Pop-up vulnerability found in major browsers

Several popular Web browsers contain a vulnerability that could be used by cybercriminals to steal personal data, security company Secunia has warned.

The flaw would allow a phishing attack in which a malicious JavaScript pop-up window appeared in front of a trusted Web site, Secunia said in an alert published Tuesday. This could trick a surfer into revealing data such as a password.

"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open--for example, a prompt dialog box--which appears to be from a trusted site," said Secunia's advisory.

According to Secunia, the latest versions of Internet Explorer, Internet Explorer for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino are all vulnerable. Opera 7 and 8 are affected, but not 8.01, according to Opera.

To take advantage of the flaw, a cybercriminal would have to direct a Web user from a malicious site to a genuine, trusted site such as an online bank, in a new browser window. The malicious site would then open a JavaScript dialog box in front of the trusted Web site, and a user might then be fooled into sending personal information back to the malicious site.

Microsoft has said it is investigating Secunia's claims. It encouraged surfers not to trust pop-up windows that don't include an address bar or a lock icon verifying that they came from a certified source.

Mozilla Firefox developers have already been making moves to combat this kind of phishing attack. Back in April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they come from trusted sites. Mozilla wasn't immediately available to comment on Secunia's claims.

Opera confirmed Wednesday that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.
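
An added illustration, not code from Secunia, Opera or any browser: a simplified model of titling a JavaScript dialog with the origin of the script that opened it, next to the unlabelled form the advisory describes. The function names, title strings and `.example` URLs are constructed for this example.

```javascript
// Simplified model of dialog labelling; not taken from any browser's source.
// All URLs and title strings are constructed sample values.

// Origin to show in a dialog title, or null when the URL has no usable
// origin (data:, javascript:, malformed input).
function displayOrigin(url) {
  try {
    const origin = new URL(url).origin; // scheme + host + non-default port
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// callerUrl:      document whose script called alert()/prompt()/confirm()
// frontWindowUrl: document in the window the dialog is drawn in front of
function describeDialog({ callerUrl, frontWindowUrl, message }) {
  const caller = displayOrigin(callerUrl);
  const front = displayOrigin(frontWindowUrl);
  return {
    // Unlabelled form: nothing in the title ties the dialog to a site,
    // so the user attributes it to whatever page is visible behind it.
    unlabelledTitle: "Script prompt",
    // Labelled form: the title names the calling script's origin,
    // never the origin of the window behind the dialog.
    labelledTitle: caller
      ? `The page at ${caller} says:`
      : "An unidentified page says:",
    // True when the script and the page behind the dialog are different
    // sites, or when the script's origin cannot be determined.
    crossOrigin: caller === null || caller !== front,
    message,
  };
}

// Scenario from the article: one site opens a trusted site in a new window,
// then raises a dialog in front of it.
const overBank = describeDialog({
  callerUrl: "http://opener.example/landing.html",
  frontWindowUrl: "https://bank.example:443/login",
  message: "Enter your password:",
});
console.log(overBank.unlabelledTitle, "|", overBank.labelledTitle, "|", overBank.crossOrigin);
```
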

"Once these things are discovered, there's a rush as everyone tries to fix the problem," Christen Krogh, Opera's vice president of engineering, told ZDNet UK.

Krogh also pointed out that Secunia had rated the vulnerability as "less critical."

"This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.

By Graeme Wearden
ZDNet UK
