Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Security The Internet

New Vulnerability Affects All Browsers 945

Jimmy writes "Secunia is reported about a new vulnerability, which affects all browsers. It allows a malicious web site to "hi-jack" pop-up windows, which could have been opened by e.g. a your bank or an online shop. Here is a demonstration of the vulnerability"
This discussion has been archived. No new comments can be posted.

New Vulnerability Affects All Browsers

Comments Filter:
  • Thank goodness we've found our first vulnerability in Firefox. Now we can move from the myth that free software is impervious to exploits, and into the reality that vulnerabilities are acknowleged and patched faster in most free software projects. Gentlemen, synchronize your watches. Will the Firefox team have a fix out before Microsoft even admits it's a bug?

  • I don't get it (Score:2, Informative)

    by corby ( 56462 ) *
    I am running Firefox 1.0. I tried the link that said 'With Pop-up Blocker', and it displayed a dialog saying that I did not have a pop-up blocker.

    I refreshed the page, and tried the link that said 'Without Pop-up Blocker'. It opened up the Citibank website, but it did not hijack my Citibank popup window.

    Same thing happened to me under IE6 (except I did not get the dialog when I clicked on the 'With Pop-up Blocker' link).

    Maybe it works under certain circumstances, but I couldn't reproduce it.
    • Re:I don't get it (Score:2, Informative)

      by serps ( 517783 )
      The exploit worked for me (FF1.0 win2k). I clicked on the "with popup" link, FF blocked a popup, but a new window spawned with Citibank. I clicked on the link I was told to, and up came the 2nd hijacked popup.
    • Re:I don't get it (Score:5, Informative)

      by Caine ( 784 ) on Wednesday December 08, 2004 @11:06PM (#11038654)
      Did you actually follow the instructions? That is: Did you click on the image on the citibank-page, thereby giving you a third window? It doesn't sound like it from your comment.

      And the exploit worked just 'fine' on my firefox 1.0.
      • Re:I don't get it (Score:5, Informative)

        by Frizzle Fry ( 149026 ) on Wednesday December 08, 2004 @11:13PM (#11038713) Homepage
        The fact that everyone is confused is an indication that their instructions suck. "Step one" is click on a link in the citibank site that you haven't visited yet. "Step two" is actually visiting the citibank site. And then "step three" is a no-op; the space for that step is instead used to discuss whether you are vulnerable. (Presumably, step five is "profit!!!"). Who came up with this and what planet are they from where this is a logical sequence of instructions?
        • Re:I don't get it (Score:5, Informative)

          by Jehlon ( 467577 ) on Wednesday December 08, 2004 @11:31PM (#11038875) Homepage
          No kidding their instructions sucked. Here's a step-by-step:
          0. If you have not tried the test already, skip steps 1-3.
          1. Copy these instructions to Notepad.
          2. Close all browser windows.
          3. Open a new browser window to
          4. Skip down to "Step 2" and click the link appropriate for your system. The vast majority of users will click on the link "Test Now - With Pop-up Blocker - Left Click On This Link".
          5. Click on the "Consumer Alert" image on the right of Citibank's page.
          If the exploit was successful, the pop-up window from Citibank will attempt to open a site from I don't know what that page looks like, only that their webserver didn't respond when I tried going there.

          I hope this helps the vast masses of smart /.'ers who don't care to take 10 minutes to decompile secunia's instructions.
    • Re:I don't get it (Score:4, Informative)

      by linguae ( 763922 ) on Wednesday December 08, 2004 @11:10PM (#11038682)

      The exploit worked for me on Firefox 1.0 on Windows 98 SE with pop-up blocking turned off, but the exploit didn't work for me when pop-up blocking was turned on.

    • by khasim ( 1285 ) <> on Wednesday December 08, 2004 @11:18PM (#11038757)
      FF 1.0 on Win2K.

      Middle-click to open citibank page in new tab YOU WILL NOT BE VULNERABLE.

