Slashdot Mirror

← Back to Stories (view on slashdot.org)

Major Browsers Have JS Pop-Up Flaw

Posted by Zonk on from the security-flaws-build-character dept.

An anonymous reader writes "Secunia is warning that several popular browsers contain a vulnerability that could allow a phishing attack. 'The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open -- for example, a prompt dialog box -- which appears to be from a trusted site,' Secunia said. The browsers include the latest versions of IE, IE for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino. Opera 7 and 8 are also affected but not 8.01."

19 of 397 comments (clear)

  1. Lets see.... by wo1verin3 · · Score: 4, Interesting

    Opera 8.01 was released June 18th.... (only a few days ago)

    It is the only browser not affected....

    And now this leaked out where reports can only say that one browser does not suffer from this issue. //tin-foil hat engaged

    1. Re:Lets see.... by JimDabell · · Score: 4, Insightful

      Actually, Konqueror 3.4.1 isn't affected either (it displays the hostname in the popup title bar).

      These kinds of security holes are far harder to find than simple buffer overflows, because the real flaw is that the user misunderstands information that is presented in a particular context. There's no real technical error, it's purely a user interface issue. You have to think about how a user would perceive any particular information under all kinds of different contexts.

      This also means that open-source doesn't confer all of the security advantages that it does when applies to mistakes in the code, as everybody can see the UI even in a closed-source browser like Internet Explorer.

  2. It's not a flaw according to MS... by bc90021 · · Score: 5, Interesting

    ...and they're not going to release a patch for it.

    And you *know* that if Microsoft says it's not a flaw, well, then, it mustn't be a flaw. ;)

    --
    libertarianswag.com
  3. Ahh I love Javascript dialogs, I really do by British · · Score: 4, Insightful

    Ever get rooked into going to a website with perpetual Javascript pompts? I love those.

    The only way out of them is to kill your browser process outright.

    This is a prime opportunity for mozilla developers to do a slight tweak to the prompts. a "kill all javscript for the rest of this session" button, etc.

    It seems to have been forgotten, or deferred.

    1. Re:Ahh I love Javascript dialogs, I really do by Ewan · · Score: 4, Informative

      Check out noscript, firefox extension for whitelisting javascript

      Ewan

  4. Phishing it for all it's worth by null+etc. · · Score: 4, Interesting
    Isn't this just a rehash of every other bug they've announce this year, in a slightly different permutation? Next month, I expect they'll announce that frames within a DSHTML portion of a popup window can be loaded from non-trusted domains.

    It cracks me up, because they probably have an obsessive/compulsive, socially-maligned programmer within Secunia that just delights spending 16 hours a day trying to twist the browsers into doing what he wants. And then Secunia announces these flaws to save their reputation because nothing else is going on.

  5. Re:Whew, I'm safe... by Cylix · · Score: 4, Funny

    Thank god I don't browse the web!

    --
    "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
  6. Re:old news by Anonymous Coward · · Score: 5, Interesting

    It's not even a bug.

    It's advertising and FUD from those Opera guys. They are really getting boring.

    - Opera adds a feature that shows the name of the site in the title bar in their last build ;
    - Someone at Opera reports it (under a false name) as a security issue affecting every browser BUT Opera ;
    - Slashdot runs one more article about the genious of this stupid paid-for, closed source browser.

    That's not the first time it happens, nor the last one. /., stop supporting Opera FUD. Thanks.

  7. Not really the popups by luvirini · · Score: 4, Insightful
    It is not really the pop-ups that are the security propble. It is the fact that the user interface is written in a way that does not make the different things clearly separated.

    It corresponds to say.. running a browser, a spreadheet and say a game at same time and then getting a dialog box that is not identifiable saying "Do you want to save?".

    Different problems of this sort will only raise as more and more applications are run as web based. Today it is popups that are not identified, tomorrow something else.

  8. Front door... by Shotgun · · Score: 5, Funny

    My front door has a major flaw, in that con artist can walk up to it and claim they are from and officially federal agency and have an urgent need for me to help them.

    Doors from major outlets, including those of Lowe's and Home Depot, are affected by this flaw. Our investigations have determined that this flaw has been known for years, yet the major distributors have not plans to release an update to correct the problem.

    US Senator, C. Ritter has introduce legislation under the title "Omnibus Weak Nutz United", the OWN-U bill, that seeks to station a security agent to watch over every door in the case the occupants cannot determine that they are being conned.

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  9. Re:Oh I know by CdBee · · Score: 5, Informative

    Easier to use an extension like NoScript - a javascript permission whitelist - to selectively allow pages to run scripts, then control passes to where it should be - the user

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
  10. Re:stop developing with JavaScript by AKAImBatman · · Score: 5, Interesting

    People should stop developing with JavaScript. It's nothing but trouble.

