Language Selection

English French German Italian Portuguese Spanish

Pop-up vulnerability found in major browsers

Filed under
Security

Several popular Web browsers contain a vulnerability that could be used by cybercriminals to steal personal data, security company Secunia has warned.

The flaw would allow a phishing attack in which a malicious JavaScript pop-up window appeared in front of a trusted Web site, Secunia said in an alert published Tuesday. This could trick a surfer into revealing data such as a password.

"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open--for example, a prompt dialog box--which appears to be from a trusted site," said Secunia's advisory.

According to Secunia, the latest versions of Internet Explorer, Internet Explorer for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino are all vulnerable. Opera 7 and 8 are affected, but not 8.01, according to Opera.

To take advantage of the flaw, a cybercriminal would have to direct a Web user from a malicious site to a genuine, trusted site such as an online bank, in a new browser window. The malicious site would then open a JavaScript dialog box in front of the trusted Web site, and a user might then be fooled into sending personal information back to the malicious site.

Microsoft has said it is investigating Secunia's claims. It encouraged surfers not to trust pop-up windows that don't include an address bar or a lock icon that verifies that it came from a certified source.

Mozilla Firefox developers have already been making moves to combat this kind of phishing attack. Back in April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they came from trusted sites. Mozilla wasn't immediately available to comment on Secunia's claims.

Opera confirmed Wednesday that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.

"Once these things are discovered, there's a rush as everyone tries to fix the problem," Christen Krogh, Opera's vice president of engineering, told ZDNet UK.

Krogh also pointed out that Secunia had rated the vulnerability as "less critical."

"This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.

By Graeme Wearden
ZDNet UK

More in Tux Machines

Red Hat News

Samsung Z4 gets WiFi Certified with Tizen 3.0 onboard, Launching soon

Today, the next Tizen smartphone, which should be the named the Samsung Z4, has received its WiFi certification (certification ID: WFA70348) – Model number SM-Z400F/DS with firmware Z400F.001 on the 2.4Ghz band. WiFi certification is usually one of the last steps before a mobile device gets released and means a launch is coming real soon as we have already seen the Z4 make its debut appearance at the FCC. For the previous model, the Samsung Z2, we saw it get WIFi certified on 7 July and then launched on 23 August, a mere 6 weeks. Read more

Linux 4.10.6

I'm announcing the release of the 4.10.6 kernel. All users of the 4.10 kernel series must upgrade. The updated 4.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.10.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-st... Read more Also: Linux 4.9.18 Linux 4.4.57

Kernel Space: Linux, Graphics

  • Mux Controller Subsystem Proposed For Linux 4.12
    A new subsystem has been proposed for staging in the Linux 4.12 kernel. Peter Rosin has requested Greg KH pull in the mux controller subsystem for the Linux 4.12 kernel. He explained of this new subsystem, "This adds a new mux controller subsystem with an interface for accessing mux controllers, along with two drivers providing the interface (gpio and adg792) and two consumers (iio and i2c). This is done in such a way that several consumers can independently access the same mux controller if one controller controls several multiplexers, thus allowing sharing."
  • Marek Looking To Tackle Large RadeonSI Performance Bottleneck
    Prolific Mesa developer Marek Olšák is looking to tackle what he thinks is the "biggest performance bottleneck at the moment" for the RadeonSI Gallium3D driver.
  • Shader Variants Support For Etnaviv Gallium3D