      Left click and allow citibank page to open in new window YOU WILL BE VULNERABLE.

      At least, that's the behaviour I see on this box.
      • Probably because if you open the window in a new tab it's a child of the main window, while the exploit is looking for a top-level window. BUT THAT DOESN'T MEAN YOU'RE SAFE! A better-written version of the exploit could search all open windows and their children until it found a window or tab with the right name.
    • Re:I don't get it (Score:4, Informative)

      by nolife ( 233813 ) on Wednesday December 08, 2004 @11:28PM (#11038845) Homepage Journal
      The spoof worked for me on FF 1.0 on W2K. One more reason to use the Spoofstick [] browser plugin for FF or IE. It clearly showed the popup originated from and not Citibank.
      • Re:I don't get it (Score:5, Informative)

        by megaversal ( 229407 ) on Thursday December 09, 2004 @12:31AM (#11039260)
        My fix is a little easier (in my opinion, only because I hate having another toolbar taking up desktop real estate)...

        under about:config, I have dom.disable_window_open_feature.location set to true. So every window must show the location (and because of it, I immediately could see the webpage I was at was not
    • IT DOES WORK! (Score:5, Informative)

      by liquidpele ( 663430 ) on Wednesday December 08, 2004 @11:30PM (#11038860) Journal

      Ok, here we go for those just playing.

      1) Open the vulnerability test page.
      2) Open the citibank site NOT IN A TAB but in a new window.
      3) Click the picture in citibank opening yet a 3rd window (NOT TABS)
      4) Go back to the window with the secunia page, and click the link "without popup blocker"
      5) See that it does work.

      That is all.
  • A friend of mine tried it with a 1.0 preview build of firefox on his hpux workstation. It opened two windows instead of one -- one window was sized correctly and had the bank's designated content, the second window was the same size as a regular browser window and it had the phishing content in it. I think he said he reported their phishing failure to secunia, but I doubt they'd change their story, it would be a lot less sexy.

    Anyone else have a build of firefox that wasn't really fooled?
  • by Indy Media Watch ( 823624 ) on Wednesday December 08, 2004 @11:04PM (#11038625) Homepage
    Jimmy writes "Secunia is reported about a new vulnerability"

    And in other news, Slashdot is reported all about a new grammatical error in the headlines.

    Reporting anyone?
  • Not quite hijacking (Score:3, Interesting)

    by fembots ( 753724 ) on Wednesday December 08, 2004 @11:04PM (#11038627) Homepage
    I opened Secunia [], Then open another browser window to Citibank [] via Ctrl+N, and click on Citybank's Consumer Alert button, nothing happened.

    But if I used the link from Secunia [] to access Citybank, the Popup is then hijacked.

    So it seems like you need to access (click on a link to) your trusted site via an untrusted site to get hijacked?
    • by sbszine ( 633428 ) on Wednesday December 08, 2004 @11:17PM (#11038752) Homepage Journal
      The links to Citibank from the Secunia site are actually handled by JavaScript. The script sets a timer, then opens citibank. Every second or so, Secunia's script then checks whether you've opened Citibank's pop-up. If you have, it opens a window with the same name (i.e. variable name) as Citibank's window, thus overwriting their content.

      So the attacker doesn't need you to click on anything, they just need you to have their site open -- with the timer going -- in another window. Also, the attacker needs to know in advance what name the victim site's pop-up is referenced by. A dynamically generated name could possibly defeat this attack, though the attacker could always crawl the DOM for a handle to the pop-up.
      • by drew ( 2081 )
        A dynamically generated name could possibly defeat this attack, though the attacker could always crawl the DOM for a handle to the pop-up.

        I doubt it. If any browser allows you to look at the DOM of a page from a different site, that is a far greater security hole than what they are demonstrating.
  • no problem here... (Score:4, Informative)

    by jxyama ( 821091 ) on Wednesday December 08, 2004 @11:04PM (#11038635)
    mac os x 10.3.6... running safari 1.2.4 (the latest build.)
  • I never thought I'd be happy to see a Citibank popup. I'm running Firefox (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0) with the TabbedBrowsingExtension [] set to use a single window.

