Major Browsers Have JS Pop-Up Flaw

An anonymous reader writes "Secunia is warning that several popular browsers contain a vulnerability that could allow a phishing attack. 'The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open -- for example, a prompt dialog box -- which appears to be from a trusted site,' Secunia said. The browsers include the latest versions of IE, IE for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino. Opera 7 and 8 are also affected but not 8.01."

It's a Buggy Life

[Pike]

Boy well, you just pop right up there, doncha!

Re:It's a Buggy Life

[cshark]

And this is new?
How is this a flaw?
Has the person who is describing the flaw even tried a POC?

Even if it were a flaw, do you really think people are going to notice the URL? Half the people I deal with on a regular basis don't even know what a URL is!

Re:It's a Buggy Life

[cecille]

exactly...I was under the impression that this is just the way that java works...it's the java implementation, not the browser. So how is it fair to blame this on the browser design, if their browers are functioning as intended? It might be something to look at in the future, maybe as an improvement, but I'd hardly call this a flaw any more than other phishing tricks can be called a flaw. For example, names or return address on emails can be faked. I could say my name was Bill Gates, and my email client wouldn't call me on it. It's not an email bug, it's the way the standard works. Would we ever see a story that all the standard email clients have flaws because they allow this kind of spoof? No. Well, maybe, but people would call bullsh*t right away. Sounds like just some marketing hype to me, but that's just my opinion.

Re:It's a Buggy Life

[D'Sphitz]

JavaScript is not Java

Re:It's a Buggy Life

[g-san]

For those of you that aren't catching the reference that's a line from A Bug's Life when the lenny and squiggy bugs first come to the ant hill. That's damn funny!

Dupe, or just not fixed yet?

[KlaymenDK]

Isn't this a dupe from half a year ago?

Too bad if it's just a symptom of the problem(s) just not being fixed yet...

Re:Dupe, or just not fixed yet?

[Curtman]

"Isn't this a dupe from half a year ago?"

These things have a way of creeping back up on us.

The frame injection vulnerability seems to have reemerged as well.

Deer Park is vulnerable, as is Firefox & Mozilla. Eeeeeek!

Re:Dupe, or just not fixed yet?

It has been fixed in Firefox. May or may not be a default (can't remember), but when I tried it in Firefox the URL was displayed at the top of the popup window and it was obvious it was malicious popup. Maybe they are trying to say that because the main browser loads up the legitimate page that it can fool the user into thinking the popup came from it? That's a bit of a stretch... Though I'm not a big fan of this JS popup technique which I've seen sites use to popup ads with.

Re:Dupe, or just not fixed yet?

[Curtman]

"It has been fixed in Firefox."

No it hasn't. This is an update of the same vulnerability using MSDN this time (conspiracy theorists get your engines started). If you follow the instructions it will inject into the frame.

Also note:

Exploitation can easily be made "automatic". However, since this example only serves as a test to give users an understanding of how it works, we have chosen not to do so.

Re:Dupe, or just not fixed yet?

[Compholio]

Too bad if it's just a symptom of the problem(s) just not being fixed yet...

elinks fixed issues like this ages ago :)

Re:Dupe, or just not fixed yet?

[Mehtuus]

"It has been fixed in Firefox".

"No it hasn't".

Perhaps, but Firefox users can "fix-it" by using an extension called NoScript [ http://www.noscript.net/ ].

Re:Dupe, or just not fixed yet?

[Curtman]

"Perhaps, but Firefox users can "fix-it" by using an extension called NoScript"

It's actually easier than that. In preferences you'll find an option to 'open new windows from links in', and a sub option for 'new tab'. This corrects the problem, and the injection occurs in a new tab instead of in the MSDN window.

Re:Dupe, or just not fixed yet?

[adjensen]

Exploitation can easily be made "automatic". However, since this example only serves as a test to give users an understanding of how it works, we have chosen not to do so.

Does that mean that the little window that pops up prior to the alert wouldn't be there? That was a dead giveaway, as was the fact that no web site I've ever seen uses a Javascript alert to request anything.

The best example I've seen of this exploit (or something similar) was a phishing bank site that put up a window over the tool/address bar with a "yellow, secure" bank URL jpg. Of course, since I use a Mac, it looked totally stupid, but a Windows user might be tricked.

The Internet is turning evil. Back to using my Passbook and a pencil before too long, I'm starting to think.

Re:Dupe, or just not fixed yet?

[0111+1110]

Perhaps, but Firefox users can "fix-it" by using an extension called NoScript

Thank you. I just installed it. Although I already preferred firefox, I have also been using IE due to its javascript whitelisting functionality that I so much wanted to see in Firefox. I would like to have seen this basic security measure in the main client. But hopefully this will be good enough. Now I truly feel safe running Firefox. Goodbye IE.

Not really

This is only a 'security flaw' in the same way that those banner ads that look like warning dialogs are...

Lets see....

[wo1verin3]

Opera 8.01 was released June 18th.... (only a few days ago)

It is the only browser not affected....

And now this leaked out where reports can only say that one browser does not suffer from this issue. //tin-foil hat engaged

Re:Lets see....

[JimDabell]

Actually, Konqueror 3.4.1 isn't affected either (it displays the hostname in the popup title bar).

These kinds of security holes are far harder to find than simple buffer overflows, because the real flaw is that the user misunderstands information that is presented in a particular context. There's no real technical error, it's purely a user interface issue. You have to think about how a user would perceive any particular information under all kinds of different contexts.

This also means that open-source doesn't confer all of the security advantages that it does when applies to mistakes in the code, as everybody can see the UI even in a closed-source browser like Internet Explorer.

Re:Lets see....

[MyDixieWrecked]

and IE for mac hasn't been updated in at least that many years.

Hell, I haven't used it since Camino came out and was usable (back when it was called Chimera).

Re:Lets see....

[Curtman]

"So they kind of lied, and wouldn't Opera would be vulnerable if the user has Java installed?"

Opera? Lie?. Nah, couldn't be.

Re:Lets see....

[jrumney]

So they kind of lied, and wouldn't Opera would be vulnerable if the user has Java installed?

I haven't been following Opera development lately, but did they remove native Javascript support in 8.01 and rely on some Java implementation? Otherwise what would Java have to do with this bug?

Re:Lets see....

[critter_hunter]

This wasn't so much a lie as a misunderstanding. Firefox was not nominated in the "web browser" but in the "best software" category, so when Opera ASA saw that they were the only winner in the browser category, they made a news story about it. They retracted a few days later.

On topic, the vulnerability seems hardly dangerous. Not entirely sure why it deserved a news story...

Re:Lets see....

[Deagol]

IIRC, Konqueror was out in circulation before Mozilla and Firefox. It's come a long way since its inital release.

Regardless of the actual timetable of events, it is quite a stretch to say Konqueror appeared out of nowhere.

Re:Lets see....

[Curtman]

"I thought Linux Zealots were bad"

Really? I think we are pretty good for the most part.

Re:Lets see....

[Curtman]

I was kidding by the way.. This best browser stuff gets pretty silly sometimes.

Re:Lets see....

[hkmwbz]

Ah, MozillaNews... Written by the guy who attacked an Opera rep and accused him of lying, when it turned out that he himself got it all wrong, but when several people pointed out his errors in his own blog, he got mad and deleted their comments.

Yes, great unbiased source, that.

Re:Lets see....

[hkmwbz]

Java != JavaScript. This is about JavaScript dialogs, and Opera has built-in JavaScript support.

Re:Lets see....

[Curtman]

"Yes, great unbiased source, that."

Unbiased? It's a Mozilla PR page. They are biased.

Re:Lets see....

[hkmwbz]

True. And he made a right fool of himself, the MozillaNews editor.

Re:Lets see....

[whitehatlurker]

This problem was announced several days ago (21st) - though not mentioned on /. until the 22nd and only indirectly. It could have been that Opera (and other browser developers) were informed before Secunia released the warning, and they fixed it during the release of 8.01.

However, since the "fix" is only to indicate the name of the site launching the pop-up, this may have been a preventative measure included independently to prevent problems similar to the previous vulnerability.

Re:Lets see....

[jea6]

Insecure products can be built just as easily in a closed-source as an open-source model. There is nothing in either that inherently creates safe code. The power of open-source code is that when problems such as these do creep up, you may be able to do something about it.

Re:Lets see....

[plenTpak]

Opera 8.01 was officially released June 16 (still only a few days ago).

http://operawatch.blogspot.com/2005/06/opera-801-f inal-released.html:

Opera has released their first update to Opera 8 for Windows and Unix/Linux.

The upgrade, Opera 8.01, contains mainly security and bug fixes. In addition, Opera has also made many improvements to its handling of JavaScript.

Secunia released today 3 security advisories for Opera 8, all of which have security fixes in this new version. Apparently, Secunia delayed these security advisories to give Opera some time to respond.

Opera has also introduced Browser JavaScript, a JavaScript file that automatically fixes incompatible Web pages, out of date scripts, and pages that inadvertently block Opera. The script file is distributed by Opera (the company). Opera checks for updates to Browser JavaScript once every week. The feature is disabled by default, as it's not ready for prime time yet. Some performance issues still need to be worked out before it becomes a standard feature in a future release.

Note to Blogger users, Blogger now works with Opera 8.01.

Re:Lets see....

[AlexMax2742]

How in the world would they do that? Java and Javascript are two entirely different things, and the only relation they have is in a similar name.

Re:Lets see....

[houseofzeus]

Well it's not exactly something getting fixed quickly by ANYONE, given that it is something that has existed since we first got JavaScript. It is also debatable whether it is a problem on the part of the browser or just users being to stupid. In most mail clients after you click yes to open an attachment you can still get a virus from the executable, is this a bug?

Re:Lets see....

[GoldMace]

Well, technically, that's not entirely true, they do share some of the same syntax as programming languages, do they not?

Re:Lets see....

[AlexMax2742]

Lots of programing languages share similar syntax. Does that mean it's relivent?

Re:Lets see....

[GoldMace]

Possible origin of similar name

Whew, I'm safe...

[Faust7]

Thank god I use Contiki!

Re:Whew, I'm safe...

[DenDave]

Thank god I use Links

Re:Whew, I'm safe...

[Cylix]

Thank god I don't browse the web!

Re:Whew, I'm safe...

[HoneyBunchesOfGoats]

Thank god I don't own a computer!

Re:Whew, I'm safe...

[WormholeFiend]

thank god I don't have electricity! /amish

Re:Whew, I'm safe...

[rainman_bc]

Thank god I telnet to port 80 and parse it in my head

Re:Whew, I'm safe...

[timster121]

Guess that means you only browse Slashdot at work.

PS: get back to work

- Your boss

Re:Whew, I'm safe...

[justforaday]

Aaccck! Zombie!!!

Re:Whew, I'm safe...

[packetl0ss]

/me puts on a pair of shades.

Re:Whew, I'm safe...

[Ryan+Monster]

Where's my mod points when I need them? +5 funny!!

Re:Whew, I'm safe...

[j79]

Thank god I pick up the telephone and start making random screeching/static sounds /reee reeeeeee koooooshhhhh koooooossshhh reeeee

Re:Whew, I'm safe...

[Egregius]

Had to think about that one ;)

Re:Whew, I'm safe...

[takeya]

Thank God I use Opera 8.01!

Re:Whew, I'm safe...

[Council]

Thank god MU

Re:Whew, I'm safe...

[Cutting_Crew]

looks like i picked the wrong day to quit sniffin glue...

Re:Whew, I'm safe...

