IE pop-up spoof won't get patch

Microsoft does not plan to update Internet Explorer to prevent a spoofing attack that could trick users into giving out personal information to hackers.

In the attack, JavaScript is used to display a pop-up window in front of a trusted Web site. The pop-up appears to be part of the legitimate site, but actually is linked to a different, malicious site. A user might be fooled into sending personal information to the scammers.

Although the pop-ups could be used by attackers, overlaying multiple windows in a Web browser is a feature, not a vulnerability, according to an advisory posted Tuesday on Microsoft's TechNet Web site.

"This is an example of how current standard Web browser functionality could be used in phishing attempts," Microsoft said in the advisory.

Phishing is a prevalent type of online fraud that attempts to steal sensitive information such as usernames, passwords and credit card numbers. The schemes typically combine spam e-mail and fraudulent Web pages that look like legitimate sites.

Earlier this week, security monitoring company Secunia warned of the browser problem and rated it "less critical." The issue affects most major browsers, Secunia said.

The problem is that JavaScript dialog boxes do not display or include their origin. For an attack to occur, a user would have to visit a malicious Web site or click on a link before going to a trusted site, such as that of a bank. The attacker could then overlay part of the trusted site with a window asking for data such as a user name and password. Information entered would go to the attacker, instead of the bank.

Firefox developers at the Mozilla Foundation have been making moves to combat this kind of attack. In April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they come from trusted sites.

Opera has said that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.