    Well, that's one alert I'm safe from. Whew.

  • by bigberk ( 547360 ) <> on Wednesday December 08, 2004 @11:05PM (#11038641)
    the demo come up blank. all i see is a window called (Untitled) (and the globe spins then dies)
  • Safari test (Score:5, Informative)

    by sg3000 ( 87992 ) * <> on Wednesday December 08, 2004 @11:05PM (#11038643)
    I tried the test in Safari 1.2.4 under Mac OS X 10.3.6. I had pop-ups blocked, the normal way I set my browser. Doing the test, I saw the Citibank site fine. When I clicked on the "Consumer Alert" button, it looked like the regular Citibank content. No problem there. I refreshed and clicked on the other "try this test" link, and there still was no problem.

    When I turned off the pop-up blocking feature, then when I tried the test, I did see a pop-up from the Secunia site instead of the Citibank text. Now that's a problem.

    Clearly, this is just another reason to block pop-up windows.
    • Re:Safari test (Score:4, Insightful)

      by buckhead_buddy ( 186384 ) on Thursday December 09, 2004 @12:25AM (#11039216)
      I was running Safari 1.2.3 (v125.9) which isn't quite the current version, but pretty close.

      I can confirm this works when the "Block Pop-up Windows" in the Safari menu is disabled, but not when the Blocking option is enabled. Rather than just a "me too", I went through the demonstration in reverse order of the previous poster (and was careful to refresh and follow the appropriate links) so I don't think this behavior is due to caching issues.

      While I do hope there will be a fix for this soon, IMHO, the more appropos fix is that secure sites should not EVER rely on popups.
  • Works for me (Score:3, Informative)

    by HFShadow ( 530449 ) on Wednesday December 08, 2004 @11:07PM (#11038660)
    I reproduced this successfully on Firefox 1.0 under Linux.
  • not irider (Score:3, Informative)

    by FrenZon ( 65408 ) * on Wednesday December 08, 2004 @11:08PM (#11038666) Homepage
    Well, it didn't affect irider [], which is IE-based, presumably because it opens popups in its own (excellent) 'tree-tab' system.
  • by localman ( 111171 ) on Wednesday December 08, 2004 @11:08PM (#11038670) Homepage
    I just don't believe it. Anything -- even an exploit -- working in all browsers would be unprecedented!
  • Nyeh (Score:4, Informative)

    by c0dedude ( 587568 ) on Wednesday December 08, 2004 @11:09PM (#11038674)
    It's a vulnerability, but it's the correct behaviour. Browsers should open the window in the target pop-up window, even if the page opening the page does not own that window, as I recall. As they say, that's no bug...
    • by Chuck Chunder ( 21021 ) on Wednesday December 08, 2004 @11:28PM (#11038842) Homepage Journal
      Target names should only exist within the namespace of the site that created them.

      Site A should be able to create and interact with a window named "popup".
      Site B should be able to create and interact with a window named "popup".
      This should happen without either site interfering, blocking or overwriting the other. They should simply be invisible to each other, existing in completely seperate little worlds.
      • by Anonymous Coward on Wednesday December 08, 2004 @11:31PM (#11038871)
        OF course that seems sensible. But when you say "should" do you mean "should" because you think so, or because some W3C or other standard says so?
        • AFAICT, the 'window' object is defacto (Netscape) standard and was never standardized by the W3C.

          Traditionally, windows weren't private to sites, but this is just a variation of the "cross-frame scripting" bugs that have been patched over time.
          • AFAICT, the 'window' object is defacto (Netscape) standard and was never standardized by the W3C.

            Traditionally, windows weren't private to sites, but this is just a variation of the "cross-frame scripting" bugs that have been patched over time.

