Pop-up vulnerability found in major browsers

Several popular Web browsers contain a vulnerability that could be used by cybercriminals to steal personal data, security company Secunia has warned.

The flaw would allow a phishing attack in which a malicious JavaScript pop-up window appeared in front of a trusted Web site, Secunia said in an alert published Tuesday. This could trick a surfer into revealing data such as a password.

"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open--for example, a prompt dialog box--which appears to be from a trusted site," said Secunia's advisory.

According to Secunia, the latest versions of Internet Explorer, Internet Explorer for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino are all vulnerable. Opera 7 and 8 are affected, but not 8.01, according to Opera.

To take advantage of the flaw, a cybercriminal would have to direct a Web user from a malicious site to a genuine, trusted site such as an online bank, in a new browser window. The malicious site would then open a JavaScript dialog box in front of the trusted Web site, and a user might then be fooled into sending personal information back to the malicious site.

Microsoft has said it is investigating Secunia's claims. It encouraged surfers not to trust pop-up windows that don't include an address bar or a lock icon verifying that they came from a certified source.

Mozilla Firefox developers have already been making moves to combat this kind of phishing attack. Back in April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they come from trusted sites. Mozilla wasn't immediately available to comment on Secunia's claims.

Opera confirmed Wednesday that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.
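The mitigation described here, labelling a script dialog with the origin of the page that raised it rather than leaving it unlabelled over whatever window is in view, can be sketched as follows. This is an added illustration, not code from Opera or any other browser; the function names and the `.example` URLs are hypothetical.

```javascript
// Added illustration, not browser source code. All names are hypothetical.

// Return the origin string to show in a dialog title, or null if the URL
// has no trustworthy network origin (data:, javascript:, about:, garbage).
function originLabel(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  // .origin is scheme + host + non-default port. It drops userinfo, path and
  // query, so "https://bank.example@evil.example/" is labelled evil.example.
  return parsed.origin;
}

// Build the title for a prompt()/alert() raised by script loaded from
// scriptUrl while the window in view shows visibleUrl.
function describeDialog(scriptUrl, visibleUrl) {
  const from = originLabel(scriptUrl);
  const over = originLabel(visibleUrl);
  return {
    // The title names the script's origin, never the window it sits over.
    title: from
      ? "The page at " + from + " says:"
      : "A page with no verifiable origin says:",
    // True when the dialog does not belong to the site the user is viewing.
    mismatch: from === null || from !== over,
  };
}

// Constructed sample: a dialog raised by one site over another site's window.
const sample = describeDialog(
  "http://attacker.example/popup.js",
  "https://bank.example/login"
);
console.log(sample.title, "| mismatch:", sample.mismatch);
```

With the origin in the title, the user can see that the dialog belongs to a different site from the one displayed behind it.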

"Once these things are discovered, there's a rush as everyone tries to fix the problem," Christen Krogh, Opera's vice president of engineering, told ZDNet UK.

Krogh also pointed out that Secunia had rated the vulnerability as "less critical."

"This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.

By Graeme Wearden
ZDNet UK
