Language Selection

English French German Italian Portuguese Spanish

Pop-up vulnerability found in major browsers

Filed under
Security

Several popular Web browsers contain a vulnerability that could be used by cybercriminals to steal personal data, security company Secunia has warned.

The flaw would allow a phishing attack in which a malicious JavaScript pop-up window appeared in front of a trusted Web site, Secunia said in an alert published Tuesday. This could trick a surfer into revealing data such as a password.

"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open--for example, a prompt dialog box--which appears to be from a trusted site," said Secunia's advisory.

According to Secunia, the latest versions of Internet Explorer, Internet Explorer for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino are all vulnerable. Opera 7 and 8 are affected, but not 8.01, according to Opera.

To take advantage of the flaw, a cybercriminal would have to direct a Web user from a malicious site to a genuine, trusted site such as an online bank, in a new browser window. The malicious site would then open a JavaScript dialog box in front of the trusted Web site, and a user might then be fooled into sending personal information back to the malicious site.

Microsoft has said it is investigating Secunia's claims. It encouraged surfers not to trust pop-up windows that don't include an address bar or a lock icon that verifies that it came from a certified source.

Mozilla Firefox developers have already been making moves to combat this kind of phishing attack. Back in April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they came from trusted sites. Mozilla wasn't immediately available to comment on Secunia's claims.

Opera confirmed Wednesday that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.

"Once these things are discovered, there's a rush as everyone tries to fix the problem," Christen Krogh, Opera's vice president of engineering, told ZDNet UK.

Krogh also pointed out that Secunia had rated the vulnerability as "less critical."

"This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.

By Graeme Wearden
ZDNet UK

More in Tux Machines

Security: DHS on Potential Voting Machines Cracking, Joomla Patches Critical Flaw

  • DHS tells 21 states they were Russia hacking targets before 2016 election
  • 1. WikiLeaks, Russian edition: how it’s being viewed
    Russia has been investing heavily in a vision of cyberdemocracy that will link the public directly with government officials to increase official responsiveness. But it is also enforcing some of the toughest cybersecurity laws to empower law enforcement access to communications and ban technologies that could be used to evade surveillance. Could WikiLeaks put a check on Russia’s cyber regime? This week, the online activist group released the first of a promised series of document dumps on the nature and workings of Russia’s surveillance state. So far, the data has offered no bombshells. “It’s mostly technical stuff. It doesn’t contain any state contracts, or even a single mention of the FSB [security service], but there is some data here that’s worth publishing,” says Andrei Soldatov, coauthor of “The Red Web,” a history of the Soviet and Russian internet. But, he adds, “Anything that gets people talking about Russia's capabilities and actions in this area should be seen as a positive development.”
  • Joomla patches eight-year-old critical CMS bug
    Joomla has patched a critical bug which could be used to steal account information and fully compromise website domains. This week, the content management system (CMS) provider issued a security advisory detailing the flaw, which is found in the LDAP authentication plugin. Lightweight Directory Access Protocol (LDAP) is used by Joomla to access directories over TCP/IP. The plugin is integrated with the CMS. Joomla considers the bug a "medium" severity issue, but according to researchers from RIPS Technologies, the problem is closer to a critical status.
  • Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection
    With over 84 million downloads, Joomla! is one of the most popular content management systems in the World Wide Web. It powers about 3.3% of all websites’ content and articles. Our code analysis solution RIPS detected a previously unknown LDAP injection vulnerability in the login controller. This one vulnerability could allow remote attackers to leak the super user password with blind injection techniques and to fully take over any Joomla! <= 3.7.5 installation within seconds that uses LDAP for authentication. Joomla! has fixed the vulnerability in the latest version 3.8.

OpenSUSE fonts – The sleeping beauty guide

Pandora’s box of fonts is one of the many ailments of the distro world. As long as we do not have standards, and some rather strict ones at that, we will continue to suffer from bad fonts, bad contrast, bad ergonomics, and in general, settings that are not designed for sustained, prolonged use. It’s a shame, because humans actually use computers to interface with information, to READ text and interpret knowledge using the power of language. It’s the most critical element of the whole thing. OpenSUSE under-delivers on two fonts – anti-aliasing and hinting options that are less than ideal, and then it lacks the necessary font libraries to make a relevant, modern and pleasing desktop for general use. All of this can be easily solved if there’s more attention, love and passion for the end product. After all, don’t you want people to be spending a lot of time interacting, using and enjoying the distro? Hopefully, one day, all this will be ancient history. We will be able to choose any which system and never worry or wonder how our experience is going to be impacted by the choice of drivers, monitors, software frameworks, or even where we live. For the time being, if you intend on using openSUSE, this little guide should help you achieve a better, smoother, higher-quality rendering of fonts on the screen, allowing you to enjoy the truly neat Plasma desktop to the fullest. Oh, in the openSUSE review, I promised we would handle this, and handle it we did! Take care. Read more

Today in Techrights

Direct Rendering Manager and VR HMDs Under Linux

  • Intel Prepping Support For Huge GTT Pages
    Intel OTC developers are working on support for huge GTT pages for their Direct Rendering Manager driver.
  • Keith Packard's Work On Better Supporting VR HMDs Under Linux With X.Org/DRM
    Earlier this year Keith Packard started a contract gig for Valve working to improve Linux's support for virtual reality head-mounted displays (VR HMDs). In particular, working on Direct Rendering Manager (DRM) and X.Org changes needed so VR HMDs will work well under Linux with the non-NVIDIA drivers. A big part of this work is the concept of DRM leases, a new Vulkan extension, and other changes to the stack.