            A stupifyingly dumb design decision in the first place. The above poster's namespace comment is dead on, and there is obviously no choice but to implement per-site namespace properly.

            This design bug, however, is the fault of _all_ of us, for not reviewing the des
        • by JamieF ( 16832 )
          I looked at the DOM spec (levels 1 and 2) and there's no Window object; ECMAScript mentions that the Window object may exist but not what it does (since it's part of the runtime environment rather than the base language).

          I did find this:
          Referring to windows and frames [] from the Netscape JavaScript handbook. It says nothing about window names being private.

          So, pin this one on Netscape, and the lack of any formal open standard for what happens in a browser outside of the document.
  • by Bagels ( 676159 ) on Wednesday December 08, 2004 @11:11PM (#11038687)
    This only worked for me when I left-clicked, like they said. I'm so used to FireFox now that it was second nature for me to open the Citibank site in a new tab, and the exploit failed to work then.
  • Using Opera 7.54 (Score:3, Informative)

    by MrP- ( 45616 ) <jessica AT supjessica DOT com> on Wednesday December 08, 2004 @11:11PM (#11038689)
    Using Opera 7.54, the one for pop-up blockers enabled doesnt work.. as soon as i click the citibank link, the fake popup opens without me clicking anything, and when i do click the image they say to click, it changes the popup page to the actual citibank page you're supposed to see

    the link for disabled popup blockers doesnt open a popup when i have my popup blocker enabled (actually its just Proxomitron with custom filters)

    When I disable proxomitrion, it does what it says (opens the Secunia site instead of the citibank site)

    And with proxomitron disabled, the first method (for people running popup blockers) still does the same as it did the first time.
    • Opera 7.11 on WIN2000 (older version, it's what i have at work) opens the CTI site and the spoof in separate windows, with or without popup disabler. I have to check it with newer versions though, i will when i get home.
  • jack pot (Score:4, Funny)

    by loid_void ( 740416 ) * on Wednesday December 08, 2004 @11:11PM (#11038694) Journal
    i did it using safari, got citibank, i have no account but was able to transfer $100 million into an offshore account. That was some test
    • got citibank, i have no account but was able to transfer $100 million into an offshore account.

      Wow, did you get an email from Yassir Arafat's widow too? I'm still waiting for my cash transfer.
  • by wowbagger ( 69688 ) on Wednesday December 08, 2004 @11:21PM (#11038779) Homepage Journal
    This all boils down to a Javascript vulnerability.

    If web masters would stop NEEDLESSLY using Javascript to do things like open new windows, and would use it ONLY when there is no way using HTML to accomplish the same goal, then people would not need to have Javascript active all the time, and the impact of exploits like this would be greatly reduced.

    If, instead of using <a href="#" onclick="foo"> or <a href="javascript(foo)"> type constructs, web designers would use <a target="_blank" href="something.html" onclick="javascript(stuff)"> type constructs, then if the user HAS Javascript active, then the web master can micromanage the newly created window. If not, then the user STILL gets a new window, just not one that the web master can remove all the chrome from.

    Seriously - when was the last time you heard of an exploit that used straight HTML? All of the recent exploits in ALL browsers, IE included, have been in either Javascript or Active-X, not in the core HTML rendering.

    There is a REASON for that.
    • by dghcasp ( 459766 ) on Wednesday December 08, 2004 @11:48PM (#11039000)
      And this is part of a larger user interface principle, "Don't try to control your user's behaviour if you don't need to."

      Example: Sites that pop up their "main" window from their "entry tunnel." Exactly what justification do you have for thinking I still need to view your entry tunnel?

      Example: (as mentioned,) sites that use Javascript to open windows. Granted, this practice came around before Opera/Mozilla introduced us to the wonders of tabbed browsing, but what's the point of pulling up a "diversionary" window and forcing the user to close it? Afraid they might not understand the concept of the "back" button?

