Pop-up vulnerability found in major browsers

Several popular Web browsers contain a vulnerability that could be used by cybercriminals to steal personal data, security company Secunia has warned.

The flaw would allow a phishing attack in which a malicious JavaScript pop-up window appeared in front of a trusted Web site, Secunia said in an alert published Tuesday. This could trick a surfer into revealing data such as a password.

"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open--for example, a prompt dialog box--which appears to be from a trusted site," said Secunia's advisory.

According to Secunia, the latest versions of Internet Explorer, Internet Explorer for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino are all vulnerable. Opera 7 and 8 are affected, but not 8.01, according to Opera.

To take advantage of the flaw, a cybercriminal would have to direct a Web user from a malicious site to a genuine, trusted site such as an online bank, in a new browser window. The malicious site would then open a JavaScript dialog box in front of the trusted Web site, and a user might then be fooled into sending personal information back to the malicious site.

Microsoft has said it is investigating Secunia's claims. It encouraged surfers not to trust pop-up windows that lack an address bar or a lock icon verifying that the window came from a certified source.

Mozilla Firefox developers have already been making moves to combat this kind of phishing attack. Back in April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they come from trusted sites. Mozilla wasn't immediately available to comment on Secunia's claims.

Opera confirmed Wednesday that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.

"Once these things are discovered, there's a rush as everyone tries to fix the problem," Christen Krogh, Opera's vice president of engineering, told ZDNet UK.

Krogh also pointed out that Secunia had rated the vulnerability as "less critical."

"This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.

By Graeme Wearden
ZDNet UK