[orasio]

Thanks, I don't have a god!

Re:Whew, I'm safe...

[LPetrazickis]

Thank God I am a killer robot from the future.

Re:Whew, I'm safe...

[Mozk]

Thank Allah I don't believe in God!

Re:Whew, I'm safe...

[Enrico+Pulatzo]

Thank God I'm dead!

Re:Whew, I'm safe...

[Kentamanos]

Pfft... You mean you can't do the 443 stuff in your head too? It's just a little rougher :).

Re:Whew, I'm safe...

[julesh]

Yeah, but that way you gotta watch out for them Langford Visual Hacks.

It's not a flaw according to MS...

[bc90021]

...and they're not going to release a patch for it.

And you *know* that if Microsoft says it's not a flaw, well, then, it mustn't be a flaw. ;)

Re:It's not a flaw according to MS...

[TheMCP]

It's not a bug. You can regard it as a design flaw of the Javascript system as a whole I guess, but this represents functioning-as-designed. If the user is dumb enough to type private information into a popup without taking the time to figure out where the popup came from, that's their problem.

Re:It's not a flaw according to MS...

[badriram]

ya ya, letz make fun of M$....

If you read up on it, you will realize it is not a flaw. There is no patch out there that is going to fix peoples stupidity, or that odd trust they have that everything on the interweb is safe.
People need to learn to be careful, and not give away information. By the Opera 8.01 is not vulnerable because they add a stupid bar that says where the popup came from..... wooo hooo what magical patch.

Re:It's not a flaw according to MS...

[LiquidCoooled]

The REAL banking page is onscreen.

Popup message box says (something like):
"MyBank Security Timeout occured. Please reenter your account details in the following screen".
OK/CANCEL

user clicks ok and mysterious screen pops over looking like their real screen and hey-presto, you've been phished!

Re:It's not a flaw according to MS...

[Waffle+Iron]

By the Opera 8.01 is not vulnerable because they add a stupid bar that says where the popup came from..... wooo hooo what magical patch.

What's wrong with that? It gives people information to help them figure out if they're being phished.

In comparison to Opera's new behavior, IE *is* flawed. I don't see why Microsoft thinks it shouldn't innovate this feature from Opera into IE.

Re:It's not a flaw according to MS...

I don't see why Microsoft thinks it shouldn't innovate this feature from Opera into IE.

You know, I've never heard someone use innovate in a sentence like that, but for some reason it seems completely appropriate. Rather like piracy we should dilute the meaning of this word until it's no longer useful in discussion. Then where would Microsoft be?

Re:It's not a flaw according to MS...

[TheMCP]

Yeah. I understod how it works. I just think that's the user's problem.

Error occurred between user's ears. Insert neurons to continue.

To be blunt, this is how Javascript has been for years, and those of us who understood the technology all along are now shaking our heads and asking "yeah, so?" ... Calling this a flaw now just seems more like a desperate grab for attention than an actual technical problem to be discussed. If you don't like it, take it up with the standards committee and try to get the behavior redesigned for the next revision of the spec, but don't try to blame the browsers, that's just stupid.

Re:It's not a flaw according to MS...

[InvalidError]

Seems like the standards for labeling stuff as "innovation" are sinking to new lows every day.

There is a simple work-around for these phishing exploits: never trust pop-ups - assuming they were not disabled in the first place. When in doubt, proceed through the official front-page.

Re:It's not a flaw according to MS...

[ckaminski]

If we catered to the lowest common denominator, we'd still be using smoke signals, living in caves, and eating our meat raw.

Supporting the infinitely DUMB is a pointless exercise. You have to assume a certain level of sophistication, especially with the web. Now we may have assumed the wrong level, and have to rethink how things are done, but we can't pander to the complete idiot. Those people will always manage to get themselves neck deep into it.

Re:It's not a flaw according to MS...

[Q2Serpent]

Yeah? How do you figure out where it came from? It's not easy by any means. That's the whole point of the security advisory!

Re:It's not a flaw according to MS...

[MPR+At+UW]

It's not a flaw it's a feature.

Re:It's not a flaw according to MS...

[Kainaw]

...and they're not going to release a patch for it.

I read the article. They claimed that Microsoft wasn't going to fix the problem. The article linked to the advisory from Microsoft. I read the advisory from Microsoft. Nowhere in the advisory was there any mention about Microsoft's position on fixing or not fixing the problem. So, I wonder where the news.com article got the scoop that Microsoft isn't going to fix it?

Re:It's not a flaw according to MS...

[julesh]

If you don't like it, take it up with the standards committee and try to get the behavior redesigned for the next revision of the spec, but don't try to blame the browsers, that's just stupid

What spec? Which precise specification requires that web browsers, when requested to by web sites, should open a popup window in which their address bar is hidden? Not ECMAscript, that doesn't standardise the 'window' object.

Re:It's not a flaw according to MS...

[darkpurpleblob]

So, I wonder where the news.com article got the scoop that Microsoft isn't going to fix it?

If you read the Overview section of the advisory you will see it says:

Advisory Status: Advisory Published, No Security Update Planned.

And the Frequently Asked Questions section says:

Will Microsoft issue a security update to address this threat?
No. This is an example of how current standard Web browser functionality could be used in phishing attempts.

Ahh I love Javascript dialogs, I really do

[British]

Ever get rooked into going to a website with perpetual Javascript pompts? I love those.

The only way out of them is to kill your browser process outright.

This is a prime opportunity for mozilla developers to do a slight tweak to the prompts. a "kill all javscript for the rest of this session" button, etc.

It seems to have been forgotten, or deferred.

Re:Ahh I love Javascript dialogs, I really do

[TubeSteak]

No no, there's already a solution. Its right there in the help file

Hold down Alt-F4 till they stop.

I called up tech support and they pointed me right to it.

Re:Ahh I love Javascript dialogs, I really do

[Threni]

> This is a prime opportunity for mozilla developers to do a slight tweak to the
> prompts. a "kill all javscript for the rest of this session" button, etc.

I mentioned this last year, and was told to turn off javascript. I installed PrefBar to make this process easier (F8, click, F8) but then it's turned off until you turn it back on again. I need it on for some sites. What would be better would be an AdBlock style whitelist of sites where you need it enabled, so it can be disabled for the rest. It could even be part of AdBlock, given that JS is often used to stick commercial popups in your face when you're trying to read something!

Re:Ahh I love Javascript dialogs, I really do

[Ewan]

Check out noscript, firefox extension for whitelisting javascript

Ewan

Re:Ahh I love Javascript dialogs, I really do

[Threni]

Thanks, that's great. I'll check it out and maybe install it over the weekend.

Re:Ahh I love Javascript dialogs, I really do

[MoogMan]

Well, prompts being non-modal would be a good start.

Re:Ahh I love Javascript dialogs, I really do

[Bobas]

And in the process kill all other of your windows on your desktop. Nice.

Re:Ahh I love Javascript dialogs, I really do

[Avohir]

If you're serious about killing the damn things, I'd reccomend using a local http proxy. I reccomend proximitron personally (its what I use), but I know there are others. It lets you customize what gets let through on webpages, and its relatively easy to set up. www.proximitron.info

Re:Ahh I love Javascript dialogs, I really do

[NanoGator]

"Ever get rooked into going to a website with perpetual Javascript pompts?"

Not since I switched to P2P for porn!

Re:Ahh I love Javascript dialogs, I really do

[LnxAddct]

With a simple loop, they will never stop.

Re:Ahh I love Javascript dialogs, I really do

[vidarlo]

Noscript allows you to only run javascript at trusted sites, and untrusted sites do not get to run javascript...I can't see any reason for slashdot running 3 javascripts, so therefor I deny them. Gmail use it purposefully, so I allow them. Recomended. Oh, and it is a firefox extension :)

Re:Ahh I love Javascript dialogs, I really do

[m50d]

Use links. It has a very nice thing where any javascript dialog box has an additional button labelled "kill script".

Re:Ahh I love Javascript dialogs, I really do

[taskforce]

Well, I have been duped into going to a few pointless sites, but only by Slashdot ;)

Re:Ahh I love Javascript dialogs, I really do

[a.d.trick]

There a bug on it. It hasn't exactly been forgotten, but I don't know if anything has been done on it yet.

Re:Ahh I love Javascript dialogs, I really do

[whitehatlurker]

Not since I started with Proxomitron, but with Opera, you can turn off javascript by
F12 J

Re:Ahh I love Javascript dialogs, I really do

[lolocaust]

Thank you very much, i've been looking for something like this for a while. I hate it when certain sites prevent me from using the middle-click scroll function, or try and stop me from opening pages in a new tab.

Re:Ahh I love Javascript dialogs, I really do

[Fishstick]

I find pulling the power cord is just as effective. ;-)

Re:Ahh I love Javascript dialogs, I really do

[Fishstick]

You might as well CTL-ALT-DEL to the tasklist and just kill every browser instance.

Re:Ahh I love Javascript dialogs, I really do

[emandres]

links? is that like lynx? and if so, is it still text based???

Re:Ahh I love Javascript dialogs, I really do

[jp10558]

Mmmm, kye-u has a filter for proxomitron to diffuse while - loop browser bombs (which is what I think you're talking about). At least, I don't see such things using Grypen's set that includes that filter.

Re:Ahh I love Javascript dialogs, I really do

[m50d]

Yes, and no. It has text mode but also supports graphical mode, either with the console via svgalib or directfb or in X. No flash or java, but text, images and most javascript work fine.

Oh I know

[TubeSteak]

Lets tell everyone to turn off JavaScript.

That'll solve the problem

Excuse me?

What do you mean Java Scripting is a feature?

Re:Oh I know

[CdBee]

Easier to use an extension like NoScript - a javascript permission whitelist - to selectively allow pages to run scripts, then control passes to where it should be - the user

Re:Oh I know

[harley_frog]

If I only had a mod point, I'd give you one gladly.

While turning off JS would prevent things like mousetraps, pop-ups/unders and other nasty things, the truth is that JavaScript is also used for some good interative web features as well and is well entrenched in the web culture. Like a lot of other things in life, it can be used for positive and negative purposes. Extensions like NoScript will help, but I'm not so sure if it's a cure, just treating the symptoms.

Re:Oh I know

[CdBee]

Noscript works with an icon in the status bar - the idea being that to enable javascript the user clicks and allows the site. It's not really a solution for the clueless, as they'll just go back to using IE to get their "features" back.

sure as hell alleviates the symptoms for the semi-tech-minded though !

Re:Oh I know

[John+Nowak]

You explain to my mom then how to know if a page needs javascript and how to setup a whitelist... and why she needs to.

Re:Oh I know

[generic-man]

Good luck using Google for anything other than web searching.

Re:Oh I know

[CdBee]

actually I just replied to the other guy.. but, yes I agree it's an imperfect solution that would risk sending users back to IE. There's a taskbar icon that can in two clicks whitelist the current site, though.

Re:Oh I know

[harley_frog]

I agree with you that this a good start, but, as you said, this is not a solution for the clueless, and there in lies my point; until something like this, or the aforementioned Opera feature, is implemented into all browsers, the clueless will still be victimized.

And I would also like to extend my thanks to you. I first saw this extension last night on my computer at home and was meaning to install it on my computer at work. It is very interesting to see how many sites use JavaScript. Eleven out of thirteen of my bookmarked tabs use JS. (Okay, one of my tabs is for my POPFile interface, so it really should be 11 out of 12.)

Re:Oh I know

[argent]

Wrong fix. It still leaves you open to injection attacks. Best solution is to get rid of all the hooks web pages (whether through Javascript or not) have to open windows without decoration.