      Example: using flash/java/shockwave/etc to perform functions that could be handled in HTML, especially now that we have DHTML. I have trouble with understanding the argument "we will be more successful if we deny access to some percentage of the population."

      etc etc etc.IMHO, this is a symptom of the problem where people assume "everyone else thinks / acts / behaves in the same way I do."

    • Well since the target attribute of the anchor link is not part of the XHTML 1.1 Strict standard, web developers who *are* actually concerned about standards are required to use Javascript to perform the pop-up behavior. By using standards-based design and manipulating the DOM via Javascript, we can accomplish anything. No need for clunky the "onclick" or even the outdated "target" attributes.
    • by shirai ( 42309 ) on Thursday December 09, 2004 @12:13AM (#11039137) Homepage
      That's why I use iFrame popup instead of window popups. With popup blockers already appearing built into browsers, I'm assuming that they will be standard everywhere soon.

      With scripting, you can make iFrames draggable, closeable and behave and look just like regular windows but they are, in essence, windows within a window and are tied closely to the current browser.

      There are reasons to have popups like, for example, color or date pickers (with a calendar). It is actually much easier to build a draggable DIV than a draggable iFrame but the draggable DIV doesn't show up on top of certain HTML elements and hence becomes useless (even with an infinitely high z-index).

      By the way, you can get draggable iFrames to work in both MSIE and Mozilla. I just bought my iMac for testing but I'm pretty sure I can get it to work in the mac versions too as they all have the necessary language and DHTML components. All I can say though is that JavaScript and DHTML are definitely vendor dependant, and I don't care if you are mozilla or Apple or Microsoft, they ALL have quirks and bugs that go outside of the specifications. In many ways, my high speed photoshop-style image scripting program (for use on web servers) was easier to write in C# than trying to figure out how to make things work across every browser out there!

      Anyways, programmer alert. I wouldn't depend on popups working in the future if your app depends on it. Make sure to use iFrames or have a non popup dependant way of doing the same thing!
    • This all boils down to a Javascript vulnerability.

      Yup. It further demonstrates why any financial institution that requires you to enable javascript in order to use their website should be deemed incompetent.

      If web masters would stop NEEDLESSLY using Javascript to do things like open new windows, and would use it ONLY when there is no way using HTML to accomplish the same goal, then people would not need to have Javascript active all the time, and the impact of exploits like this would be greatly

      • Let's see you build something as responsive, usable and practical as GMail without using Javascript.

        OK, let's try something easier. I've got a table with many rows where each row contains two sets of radio buttons. When one of the radio buttons in the first set is selected, you shouldn't select an answer in the second set. Thus, I use Javascript to disable the second set of radio buttons when that particular option is chosen. Care to tell me how to do that using regular HTML?
      • "I assert that no essential behavior on a web-page requires Javascript -- it's ALL needless."

        There you go. You've just shown your ignorance. For simple web pages I would agree, but this vulnerablility is for, and demonstrated in, a web application.

        As other posters have pointed out, you cannot get some features of an application without using Javascript.

        So, until the world starts using something like Webstart and downloadable, secure thick clients via the web, the browser is all that we have. Perhaps th
      • by Politburo ( 640618 ) on Thursday December 09, 2004 @10:25AM (#11041675)
        Client-side verification This includes validating that all the fields in a form are filled in, as well as checking that the user entered the correct password. Naturally, this is the silliest reason to require Javascript, as the validation step still has to be done on the server side anyway, making the client-side validation a redundant convenience at best, and an addle-brained sign of utter incompetence at worst.

        Just what I want.. a user posting 300 times before realizing that, yes, they must fill out the form. Think about something like Yahoo mail. I can go into a new message and if I forget to put in a To:, it will still post to the server and come back and say that I'm a moron. With JS verification, I would know instantly.

