
IE pop-up spoof won't get patch

Filed under: Microsoft

Microsoft does not plan to update Internet Explorer to prevent a spoofing attack that could trick users into giving out personal information to hackers.

In the attack, JavaScript is used to display a pop-up window in front of a trusted Web site. The pop-up appears to be part of the legitimate site, but actually is linked to a different, malicious site. A user might be fooled into sending personal information to the scammers.

Although the pop-ups could be used by attackers, overlaying multiple windows in a Web browser is a feature, not a vulnerability, according to an advisory posted Tuesday on Microsoft's TechNet Web site.

"This is an example of how current standard Web browser functionality could be used in phishing attempts," Microsoft said in the advisory.

Phishing is a prevalent type of online fraud that attempts to steal sensitive information such as usernames, passwords and credit card numbers. The schemes typically combine spam e-mail and fraudulent Web pages that look like legitimate sites.

Earlier this week, security monitoring company Secunia warned of the browser problem and rated it "less critical." The issue affects most major browsers, Secunia said.

The problem is that JavaScript dialog boxes do not display or include their origin. For an attack to occur, a user would have to visit a malicious Web site or click on a link before going to a trusted site, such as that of a bank. The attacker could then overlay part of the trusted site with a window asking for data such as a user name and password. Information entered would go to the attacker, instead of the bank.

Firefox developers at the Mozilla Foundation have been making moves to combat this kind of attack. In April, a patch was developed that allows people to block Java- and Flash-based pop-ups unless they come from trusted sites.

Opera has said that its latest browser, 8.01, will display the pop-up's origin, letting a user inspect its URL to see whether it came from a trusted site.

Source.
