CVE-2004-1753
Description
Apple Java plugin in Netscape, Mozilla, and Firefox on Mac OS X improperly handles SetWindow(NULL) calls, allowing applets to draw on wrong tabs when tabbed browsing is enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Apple Java plugin, as used in Netscape 7.1 and 7.2, Mozilla 1.7.2, and Firefox 0.9.3 on Mac OS X 10.3.5, contains a flaw in how it handles SetWindow(NULL) calls when tabbed browsing is enabled. This causes the plugin to not properly invalidate its drawing area when the tab containing the applet is hidden or switched, resulting in the applet's visual output being painted onto other active tabs [1]. The condition requires Mac OS X 10.3.5, a vulnerable browser version, and tabbed browsing to be enabled.
Exploitation
An attacker needs to embed a Java applet in a webpage that is loaded in one browser tab while the user has another tab active. When tabbed browsing is enabled, the applet's SetWindow(NULL) call (which should stop drawing on the hidden tab) is mishandled. As a result, the applet continues to render its graphical output onto the currently visible tab, potentially overlaying content or imitating UI elements of a legitimate site [1]. No authentication or special network position is required; the victim must simply visit the attacker's page and have tabbed browsing enabled.
Impact
Successful exploitation allows a malicious Java applet to draw content onto arbitrary browser tabs, enabling phishing attacks that spoof tabs. An attacker could overlay a fake login form or other deceptive UI on a trusted website's page, potentially tricking the user into disclosing sensitive information. The impact is limited to visual spoofing and does not include code execution or direct data theft [1].
Mitigation
Mozilla addressed this issue in later versions of Firefox and Mozilla Suite. The bug report [1] indicates the fix involved patching the Mac widget to invalidate plugins on widget hide. Users should upgrade to a non-vulnerable version such as Firefox 0.10 (later renamed Firefox 1.0) or Mozilla 1.7.3 or later. No other workaround is documented in the available references.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:firefox:0.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.7.2:*:*:*:*:*:*:*
References
- bugzilla.mozilla.org/show_bug.cgi (nvd, Exploit)
- www.securityfocus.com/archive/1/373080 (nvd, Exploit)
- www.securityfocus.com/archive/1/373232 (nvd, Exploit)
- www.securityfocus.com/archive/1/373309 (nvd, Exploit)
- www.securityfocus.com/bid/11059 (nvd, Exploit)
- secunia.com/advisories/12392 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/17137 (nvd)