Re:Oh I know

[CdBee]

Pleasure to help.
I'm finding most of the javascript in tech sites at least is advertising scripts - copying banner ads, flash layovers, text ads and popups from other domains.

I already run AdBlock so I don't see them, but actually NoScript is doing most of the work AdBlock does anyway.... it makes a pretty good adblocking client as well.

Re:Oh I know

[arth1]

Easier to use an extension like NoScript - a javascript permission whitelist - to selectively allow pages to run scripts, then control passes to where it should be - the user

The problem is that the above will only be useful for users who's clued enough that they wouldn't be suckered by the phishing attempt anyhow.
The average clueless user will click "allow" any time he's asked whether to allow or deny something. They do so in Norton Internet Security, they do so with ActiveX, and this would be no different.
You can't protect people from themselves by giving them a choice where they actually have to think, no matter how simple the thought process seems to you and me. They'll invariably err on the side of convenience, not caution.

--
*Art

If someone is foolish enough to log in via pop-ups

[schestowitz]

...then perhaps the flaw is in the user.

Very few sites, if any, will use JavaScript/child windows to request details. While I agree that some people are unaware of that, they probably ought to stay away from malicious sites to begin with.

Ooh

[AccUser]

Ooh - isn't Opera one of those web browser thingies? :-)

NoScript

[erykjj]

That's why I use NoScript with my Firefox.

Re:NoScript

[TubeSteak]

I can't be the only one who though the ***s were curses

Developer Comments:
This is not a support forum! If you need support,
you're welcome at http://www.noscript.net/
where you can ***read the FAQ*** or use the forum.

Re:NoScript

[loggia]

Way too many reviews saying this extension causes frequent crashes.

I can't wait until this is worked out so I can use this extension...

Re:NoScript

[erykjj]

I've only noticed the crashes after forbidding/blocking a site from using JS. Normally, I just allow it the few trusted sites that I use and don't worry 'bout the rest. Works very nicely.

people have to be really stupid

[sumday]

to type inportant information into a popup they got whilst browsing some porn site or something.

Re:people have to be really stupid

[pezpunk]

well i think the idea is, you could be on some trusted site, and some porn site spyware/adware could pop up a javascript browser and for all intents and purposes it would look like it came from the trusted site.

Re:people have to be really stupid

[sumday]

yeah that makes sense. d'oh.

Re:people have to be really stupid

[Flinx_ca]

So I'm surfing for some porn when suddenly the new window that pops up is not an ad for another porn site but for my bank, and then a JS login pops up in front of that and I type in my username and password?! Some people drive around the barriers at (train) level crossings... It's called evolution people, the stupid ones loose all of their money and die (hopefully without reproducing first).

disable javascript multitasking

[alexfromspace]

To solve this problem, javascript multitasking must be disabled, only letting the current active window or tab having keyboard focus to run its javascript. Other tabs' scripts must not be disabled, but instead paused until they in turn receive focus.

Re:disable javascript multitasking

[m50d]

I load up my last.fm recommendations in another browser tab. It's a very long list, so I like to look at other pages while the script queries the database, works out which album cover pictures I need, and downloads them all. I'm sure there are other things like this that would be messed up by your idea.

Re:disable javascript multitasking

[alexfromspace]

The thought that an idea can mess things up is indeed intriguing. Thank you. Nevertheless, taking things into perspective one might see that DISABLING SCRIPT MULTITASKING BY DEFAULT is the best solution to this problem. There is no reason why there can not be an option in your browser to turn such a feature on, off, or set it selectively. And it is definitely better than turning scripts off completely, or keeping them all on and running a risk.

Phishing it for all it's worth

[null+etc.]

Isn't this just a rehash of every other bug they've announce this year, in a slightly different permutation? Next month, I expect they'll announce that frames within a DSHTML portion of a popup window can be loaded from non-trusted domains.

It cracks me up, because they probably have an obsessive/compulsive, socially-maligned programmer within Secunia that just delights spending 16 hours a day trying to twist the browsers into doing what he wants. And then Secunia announces these flaws to save their reputation because nothing else is going on.

Re:Phishing it for all it's worth

they probably have an obsessive/compulsive, socially-maligned programmer within Secunia that just delights spending 16 hours a day trying to twist the browsers into doing what he wants.

Do you know if they need another such programmer? I'm unemployed right now...

Re:Phishing it for all it's worth

[aftermath09]

Mod parent up. This is definitely a rehash of another "security flaw".

not to mention: "To take advantage of the flaw, ...would have to direct a Web user from a malicious site to a genuine, trusted site such as an online bank, in a new browser window. The malicious site would then open a JavaScript dialog box in front of the trusted Web site, and a user might then be fooled into sending personal information back to the malicious site."

how ridiculous is that? I click on a link for viagra, and then a bank that I may or may not have affiliation with pops up asking for my details. I am then dumb enough to enter said details even though I have no idea why my banking site is on the screen?!? that's like saying someone paints a picture of an atm in their window, and I blindly pass them my bank card as well as tell them my pin. why was i there in the first place? no idea, but these popup windows are pretty!

Re:old news

It's not even a bug.

It's advertising and FUD from those Opera guys. They are really getting boring.

- Opera adds a feature that shows the name of the site in the title bar in their last build ;
- Someone at Opera reports it (under a false name) as a security issue affecting every browser BUT Opera ;
- Slashdot runs one more article about the genious of this stupid paid-for, closed source browser.

That's not the first time it happens, nor the last one. /., stop supporting Opera FUD. Thanks.

Not really the popups

[luvirini]

It is not really the pop-ups that are the security propble. It is the fact that the user interface is written in a way that does not make the different things clearly separated.

It corresponds to say.. running a browser, a spreadheet and say a game at same time and then getting a dialog box that is not identifiable saying "Do you want to save?".

Different problems of this sort will only raise as more and more applications are run as web based. Today it is popups that are not identified, tomorrow something else.

Re:Not really the popups

[Thu25245]

Know what the sad thing is?

Under OS X, dialogs (like the "Do you want to save?" dialog) should be locally-modal "sheets" that are attached to the parent window. Sheets are designed to remove this sort of visual confusion as to the origin of a message.

Safari really should display these popups as sheets, but it doesn't.

Re:Not really the popups

[Juanvaldes]

A property of a sheet is it "freezes" the contents of the window ie you can not interact with the primary window only the sheet itself. Not sure if js spec specifies on this one way or the other but it could be the reason.

Re:Safari

[Otter]

It's because of the C++ code from KHTML -- if the whole thing had been done from the start in Objective C, there wouldn't be any problem.

That's what happens when one doubts the infallible wisdom of Steve...

Re:Let's see...

[wallykeyster]

How long takes to fix the free browsers...

Firefox has been working on it and Opera fixed it. Microsoft says they aren't going to fix it since it is a "feature". Even better, Microsoft's answer is for users to install XP SP2 and make sure the firewall is enabled. Beautiful...

Re:Is Konqueror affected?

[grahamm]

Konqueror 3.2.1 here is affected.

Front door...

[Shotgun]

My front door has a major flaw, in that con artist can walk up to it and claim they are from and officially federal agency and have an urgent need for me to help them.

Doors from major outlets, including those of Lowe's and Home Depot, are affected by this flaw. Our investigations have determined that this flaw has been known for years, yet the major distributors have not plans to release an update to correct the problem.

US Senator, C. Ritter has introduce legislation under the title "Omnibus Weak Nutz United", the OWN-U bill, that seeks to station a security agent to watch over every door in the case the occupants cannot determine that they are being conned.

Re:Front door...

[Matje]

your analogy is flawed. any official agency will issue some sort of official ID card. You can verify the ID by contacting the agency (of course, make sure you independently obtain the correct telephone number, etc). This way, you are able to establish the authenticity of the person at the door.

the whole point of this JS flaw is that you can't establish the origin (identity in the analogy) of the popup.

Re:Front door...

[John+Nowak]

... You can't just turn the URL field back on?

Re:Front door...

[julesh]

Funny analogy, but a more accurate one would be to say that doors have a flaw because you can't see who's on the other side of them before you open them.

There's a simple solution, you can install a spy hole that lets you see through to the other side first.

Re:Is Konqueror affected?

[alewar]

Yes, it is. (a leat version 3.4.0)

Re:Safari

[CyricZ]

I know you're trying to be funny, but in most cases Mac OS X and Objective-C while using the Cocoa framework provide for a very secure environment. Mac OS X's Mach ancestory, which derives directly from BSD UNIX and from true UNIX itself, proves to be a very stable and secure base to build upon. Objective-C and Cocoa combines the security of Java with the speed of C. Together they form a very strong programmery layer that is nearly impenetrable.

Indeed, considering this problem affects so many different browsers, across so many different platforms, across so many different codebases, it is more appropriate to say that it is an error within the JavaScript specification and design.

Re:If someone is foolish enough to log in via pop-

[ctr2sprt]

Hack a commercial website. Find an interesting page, then replace it with your own. The replacement page includes JavaScript to (a) display the "login" popup; and (b) redirect to the real page. Information from the login popup is redirected to a collection or harvesting site and perhaps even forwarded back to the legitimate site (so you don't have to login twice, which would make some people suspicious).

You really think most people end up on malicious sites intentionally?

Re:stop developing with JavaScript

[pezpunk]

why stop there? why not keep your computer turned off and locked in the corner? it's just asking for trouble by running scripts and executables all over the place.

when is microsoft going to patch their OS so it no longer runs any code?

Re:Is Konqueror affected?

[bamb8s]

Is Konqueror affected? If Safari is, then it may be. But if not, then it proves yet again that Konqueror is quickly rising to be one of the Big Boys in the browser world.

Yes, Konqueror is affected by this problem. To fix it they'll have to make the JavaScript dialogues display the address of the page they originated from. Uses the title wouldn't be good enough as it can be spoofed too. It's funny though that it's a called a spoofing bug since I can't remember using a browser that ever actually provided an identity in a dialogue to spoof.

Re:If someone is foolish enough to log in via pop-

[beavioso]

"While I agree that some people are unaware of that, they probably ought to stay away from malicious sites to begin with." Because we all know the users can tell the difference between the real thing and the malicious site, unless of course your method of staying away has them disconnecting their internet connection.

Re:stop developing with JavaScript

[AKAImBatman]

People should stop developing with JavaScript. It's nothing but trouble.

Poppycock. This is nothing more than a typical knee-jerk reaction to a minor security flaw. Should we all stop using email because phisers can craft ones that look like someone elses?

Lots of sites use JavaScript very effectively. So many in fact, that it's rather difficult to make such a wild statement as "JAvascript is nothing but trouble." Google is a perfect example of a highly useful site with JS. For example, Maps and GMail both rely heavily on JS. In fact, most webmail sites contain JS. And without JS, you couldn't have neat stuff like this. (Login is test, test)

Re:Safari

[callipygian-showsyst]

Have you ever used Objective-C? It's the SLOWEST compiled environment ever! And, because there's no garbage collection, etc, it's certainly no more secure than "raw" C (because all of C is legal in Objective-C). In many cases, Objective C is slower than Java becasue of it's "run-time" binding.

Re:If someone is foolish enough to log in via pop-

[JimDabell]

You are forgetting that the normal way in which browsers have presented HTTP authentication for years is in a popup window. I'd expect many people to have logged into legitimate sites with what appears to be a popup to them.

they probably ought to stay away from malicious sites to begin with.

