Language Selection

English French German Italian Portuguese Spanish

Pop-up vulnerability found in major browsers

Filed under
Security

Several popular Web browsers contain a vulnerability that could be used by cybercriminals to steal personal data, security company Secunia has warned.

The flaw would allow a phishing attack in which a malicious JavaScript pop-up window appeared in front of a trusted Web site, Secunia said in an alert published Tuesday. This could trick a surfer into revealing data such as a password.

"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open--for example, a prompt dialog box--which appears to be from a trusted site," said Secunia's advisory.

According to Secunia, the latest versions of Internet Explorer, Internet Explorer for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino are all vulnerable. Opera 7 and 8 are affected, but not 8.01, according to Opera.

To take advantage of the flaw, a cybercriminal would have to direct a Web user from a malicious site to a genuine, trusted site such as an online bank, in a new browser window. The malicious site would then open a JavaScript dialog box in front of the trusted Web site, and a user might then be fooled into sending personal information back to the malicious site.

Microsoft has said it is investigating Secunia's claims. It encouraged surfers not to trust pop-up windows that don't include an address bar or a lock icon that verifies that it came from a certified source.

Mozilla Firefox developers have already been making moves to combat this kind of phishing attack. Back in April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they came from trusted sites. Mozilla wasn't immediately available to comment on Secunia's claims.

Opera confirmed Wednesday that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.

"Once these things are discovered, there's a rush as everyone tries to fix the problem," Christen Krogh, Opera's vice president of engineering, told ZDNet UK.

Krogh also pointed out that Secunia had rated the vulnerability as "less critical."

"This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.

By Graeme Wearden
ZDNet UK

More in Tux Machines

Why and how I became a software engineer

Throughout my experiences, the fascinating weeks I'd spent writing out DOS commands remained a prominent influence, bleeding into little side projects and occupying valuable study time. As soon as Geocities became available to all Yahoo! Users, I created a website where I published blurry pictures that I'd taken on a tiny digital camera. I created websites for free, helped friends and family fix issues they had with their computers, and created a library database for a church. This meant that I was always researching and trying to find more information about how things could be made better. The Internet gods blessed me and open source fell into my lap. Suddenly, 30-day trials and restrictive licenses became a ghost of computing past. I could continue to create using GIMP, Inkscape, and OpenOffice. Read more

Linux Kernel 3.18.32 LTS Released with Btrfs, EXT4, ARM, x86, and PA-RISC Fixes

Immediately after announcing today the release of Linux kernel 4.1.23 LTS, and after informing us yesterday about the availability of Linux kernel 3.12.59 LTS, kernel developer Sasha Levin now published details about Linux kernel 3.18.32 LTS. Read more

Linux greybeards release beta of systemd-free Debian fork

The effort to create a systemd-free Debian fork has borne fruit, with a beta of “Devuan Jessie” appearing in the wild. Devuan came into being after a rebellion by a self-described “Veteran Unix Admin collective” argued that Debian had betrayed its roots and was becoming too desktop-oriented. The item to which they objected most vigorously was the inclusion of the systemd bootloader. The rebels therefore decided to fork Debian and “preserve Init freedom”. The group renamed itself and its distribution “Devuan” and got work, promising a fork that looked, felt, and quacked like Debian in all regards other than imposing systemd as the default Init option. Read more

GNOME Builder 3.20.2 Arrives with LLVM 3.8, FreeBSD and OpenBSD Support

The developers behind the GNOME Builder IDE (Integrated Development Environment) pushed earlier to updates of the software to the stable and devel channels, GNOME Build 3.20.2 and 3.21.1. Read more