        Obviously client-side verification shouldn't be used for passwords, but checking that a form is at least completely filled out is very helpful, both as a designer and a web user. Client side verification is practically instant and does not burden the server with incomplete requests. Of course, client side verification does not exempt you from having to perform server side verification.
  • Bugzilla #273699 (Score:3, Informative)

    by Trillan ( 597339 ) on Wednesday December 08, 2004 @11:34PM (#11038889) Homepage Journal
    Seems to be in as defect 273699. (Direct link wouldn't work anyway.)
  • by loconet ( 415875 ) on Wednesday December 08, 2004 @11:47PM (#11038994) Homepage
    According to MozillaNews [] the following work around can be applied to Mozilla/Firefox:

    1. Enter about:config in the Location Bar.
    2. Enter dom.disable_window_open_feature.location in the filter field.
    3. Right-click (Ctrl+click on Mac OS) the preference option and choose Toggle (the value should change to true).

    This issue is already being worked on bug 273699 [] (copy link location, paste) filed a few hours ago.

    As a side note, being able to see the bug fixing progress unfold is one of the many reasons why i love open source. I am able to learn so much from just seeing the process take place from start to finish, how it is reported, test cases created, problems that arise, insights into other parts of the system, who the people involved are, reviews, patches, etc.

    • by thomkt ( 59664 ) on Thursday December 09, 2004 @12:12AM (#11039125)
      This doesn't prevent the pop-up hijacking from happening; it forces the address bar to display, so you can see the location of the pop-up.

      From the page:

      "Note that, although the attack site can inject its own content, it cannot change the URL appearing in the Location Bar. Firefox and Mozilla have the ability to deny access to the Location Bar so all pop-up windows always have it."
      • by Fnkmaster ( 89084 ) * on Thursday December 09, 2004 @04:05AM (#11040160)
        All these damned Secunia bugs are basically human error bugs anyway. If you know what's in the popup, it's impossible to be spoofed - if the URL bar shows a site that's not what you expect, close it.

        In general, it's always going to be possible if you are browsing sketchy and secure sites at the same time that the sketchy site might pop up some deceptive window, and if you are confused, and can't see the URL bar, you might think it came from the secure site, with or without this specific injection issue. Which is why this workaround out to be default behavior anyway (I HATE sites that try to hide my location bar and navigation toolbar, those bastards).

        Anyway, the point is, yes the issue should be fixed, but if you applied the workaround, it makes the exploit essentially worthless to an adversary.
  • by crazyphilman ( 609923 ) on Thursday December 09, 2004 @12:26AM (#11039219) Journal
    My system:

    Slackware 10, Konqueror, and Mozilla 1.7.3.

    Results with Konqueror: the popup did NOT point back at Secunia, it pointed at Citibank. Perhaps this is because I have Konqueror configured to open new windows in tabs and have "smart" popup blocking enabled. Would someone try and confirm this? If it is the issue, then we can block the vulnerability in Konqueror, at least.

    In Mozilla, the popup trick worked. Bad Mozilla!

    • OK, I've read through a bunch of Slashdot posts, and I've considered my experience with this thing, and here's my web developer's opinion of this "vulnerability":

      In Javascript, if (and only if) your web page opens a new window, it "owns" that window. In other words, you have access to the whole DOM in that window. You can step through the document object, alter things, and so forth. This is how things are supposed to work; it's what enables us to open new windows and interact with the user. For example, ma
  • Firefox 1.0 (Score:3, Interesting)

    by pugugly ( 152978 ) on Thursday December 09, 2004 @12:28AM (#11039233)
    Just an interesting note - if I left click on secunia's test page, and secunia opens citibank in a new tab, the exploit works.

    If I middleclick on the test page and *force* firefox to open the site in a new tab, the exploit fails.

    I don't know enough to now if this is a limitation in the exploit or in how they've written the exploit, but it's odd and interesting
  • by Pr0xY ( 526811 ) on Thursday December 09, 2004 @01:33AM (#11039559)
    I think there is an easy fix for this. Basically the exploit is based on the fact that you can use javascript to open a window with the target the same as another window and overwrite the other ones content.