What's a "malicious site"? There have been worms and viruses that insert malicious code into whatever HTML they can access. Suddenly, the definition of "malicious site" includes the website of every organisation that is susceptible to worms and viruses.

lynx

[bathmatt]

man, thank god i am still using lynx.... I was worried when they said major.

Re:stop developing with JavaScript

[Christianfreak]

Javascript is very useful to creating rich web applications that don't have to reload the pages. Seen Google maps or Gmail? How do you think they did that?

I agree that Javascript should not nessicarily be required to view content on a general website but properly used it gives a whole new dimension to web apps.

People give the guns and P2P analogy all the time here: they both have proper uses and improper uses and banning them, or not using them because they have improper uses makes no sense. How is Javascript any different?

Re:old news

[n0-0p]

I know the Mozilla devs were talking about this a few weeks back on one of the lists. They said they didn't consider it a severe security issue yet, but were working on the engine so that popups would be tab and window modal. They've also added pieces to the plugin interface so that plugin developers (Flash and Java for instance) can honor Mozilla's popup blocking.

Currently, if you're popup blocking for all but trusted sites you should be relatively safe from this. It really is hard to prevent phishing attacks though. They attack the users judgement, which unfortunately tends to be the weakest link.

Not on Mac Firefox

Actually, this attack doensn't work "well" with Firefox on Mac, which uses sheets to display JavaScript dialog (alert, promt, confirm). By tying the dialog to the window, it becomes visually obvious which window the pop-up belongs to.

Now why doesn't Safari use this? Seems strange Apple wouldn't use their own UI convention.

Re:Not on Mac Firefox

[Will2k_is_here]

But if it comes to tabs, does it still work?

Re:Not on Mac Firefox

[Sigma+7]

Actually, this attack doensn't work "well" with Firefox on Mac, which uses sheets [utah.edu] to display JavaScript dialog (alert, promt, confirm)

There's no reason that it should "work" on Windows either. Standard Mozilla dialogues for failed page loads are already tied to a window, and appear only if that given window has focus.

Of course, there's still some dialogues that transend window focus, such as Mozilla being unable to verify an SSL certificate.

Re:Let's see...

[0x461FAB0BD7D2]

The only non-free browser, Opera, already has a fix for it.

What's your point?

Is this really a vulnerability?

[propagandize]

I agree that this is an issue, but saying this is a vulnerability in the browser seems a little odd. It feels a little like saying that your email program displaying phishing emails is a vulnerability in the email program. I'm not saying that this isn't something that could be addressed by a change to the browsers, but the headline (and TFA) make it sound like the code in the browsers is faulty.

Re:Is this really a vulnerability?

[m50d]

I'd say it is. A site in one tab or window should only be able to control things in that tab or window. Allowing one window to display a dialog in a different window is a flaw to my eyes.

Re:iCab?!?!

[JimDabell]

iCab recently passed the second Acid test.

Re:stop developing with JavaScript

[Taladar]

The difference is that you can do lots of things on the web without client-side scripting while you can not do anything with an OS that does not run executables.

Odd

[Sheepdot]

If Secunia is reporting it, why not link directly to Secunia?

http://secunia.com/multiple_browsers_dialog_origin _vulnerability_test

I've never understood the reason to link to ZDnet first. Especially when we are all a technical crowd and can deduce the severity on our own.

In my own opinion, the security community has been really scrambling to find exploits and vulnerabilities since the release of Windows XP SP2, which, despite a lot of compatibility issues with common software, has been very effective in slowing down the growth of zombie networks. In short, Microsoft finally got something right, and those that are in IT security for the sole reason of bashing MS to make a buck, are having a hard time doing so.

This is a phising technique that can be used to get a username/password from like a credit card or bank website, but that's about it. You'd be hard pressed to get this to compromise a local machine, although I'm interested in what would happen if someone tried calling a local zone page (like a help file) and then executing the javascript from that page. There was a similar exploit that used this delayed tactic last year that Microsoft didn't fix for probably 3 months. It was a 0-day exploit too, it was found in the wild, spreading via IRC, before anyone reported the vulnerability.

Re:Odd

[hermank]

Maybe someone want to /. ZDnet instead of Secunia 1st?

Re:Odd

[argent]

In short, Microsoft finally got something right, and those that are in IT security for the sole reason of bashing MS to make a buck, are having a hard time doing so.

Microsoft hasn't fixed the underlying problem, which is that a web browser or a component used by a web browser has no business providing a mechanism by which a web page can even request the execution of a downloaded native-code applet or scripts with local file access. That capability should not even be in the HTML display control.

That way it wouldn't make a difference what "zone" a page is in, there wouldn't be an exploit to take advantage of.

Firefox's XPI installation mechanism and Safari's "open safe files after downloading" are examples of capabilities that are completely unnecessary and have the potential of being used to open similar holes. They're about two or three decimal orders of magnitude less dangerous, but are still things that no browser should implement.

Re:Odd

[JimDabell]

I'm interested in what would happen if someone tried calling a local zone page (like a help file) and then executing the javascript from that page.

As far as the computer is concerned, the Javascript is executing in the context of the malicious page, and whatever security applies to that page applies to the Javascript. The idea you have is a non-issue.

The vulnerability being discussed is that it's not clear to the user that the popup that executes is from the malicious page. You can't use this to escalate privileges on the computer because the computer isn't the one that is being confused. You can use this to escalate privileges granted by the user though, by tricking them into typing passwords, etc.

Re:Odd

[Sheepdot]

While I agree in the Microsoft issue, simply due to the various exploitation methods using Visual Basic Scripting, I think I would disagree with XPI and the "open safe files after downloading".

The real issue is the use of web scripting to hijack user clicks or make running executables something that can be done from malicious javascripts or vbscripts. XP SP2's method of dropping down a bar that requires you right-click on it to install the software is only one order of magnitude of complexity.

Perhaps instead, we should be looking at the sheer power that is given to vbscript and jscript, and instead look at limiting the "new window" capabilities. Unfortunately for security advocates, popups are now used in well over a majority of web applications. I don't see that changing anytime soon, either.

Re:Odd

[argent]

While I agree in the Microsoft issue, simply due to the various exploitation methods using Visual Basic Scripting, I think I would disagree with XPI and the "open safe files after downloading".

Each of these introduces a mechanism whereby a potentially malicious object can be opened outside the sandbox without the explicit request of the user. They are a lot harder to compromise than a mechanism that's designed explicitly to grant local rights to remote objects, but there have been demonstration exploits created for each... and though in each case the response from the publisher (Apple or Mozilla) was swift (Microsoft's response rarely qualifies as that), in neither case was the mechanism itself removed... which leaves open the potential of additional exploits.

Re:Odd

[Sheepdot]

And that's where we disagree I think. I see nothing wrong with Apple or Mozilla's mechanisms, because it's one method and the user gets used to what they would see as suspicious activity, and realize that there's a way to run a potentially harmful application inside another.

With many of MS's exploits, that is not the case. The user has no idea how software gets installed. While XP SP2 has tried to consolidate it to a popup bar at the top of the IE window, it's still not a perfect solution.

Not to mention the ridiculous ease in which someone can compromise a station. For example:
"mshta.exe http://sec.gravito.com/hta3/?test.exe+RUN" can be typed into any command window and will run an HTA html application using VBS to pop open a CD-ROM. If I can do that, who knows what else I could do.

Re:Odd

[argent]

I see nothing wrong with Apple or Mozilla's mechanisms, because it's one method and the user gets used to what they would see as suspicious activity, and realize that there's a way to run a potentially harmful application inside another.

I'm sorry, I can't parse this. I honestly don't understand what this sentence means. Can you try again?


Not to mention the ridiculous ease in which someone can compromise a station.

Um, yes, I already said that the Microsoft HTML control is a much much much more serious violation of the sandbox. But XPI and "open safe files after download" are still holes, however small. There's no good reason for any of them.

Re:stop developing with JavaScript

[Taladar]

You couldn't slashdot your server without JS? I doubt /. would have a problem with that one...

The following two browsers are not affected...

[i_like_spam]

(1) elinks

(2) lynx

Huh...

[robertjw]

And all this time I thought JS Popups were a flaw all by themselves.

Re:stop developing with JavaScript

[I+confirm+I'm+not+a]

People should stop developing with JavaScript. How many of us have it disabled in our browsers? It's nothing but trouble.

I'd change that to: "People should stop creating websites that require JavaScript unnecessarily." Unless your application really relies on JavaScript (eg. GMail, etc) your web-app should degrade gracefully on browsers that either don't support JavaScript or where the users have exercised their right to switch the bloody thing off.

Stop Firefox or Mozilla from hiding location

[greed]

Firefox and Mozilla, and probably any other Gecko-based browsers, have a way of disabling the disabling of various UI elements when JavaScript opens a window. I found this in another Slashdot thread last year, but forgot which one.

Open about:config . You'll probably have to type that, Mozilla won't follow it from an http: URL.

Key in dom.disable_window_open_feature as a filter.

Change the value for location to true. In Firefox, just double-click the false and it will toggle. Mozilla you need to edit it and actually type in all four letters of true. (But I'm happier with the Mozilla suite at the office, so I live with it.)

Change any other values to true that you feel like; I'd be inclined to do status, resizable, close and menubar at a minimum.

Now the location will be visible in any pop-up window.

So the very first thing the Moz group should do is default some of this stuff to true instead of pander to controlling webmasters who want to take over the user's computer. I mean false.

Re:Stop Firefox or Mozilla from hiding location

[Flinx_ca]

That menu path does not exist in Firefox 1.0.4

Re:Stop Firefox or Mozilla from hiding location

[n6kuy]

Still not satisfactory.

I'm using Firefox 1.0.4/Linux

Clicking on the test link brings up a blank window (with or without location bar, depending on how you have dom.disable_window_open_feature.location set), then a JS dialog box pops up that's only identified as "Javascript Application", which contains the text enty phishing field. Meanwhile, the main window goes to the legitimate Google site, until you click the button on the dialog box. After clicking, the new blank window goes away, and the main window returns to the Secunia site.

The fact that the JS dialog box doesn't say what URL originated it is a flaw (IMHO) that ought to be dealt with...

Re:Stop Firefox or Mozilla from hiding location

[Q2Serpent]

This is true, but the security flaw is about opening JavaScript dialog boxes, not new browser windows.

For goodness sakes, the referenced article even had a test you could run on your own. You would have seen first-hand that your idea, while correct, doesn't address this problem at all.

Re:Stop Firefox or Mozilla from hiding location

[Ahnteis]

Aren't those the exact same settings that you can access in the javascript options section?

Re:Stop Firefox or Mozilla from hiding location

[julesh]

Aren't those the exact same settings that you can access in the javascript options section?

On my copy of firefox, only "hide the status bar" is in the prefs dialog, although I remember these options having been there in the past. Perhaps its mozilla suite only? Or maybe an extension enables them?

Re:Stop Firefox or Mozilla from hiding location

[julesh]

Cool! Except... this flaw isn't about opening windows. It's about dialog boxes.

OK, so that's the solution to a different flaw. But an equally important one.

Re:old news

[Danuvius]

Bizzarely, this is the most sensible explanation I've read so far. I just can't believe that there is anyone who knows how to report a browser bug that would be so dumb to call this... well, a browser bug.

The value of red teaming

[G4from128k]

It cracks me up, because they probably have an obsessive/compulsive, socially-maligned programmer within Secunia that just delights spending 16 hours a day trying to twist the browsers into doing what he wants. And then Secunia announces these flaws to save their reputation because nothing else is going on.

