Security Bug Internet Explorer Mozilla The Internet IT

Major Browsers Have JS Pop-Up Flaw 397

An anonymous reader writes "Secunia is warning that several popular browsers contain a vulnerability that could allow a phishing attack. 'The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open -- for example, a prompt dialog box -- which appears to be from a trusted site,' Secunia said. The browsers include the latest versions of IE, IE for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino. Opera 7 and 8 are also affected but not 8.01."
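The missing piece named in the summary, a script dialog that states which page raised it, sketched as an added example; it is not part of the original story and not any browser's code. `dialogTitle`, `describeDialog`, `MAX_HOST` and every URL are constructed for illustration.

```javascript
// Added illustration, not browser source: build the title a browser could
// give alert()/confirm()/prompt() so the dialog names the page that raised it.
// dialogTitle(), MAX_HOST and every URL below are constructed for this example.

const MAX_HOST = 32; // assumed room for the host in a title bar

function dialogTitle(openerUrl) {
  let url;
  try {
    url = new URL(openerUrl);
  } catch (err) {
    return "[JavaScript dialog - origin unknown]";
  }
  // Only http(s) pages have a host worth showing; data:, about:, javascript:
  // and similar URLs get a neutral label instead of a blank or borrowed one.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return "[JavaScript dialog - origin unknown]";
  }
  // url.host drops any user:password@ prefix and the path, so
  // "http://www.mybank.example@other.example/" is labelled other.example.
  let host = url.host;
  // Elide from the left: the right-hand end of a host name is the part that
  // identifies the site, so it must survive truncation.
  if (host.length > MAX_HOST) {
    host = "..." + host.slice(-(MAX_HOST - 3));
  }
  return `[JavaScript dialog - ${url.protocol}//${host}]`;
}

// Pair the title with the page-supplied text; the text is never trusted to
// say who is asking.
function describeDialog(openerUrl, message) {
  return { title: dialogTitle(openerUrl), body: String(message) };
}

// Constructed sample: the body claims to be a bank, the title shows the origin.
const demo = describeDialog(
  "http://promo.example/offer.html",
  "MyBank security timeout. Please re-enter your account details."
);
console.log(demo.title);
console.log(demo.body);
```
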
  • by KlaymenDK ( 713149 ) on Friday June 24, 2005 @09:05AM (#12900181) Journal
    Isn't this a dupe from half a year ago?

    Too bad if it's just a symptom of the problem(s) just not being fixed yet...
  • Let's see.... (Score:4, Interesting)

    by wo1verin3 ( 473094 ) on Friday June 24, 2005 @09:06AM (#12900192) Homepage
    Opera 8.01 was released June 18th.... (only a few days ago)

    It is the only browser not affected....

    And now this leaked out where reports can only say that one browser does not suffer from this issue. //tin-foil hat engaged
    • Re:Let's see.... (Score:5, Insightful)

      by JimDabell ( 42870 ) on Friday June 24, 2005 @09:22AM (#12900374) Homepage

      Actually, Konqueror 3.4.1 isn't affected either (it displays the hostname in the popup title bar).

      These kinds of security holes are far harder to find than simple buffer overflows, because the real flaw is that the user misunderstands information that is presented in a particular context. There's no real technical error, it's purely a user interface issue. You have to think about how a user would perceive any particular information under all kinds of different contexts.

      This also means that open-source doesn't confer all of the security advantages that it does when applied to mistakes in the code, as everybody can see the UI even in a closed-source browser like Internet Explorer.

    • and IE for mac hasn't been updated in at least that many years.

      Hell, I haven't used it since Camino came out and was usable (back when it was called Chimera).
    • Let's see.... (Score:2, Insightful)

      by slapout ( 93640 )
      ...a problem was discovered and Opera got it fixed quickly. So now you're complaining? :-)
  • Thank god I use Contiki [www.sics.se]!
  • by bc90021 ( 43730 ) * <bc90021.bc90021@net> on Friday June 24, 2005 @09:06AM (#12900202) Homepage
    ...and they're not going to release a patch for it [com.com].

    And you *know* that if Microsoft says it's not a flaw, well, then, it mustn't be a flaw. ;)

    • It's not a bug. You can regard it as a design flaw of the Javascript system as a whole I guess, but this represents functioning-as-designed. If the user is dumb enough to type private information into a popup without taking the time to figure out where the popup came from, that's their problem.
      • The REAL banking page is onscreen.

        Popup message box says (something like):
        "MyBank Security Timeout occurred. Please reenter your account details in the following screen".
        OK/CANCEL

        user clicks ok and mysterious screen pops over looking like their real screen and hey-presto, you've been phished!
        • Yeah. I understood how it works. I just think that's the user's problem.

          Error occurred between user's ears. Insert neurons to continue.

          To be blunt, this is how Javascript has been for years, and those of us who understood the technology all along are now shaking our heads and asking "yeah, so?" ... Calling this a flaw now just seems more like a desperate grab for attention than an actual technical problem to be discussed. If you don't like it, take it up with the standards committee and try to get the beha
    • ya ya, letz make fun of M$....

      If you read up on it, you will realize it is not a flaw. There is no patch out there that is going to fix people's stupidity, or that odd trust they have that everything on the interweb is safe.
      People need to learn to be careful, and not give away information. By the Opera 8.01 is not vulnerable because they add a stupid bar that says where the popup came from..... wooo hooo what magical patch.
      • By the Opera 8.01 is not vulnerable because they add a stupid bar that says where the popup came from..... wooo hooo what magical patch.

        What's wrong with that? It gives people information to help them figure out if they're being phished.

        In comparison to Opera's new behavior, IE *is* flawed. I don't see why Microsoft thinks it shouldn't innovate this feature from Opera into IE.

        • Seems like the standards for labeling stuff as "innovation" are sinking to new lows every day.

          There is a simple work-around for these phishing exploits: never trust pop-ups - assuming they were not disabled in the first place. When in doubt, proceed through the official front-page.
  • Ever get rooked into going to a website with perpetual Javascript prompts? I love those.

    The only way out of them is to kill your browser process outright.

    This is a prime opportunity for mozilla developers to do a slight tweak to the prompts. a "kill all javascript for the rest of this session" button, etc.

    It seems to have been forgotten, or deferred.
  • Let's tell everyone to turn off JavaScript.

    That'll solve the problem

    Excuse me?

    What do you mean Java Scripting is a feature?

    • Re:Oh I know (Score:5, Informative)

      by CdBee ( 742846 ) on Friday June 24, 2005 @09:20AM (#12900355)
      Easier to use an extension like NoScript [noscript.net] - a javascript permission whitelist - to selectively allow pages to run scripts, then control passes to where it should be - the user
      • Wrong fix. It still leaves you open to injection attacks. Best solution is to get rid of all the hooks web pages (whether through Javascript or not) have to open windows without decoration.
  • by AccUser ( 191555 )
    Ooh - isn't Opera [slashdot.org] one of those web browser thingies? :-)
  • NoScript (Score:2, Informative)

    by erykjj ( 213892 )
    That's why I use NoScript [mozilla.org] with my Firefox.
    • I can't be the only one who thought the ***s were curses
      Developer Comments:
      This is not a support forum! If you need support,
      you're welcome at http://www.noscript.net/ [noscript.net]
      where you can ***read the FAQ*** or use the forum.
    • Way too many reviews saying this extension causes frequent crashes.

      I can't wait until this is worked out so I can use this extension...
  • To solve this problem, javascript multitasking must be disabled, only letting the current active window or tab having keyboard focus to run its javascript. Other tabs' scripts must not be disabled, but instead paused until they in turn receive focus.
  • by null etc. ( 524767 ) on Friday June 24, 2005 @09:15AM (#12900311)
    Isn't this just a rehash of every other bug they've announced this year, in a slightly different permutation? Next month, I expect they'll announce that frames within a DSHTML portion of a popup window can be loaded from non-trusted domains.

    It cracks me up, because they probably have an obsessive/compulsive, socially-maligned programmer within Secunia that just delights spending 16 hours a day trying to twist the browsers into doing what he wants. And then Secunia announces these flaws to save their reputation because nothing else is going on.

    • It cracks me up, because they probably have an obsessive/compulsive, socially-maligned programmer within Secunia that just delights spending 16 hours a day trying to twist the browsers into doing what he wants. And then Secunia announces these flaws to save their reputation because nothing else is going on.

      I'm sure you are absolutely right. And hopefully he'll keep doing it because there are crackers, phishers, and criminals out there who delight in spending 16 hours a day trying to twist browsers i
  • by luvirini ( 753157 ) on Friday June 24, 2005 @09:18AM (#12900339)
    It is not really the pop-ups that are the security problem. It is the fact that the user interface is written in a way that does not make the different things clearly separated.

    It corresponds to say.. running a browser, a spreadsheet and say a game at same time and then getting a dialog box that is not identifiable saying "Do you want to save?".

    Different problems of this sort will only raise as more and more applications are run as web based. Today it is popups that are not identified, tomorrow something else.

  • by Shotgun ( 30919 ) on Friday June 24, 2005 @09:19AM (#12900348)
    My front door has a major flaw, in that a con artist can walk up to it and claim they are from an official federal agency and have an urgent need for me to help them.

    Doors from major outlets, including those of Lowe's and Home Depot, are affected by this flaw. Our investigations have determined that this flaw has been known for years, yet the major distributors have no plans to release an update to correct the problem.

    US Senator, C. Ritter has introduced legislation under the title "Omnibus Weak Nutz United", the OWN-U bill, that seeks to station a security agent to watch over every door in the case the occupants cannot determine that they are being conned.
  • I agree that this is an issue, but saying this is a vulnerability in the browser seems a little odd. It feels a little like saying that your email program displaying phishing emails is a vulnerability in the email program. I'm not saying that this isn't something that could be addressed by a change to the browsers, but the headline (and TFA) make it sound like the code in the browsers is faulty.
  • Odd (Score:4, Interesting)

    by Sheepdot ( 211478 ) on Friday June 24, 2005 @09:34AM (#12900481) Journal
    If Secunia is reporting it, why not link directly to Secunia?

    http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test [secunia.com]

    I've never understood the reason to link to ZDnet first. Especially when we are all a technical crowd and can deduce the severity on our own.

    In my own opinion, the security community has been really scrambling to find exploits and vulnerabilities since the release of Windows XP SP2, which, despite a lot of compatibility issues with common software, has been very effective in slowing down the growth of zombie networks. In short, Microsoft finally got something right, and those that are in IT security for the sole reason of bashing MS to make a buck, are having a hard time doing so.

    This is a phishing technique that can be used to get a username/password from like a credit card or bank website, but that's about it. You'd be hard pressed to get this to compromise a local machine, although I'm interested in what would happen if someone tried calling a local zone page (like a help file) and then executing the javascript from that page. There was a similar exploit that used this delayed tactic last year that Microsoft didn't fix for probably 3 months. It was a 0-day exploit too, it was found in the wild, spreading via IRC, before anyone reported the vulnerability.
    • In short, Microsoft finally got something right, and those that are in IT security for the sole reason of bashing MS to make a buck, are having a hard time doing so.

      Microsoft hasn't fixed the underlying problem, which is that a web browser or a component used by a web browser has no business providing a mechanism by which a web page can even request the execution of a downloaded native-code applet or scripts with local file access. That capability should not even be in the HTML display control.

      That way i
    • I'm interested in what would happen if someone tried calling a local zone page (like a help file) and then executing the javascript from that page.

      As far as the computer is concerned, the Javascript is executing in the context of the malicious page, and whatever security applies to that page applies to the Javascript. The idea you have is a non-issue.

      The vulnerability being discussed is that it's not clear to the user that the popup that executes is from the malicious page. You can't use this t

  • And all this time I thought JS Popups were a flaw all by themselves.
  • by greed ( 112493 ) on Friday June 24, 2005 @09:38AM (#12900520)
    Firefox and Mozilla, and probably any other Gecko-based browsers, have a way of disabling the disabling of various UI elements when JavaScript opens a window. I found this in another Slashdot thread last year, but forgot which one.

    Open about:config [about]. You'll probably have to type that, Mozilla won't follow it from an http: URL.

    Key in dom.disable_window_open_feature as a filter.

    Change the value for location to true. In Firefox, just double-click the false and it will toggle. Mozilla you need to edit it and actually type in all four letters of true. (But I'm happier with the Mozilla suite at the office, so I live with it.)

    Change any other values to true that you feel like; I'd be inclined to do status, resizable, close and menubar at a minimum.

    Now the location will be visible in any pop-up window.

    So the very first thing the Moz group should do is default some of this stuff to true instead of pander to controlling webmasters who want to take over the user's computer. I mean false.

    • This is true, but the security flaw is about opening JavaScript dialog boxes, not new browser windows.

      For goodness sakes, the referenced article even had a test you could run on your own. You would have seen first-hand that your idea, while correct, doesn't address this problem at all.
  • this "vulnerability" is like saying a banking company has a security vulnerability because some peon is pretending to be the CEO

    mod +1 next story please
  • by anthm ( 894202 )
    It may be possible for JavaScript to help evil-doers but it's up to the implementer of the Application using the engine to avoid that, not the language or its core developers. If every invention that could potentially be used for evil was struck down there would be nothing left. JavaScript can do plenty of good and the developers of the open source engines have gone out of their way to make it well documented, embeddable and extensible so you can add it to almost anything that needs a little help with a la
  • by slashkitty ( 21637 ) on Friday June 24, 2005 @10:00AM (#12900728) Homepage
    Firefox has a nice setting to open new windows in tabs. This trick did not work at all on me, because any new window created has the full url and toolbar. It was very easy to see it was not google.

    On another note, when will sites stop relying on freaking popup windows. Besides being blocked by many normal people, they are a real pain and always seem to have bugs associated with them. If you can't design your website to a full browser window, you shouldn't be designing websites!

  • "Major Browsers Have JS Pop-Up Flaw"

    They sure do! ..... They implement it! ;)
  • by zr-rifle ( 677585 ) <`zedr' `at' `zedr.com'> on Friday June 24, 2005 @10:09AM (#12900808) Homepage
    I tried it out on Konqueror 3.4.0 and it is also affected. The only minor change is a blank popup window opening together with the javascript query.
  • by crovira ( 10242 ) on Friday June 24, 2005 @10:17AM (#12900885) Homepage
    A dialog box is 'owned' and drops down modally on top of the window that 'owns' it.

    A new window is a new window and opens below (if there's room) and to the right (if there's room) of the requesting object window regardless of the amount of gadgetry on it (like title bars, buttons, window styles.)

    It's always possible to fool somebody and they'll possibly be fooled into revealing their personal data, but eventually the problem will take care of itself when these people are bust-ass broke and smothered in spam.

    There's only so much people can do with a stateless environment. This would be a problem regardless of the language used (both computing & human), the browser used or the platform used (both hardware & software.)

    At some point, people will realize this and stop trying to do the impossible.

    Transactions are 'transactions'. That means that they have a 'commit point,' which means that they need a state engine which runs from the beginning of the process to the end of the process.

    And yes, it CAN be done over the internet over a secure connection. But the control has to shift to the transaction machine while the transaction is going on. Neither you nor anyone else should ever be able to spawn a new GUI window while the transaction is happening.
  • Lynx Rocks! (Score:2, Funny)

    by ehaggis ( 879721 )
    These security flaws do not seem to affect Lynx as often. I rarely have a new terminal "pop-up" while browsing with Lynx.
  • The problem is that JavaScript dialog boxes do not display or include their origin,

    I can assure you that even if they did contain their origin, it would still not make much of a difference--most users wouldn't bother to look.

    Maybe what we need is a secure web standard, something that runs only over https, uses strict XHTML, dispenses with JavaScript, pop-ups, frames, and popups, and is used for banking and similar applications. Preferably, that should be a separate browser.
  • Connect the Dots (Score:4, Interesting)

    by Doc Ruby ( 173196 ) on Friday June 24, 2005 @10:41AM (#12901128) Homepage Journal
    I want a window manager that draws lines between parent/child windows, parent/child processes. While we're at it, how about one that lets me click one window, then drag all the windows in the group as one, maintaining relative position? Yeah, I want to drag windows around, and save their positions with the window manager, then open that state with a single click on a desktop menu. While we're at it, I want the groups to include arbitrary windows from multiple apps. So I can open a "workplace", and immediately begin working in a familiar environment. If this works, how about letting me drag a line from any window to another, piping STDIN/OUT/ERR between processes? If I can minimize the windows into icons, my window manager is now a visual programming environment. Which, to come full circle, could let me as a user tell by looking which info is tainted by which untrusted windows and datapaths, including innocent-looking JS popup windows.
  • by 93 Escort Wagon ( 326346 ) on Friday June 24, 2005 @10:56AM (#12901280)
    I know, I know, I must be new here. But it was a very short article, and right near the bottom it says this (bold text is mine):

    "Once these things are discovered, there's a rush as everyone tries to fix the problem," Christen Krogh, Opera's vice president of engineering said.

    Krogh also pointed out that Secunia had rated the vulnerability as "less critical."

    "This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.


    So what does this tell us?

    - The folks somehow blaming Opera for this announcement obviously didn't read past the first couple of paragraphs of this very short article.

    - The folks who are saying "JavaScript is bad" obviously didn't read... okay I'm sure they just saw the word "JavaScript" and went off from there anyway. Hey, guys, enjoy your static black text on white background pages - and we'll see you in the unemployment line. Any ideas on how to manipulate the DOM without JavaScript?

    - While I agree MS shouldn't blow this off, they're probably still busy patching some of those more critical problems [eeye.com].

    - Once again, end user education is probably the answer.
