Language Selection

English French German Italian Portuguese Spanish

IE pop-up spoof won't get patch

Filed under
Microsoft

Microsoft does not plan to update Internet Explorer to prevent a spoofing attack that could trick users into giving out personal information to hackers.

In the attack, JavaScript is used to display a pop-up window in front of a trusted Web site. The pop-up appears to be part of the legitimate site, but actually is linked to a different, malicious site. A user might be fooled into sending personal information to the scammers.

Although the pop-ups could be used by attackers, overlaying multiple windows in a Web browser is a feature, not a vulnerability, according to an advisory posted Tuesday on Microsoft's TechNet Web site.

"This is an example of how current standard Web browser functionality could be used in phishing attempts," Microsoft said in the advisory.
Phishing is a prevalent type of online fraud that attempts to steal sensitive information such as usernames, passwords and credit card numbers. The schemes typically combine spam e-mail and fraudulent Web pages that look like legitimate sites.

Earlier this week, security monitoring company Secunia warned of the browser problem and rated it "less critical." The issue affects most major browsers, Secunia said.

The problem is that JavaScript dialog boxes do not display or include their origin. For an attack to occur, a user would have to visit a malicious Web site or click on a link before going to a trusted site, such as that of a bank. The attacker could then overlay part of the trusted site with a window asking for data such as a user name and password. Information entered would go to the attacker, instead of the bank.

Firefox developers at the Mozilla Foundation have been making moves to combat this kind of attack. In April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they came from trusted sites.

Opera has said that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.

Source.

More in Tux Machines

today's howtos

GNOME: Mutter, gresg, and GTK

  • Mutter 3.25.2 Has Bug Fixes, Some Performance Work
    Florian Müllner has pushed out an updated Mutter 3.25.2 window manager / compositor release in time for the GNOME 3.25.2 milestone in the road to this September's GNOME 3.26 release. Mutter 3.25.2 has a number of fixes ranging from fixing frame updates in certain scenarios, accessible screen coordinates on X11, some build issues, and more.
  • gresg – an XML resources generator
    For me, create GTK+ custom widgets is a very common task. Using templates for them, too.
  • Free Ideas for UI Frameworks, or How To Achieve Polished UI
    Ever since the original iPhone came out, I’ve had several ideas about how they managed to achieve such fluidity with relatively mediocre hardware. I mean, it was good at the time, but Android still struggles on hardware that makes that look like a 486… It’s absolutely my fault that none of these have been implemented in any open-source framework I’m aware of, so instead of sitting on these ideas and trotting them out at the pub every few months as we reminisce over what could have been, I’m writing about them here. I’m hoping that either someone takes them and runs with them, or that they get thoroughly debunked and I’m made to look like an idiot. The third option is of course that they’re ignored, which I think would be a shame, but given I’ve not managed to get the opportunity to implement them over the last decade, that would hardly be surprising. I feel I should clarify that these aren’t all my ideas, but include a mix of observation of and conjecture about contemporary software. This somewhat follows on from the post I made 6 years ago(!) So let’s begin.

Distro News: Alpine, Devuan, and openSUSE

OSS Leftovers