Major Browsers Have JS Pop-Up Flaw

An anonymous reader writes "Secunia is warning that several popular browsers contain a vulnerability that could allow a phishing attack. 'The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open -- for example, a prompt dialog box -- which appears to be from a trusted site,' Secunia said. The browsers include the latest versions of IE, IE for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino. Opera 7 and 8 are also affected but not 8.01."

Lets see....

[wo1verin3]

Opera 8.01 was released June 18th.... (only a few days ago)

It is the only browser not affected....

And now this leaked out where reports can only say that one browser does not suffer from this issue. //tin-foil hat engaged

It's not a flaw according to MS...

[bc90021]

...and they're not going to release a patch for it.

And you *know* that if Microsoft says it's not a flaw, well, then, it mustn't be a flaw. ;)

Phishing it for all it's worth

[null+etc.]

Isn't this just a rehash of every other bug they've announce this year, in a slightly different permutation? Next month, I expect they'll announce that frames within a DSHTML portion of a popup window can be loaded from non-trusted domains.

It cracks me up, because they probably have an obsessive/compulsive, socially-maligned programmer within Secunia that just delights spending 16 hours a day trying to twist the browsers into doing what he wants. And then Secunia announces these flaws to save their reputation because nothing else is going on.

Re:old news

It's not even a bug.

It's advertising and FUD from those Opera guys. They are really getting boring.

- Opera adds a feature that shows the name of the site in the title bar in their last build ;
- Someone at Opera reports it (under a false name) as a security issue affecting every browser BUT Opera ;
- Slashdot runs one more article about the genious of this stupid paid-for, closed source browser.

That's not the first time it happens, nor the last one. /., stop supporting Opera FUD. Thanks.

Re:stop developing with JavaScript

[AKAImBatman]

People should stop developing with JavaScript. It's nothing but trouble.

Poppycock. This is nothing more than a typical knee-jerk reaction to a minor security flaw. Should we all stop using email because phisers can craft ones that look like someone elses?

Lots of sites use JavaScript very effectively. So many in fact, that it's rather difficult to make such a wild statement as "JAvascript is nothing but trouble." Google is a perfect example of a highly useful site with JS. For example, Maps and GMail both rely heavily on JS. In fact, most webmail sites contain JS. And without JS, you couldn't have neat stuff like this. (Login is test, test)

Odd

[Sheepdot]

If Secunia is reporting it, why not link directly to Secunia?

http://secunia.com/multiple_browsers_dialog_origin _vulnerability_test

I've never understood the reason to link to ZDnet first. Especially when we are all a technical crowd and can deduce the severity on our own.

In my own opinion, the security community has been really scrambling to find exploits and vulnerabilities since the release of Windows XP SP2, which, despite a lot of compatibility issues with common software, has been very effective in slowing down the growth of zombie networks. In short, Microsoft finally got something right, and those that are in IT security for the sole reason of bashing MS to make a buck, are having a hard time doing so.

This is a phising technique that can be used to get a username/password from like a credit card or bank website, but that's about it. You'd be hard pressed to get this to compromise a local machine, although I'm interested in what would happen if someone tried calling a local zone page (like a help file) and then executing the javascript from that page. There was a similar exploit that used this delayed tactic last year that Microsoft didn't fix for probably 3 months. It was a 0-day exploit too, it was found in the wild, spreading via IRC, before anyone reported the vulnerability.

Re:Safari

[arkanes]

a) There *is* garbage collection in ObjC (via refcounting), and GC has little to nothing to do with the relative security of C and Java (theres some obscure security flaws related to misuse of buggy versions of malloc(), on the other hand there's obscure flaws related to abusing the GC scheme to bypass Javas typesafety. And neither are common or practical.)

b) You can certainly use unsafe C contructs in ObjC, but ObjC provides (and encourages) safe, non-C constructs that address the vast majority of C problems. Unsafe pointer and buffer operations are rare in ObjC, because the language provides better alternatives.
c) "Many cases slower than Java" is the sort of unsupportable bullshit that people make when they're trolling. Yes, message passing is slower than virtual function calls (and Javas are [much,much] slower than C++s vcalls).

Connect the Dots

[Doc+Ruby]

I want a window manager that draws lines between parent/child windows, parent/child processes. While we're at it, how about one that lets me click one window, then drag all the windows in the group as one, maintaining relative position? Yeah, I want to drag windows around, and save their positions with the window manager, then open that state with a single click on a desktop menu. While we're at it, I want the groups to include arbitrary windows from multiple apps. So I can open a "workplace", and immediately begin working in a familiar environment. If this works, how about letting me drag a line from any window to another, piping STDIN/OUT/ERR between processes? If I can minimize the windows into icons, my window manager is now a visual programming environment. Which, to come full circle, could let me as a user tell by looking which info is tainted by which untrusted windows and datapaths, including innocent-looking JS popup windows.