I'm sure you are absolutely right. And hopefully he'll keep doing it because you there are crackers, phishers, and criminals out there who delight in spending 16 hours a day trying to twist browsers into doing what they wants. If Secunia is a bit obsessive in their red team activities against computers, then we can hope that they uncover exploits (and motivate patching or disabling of exploitable features) before they appear in the wild.

I, for one, welcome information on what computer software and features can or cannot be trusted.

that's dumb

[__aaitqo8496]

this "vulnerability" is like saying a banking company has a security vulnerability because some peon is pretending to be the CEO

mod +1 next story please

Re:stop developing with JavaScript

[Mr.+Cancelled]

People should stop developing with JavaScript. How many of us have it disabled in our browsers? It's nothing but trouble.

Wow! What a well thought out idea! Let's take it to the next level...

People should also stop using IE. It's proven to be full of security holes. But of course this is largely due to it's integration w/the underlying OS, so people should probablty also stop using Windows.

For that matter, the problems are all found in the same place: On the Intenet, so people should just stop using the Internet too. It's nothing but trouble.

But then again, the Internet's more or less only accessible with computers anyway, so let's chuck the computers while we're at it.

Really... People who make such blanket statements about Javascript, without really understanding what it is, it's pro's, as well as its cons, is really getting old. I'm surprised this wasn't followed up with a paragraph about how evil cookies are, and how they should all be disabled.

Give JavaScript a Break

[anthm]

It may be possible for JavaScript to help evil-doers but it's up to the implementer of the Application using the engine to avoid that, not the language or its core developers. If every invention that could potentially be used for evil was struck down there would be nothing left. JavaScript can do plenty of good and the developers of the open source engines have gone out of their way to make it well documented, embeddable and extensible so you can add it to almost anything that needs a little help with a language parser. In fact, I myself have recently added JavaScript to the Asterisk PBX system to drive IVR and it works quite well without much concern for exploits. RES_JS for Asterisk: http://www.cluecon.com/res_js.html

Re:Give JavaScript a Break

[javaxman]

It may be possible for JavaScript to help evil-doers but it's up to the implementer of the Application using the engine to avoid that, not the language or its core developers.

No, fix JavaScript's security model.

What's that, it doesn't have one ? Why don't you see that as a problem ?

I'm sorry, JavaScript does have it's benefits and uses, but don't pretend it's not a huge, gaping security hole waiting to be exploited. It is, and always has been.

It's all very fine and well to say "let the browser implement security for JavaScript", but how exactly do you do that? How do you do that *and* support all of the features ?

Defend JavaScript for being useful ( it's cheaper than Java applets or having the server do the work, perhaps ). But don't defend it's lack of security by placing the onus on the browser developers. Their job is hard enough without preventing a scripting language which you love because it can do everything from, well... doing everything. If some browser prevented JavaScript dialogs, would you complain when you can't use that feature? Somehow I think you might.

Re:Give JavaScript a Break

[anthm]

but, It is out of the scope of the language to be responsible for how it will be implemented in a browser when a browser is not the only application it is able to be implemented in. The Document and Browser objects in JavaScript are not standard they are addon's used when the language is applied to a document rendering model. Therefore the developers who implement the marraige of JavaScript to a browser are indeed responsible to make sure it does not raise any security concerns. When I added JavaScript to Asterisk I had to implement serurity features that only make sense in a PBX and I would not have expected the language to come standard with a way to handle that situation. See http://www.cluecon.com/res_js.html for reference

Re:Give JavaScript a Break

[javaxman]

t is out of the scope of the language to be responsible for how it will be implemented in a browser when a browser is not the only application it is able to be implemented in.

Oh, come on. That's a cop-out, and you know it. Or at least you should.

Even if it's not a cop-out, how about this : it's a language designed to be used in a networked environment. Is it not? Ok. It is. So it should have *some* sort of security model. The simple fact is that it has *none*.

When Java was designed, how it would be secured in a networked environment was given some serious thought. Say what you want about Java, and it may have had it's own security issues in the past, but at least it *has* a security model. When ECMAScript/LiveScript/JavaScript whatever you want to call it developed, it... well, initially, it didn't have half the abilities it now has ( raising windows? Not even. ) and it *never* had the thought put into it required to handle security problems seriously. It's not like this is the first security-related issue to surface relating to JavaScript. It's a constant source of such issues.

Perhaps the language and it's abilities just need to be restricted? If you don't want some sort of definition of what acceptable inputs/outputs/conditions exist under which certain JavaScript functions can take place, would you want to remove the abilities completely? Or do you want developers to break any sort of standardization that has developed in the language, and have every single browser to implement the language differently ? Oh, wait, that already happens...

In any event, burying your head in the sand over JavaScript's security issues, placing blame on browser vendors, and touting your Asterix plug-in aren't going to help fix JavaScript's serious and ongoing security shortcomings.

Again, I'm not saying it's not useful. But it is not secure, and should be avoided in applications where security is important, unless you want to be spoofed by a similar attack as to what's described here... or a different one that is introduced or uncovered in the future...

Re:Give JavaScript a Break

[anthm]

I'm not sure which of my statements you will quote this time in your alogrytmic attempt to gently flame me in your next reply but I hope it's a good one so that means actually read my whole statement this time as you choose.

The issue of insecurity is obvious but it is rediculous to say that something related to pop-up boxes in a browser has anything to do with JavaScript just because the mechinism was implemented with it. To me that proves you do not understand how it works very well. The JavaScript maintainers in most cases ARE the browser devlopers as well or at least work closely with them. Mozilla, for instance, happens to maintain both in thier CVS tree. Regardles of this, the same guy or 2 different guys developing the engine and the browser the security still is guarded at the place where they meet. So i'm not burying my head anywhere because chances are the same guy is going to fix it from my point of view as is from yours only he will have his Mozilla Browser hat on not his JavaScript one. I'll restate that the componets of JavaScript that even make a pop-up window possible is only found in browser implementations so it's not JavaScript as a whole that needs work only the 'Browser' object module. There is no kop-out only clarification. Enjoy the last word as I have nothing more to say on this matter. Perhaps instead of trying to subtly insult me and my Asterisk module that happens to prove my point perfectly, you should use that last word to post your proposal on what feature you plan to add to one of the open source JavaScript engines and maybe submit some code. Then you can try to convince the closed source implementations to adopt this new uber secure enhancement.

Re:stop developing with JavaScript

[DogDude]

How many of us have it disabled in our browsers?

Only the most paranoid of geeks, buddy. Average Joe has no idea what Javascript is. Hell, I was and currently am a part time web developer, and I'm not afraid of Javascript.

Re:If someone is foolish enough to log in via pop-

[jrumney]

My share broker's site used to use a Javascript popup for login, then resize the Window you'd opened it from to suit their page. It didn't work properly with the default security settings in Firefox, so I persistently complained about it until they provided an alternative login mechanism without any popups or resizing. The old login method is still there in the form of a big Login button on the left side of their front page, though why anyone would use it instead of the Username and Password boxes in the top right, I don't know.

Re:Safari

[CyricZ]

I have done years of development on NeXT systems. You know, before it became the Cocoa that you kids play with today. It was blazingly fast on systems with 8 MB RAM and a 68040 25 MHz CPU. Hell, I'd love to see a fully GUI Java app run on a system like that. It just wouldn't be usable in the least. To claim that Objective-C is slower than Java is foolery of the highest degree!

While Cocoa does not yet use the garbage collection facilities of Objective-C, the GNU runtime does offer them.

But in short, this browser bug is not a result of Objective-C or Cocoa in any way. It is merely a problem with the traditional way of displaying JavaScript popups.

Re:old news

[Slashcrap]

It's advertising and FUD from those Opera guys. They are really getting boring.

- Opera adds a feature that shows the name of the site in the title bar in their last build ;
- Someone at Opera reports it (under a false name) as a security issue affecting every browser BUT Opera ;
- Slashdot runs one more article about the genious of this stupid paid-for, closed source browser.

You left out :

- Flaw is reported to Secunia, the biggest bunch of publicity whores in the security industry.

- Slashdot regurgitates their press release without exhibiting any evidence of critcal thought.

Re:If someone is foolish enough to log in via pop-

[kristjansson]

yeah, nobody uses javascript popups for logins

Re:Nice try, Opera...

[nicomen]

No problem, just download the free version: http://opera.com/download. It has a 34 pixel high banner at the top which shows contextual Google ads. And Google is still considered "good" even by Slashdot readers, no?

Re:stop developing with JavaScript

[pezpunk]

like it or not, the browser has become a vital platform for application development. unfortunately, client-side scripting is far more efficient than hitting the server every time the user interacts with a UI.

Re:Safari

[arkanes]

a) There *is* garbage collection in ObjC (via refcounting), and GC has little to nothing to do with the relative security of C and Java (theres some obscure security flaws related to misuse of buggy versions of malloc(), on the other hand there's obscure flaws related to abusing the GC scheme to bypass Javas typesafety. And neither are common or practical.)

b) You can certainly use unsafe C contructs in ObjC, but ObjC provides (and encourages) safe, non-C constructs that address the vast majority of C problems. Unsafe pointer and buffer operations are rare in ObjC, because the language provides better alternatives.
c) "Many cases slower than Java" is the sort of unsupportable bullshit that people make when they're trolling. Yes, message passing is slower than virtual function calls (and Javas are [much,much] slower than C++s vcalls).

Nope, not a problem in my FireFox..

[slashkitty]

Firefox has a nice setting to open new windows in tabs. This trick did not work at all on me, because any new window created has the full url and toolbar. It was very easy to see it was not google.

On another note, when will sites stop relying on freaking popup windows. Besided being blocked by many normal people, they are a real pain and always seem to have bugs associated with them. If you can't design your website to a full browser window, you shouldn't be designing websites!

Re:Nope, not a problem in my FireFox..

[rmm4pi8]

Where is the feature, if you don't mind my asking? This is the thing from Konqy that I miss the most...(moved to Moz for the extensions).

Re:Nope, not a problem in my FireFox..

[oliverthered]

I've had to use popups for cross domain scripting. The popup connected to a different site and then populated data in the original window.
I would have used Iframes, but mozilla prevents all scripting with iframes, even the read-only DOM kind.

Re:Nope, not a problem in my FireFox..

[cdwiegand]

Some of us have huge websites that we'd love to migrate off of popups, but the manager's "if it works don't fix it" credo means that we have to just tell our clueful 10% of users to disable their popup blocker. And the 50% that have loaded some IM program that secretly blocks popups (ie. it doesn't tell the user WHEN IT BLOCKS that it's blocking, even if it does tell them when the install it) get told that they've shot themselves in the foot and we don't support Yahoo!, MSN or whatever popup blocker they installed and now they don't know how to tell it our site is safe. ARGH!!!

Re:Nope, not a problem in my FireFox..

[Hugh+Lilly]

I dunno about Mozilla, but in Firefox it's under Tools > Options > Advanced.

Here's a screenshot:
http://www.mozilla.org/support/firefox/images/opt_ advanced.png

captain obvious

[loconet]

"Major Browsers Have JS Pop-Up Flaw"

They sure do! ..... They implement it! ;)

Re:Nice try, Opera...

[dartboard]

Google is still good but Opera is still bad. Obviously!

Re:Apple Bets Farm on Heterosexual Computing - GNA

[NemosomeN]

I've gotta admit, these GNAA "articles" are actually starting to be funny.

Re:Nice try, Opera...

[kryptx]

So I should download a browser that very few people use which will tempt me with targeted advertisements to spend money I don't have and likely not display things properly, and I should do this because it will allow me to see the URL in javaScript popup windows? Am I missing something here?

