Major Browsers Have JS Pop-Up Flaw
An anonymous reader writes "Secunia is warning that several popular browsers contain a vulnerability that could allow a phishing attack. 'The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open -- for example, a prompt dialog box -- which appears to be from a trusted site,' Secunia said. The browsers include the latest versions of IE, IE for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino. Opera 7 and 8 are also affected but not 8.01."
Isn't this a dupe from half a year ago?
Too bad if it's just a symptom of the problem(s) just not being fixed yet...
"Good news, everyone!"
Opera 8.01 was released June 18th.... (only a few days ago)
//tin-foil hat engaged
It is the only browser not affected....
And now this leaked out where reports can only say that one browser does not suffer from this issue.
...and they're not going to release a patch for it.
;)
And you *know* that if Microsoft says it's not a flaw, well, then, it mustn't be a flaw.
libertarianswag.com
Ever get rooked into going to a website with perpetual Javascript prompts? I love those.
The only way out of them is to kill your browser process outright.
This is a prime opportunity for mozilla developers to do a slight tweak to the prompts: a "kill all javascript for the rest of this session" button, etc.
It seems to have been forgotten, or deferred.
Thank god I use Links
-if at first you don't succeed, stay the heck away from paragliding.
That's why I use NoScript with my Firefox.
To solve this problem, javascript multitasking must be disabled, only letting the current active window or tab having keyboard focus to run its javascript. Other tabs' scripts must not be disabled, but instead paused until they in turn receive focus.
It cracks me up, because they probably have an obsessive/compulsive, socially-maligned programmer within Secunia that just delights spending 16 hours a day trying to twist the browsers into doing what he wants. And then Secunia announces these flaws to save their reputation because nothing else is going on.
Thank god I don't browse the web!
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
It's not even a bug.
/., stop supporting Opera FUD. Thanks.
It's advertising and FUD from those Opera guys. They are really getting boring.
- Opera adds a feature that shows the name of the site in the title bar in their last build
- Someone at Opera reports it (under a false name) as a security issue affecting every browser BUT Opera
- Slashdot runs one more article about the genius of this stupid paid-for, closed source browser.
That's not the first time it happens, nor the last one.
well i think the idea is, you could be on some trusted site, and some porn site spyware/adware could pop up a javascript browser and for all intents and purposes it would look like it came from the trusted site.
i could live a little longer in this prison
It corresponds to say.. running a browser, a spreadsheet and say a game at same time and then getting a dialog box that is not identifiable saying "Do you want to save?".
Different problems of this sort will only arise as more and more applications are run as web based. Today it is popups that are not identified, tomorrow something else.
That's what happens when one doubts the infallible wisdom of Steve...
What I'm listening to now on Pandora...
My front door has a major flaw, in that a con artist can walk up to it and claim they are from an official federal agency and have an urgent need for me to help them.
Doors from major outlets, including those of Lowe's and Home Depot, are affected by this flaw. Our investigations have determined that this flaw has been known for years, yet the major distributors have no plans to release an update to correct the problem.
US Senator, C. Ritter has introduced legislation under the title "Omnibus Weak Nutz United", the OWN-U bill, that seeks to station a security agent to watch over every door in the case the occupants cannot determine that they are being conned.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
Easier to use an extension like NoScript - a javascript permission whitelist - to selectively allow pages to run scripts, then control passes to where it should be - the user
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
You really think most people end up on malicious sites intentionally?
People should stop developing with JavaScript. It's nothing but trouble.
Poppycock. This is nothing more than a typical knee-jerk reaction to a minor security flaw. Should we all stop using email because phishers can craft ones that look like someone else's?
Lots of sites use JavaScript very effectively. So many in fact, that it's rather difficult to make such a wild statement as "Javascript is nothing but trouble." Google is a perfect example of a highly useful site with JS. For example, Maps and GMail both rely heavily on JS. In fact, most webmail sites contain JS. And without JS, you couldn't have neat stuff like this. (Login is test, test)
Javascript + Nintendo DSi = DSiCade
Thank god I don't own a computer!
Have you ever used Objective-C? It's the SLOWEST compiled environment ever! And, because there's no garbage collection, etc, it's certainly no more secure than "raw" C (because all of C is legal in Objective-C). In many cases, Objective C is slower than Java because of its "run-time" binding.
Best Buy can have you arrested
You are forgetting that the normal way in which browsers have presented HTTP authentication for years is in a popup window. I'd expect many people to have logged into legitimate sites with what appears to be a popup to them.
What's a "malicious site"? There have been worms and viruses that insert malicious code into whatever HTML they can access. Suddenly, the definition of "malicious site" includes the website of every organisation that is susceptible to worms and viruses.
Javascript is very useful to creating rich web applications that don't have to reload the pages. Seen Google maps or Gmail? How do you think they did that?
I agree that Javascript should not necessarily be required to view content on a general website but properly used it gives a whole new dimension to web apps.
People give the guns and P2P analogy all the time here: they both have proper uses and improper uses and banning them, or not using them because they have improper uses makes no sense. How is Javascript any different?
The Anti-Blog
I know the Mozilla devs were talking about this a few weeks back on one of the lists. They said they didn't consider it a severe security issue yet, but were working on the engine so that popups would be tab and window modal. They've also added pieces to the plugin interface so that plugin developers (Flash and Java for instance) can honor Mozilla's popup blocking.
Currently, if you're popup blocking for all but trusted sites you should be relatively safe from this. It really is hard to prevent phishing attacks though. They attack the user's judgement, which unfortunately tends to be the weakest link.
I agree that this is an issue, but saying this is a vulnerability in the browser seems a little odd. It feels a little like saying that your email program displaying phishing emails is a vulnerability in the email program. I'm not saying that this isn't something that could be addressed by a change to the browsers, but the headline (and TFA) make it sound like the code in the browsers is faulty.
If Secunia is reporting it, why not link directly to Secunia?
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test
I've never understood the reason to link to ZDnet first. Especially when we are all a technical crowd and can deduce the severity on our own.
In my own opinion, the security community has been really scrambling to find exploits and vulnerabilities since the release of Windows XP SP2, which, despite a lot of compatibility issues with common software, has been very effective in slowing down the growth of zombie networks. In short, Microsoft finally got something right, and those that are in IT security for the sole reason of bashing MS to make a buck, are having a hard time doing so.
This is a phishing technique that can be used to get a username/password from like a credit card or bank website, but that's about it. You'd be hard pressed to get this to compromise a local machine, although I'm interested in what would happen if someone tried calling a local zone page (like a help file) and then executing the javascript from that page. There was a similar exploit that used this delayed tactic last year that Microsoft didn't fix for probably 3 months. It was a 0-day exploit too, it was found in the wild, spreading via IRC, before anyone reported the vulnerability.
Open about:config. You'll probably have to type that, Mozilla won't follow it from an http: URL.
Key in dom.disable_window_open_feature as a filter.
Change the value for location to true. In Firefox, just double-click the false and it will toggle. In Mozilla you need to edit it and actually type in all four letters of true. (But I'm happier with the Mozilla suite at the office, so I live with it.)
Change any other values to true that you feel like; I'd be inclined to do status, resizable, close and menubar at a minimum.
Now the location will be visible in any pop-up window.
So the very first thing the Moz group should do is default some of this stuff to true instead of pander to controlling webmasters who want to take over the user's computer. I mean false.
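The about:config steps in the comment above can be checked against a profile's preference file. This is an added example, not part of the original post: it assumes the `user_pref("name", value);` syntax of prefs.js/user.js and the preference names the comment gives (`dom.disable_window_open_feature.` plus `location`, `status`, `resizable`, `close`, `menubar`); the function names and the sample text are constructed for illustration.

```javascript
// Pop-up chrome features the comment suggests forcing on.
const FEATURES = ["location", "status", "resizable", "close", "menubar"];
const PREFIX = "dom.disable_window_open_feature.";

// Parse user_pref("name", value); lines. Commented-out lines are ignored,
// and a later assignment of the same pref overrides an earlier one.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/gm;
  let m;
  while ((m = re.exec(text)) !== null) {
    prefs.set(m[1], m[2]);
  }
  return prefs;
}

// Report each feature pref as "enforced" (true), "not enforced" (any other
// value) or "unset" (absent, so the browser default applies).
function auditPopupPrefs(text) {
  const prefs = parsePrefs(text);
  return FEATURES.map((feature) => {
    const name = PREFIX + feature;
    const raw = prefs.get(name);
    let state = "not enforced";
    if (raw === undefined) state = "unset";
    else if (raw === "true") state = "enforced";
    return { name, state };
  });
}

// Lines to append to user.js so every listed feature is forced visible.
function remediation(text) {
  return auditPopupPrefs(text)
    .filter((r) => r.state !== "enforced")
    .map((r) => `user_pref("${r.name}", true);`);
}

// Constructed sample preference file (not taken from a real profile).
const SAMPLE = `
user_pref("browser.startup.homepage", "about:blank");
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.status", false);
// user_pref("dom.disable_window_open_feature.close", true);
`;

for (const r of auditPopupPrefs(SAMPLE)) {
  console.log(`${r.state.padEnd(12)} ${r.name}`);
}
console.log(remediation(SAMPLE).join("\n"));
```
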
Thank god I telnet to port 80 and parse it in my head
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
It cracks me up, because they probably have an obsessive/compulsive, socially-maligned programmer within Secunia that just delights spending 16 hours a day trying to twist the browsers into doing what he wants. And then Secunia announces these flaws to save their reputation because nothing else is going on.
I'm sure you are absolutely right. And hopefully he'll keep doing it because there are crackers, phishers, and criminals out there who delight in spending 16 hours a day trying to twist browsers into doing what they want. If Secunia is a bit obsessive in their red team activities against computers, then we can hope that they uncover exploits (and motivate patching or disabling of exploitable features) before they appear in the wild.
I, for one, welcome information on what computer software and features can or cannot be trusted.
Two wrongs don't make a right, but three lefts do.
It may be possible for JavaScript to help evil-doers but it's up to the implementer of the Application using the engine to avoid that, not the language or its core developers. If every invention that could potentially be used for evil was struck down there would be nothing left. JavaScript can do plenty of good and the developers of the open source engines have gone out of their way to make it well documented, embeddable and extensible so you can add it to almost anything that needs a little help with a language parser. In fact, I myself have recently added JavaScript to the Asterisk PBX system to drive IVR and it works quite well without much concern for exploits. RES_JS for Asterisk: http://www.cluecon.com/res_js.html
How many of us have it disabled in our browsers?
Only the most paranoid of geeks, buddy. Average Joe has no idea what Javascript is. Hell, I was and currently am a part time web developer, and I'm not afraid of Javascript.
I don't respond to AC's.
I have done years of development on NeXT systems. You know, before it became the Cocoa that you kids play with today. It was blazingly fast on systems with 8 MB RAM and a 68040 25 MHz CPU. Hell, I'd love to see a fully GUI Java app run on a system like that. It just wouldn't be usable in the least. To claim that Objective-C is slower than Java is foolery of the highest degree!
While Cocoa does not yet use the garbage collection facilities of Objective-C, the GNU runtime does offer them.
But in short, this browser bug is not a result of Objective-C or Cocoa in any way. It is merely a problem with the traditional way of displaying JavaScript popups.
Cyric Zndovzny at your service.
No problem, just download the free version: http://opera.com/download. It has a 34 pixel high banner at the top which shows contextual Google ads. And Google is still considered "good" even by Slashdot readers, no?
Nicolas Mendoza
Prepare for MSIE 7
b) You can certainly use unsafe C constructs in ObjC, but ObjC provides (and encourages) safe, non-C constructs that address the vast majority of C problems. Unsafe pointer and buffer operations are rare in ObjC, because the language provides better alternatives.
c) "Many cases slower than Java" is the sort of unsupportable bullshit that people make when they're trolling. Yes, message passing is slower than virtual function calls (and Java's are [much,much] slower than C++'s vcalls).
On another note, when will sites stop relying on freaking popup windows? Besides being blocked by many normal people, they are a real pain and always seem to have bugs associated with them. If you can't design your website to a full browser window, you shouldn't be designing websites!
-- these are only opinions and they might not be mine.
/me puts on a pair of shades.
Yeah! How could anyone be that stupid? I mean we're all taught from the moment we're born that it's not safe to login to something via a popup window. Even my grandma could tell you that.
Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
I tried it out on Konqueror 3.4.0 and it is also affected. The only minor change is a blank popup window opening together with the javascript query.
Hack your mind out of its sandbox.
A dialog box is 'owned' and drops down modally on top of the window that 'owns' it.
A new window is a new window and opens below (if there's room) and to the right (if there's room) of the requesting object window regardless of the amount of gadgetry on it (like title bars, buttons, window styles.)
It's always possible to fool somebody and they'll possibly be fooled into revealing their personal data, but eventually the problem will take care of itself when these people are bust-ass broke and smothered in spam.
There's only so much people can do with a stateless environment. This would be a problem regardless of the language used (both computing & human), the browser used or the platform used (both hardware & software.)
At some point, people will realize this and stop trying to do the impossible.
Transactions are 'transactions'. That means that they have a 'commit point,' which means that they need a state engine which runs from the beginning of the process to the end of the process.
And yes, it CAN be done over the internet over a secure connection. But the control has to shift to the transaction machine while the transaction is going on. Neither you nor anyone else should ever be able to spawn a new GUI window while the transaction is happening.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
...a problem was discovered and Opera got it fixed quickly. So now you're complaining? :-)
Coder's Stone: The programming language quick ref for iPad
These security flaws do not seem to affect Lynx as often. I rarely have a new terminal "pop-up" while browsing with Lynx.
One ring to bind them - should probably have more fiber and less rings in their diet.
Assume I was drunk when I posted this.
I want a window manager that draws lines between parent/child windows, parent/child processes. While we're at it, how about one that lets me click one window, then drag all the windows in the group as one, maintaining relative position? Yeah, I want to drag windows around, and save their positions with the window manager, then open that state with a single click on a desktop menu. While we're at it, I want the groups to include arbitrary windows from multiple apps. So I can open a "workplace", and immediately begin working in a familiar environment. If this works, how about letting me drag a line from any window to another, piping STDIN/OUT/ERR between processes? If I can minimize the windows into icons, my window manager is now a visual programming environment. Which, to come full circle, could let me as a user tell by looking which info is tainted by which untrusted windows and datapaths, including innocent-looking JS popup windows.
--
make install -not war
JavaScript is not Java
I know, I know, I must be new here. But it was a very short article, and right near the bottom it says this (bold text is mine):
"Once these things are discovered, there's a rush as everyone tries to fix the problem," Christen Krogh, Opera's vice president of engineering said.
Krogh also pointed out that Secunia had rated the vulnerability as "less critical."
"This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.
So what does this tell us?
- The folks somehow blaming Opera for this announcement obviously didn't read past the first couple of paragraphs of this very short article.
- The folks who are saying "JavaScript is bad" obviously didn't read... okay I'm sure they just saw the word "JavaScript" and went off from there anyway. Hey, guys, enjoy your static black text on white background pages - and we'll see you in the unemployment line. Any ideas on how to manipulate the DOM without JavaScript?
- While I agree MS shouldn't blow this off, they're probably still busy patching some of those more critical problems.
- Once again, end user education is probably the answer.
#DeleteChrome
Ah, the evil Opera! I get it.
Asa? Is that you? Why are you posting as an AC?!
Clever signature text goes here.