Slashdot Mirror


New Vulnerability Affects All Browsers

Jimmy writes "Secunia is reporting a new vulnerability which affects all browsers. It allows a malicious web site to "hi-jack" pop-up windows, which could have been opened by e.g. your bank or an online shop. Here is a demonstration of the vulnerability."

5 of 945 comments

  1. Re:I don't get it by trythil · Score: 0, Offtopic

    Who the fuck modded this informative? Didn't you read my refutation of my own post?

  2. Re:Not all browsers by LnxAddct · Score: 0, Offtopic

    This "vulnerability" is not able to be reproduced under Firefox on Fedora Core 3. Looks to me like they just want some publicity.
    Regards,
    Steve

  3. Sad state of affairs by WebCowboy · Score: 0, Offtopic

    Anything -- even an exploit -- working in all browsers would be unprecedented!

    The fact that something working in all browsers amazes people is quite sad...wasn't that the point of STANDARD protocols and languages (TCP/IP, HTTP, HTML, etc)? It just proves how much damage Microsoft has done by extending everything it embraces with polluted, proprietary technology meant to create a captive audience. Only when EVERYTHING--including exploits--works on all browsers/platforms will we have "won the battle".

    Anyways, it is alarming, but it doesn't look like an actual bug--it looks like a flaw in the design of Javascript (or the generally accepted behaviour). One more reason to minimise or eliminate Javascript from your websites. At any rate, it appears about as serious as any phishing scam (via email or web). Users already have to pay attention to the content of emails (asking for sensitive information, odd email headers, etc). Now they just have to do the same with web pages. I noticed right away that the status bar at the bottom of the spoofed pop-up window did not say citibank ("contacting secunia.com" or some such thing). Plus, right-clicking the window and viewing document properties showed the URL plain as day (on Firefox 1.0 anyways). At least I know now to look carefully for an odd URL (numerical address, citibank spelled c1t1bank, NOT https, etc).

    The fact that the 'net is so risky for non-savvy users is also a testimony to the failures in design we must overcome.

  4. Re:It doesn't affect Safari by narratorDan · Score: 0, Offtopic

    IT'S A FREAKING REPLY! That is what the "Re:" part means, and yes, it also means "regarding" but not in this case. You, want, some, commas,?, maybe, some, bad, punctuation!, PErhaps-some-hyphens-to-drive-you-nut,s? Ar e you insane; yet? How about misuse of: colons? I, think, youl'd like that better; then the difference between: Effect & Affect

    Narrator:Dan

    --
    "If you're not confused by quantum mechanics, you really don't understand it." - Niels Bohr

  5. Re:This sounds scary by RidiculousPie · Score: 0, Offtopic

    I'm sorry but what?

    You expect the wine team to fix IE for you?

    How exactly do you expect them to do this?

    The vulnerability (shock horror I actually read it) affects browsers when a window name is known, and thus can be targeted.

    Should Wine magically detect what website opens and thus owns IE windows, and then do what?

    I think you should not be allowed to use WINE sir, if that is your attitude towards the developers. It's not like they replicated a WINSOCK vulnerability or something. This vulnerability exists within the web browser.

    --
    ah, mod points ... now where is my crack?
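
Comment 5 above notes that a pop-up can be targeted when its window name is known. The following is an added example, not part of the original thread or of Secunia's advisory: a site-side habit of opening pop-ups under an unguessable name, checked against a small constructed model of name-based window lookup. The names `randomWindowName`, `openPrivatePopup` and `makeWindowRegistry` are hypothetical, and the model assumes that windows are found purely by name, as the comment describes.

```javascript
// Added example; all function names here are hypothetical.
// Browsers expose crypto globally; the fallback covers older Node versions.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// 128 random bits, hex-encoded, so the name cannot be guessed by another page.
function randomWindowName(prefix = "popup_") {
  const bytes = rng.getRandomValues(new Uint8Array(16));
  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0"));
  return prefix + hex.join("");
}

// Open a pop-up under a fresh random name and keep the returned handle.
// `win` is the window object (passed in so the function can be tested).
function openPrivatePopup(win, url) {
  const name = randomWindowName();
  return { name, handle: win.open(url, name) };
}

// Constructed model (assumption): open(url, name) reuses any existing
// window with that name, no matter which page created it.
function makeWindowRegistry() {
  const windows = new Map();
  return {
    open(url, name) {
      let w = windows.get(name);
      if (w) {
        w.location = url; // existing window is navigated
      } else {
        w = { name, location: url };
        windows.set(name, w);
      }
      return w;
    },
  };
}

// Constructed sample run: a fixed name is reachable by anyone who knows it,
// a random name is not.
function demo() {
  const reg = makeWindowRegistry();
  const fixed = reg.open("https://bank.example/login", "login");
  const priv = openPrivatePopup(reg, "https://bank.example/login");
  reg.open("https://other.example/", "login"); // second caller knows "login"
  return { fixed: fixed.location, priv: priv.handle.location };
}
```

This only removes the guessable name; the checks described in comment 3 (status bar, document properties, the URL itself) remain what a user can do from their side.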