If someone is foolish enough...

[exp(pi*sqrt(163))]

Yeah! How could anyone be that stupid? I mean we're all taught from the moment we're born that it's not safe to login to something via a popup window. Even my grandma could tell you that.

Re:If someone is foolish enough...

[dantheman82]

Well, I've come across some important Intranet/Internet sites that still create a popup for login. For example, it's still around at a large financial corporation where I work. Even some banks and other "safe" institutions go that route. Idiotic if you ask me...

Re:Safari

[pohl]

It's not what you have, but how you use it. Slow programs can be made in any programming language. Since Objective C is a superset of C, there's no reason that performance-critical section of code need to suffer any more overhead than a C function call. In many cases, this can be done without even replacing your method with a C function, by way of holding a reference to the method's selector, which allows you to avoid the method-lookup overhead. For sections of your application that are not "hot", there's no need to do this. The performance that you desired was within your reach without changing your language of implementation.

Konqueror is also affected

[zr-rifle]

I tried it out on Konqueror 3.4.0 and it is also affected. The only minor change is a blank popup window opening together with the javascript query.

Re:Konqueror is also affected

[Gaima]

Same thing in Konqueror 3.3.2 and 3.4.1, except the javascript popup has the hostname of the site it came from in the title bar of both version, so konqueror is in fact not vunerable.

Re:stop developing with JavaScript

[JimDabell]

Unless your application really relies on JavaScript (eg. GMail, etc)

What features of GMail really rely upon Javascript? Labels? No. Search? No. 2GB space? No. I can't think of any reason why GMail should require Javascript. People turn a blind eye because Google are so popular, but Javascript isn't exactly their strong suit. GMail could degrade gracefully, but they didn't bother.

Not a probem with OS X (Aqua)

[crovira]

A dialog box is 'owned' and drops down modally on top of the window that 'owns' it.

A new window is a new window and opens below (if there's room) and to the right (if there's room) of the requesting object window regardless of the amount of gadgetry on it (like title bars, buttons, window styles.)

Its always possible to fool somebody and they'll possibly be fooled into revealing their personal data, but eventually the problem will take care of itself hen these people and bust-ass broke and smothered in spam.

There's only so much people can do with a stateless environment. This would be a problem regardless of the language used (both computing & human), the browser used or the platform used (both hardware & software.)

At some point, people will realize this and stop trying to do the impossible.

Transactions are 'transactions'. That means that they have a 'commit point,' which means that they need a state engine which runs from the beginning of the process to the end of the process.

And yes, it CAN be done over the internet over a secure connection. But the control has to shift to the transaction machine while the transaction is going on. Neither you or anyone else should never be able to spawn a new GUI window while the transaction is happening.

Re:Not a probem with OS X (Aqua)

[mehtajr]

You obviously didn't try the demo in the Secunia advisory. Javascript dialogs in Safari 2.0 appear as popup windows, not sheets. HTTP authentication dialogs *do* appear as sheets in Safari, but those are a different beast.

And even javascript sheets don't save you, since technically that browser window did open the dialog (through a redirection through a malicious site and a pause, before sending you to the real site), even if the dialog appeared as a sheet, it would be attached to the trusted site's browser window-- which is even worse, IMO, since then they'd look like legit authentication requests.

Re:Safari

[Zaiff+Urgulbunger]

I'm going to insist on strong programmery layers in future, particularly the nearly impenetrable ones! :D

Lets see....

[slapout]

...a problem was discovered and Opera got it fixed quickly. So now you're complaining? :-)

Lynx Rocks!

[ehaggis]

These security flaws do not seem to affect Lynx as often. I rarely have a new terminal "pop-up" while browsing with Lynx.

Re:Lynx Rocks!

[zemoo]

Maybe not Lynx, but Links is creepy!
It has JS support, and the other day, I got a popup XTerm!
Of course, since those things usually contain flash ads, the xterm was mostly empty, but still -- advertisers are out to get you

even if they did, it wouldn't help

[cahiha]

he problem is that JavaScript dialog boxes do not display or include their origin,

I can assure you that even if they did contain their origin, it would still not make much of a difference--most users wouldn't bother to look.

Maybe what we need is a secure web standard, something that runs only over https, uses strict XHTML, dispenses with JavaScript, pop-ups, frames, and popups, and is used for banking and similar applications. Preferably, that should be a separate browser.

NoScript

[Captain+Kirk]

Just followed your link - what a superb plugin. I need Javascript for a Web application but hate it on most sites.

Thanks for posting the link!

Re:Nice try, Opera...

[Mindwarp]

No. You should do it because it's feature rich, has very intuitive mouse gesturing built in, has one of the fastest and most accurate rendering engines out there, and is IMHO just plain nice to use.

And you should probably see someone about that whole 'not being able to resist advertising' thing. ;-)

my, what an elegant interface!!

[John+Nowak]

Lordy...

Re:my, what an elegant interface!!

[julesh]

Well, yes, the interface is intended to allow you to change internal settings that are provided only for power users. Somewhat similar to the program, regedit.exe, that comes with Windows. Neither is a brilliant solution; in an ideal world there would be simple preference dialogs to change all of these options, but that would require to much work to maintain and would be difficult to do in a way that's not confusing for the average user.

Re:stop developing with JavaScript

[sqlrob]

Gmail requires Javascript?

No problem logging into gmail from Firefox with JavaScript disabled, just a "For a better Gmail experience, use a fully supported browser" blurb at the top, and fonts were different than usual.

spoofed address bar

[paul185]

I get phishing attacks using techniques similar to this all the time. Being somewhat of a security guy, I always click the link and take a look at the techniques that particular phish is using. Lately, a lot of them have spoofed address bars (using javascript) that try to cover up the real address bar with something like "https://paypal.com/login.html". The interesting thing is that Firefox doesn't display the spoofed bar at all. It usually doesn't look very good in IE, since it uses absolute coordinates to position the spoofed bar, and if you have any extra toolbars, it won't show up in the right spot.

Re:old news

[jcuervo]

They attack the users judgement, which unfortunately tends to be the weakest link.

Users are idiots? The devil, you say!

Re:iCab?!?!

[John+Nowak]

Amazing how a small team (is it even more than one person?) can do this, yet all the people working on Firefox/Mozilla can't.

I use a Mac for a reason... *ducks*

Uhm... this is called a vulnerability in browsers?

[Bane1998]

Now, wait a minute. Isn't this just sensationalism? To me, a vulnerability is an buffer overflow, or something real. This is just generally bad design. Essentially, they are saying a window that doesn't show where it is from is a vulnerability in browser software? In that case, nearly every windowing system (Windows, X, Aqua, etc) have this 'vulnerability'. It's not hard to pop up a window that on the surface appears to be part of another app.

So again, explain to me how this is a vulnerability. I think MS said it right when they said:

Microsoft has said it is investigating Secunia's claims. It encouraged surfers not to trust pop-up windows that don't include an address bar or a lock icon that verifies that it came from a certified source.

So, even if this is a vulnerability that merits a software change in browsers... which I don't believe is the case... The only real solution is annoying text/windows/popups telling the user 'This window was popped up by Frame7, beware'. Which, they will ignore anyway. Look at the history. Users just hit OK.

With stories like this, I could call myself a security firm and publish vulnerabilities like this every hour on the hour. Then I too, could write scary papers that put fear into the masses for no reason.

1. Induce fear
2. Sell feel-good 'solution'
3. PROFIT!

Wow, sounds like the United States.

Keith

Re:Is Konqueror affected?

[Dasher42]

And this is a troll because?... Someone got careless with the mod stick, I think.

Re:Nice try, Opera...

[kryptx]

Not to wander too far off topic, but the REASON the ads are there is because they generate a revenue stream. In other words, people spend money on the items that are advertised to them.

If 'not resisting' advertisements was really some sort of affliction, then advertisements would not be an effective method for generating business.

And with regard to opera: being a web developer, I use it about as often as our customers use it -- often enough to make sure the site will work properly. I develop on IE and FF because that's who has the market share. If Opera takes over, rest assured I'll jump right in.

Connect the Dots

[Doc+Ruby]

I want a window manager that draws lines between parent/child windows, parent/child processes. While we're at it, how about one that lets me click one window, then drag all the windows in the group as one, maintaining relative position? Yeah, I want to drag windows around, and save their positions with the window manager, then open that state with a single click on a desktop menu. While we're at it, I want the groups to include arbitrary windows from multiple apps. So I can open a "workplace", and immediately begin working in a familiar environment. If this works, how about letting me drag a line from any window to another, piping STDIN/OUT/ERR between processes? If I can minimize the windows into icons, my window manager is now a visual programming environment. Which, to come full circle, could let me as a user tell by looking which info is tainted by which untrusted windows and datapaths, including innocent-looking JS popup windows.

Re:Connect the Dots

[Ryan+Monster]

How about a tabbed browser that lets you rearrange open tabs?

Re:Connect the Dots

[Doc+Ruby]

Sure. Or how about a desktop with an - display with rearrangeable or hotkeyed icons for switchable apps? Or just a desktop that lets me save related open apps, or better yet related open documents, in a bookmark? Even the most rudimentary "Desktop preferences" of workspace state haven't been delivered yet.

Re:Connect the Dots

[hackstraw]

While we're at it, how about one that lets me click one window, then drag all the windows in the group as one, maintaining relative position?

There is one. I'm not sure which one it is, but I've used an X11 windowmanager that allowed you to select windows as a group and drag them together maintaining relative position. Maybe it was Windowmaker, I'm not sure. Although it was cool, I rarely if ever used it.

Re:Connect the Dots

[Doc+Ruby]

Can you save the selected groups and their positions? Because I have Enlightenment running under GNOME, and never noticed those features, even the selectable groups. I'm trying to find their Embryo API, not just the Small syntax, to shed some light, but it's (typically of OSS) obscured.

early 90's?

[Exstatica]

Who still uses javascript popups for responses? That reminds me of the old sites that would pop up and say "please enter your name" and then the webpage would show your name... "Welcome fred durst" Now i just cancel those boxes... infact they should delete that function all together in javascript.

Re:stop developing with JavaScript

[hkmwbz]

"Seen Google maps or Gmail?"

Yes, and Gmail breaks my browser's back functionality...

Still more security flaws:

[spleck]

In the latest news, a security flaw has been revealed in all known browsers. The vulnerability is a weakness in the veracity-sensor code. Apparently information provided and displayed to the user does not have to be true. Unfortunately, this means millions of users are being tricked into...

Re:Safari

[CyricZ]

You don't have to insist on them. You can just use Objective-C and Cocoa today. Or even GNUstep, if you don't want to purchase or cannot afford a Macintosh. You'll get all of the programmery layers you wish, and top level security.

No effects in the following:

[hacker]

Mozilla 1.7.8............No
Safari 2.0 (412).........Yes
Opera 8.0 build 1092.....Yes
Konqueror 3.4.0..........Yes
Firefox 1.0.4............Yes

THIS, is precisely why I continue to use Mozilla over an of the other browsers (and contrary to popular "opinion", Mozilla is NOT the same as thing Firefox. Mozilla excels in speed, features, and granular configurability).

Re:No effects in the following:

[vcv]

Uh, try Opera 8.01 for linux. It's been released you know ;)

Re:stop developing with JavaScript

[ecrips]

Well actually GMail does degrade gracefully to a HTML only version now (admittedly when they first released it it didn't). When you try to log in your presented with the following message:

JavaScript must be enabled in order for you to use Gmail in standard view. However, it seems JavaScript is either disabled or not supported by your browser. To use standard view, enable JavaScript by changing your browser options, then try again.

