Slashdot Mirror

← Back to Stories (view on slashdot.org)

Major Browsers Have JS Pop-Up Flaw

Posted by Zonk on from the security-flaws-build-character dept.

An anonymous reader writes "Secunia is warning that several popular browsers contain a vulnerability that could allow a phishing attack. 'The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open -- for example, a prompt dialog box -- which appears to be from a trusted site,' Secunia said. The browsers include the latest versions of IE, IE for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino. Opera 7 and 8 are also affected but not 8.01."

7 of 397 comments (clear)

  1. It's not a flaw according to MS... by bc90021 · · Score: 5, Interesting

    ...and they're not going to release a patch for it.

    And you *know* that if Microsoft says it's not a flaw, well, then, it mustn't be a flaw. ;)

    --
    libertarianswag.com
  2. Re:old news by Anonymous Coward · · Score: 5, Interesting

    It's not even a bug.

    It's advertising and FUD from those Opera guys. They are really getting boring.

    - Opera adds a feature that shows the name of the site in the title bar in their last build ;
    - Someone at Opera reports it (under a false name) as a security issue affecting every browser BUT Opera ;
    - Slashdot runs one more article about the genious of this stupid paid-for, closed source browser.

    That's not the first time it happens, nor the last one. /., stop supporting Opera FUD. Thanks.

  3. Front door... by Shotgun · · Score: 5, Funny

    My front door has a major flaw, in that con artist can walk up to it and claim they are from and officially federal agency and have an urgent need for me to help them.

    Doors from major outlets, including those of Lowe's and Home Depot, are affected by this flaw. Our investigations have determined that this flaw has been known for years, yet the major distributors have not plans to release an update to correct the problem.

    US Senator, C. Ritter has introduce legislation under the title "Omnibus Weak Nutz United", the OWN-U bill, that seeks to station a security agent to watch over every door in the case the occupants cannot determine that they are being conned.

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  4. Re:Oh I know by CdBee · · Score: 5, Informative

    Easier to use an extension like NoScript - a javascript permission whitelist - to selectively allow pages to run scripts, then control passes to where it should be - the user

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
  5. Re:stop developing with JavaScript by AKAImBatman · · Score: 5, Interesting

    People should stop developing with JavaScript. It's nothing but trouble.

    Poppycock. This is nothing more than a typical knee-jerk reaction to a minor security flaw. Should we all stop using email because phisers can craft ones that look like someone elses?

    Lots of sites use JavaScript very effectively. So many in fact, that it's rather difficult to make such a wild statement as "JAvascript is nothing but trouble." Google is a perfect example of a highly useful site with JS. For example, Maps and GMail both rely heavily on JS. In fact, most webmail sites contain JS. And without JS, you couldn't have neat stuff like this. (Login is test, test)

    --
    Javascript + Nintendo DSi = DSiCade
  6. Stop Firefox or Mozilla from hiding location by greed · · Score: 5, Informative
    Firefox and Mozilla, and probably any other Gecko-based browsers, have a way of disabling the disabling of various UI elements when JavaScript opens a window. I found this in another Slashdot thread last year, but forgot which one.

    Open about:config . You'll probably have to type that, Mozilla won't follow it from an http: URL.

    Key in dom.disable_window_open_feature as a filter.

    Change the value for location to true. In Firefox, just double-click the false and it will toggle. Mozilla you need to edit it and actually type in all four letters of true. (But I'm happier with the Mozilla suite at the office, so I live with it.)

    Change any other values to true that you feel like; I'd be inclined to do status, resizable, close and menubar at a minimum.

    Now the location will be visible in any pop-up window.

    So the very first thing the Moz group should do is default some of this stuff to true instead of pander to controlling webmasters who want to take over the user's computer. I mean false.

  7. Re:old news by hkmwbz · · Score: 5, Informative
    "It's advertising and FUD from those Opera guys. They are really getting boring."
    Better put on your tinfoil hat!
    "Someone at Opera reports it (under a false name) as a security issue affecting every browser BUT Opera"
    Wow. I didn't know that "Jakob Balle, Secunia Research" worked for Opera? I thought he worked for Secunia, seeing as he, well, works there and everything?
    "Slashdot runs one more article about the genious of this stupid paid-for, closed source browser."
    You mean Opera? Opera Software, the company that employs and pays several members of the W3C? Which pays real money to people to work on open standards?

    Ah, the evil Opera! I get it.

    "That's not the first time it happens, nor the last one. /., stop supporting Opera FUD. Thanks."
    Asa? Is that you? Why are you posting as an AC?!
    --
    Clever signature text goes here.