet another reason...

lol, that's the one thing that pisses me off more than anything about using a hotmail account, they convert all links into total gobbeldy gook just so they can stick that hotmail header on wherever you head, makes it totally impossible to verify where you're being directed to

Re:javascript

just as easy they could have done
window.status="http://www.citibank.com"; and then yo u wouldn't see the javascript.

Re:Firefox is immune

How to detect Internet Explorer [ericgiguere.com] and encourage IE users to switch to Firefox...

Eric

Re:javascript

The script on secunia is just a proof of concept. There are several things that can be improved. Masking the address bar would be the one of the very first improvements a hacker needs to make. Another may be fixing the code so that there is no need to refresh the original page before reclicking the link.

Re:Yet another reason...

Yes, it's startling how easy I could be tricked if I went to a strange website, clicked on a link labeled "javascirpt:start()" on the task bar, then waited for my pop-up blocker to start counting upwards frantically for about 5 minutes until a new window opened up with a spoofed adress bar, and I didn't notice that all the other links on that page are hosted off of the site that's in the adress bar. It's the perfect crime if you're a goddamn idiot.

Re:Speaking of Firefox...

It's already been fixed.

Re:Yet another reason...

Consider ...

<HTML>
<HEAD><title>fake citibank.com</title></HEAD>

<frameset rows="*" frameborder=0 border=0 framespacing=0>
<frame src="http://www.citibank.com/" scrolling=yes frameborder=no>
</frameset>

<body leftmargin="0" rightmargin="0" topmargin="0" bottommargin="0">Hello!</body>
</HTML>

Re:Firefox is immune

Using this vulnerability to say that OSS is superior to MS is like saying that my television superior because it is immune to email viruses.

Firefox doesn't support ActiveX, and that's why the vulnerability doesn't work.

Re:javascript

I am also running IE6 SP1. I clicked on the link but nothing happens because my browser doesn't understand javascript commands. That evil "javascript:start()" is useless against any browser with javascript disabled.

Javascript is the work of the devil. IT IS TURNED OFF in my browser. Obviously ActiveX is even worse and it is turned off as well. Now that is what I call secure browsing. Much better than the security through obscurity that a javascript enabled Firefox browser gives you.

Of course you can turn off javascript in Firefox too, but I bet not many of you leave it that way. In IE I can leave it off because I just enable it for a select few "trusted" sites (mostly e-commerce sites like Newegg or Amazon that I have purchased from before).

In God's name WHEN is Firefox going to implement javascript whitelisting or security zones as a standard feature? Whitelisting is available for cookies, so why not for javascript as well?

Re:Dupe

No, not a dupe.

The vulnerability discussed in the article you linked is here:

http://secunia.com/advisories/13251/ [secunia.com]

which, as you can plainly see, is #13251. Secunia calls it the "window injection vulnerability."

The vulnerability discussed in THIS article is

http://secunia.com/advisories/13482/ [secunia.com]

Quite obviously number 13482. Secunia calls this one the "cross-site scripting vulnerability."

So no, they're not the same thing at all, and you're karma-whoring with falsely "informative" posts.

p