
Pop-up vulnerability found in major browsers

Filed under: Security

Several popular Web browsers contain a vulnerability that could be used by cybercriminals to steal personal data, security company Secunia has warned.

The flaw would allow a phishing attack in which a malicious JavaScript pop-up window appeared in front of a trusted Web site, Secunia said in an alert published Tuesday. This could trick a surfer into revealing data such as a password.

"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open--for example, a prompt dialog box--which appears to be from a trusted site," said Secunia's advisory.

According to Secunia, the latest versions of Internet Explorer, Internet Explorer for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino are all vulnerable. Opera 7 and 8 are affected, but not 8.01, according to Opera.

To take advantage of the flaw, a cybercriminal would have to direct a Web user from a malicious site to a genuine, trusted site such as an online bank, in a new browser window. The malicious site would then open a JavaScript dialog box in front of the trusted Web site, and a user might then be fooled into sending personal information back to the malicious site.

Microsoft has said it is investigating Secunia's claims. It encouraged surfers not to trust pop-up windows that lack an address bar, or a lock icon verifying that the window came from a certified source.

Mozilla Firefox developers have already been making moves to combat this kind of phishing attack. Back in April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they come from trusted sites. Mozilla wasn't immediately available to comment on Secunia's claims.

Opera confirmed Wednesday that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.
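As an added illustration, not code from the article, Secunia or any browser named above, the following shows how a browser or extension could derive the origin label that Opera's fix attaches to a dialog, and check it against a trusted-site list by exact origin rather than by matching strings. The URLs and the allow-list are constructed for the example.

```javascript
// Added example: origin labelling for script-generated dialogs plus an
// exact-origin trusted-site check. All URLs and the allow-list are
// constructed for illustration; this is not any browser's own code.

// Return the origin (scheme://host[:port]) a dialog should be labelled with.
// The URL parser normalises case and default ports and is not fooled by
// lookalike strings: userinfo ("https://bank.example@evil.example") or a
// trusted name used as a subdomain ("https://bank.example.evil.example").
function dialogOrigin(documentUrl) {
  const u = new URL(documentUrl);
  if (u.protocol !== 'https:' && u.protocol !== 'http:') {
    return 'unknown origin'; // about:blank, data: and similar schemes
  }
  return u.origin;
}

// Weak check of the kind that lets the lookalike URLs above through:
// a substring match on the raw URL string. Kept only as the contrast.
function naiveIsTrusted(documentUrl, trustedHosts) {
  return trustedHosts.some((h) => documentUrl.toLowerCase().includes(h));
}

// Hardened check: compare the parsed origin against the allow-list exactly,
// so scheme, host and port must all match.
function isTrustedOrigin(documentUrl, trustedOrigins) {
  return trustedOrigins.includes(dialogOrigin(documentUrl));
}

// Text a browser would render for a prompt: the origin comes from the
// opener's document URL, so the page itself cannot omit or forge it.
function labelledDialog(documentUrl, message, trustedOrigins) {
  const origin = dialogOrigin(documentUrl);
  const tag = isTrustedOrigin(documentUrl, trustedOrigins) ? '' : ' (not a trusted site)';
  return `${origin}${tag} says: ${message}`;
}

// Constructed demonstration values.
const TRUSTED = ['https://bank.example'];
const SAMPLE_URLS = [
  'https://bank.example/login',
  'https://bank.example@evil.example/',
  'https://bank.example.evil.example/',
  'about:blank',
];
for (const url of SAMPLE_URLS) {
  console.log(labelledDialog(url, 'Please re-enter your password', TRUSTED));
}
```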

"Once these things are discovered, there's a rush as everyone tries to fix the problem," Christen Krogh, Opera's vice president of engineering, told ZDNet UK.

Krogh also pointed out that Secunia had rated the vulnerability as "less critical."

"This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.

By Graeme Wearden
ZDNet UK