To use Gmail's basic HTML view, which does not require JavaScript, click here.

It's not as good as the Javascript version but it's completely functional.

Doesn't anyone actually read the article?

[93+Escort+Wagon]

I know, I know, I must be new here. But it was a very short article, and right near the bottom it says this (bold text is mine):

"Once these things are discovered, there's a rush as everyone tries to fix the problem," Christen Krogh, Opera's vice president of engineering said.

Krogh also pointed out that Secunia had rated the vulnerability as "less critical."

"This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.

So what does this tell us?

- The folks somehow blaming Opera for this announcement obviously didn't read past the first couple of paragraphs of this very short article.

- The folks who are saying "JavaScript is bad" obviously didn't read... okay I'm sure they just saw the word "JavaScript" and went off from there anyway. Hey, guys, enjoy your static black text on white background pages - and we'll see you in the unemployment line. Any ideas on how to manipulate the DOM without JavaScript?

- While I agree MS shouldn't blow this off, they're probably still busy patching some of those more critical problems.

- Once again, end user education is probably the answer.

The only thing that I want to know about Opera...

[JofCoRe]

Is what ever happened to their "one million download challenge", which promised that the CEO would swim from Norway to the USA? There was briefly mention of it on their site, but now... nothing.

Meh... I guess I shouldn't have expected much...

Safari...?

[g0at]

I thought Safari fixed this many months ago, with a change whereby the JS alerts come down in the form of sheets attached to the window/tab to which they correspond? I could swear there was a /. piece on exactly this.

Or maybe I'm clued out and this is something different?

-b

Re:Safari...?

[g0at]

Update: forget about this... I misunderstood the issue. The article and summary say "javascript dialog box" which I took to mean one of those spawned by alert() or prompt() call. Evidently they're just talking about a regular window.

-b

Watch out for crashes

[digidave]

My browser crashes nearly once a day due to that extension. It's buggy, but it's still worth having it installed.

Re:old news

[hkmwbz]

"It's advertising and FUD from those Opera guys. They are really getting boring."

Better put on your tinfoil hat!

"Someone at Opera reports it (under a false name) as a security issue affecting every browser BUT Opera"

Wow. I didn't know that "Jakob Balle, Secunia Research" worked for Opera? I thought he worked for Secunia, seeing as he, well, works there and everything?

"Slashdot runs one more article about the genious of this stupid paid-for, closed source browser."

You mean Opera? Opera Software, the company that employs and pays several members of the W3C? Which pays real money to people to work on open standards?

Ah, the evil Opera! I get it.

"That's not the first time it happens, nor the last one. /., stop supporting Opera FUD. Thanks."

Asa? Is that you? Why are you posting as an AC?!

Re:Safari

[0xABADC0DA]

c) "Many cases slower than Java" is the sort of unsupportable bullshit that people make when they're trolling. Yes, message passing is slower than virtual function calls (and Javas are [much,much] slower than C++s vcalls).

What is that, fight FUD with FUD? Typically in languages like Java a virtual method is first emitted as calling a handler instead of the actual method, which goes back and re-writes the call site with a C++-style virtual dispatch table. So really only the first invocation with a given type is slower, and also after loading a new class where affected tables are cleared and constructed again at the next call. This trick is also how languages like Smalltalk and Python can acheive respectable performance despite being completely dynamic.

Microbenchmarks will say the C++ virtual method is faster since in these small codes the compiler often will inline several possibilities as branches instead of jumps, so you are not really comparing virtual method performance at all but rather the optimization of eliminating the call entirely. And on this optimization Java typically kicks the crap out of C++ in real programs. For example, if you have calls A->B->C->D->E with a huge for loop at A, Java will optimize the whole thing as one huge block and eliminate 4 method calls per iteration. Getting C++ to do this is very difficult... you usually have to *know* this is the chain of calls to inline and, if the calls are used elsewhere, make separate copies that are inline / not inline or the application size will explode.

Ultimately Java is slower than C++ for two major reasons: mandatory array bounds checks and mandatory garbage collection (where C++ can allocate a million homogeneous objects in one malloc it takes a million new's in Java). Java can also be slower at some really tight codes (like codecs) because it does fewer really costly optimizations and doesn't allow embedded assembly statements. But for virtual call performance and new/delete on heap it simply destroys C++ wrt performance.

and GC has little to nothing to do with the relative security of C and Java (theres some obscure security flaws related to misuse of buggy versions of malloc(), on the other hand there's obscure flaws related to abusing the GC scheme to bypass Javas typesafety.

Uhh, no and no. The Java flaws have been in the bytecode verifier, which has nothing to do with the GC, and in the class loader which allowed access to classes that it shouldn't have (applets allowed to use packate-private classes). All of the known Java security flaws have been fixed, whereas malloc flaws remain because they are a side effect of the functioning of malloc. So you get a buffer overflow or uninitiated pointer in C++, Objective C, or C and you are potentially very screwed. These are impossible in Java, so yes, it is much safer by design. The reality is that most Objective C programs will be relatively safe. C++, C? Not so much, it really depends more on the skill and hard work that went into them to prevent security holes.

Re:If someone is foolish enough to log in via pop-

[skraps]

If you can hack the commercial website and replace their page with yours, why would you need this phishing technique? Just have their server-side script send the username/password to you directly.

Solution to the problem

[SSHGuru]

If you have a visual rather than a list as a search engine then it can stop all Java Pop-Up activity. It can stop anything because it scans each page. Try it out. It's on download.com free. http://www.download.com/ViewFour-com-ViewSmart/300 0-8022_4-10406154.html?tag=lst-0-18 Here is a description... ViewSmart by ViewFour.com is Web-based software that visually displays search results found in Google, MSN, eBay, and other search/e-commerce engines in a multi window environment (2-50). By visually displaying results you get to see your searches rather than having to click back and forth through them. This slick new method of searching the Web also removes the potential dangers of surfing the NET. The software scans each Web page prior to displaying it and stops all hidden and or malicious files from being automatically downloaded without your knowledge. If a page fails the scan, a large red border and stop sign will appear around the window. This means you are protected from contracting viruses, adware, spyware, and other forms of malware while surfing the Web. Version 2.94 improves malware scanning engine.

Re:Nice try, Opera...

[m50d]

You should do it because it's a better browser overall. Obviously it's up to you to decide if you feel it's better by enough to make it worth the adverts, but I do.

... and not on Camino.

[Schlaefer]

Due to sheets you can clearly see the window the JavaScript dialog belongs to.

Re:stop developing with JavaScript

[m50d]

Stuff that. Google maps doesn't work in my browser, so the benefit I see from it is, if anything, negative (because it discourages people from working on good map pages)

Re:WARNING!!! YOUR COMPUTER MAY BE INFECTED!

[ArielMT]

I keep clicking the "OK" in your message, yet no virus scan has started. Do you have an .exe I can run instead?

Sure, just turn on your TV and wait for the stopsign spyware commercial.

Re:stop developing with JavaScript

[I+confirm+I'm+not+a]

What features of GMail really rely upon Javascript?...I can't think of any reason why GMail should require Javascript.

(Disclaimer: I've looked at GMail, but haven't really used it... for reasons that will hopefully become clear)

From our perspective, you're almost certainly correct. Numerous apps have shown that it's possible to create a webmail app using basic HTML and server-side code. But GMail isn't exclusively for "us", it's also for "normal" users, who like/need nice, fast, slick functionality. In fact, I'd go further and say that GMail isn't really for people like me at all: I'm happy with the hand-crafted Fetchmail/Postfix/Courier-IMAP/Evolution system I normally use for email - hugely impractical for my grandmother, but exactly meets myneeds.

Additionally, and this me being slightly sneaky, GMail (by which I sneakily mean email-on-the-web, not email-from-Google) does degrade without JavaScript: it degrades to SquirrelMail or similar! (I apologies, that's a specious argument).

Back on-topic, for the kind of application Google were building with the GMail project, yes, they could have used my preferred approach of building a server-side app and then enhancing it with client-side code. But it's a beast of an application, GMail, and it's understandable, albeit annoying, that Google chose not to. There's no such excuse for smaller applications (eg. form validation) where some moronic developer decides everyone uses javascript and makes it so that (a) the form won't submit until it's been validated on the client-side, and (b) if you manage to be crafty and get the form to submit, the application falls over because there's no server-side validation.

Re:One question:

[Jondaley]

It's not a troll if it's true.
I had to disable webwasher in order to see this "vulnerability".
Oops, I saw a unintentional pop-up, first one on my computer in years.

Re:old news

[hkmwbz]

I guess that, to a Mozilla zealot who ignores the fact that the guy who reported it works for Secunia, this is a sensible explanation.

To everyone else it's more like sour grapes. Boo hoo, Mozilla didn't fix it first, so it must be a conspiracy...

Re:stop developing with JavaScript

[JimDabell]

Numerous apps have shown that it's possible to create a webmail app using basic HTML and server-side code. But GMail isn't exclusively for "us", it's also for "normal" users, who like/need nice, fast, slick functionality.

You seem to be confusing graceful degradation with highest common factor design.

Graceful degradation is when a page offers the "nice, fast, slick functionality" by using Javascript, but still works when Javascript is not available. Developers who know what they are doing can easily write code that works in both situations.

You seem to be arguing against highest common factor design, which is when you don't use a feature like Javascript unless you know it's going to be available to all of your users. I don't think that's necessary and I certainly wouldn't advocate it.

As somebody else pointed out, Google have since added an extra interface to GMail for non-Javascript users, but this isn't graceful degradation any more than having a separate text-only version of a website is graceful degradation.

But it's a beast of an application, GMail, and it's understandable, albeit annoying, that Google chose not to.

Instead they chose to do all the work once, and then do all the work again for a slightly less fancy version. I wouldn't have chosen to waste my time developing two versions instead of one degradable one, but I guess it's Google's prerogative to waste their time how they see fit.

Re:old news

[willutah]

While they are at it, I hope they add the ability to mask password characters in a javascript input popup.

I think Secunia needs something to do.

[slappyjack]

I mean, really, guys. This is like running a story...

SOURCES REVEAL MOST PEOPLE ARE BONE DUMB

Untied Shoelaces Can Kill You!

Earth Constatntly Pelted with Objects from Space! Possible Alien Plot?

"Journalist"

What I highly friggin overused term.

Re:Safari

[Phayte]

c) "Many cases slower than Java" is the sort of unsupportable bullshit that people make when they're trolling. Yes, message passing is slower than virtual function calls (and Javas are [much,much] slower than C++s vcalls).

Pot...kettle...

Future Slashdot articles:

[Wolfger]

Next week: Firefox 1.0.5 released, to patch security problem. Next year: Microsoft releases new version of IE to fix multiple vulnerabilities discovered throughout 2005.

Re:Future Slashdot articles:

[Hugh+Lilly]

s/year/decade. ;-P

Camino is safe...

[3)+profit!!!]

The writeup claims that Camino is affected; it is not, since it uses OS X sheets to present javascript dialogs. The dialog is attached to its parent window, which makes it pretty difficult for people to get confused. ;)

Not you again...

[Danuvius]

Thank you, hkmwbz. You really are a regular clown in any vaguely Opera related article's discussion, aren't you?

For the info about who reported the vulnerability--thanks. That does make the conspiracy theory seem less likely.

For totally missing the bigger point--also thanks, I would have expected no less from you based on your past posts.