    Well, why not make a new rule in javascript that would disallow any javascript code to access any popups that aren't a direct child of the current instance of the browser.

    Basically what i mean is to have each window in it's own namespace and have the child window share said namespace. (I think one would have to not allow grandparents to access it either though).

    so basically if two seperate windows open a window with target="name" then 2 windows are opened one for each instance and they have nothing to do with each other.

  • by Reteo Varala ( 743 ) <> on Thursday December 09, 2004 @02:07AM (#11039701) Homepage
    "Firefox has prevented this site from opening 1632 pop-up windows. Click here for options..."

    And this is a version of Firefox I installed approximately two weeks ago. ...And now 2000... persistent little bugger...
  • by Cervantes ( 612861 ) on Thursday December 09, 2004 @02:47AM (#11039882) Journal
    Seriously, a 'vulnerability' in the 'oh shit!' sense of the phrase is "an opening by which an innocent user could get fscked by no fault of their own".

    This strikes me as about as dangerous as the post-SP2 "Warning! If you copy and paste shit files from the net and click a few boxes, YOU COULD GET SPYWARE!".

    For the record, I just nuked and reinstalled XP-Sp2 + hotfixes a few days ago (for once, not because it was fucked up, but my new raid0 array), so I have cherry IE6 and unextensioned-FireFox 1.

    I tried several variations of the convoluted instructions, and could get no explicitly dangerous behavior. Mozilla didn't bat an eye, and IE once popped up a box saying "The script is trying to close this window, do you want to let it?" If I let it, then it opened the Citibank site in the window again.

    Oooh, scary.

    I'm sure there may be some actual, dangerous vulnerability here somewhere. But I've gotten better instructions from the japanese ASUS site, translated through google.
  • by 0111 1110 ( 518466 ) on Thursday December 09, 2004 @03:53AM (#11040117)
    Javascript is the work of the devil. Leave it off unless you have a damn good reason to turn it on. Why give anyone that much control over your computer just to surf the web?

    For firefox or opera just turn it on when you absolutely need it and never forget to turn it off right away when you are done. For IE make use of the security zones to implement javascript whitelisting. That's what I do because with firefox and opera I often don't remember to turn it off again until I start getting annoying popups or worse.

    Seems like more than half of these vulnerabilities that keep popping up make use of javascript. That last one with the online banking passwords was pretty scary and made me very glad that I browse with javascript off.
  • by Wolfger ( 96957 ) <> on Thursday December 09, 2004 @10:24AM (#11041663) Homepage
    The link for browsers with pop-up blockers does not affect my pop-up blocking Firefox (and a window pops open saying that I have no pop-up blocking), but the other link does indeed spoof the window. I'm not worried about the problem though, because I don't engage in such unsecure behaviour. An easy fix would be for Firefox to allow us to selectively allow java/javascript on a per-site basis (just like pop-ups and ads (with adblock)).
  • Mixed risk (Score:3, Informative)

    by valkraider ( 611225 ) on Thursday December 09, 2004 @10:47AM (#11041877) Journal
    It looks like some people are at risk and some are not. Reading through the comments people swear their browsers are not affected...

    But I ran the tests, and here are my results:

    Mac OSX 10.3.6

    Safari 1.2.4 (v125.12) - Not affected according to test.
    FireFox 1.0 (G4 optimized build) - Affected according to test
    Camino 0.8.2+ - Affected according to test

    All browsers have pop-up blocking enabled, and some sort of ad filtering (Pith Helmet, Ad Block, etc).

    Your mileage WILL vary.
  • So... (Score:3, Funny)

    by dfj225 ( 587560 ) on Thursday December 09, 2004 @11:08AM (#11042067) Homepage Journal
    That email I got about having extra security by making sure was loaded in a separate window while using my bank's website was a lie? Maybe that is why my bank keeps asking me to give them my information again. How many times can they loose my account number and SSN?

Man is an animal that makes bargains: no other animal does this-- no dog exchanges bones with another. -- Adam Smith