    Poppycock. This is nothing more than a typical knee-jerk reaction to a minor security flaw. Should we all stop using email because phisers can craft ones that look like someone elses?

    Lots of sites use JavaScript very effectively. So many in fact, that it's rather difficult to make such a wild statement as "JAvascript is nothing but trouble." Google is a perfect example of a highly useful site with JS. For example, Maps and GMail both rely heavily on JS. In fact, most webmail sites contain JS. And without JS, you couldn't have neat stuff like this. (Login is test, test)

    --
    Javascript + Nintendo DSi = DSiCade
  11. Re:Whew, I'm safe... by HoneyBunchesOfGoats · · Score: 4, Funny

    Thank god I don't own a computer!

  12. Re:stop developing with JavaScript by Christianfreak · · Score: 4, Insightful

    Javascript is very useful to creating rich web applications that don't have to reload the pages. Seen Google maps or Gmail? How do you think they did that?

    I agree that Javascript should not nessicarily be required to view content on a general website but properly used it gives a whole new dimension to web apps.

    People give the guns and P2P analogy all the time here: they both have proper uses and improper uses and banning them, or not using them because they have improper uses makes no sense. How is Javascript any different?

    --
    The Anti-Blog
  13. Re:old news by n0-0p · · Score: 4, Insightful

    I know the Mozilla devs were talking about this a few weeks back on one of the lists. They said they didn't consider it a severe security issue yet, but were working on the engine so that popups would be tab and window modal. They've also added pieces to the plugin interface so that plugin developers (Flash and Java for instance) can honor Mozilla's popup blocking.

    Currently, if you're popup blocking for all but trusted sites you should be relatively safe from this. It really is hard to prevent phishing attacks though. They attack the users judgement, which unfortunately tends to be the weakest link.

  14. Stop Firefox or Mozilla from hiding location by greed · · Score: 5, Informative
    Firefox and Mozilla, and probably any other Gecko-based browsers, have a way of disabling the disabling of various UI elements when JavaScript opens a window. I found this in another Slashdot thread last year, but forgot which one.

    Open about:config . You'll probably have to type that, Mozilla won't follow it from an http: URL.

    Key in dom.disable_window_open_feature as a filter.

    Change the value for location to true. In Firefox, just double-click the false and it will toggle. Mozilla you need to edit it and actually type in all four letters of true. (But I'm happier with the Mozilla suite at the office, so I live with it.)

    Change any other values to true that you feel like; I'd be inclined to do status, resizable, close and menubar at a minimum.

    Now the location will be visible in any pop-up window.

    So the very first thing the Moz group should do is default some of this stuff to true instead of pander to controlling webmasters who want to take over the user's computer. I mean false.

  15. Re:Whew, I'm safe... by rainman_bc · · Score: 4, Funny

    Thank god I telnet to port 80 and parse it in my head

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  16. Re:Safari by arkanes · · Score: 4, Interesting
    a) There *is* garbage collection in ObjC (via refcounting), and GC has little to nothing to do with the relative security of C and Java (theres some obscure security flaws related to misuse of buggy versions of malloc(), on the other hand there's obscure flaws related to abusing the GC scheme to bypass Javas typesafety. And neither are common or practical.)

    b) You can certainly use unsafe C contructs in ObjC, but ObjC provides (and encourages) safe, non-C constructs that address the vast majority of C problems. Unsafe pointer and buffer operations are rare in ObjC, because the language provides better alternatives.
    c) "Many cases slower than Java" is the sort of unsupportable bullshit that people make when they're trolling. Yes, message passing is slower than virtual function calls (and Javas are [much,much] slower than C++s vcalls).

  17. Re:old news by hkmwbz · · Score: 5, Informative
    "It's advertising and FUD from those Opera guys. They are really getting boring."
    Better put on your tinfoil hat!
    "Someone at Opera reports it (under a false name) as a security issue affecting every browser BUT Opera"
    Wow. I didn't know that "Jakob Balle, Secunia Research" worked for Opera? I thought he worked for Secunia, seeing as he, well, works there and everything?
    "Slashdot runs one more article about the genious of this stupid paid-for, closed source browser."
    You mean Opera? Opera Software, the company that employs and pays several members of the W3C? Which pays real money to people to work on open standards?

    Ah, the evil Opera! I get it.

    "That's not the first time it happens, nor the last one. /., stop supporting Opera FUD. Thanks."
    Asa? Is that you? Why are you posting as an AC?!
    --
    Clever signature text goes here.