The behavior described is not a bug. As countless others also pointed out, it is at best a design flaw. So calling it a bug, or a vulnerability, or anything else along those lines is just really really mind-numbingly dumb.

But I guess to an Opera zealot it's all the same so long as Opera "fixed" the "bug" first.

Re:Not you again...

[vcv]

He never said it was a "bug". In fact, he never called it anything. He simply talked about it being reported, whether it's a bug or not. Apparently you're reading what you want to, not what he actually said.

Re:Not you again...

[hkmwbz]

I don't care if it's a but or not. I'm simply pointing out certain facts that escape Firefox zealots who seem to be only too eager to put down Opera.

Did you know that the "evil" Opera Software actually pays several people who work on open standards at, among other things, the W3C? That's how evil Opera is.

You Firefox zealots are looking for anything to use in attacks against Opera, but you seem to forget all the stuff Opera makes possible because they actually make money and can invest in open standards and research.

Re:Safari

[Homology]

Java has it's uses, like any other programming language, along with it's disadvantages. C++ is very flexible and powerful (it supports several programming paradigms, appart from object oriented programming, for instance), but this comes at a price. Java seems rigid, very demanding on resources, and controlled to a large degree by Sun (witness the difficulties to get Sun Java running on *BSD). Yeah, there is the GPL version, but it's not up to par yet...

Re:iCab?!?!

[agent+dero]

With a one person team, there are no flamewars, no questioning of decisions, no team meetings, no politics; frankly, no bullshit that's often accompanied with open source contributors having differing opinions.

The fellow behind iCab simply has to sit down, design and code. That's it.

A very streamlined process if you know what you're doing.

Another Vulnerability

[SteveX]

I'm waiting for the vulnerability alerts based on site content.

ALERT: All major browsers are affected by a critical issue whereby a site's claims of having the lowest price may not be true. Affected users may pay higher than market prices for goods.

Re:old news

[joelsanda]

Slashdot runs one more article about the genious of this stupid paid-for, closed source browser

That is so stooooooopid it always seems to be either a step ahead of the competition (this is a perfect example) or releases fewer security updates faster than the competition (fewer because it's already a step ahead).

Re:old news

[vcv]

What exactly are you basing this on?

Opera 8.01 has been out for more than a WEEK.

If anything, Secunia is a whore for Firefox. They have reported 3, 8, 9 vulnerabilities are 1 advisory before. So when someone looks at the graphcs for Mozilla, they'll see something like 2 advisories for a month, which is misleading, instead of 10 vulnerabilities.

If you look at the number of VULNERABILITIES for Firefox 1.x alone, there are 39 vulnerabilities, 6 of which are unpatched.

If you look at Opera 8.x, there are 5 vulnerabilities with 0 unpatched. If you include Opera 7.x, there are (I believe) 41 for 7.x and 5 for 8.x.

Now, 7.x has been out for a lot longer than Firefox 1.x (at least a year and a half longer). Not only that, if you include Firefox 0.x, it's 39 for 1.x and 77 for 0.x

This is fact. Just check www.secunia.com.

Re:The only thing that I want to know about Opera.

[vcv]

Google is your friend: http://www.opera.com/swim/

Re:If someone is foolish enough to log in via pop-

[hackstraw]

so you don't have to login twice, which would make some people suspicious

Nah, just forward the assumed correct information to yourself and forward known incorrect info to the real server. That way the (l)user just assumed they did a typo on their password, and will have no problem reinputting the information.

does this really effect firefox?

[naph]

i'm running firefox 1.0.4 and the secunia test didn't work for me. i noticed that there was a brief flash of the 'firefox has blocked this popup' just after i clicked the link, just before google appeared... so i allowed popups from secunia and then it DID work.

so is this only an issue for sites that you have specifically allowed popups from? ie. sites you probably trust anyway?

Re:stop developing with JavaScript

[hackstraw]

And without JS, you couldn't have neat stuff like this. (Login is test, test)

I didn't look at it too carefully, but that page crashed my browser (Safari).

I'm not sure what the real purpose of that page is, but buyer beware...

Re:stop developing with JavaScript

[AKAImBatman]

I'm not sure if it's compatible with Safari. I know FireFox/Mozilla works. Basically, it's a complete Web Desktop/Remote Management tool. You can download a copy for your own system here. Note that I'm unaffiliated with the product. I'm just happy to finally have a replacement for the long-defunct WebOS.com Desktop. :-)

Re:stop developing with JavaScript

[Christianfreak]

What? Are the popular alternative browsers suddenly too popular to be cool anymore so we have to switch to some other obscure thing?

From the Google maps FAQ:
Google Maps currently supports the following web browsers:

• IE 5.5+
• Firefox 0.8+
• Safari 1.2.4+
• Netscape 7.1+
• Mozilla 1.4+
• Opera 7+

Javascript (ECMAscript) is a W3C standard. I believe Google follows that standards aside from hacks to get it to work in IE of course.

Your complaint would be valid if Google was targeting one browser (IE) or using/creating propriety extensions. They aren't. So if your browser fails to follow a published standard, that's your browser's fault.

Re:The only thing that I want to know about Opera.

[JofCoRe]

So in other words... they filmed a couple of their people splashing around in the water for a bit, punctured the raft, and came up with a "dramatic" story :)

Nice big PR grab.... :P

Idea for a solution for Firefox

[Emetophobe]

I don't know howto write extensions for Firefox, so I can't try this myself, but I am wondering, can't you just disable the javascript popup features? I'm sure you could do this using GreaseMonkey.

Firefox already has a built-in popup blocker anyway, shouldn't it cover all javascript popups?

Firefox users, don't be afraid

[smartdreamer]

Even if firefox is vulnerable, get this excellent extension and solve your problem. Happy browsing!

Re:stop developing with JavaScript

[m50d]

I'm using Konqueror, and frankly don't care how popular it is. It is (mostly, no browser is completely) standards-compliant, and does what I want (lightweight, integrates with my desktop environment)

Google isn't coding to standards. That's shown by the fact that they introduced support for opera and safari separately when they were already supporting mozilla/netscape. They're using various nonstandard extensions, different ones for the different browsers they support.

Re:go write it yourself then

[Doc+Ruby]

I'm pretty busy right now working on something else. So if someone can post something that works the way I'd like, that would be great. And if someone else working on something similar wants to incorporate my suggestions, that's good, too. And if someone just sees my request, and realizes that they're not the only one who wants these things, too, then they might get started. Or someone might point out something that did those things, but sucked. Open source development is a process, with code an artifact, but not the only part that matters.

Re:The only thing that I want to know about Opera.

[vcv]

It was all in good fun. Anyone who takes it seriously needs to take a step back and reevaluate their thought process.

OmniWeb unaffected

[Samurai]

OmniWeb 5.1.1b2 loads "www.google.com" and gives me the pop-up, but the very top line of the pop-up reads "www.google.com.secunia.com". That's a pretty strong hint that the pop-up isn't really from Google.

Unfortunately, I didn't see OmniWeb mentioned in the Secunia advisory; I guess we don't have enough market share. :|

Re:stop developing with JavaScript

[Goaway]

I didn't look at it too carefully, but that page crashed my browser (Safari).

Thing is, Safari is pretty buggy, at least compared to the Mozilla browsers. Sometimes the page works just fine in Safari, sometimes it crashes and burns. I have no idea why, but no Javascript code should ever be able to crash a browser. Thus, Safari bug.

This is old news!

[ukdiveboy]

It just opens a small window that's sufficiently small to be obscured by the dialog box. But this is old news, it's been an issue since Netscape first added target="_blank" and javascript. Though as I recall, they were smart enough in the old days to prevent the newly opened window from being really small. They also prevented it from being moved off-screen. Don't know if that's possible these days or not.

Re:stop developing with JavaScript

[Goaway]

Here's a hint: No current browsers follow the standards perfectly. Simple, standards-compliant code will work across most browsers, but as soon as you do anything more esoteric (which Google most definitely need to do), you run into the limitations of the partial implementations that most browsers use. Mozilla is the best of the bunch at the moment. Safari is catching up, but has some way to go yet. Opera is lagging behind. Konqueror I have no experience with, but it's a fair guess that it's no better than Safari.

IE, of course, is in another race entirely.

Re:stop developing with JavaScript

[m50d]

Other mapping sites manage fine with standard stuff. I don't know if google's doing something more advanced, from my point of view google maps is definitely less advanced because all it shows me is a blank page.

Re:stop developing with JavaScript

[Goaway]

Other mapping sites suck horribly compared to Google Maps, too. That's not the issue I was talking about, though. I was saying that your claim that Google wasn't coding for standards was non-sensical.

Didn't get me.

[Wolfger]

Thanks to QuickTabPrefToggle, I see the actual URL of http://www.google.com.secunia.com/tests/origin_spo of.php
Also, middle-clicking for a new tab (which is how I almost always surf) bypasses the attack altogether.

Re:The only thing that I want to know about Opera.

[wheany]

Was there ever any doubt that it is simply impossible to swim from Norway to USA?

Re:stop developing with JavaScript

[m50d]

They're not coding to the standards, because if they were it would work in my browser (there's no way it would work in all those other browsers they list but not mine if they just coded to standards). They're coding to individual browsers one at a time.

something like this but for Safari

[lixlpixel]

and of course very, very alpha...

but at least it won't crash safari - and the column view is the best display for directory-structures anyway.

http://lixlpixel.org/webfinder/

(actually i think it works only in Safari so far)

Re:stop developing with JavaScript

[Goaway]

OK, I'll spell it out for you: Your browser is not following standards, thus standards-compliant code will not run correctly on it. None of the others follow standrads either. Thus, you HAVE to code for specific browsers to get anything to work. Get it now?

Re:stop developing with JavaScript

[m50d]

No, my browser is following the standards, their site isn't.

Re:old news (workaround in IE)

[lpq]

I have always worked around this in IE by pressing control-N to re-open the window in a normal browser window that shows me the address.

I'm not sure if there is another workaround for the Firefox related browsers, but a control-N only opens a blank window -- I can do that by reclicking on the IE-icon, or typing a web-addr into the "Address-bar" on Windows. It'd be much more useful if it opened a new window with duplicate context. I'm
always using that feature when using Google. I have Google set to open results in a 2nd window. Often, I want to keep one or more result windows open -- and Google re-uses the original 2nd window it popped open. Pressing control-N, gives a dup of the result, freeing the "2nd window for re-use by Google. Another use -- sometimes a site opens a 2nd window of a fixed size. Unfortunately site designers haven't gotten the concept of "DPI". Even though the text is enlarged because the OS recognizes the DPI setting, the sites don't resize windows, widgets, frames, etc. Thus text gets cut off or is unreadable. Easy workaround -- just re-open the window and resize it.

Firefox and related don't seem to have this ability. I consider it a security risk as well as it being usability unfriendly to those using higher DPI screens. Is there a workaround for Firefox and related browsers?

If there isn't a workaround for Firefox/Moz/Safari/Netscape, I'd say that
was a valid security complaint. It's even worse that this security risk
is "old news". So much for fast security fixes w/open source.

-l

Re:stop developing with JavaScript

[Goaway]

Have you ever written any real Javascript code and tried to run it on your browser? If not, shut the fuck up already, because you have no clue what you are talking about.

Re:The only thing that I want to know about Opera.

[JofCoRe]

No, but I was looking forward to watching him try :)

Running NoScript with Firefox 1.0.4

[Oshkoshjohn]

Is it just me, or are other Firefox users experiencing frequent crashes when applying NoScript to Web sites? Is this a bug or a safety feature?