Free Republic

IE, Firefox Spoofable, Again
Yahoo News ^ | 21 June 2005 | Unknown

Posted on 06/22/2005 10:44:40 AM PDT by ShadowAce

Internet Explorer and Firefox -- even the newest edition that's getting ready for release -- can be spoofed by hackers intent on stealing passwords or other confidential information, a security firm said Tuesday.

According to Danish vulnerability tracker Secunia, Microsoft's Internet Explorer, Mozilla's Firefox, and virtually every other popular browser could be used by a malicious Web site to display bogus Java dialog boxes atop legitimate sites.

"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open -- a prompt dialog box -- which appears to be from a trusted site," read the alert that Secunia posted.

An exploit requires that the user first visit a malicious site -- perhaps enticed there via e-mail or instant message -- that includes a link to a legit, trusted site, say an online banking portal. By leveraging the JavaScript bug, the attacker could display a fake password dialog, and trick the user into entering her account information.

Secunia has created a vulnerability test that users can quickly run to see if their browser is open to such a spoof.

Not only does the vulnerability exist in up-to-date editions of Internet Explorer, Firefox, Mozilla, Camino, Opera, and Safari, but it also affects the not-yet-released Firefox 1.0.5, which is in the last stages of testing.

"We expect a Firefox 1.0.5 release in the not too distant future," the quality control blog for Firefox read Tuesday. "We'd appreciate any help you all can offer by downloading and testing out these new bits."

It was expected that Firefox 1.0.5 would fix the frame insertion bug that crept back into the open-source browser's code, a gaffe that made news earlier in June.

Would 1.0.5 also fix this new flaw?

"We'll be taking a look at the vulnerability, and deciding whether it makes sense to put [a fix] in 1.0.5," said a Mozilla spokesman. "Firefox security is an ongoing process."

The spokesman wouldn't comment on whether any inclusion of a fix for the new vulnerability -- which Secunia rates as only a "less critical" threat -- would delay the appearance of 1.0.5, but said that the builds now available "were mostly for the development community. The release of 1.0.5 is a ways off."

Firefox 1.0.5 can be downloaded in its not-finished Windows, Mac, and Linux editions from the Mozilla Web site.


TOPICS: Technical
KEYWORDS: browser; firefox; ie; spoof
To: atomic_dog
Added that puppy a couple weeks ago.

Works like a charm, and I was amazed to see how many scripts were being caught...

21 posted on 06/22/2005 11:11:05 AM PDT by Damocles ("This young century will be Liberty's century" - President Bush)
[ Post Reply | Private Reply | To 10 | View Replies]

To: Blood of Tyrants

Could be. It takes a tiny tuning but works great for me.


22 posted on 06/22/2005 11:11:13 AM PDT by atomic_dog
[ Post Reply | Private Reply | To 14 | View Replies]

To: kevkrom
Typical shoddy tech reporting... they say it's a Java problem, and then talk about a JavaScript exploit. JavaScript is to Java as Velveeta is to Cheddar.

I was about to bring that up, but I like your analogy better. Just about the only thing that JavaScript and Java have in common is that they both have 'Java' in the name. Thus, the confusion.

23 posted on 06/22/2005 11:19:04 AM PDT by SpottedBeaver
[ Post Reply | Private Reply | To 19 | View Replies]

To: ShadowAce

Works on Firefox 1.0.4, but I do get an obviously suspicious small blank window before the dialog comes up to ask for my password.

We'll be seeing these things as long as we're working on HTTP and JavaScript, neither of which were really designed with security in mind.


24 posted on 06/22/2005 11:36:20 AM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 1 | View Replies]

bump for later


25 posted on 06/22/2005 11:39:01 AM PDT by csvset
[ Post Reply | Private Reply | To 1 | View Replies]

I'm beginning to wonder if Secunia is a security firm or a hacker educational service.


26 posted on 06/22/2005 12:03:13 PM PDT by D-fendr
[ Post Reply | Private Reply | To 23 | View Replies]

To: ShadowAce

bttt


27 posted on 06/22/2005 12:19:12 PM PDT by MJY1288 ("Dingy" Harry Reid & "Disturbed" Durbin are a Waste of Tax Payers Money)
[ Post Reply | Private Reply | To 1 | View Replies]

To: antiRepublicrat
...but I do get an obviously suspicious small blank window before the dialog comes up to ask for my password.

I noticed the same thing in Opera (ver 7.50). The reporting website recommends a particular fix which I have not investigated yet, or simply upgrading to the latest browser version. I will probably do the new version download today a bit later on...

28 posted on 06/22/2005 1:08:52 PM PDT by Utilizer (WinDoze "XXX"ES. Adult-rated, ready 4 the desktop! It STILL sucks -but you need us to tell you that?)
[ Post Reply | Private Reply | To 24 | View Replies]

To: Zuben Elgenubi

Why would one want to turn off Java? Just curious. Thanks


29 posted on 06/22/2005 2:23:05 PM PDT by ncpatriot
[ Post Reply | Private Reply | To 8 | View Replies]

To: ShadowAce

Wow, I'm shocked, shocked, shocked to find that FireFox has ... gasp ... the same security flaws as IE. So much for the million eyeballs make better security theory... /SARCASM


30 posted on 06/22/2005 8:51:03 PM PDT by Bush2000 (Linux -- You Get What You Pay For ... (tm)
[ Post Reply | Private Reply | To 2 | View Replies]

To: ncpatriot
Why would one want to turn off Java? Just curious. Thanks

Let's distinguish between Java and JavaScript. Java is a bytecode-oriented virtual machine; that is, code is "compiled" into a kind of intermediate bytecode that can be literally compiled (or JITed) at runtime. Whereas, JavaScript is an interpreted script engine that bears no resemblance to Java. JavaScript is a marketing term adopted by Netscape in order to leverage the one-time popularity of Java.

That said, the Java VM is pretty bloated. It takes a long time to spin the thing up and, when you do, it's a memory-sucking pig. Because of this, few web pages use client-side Java (other than research-y or lame websites).

There have been a lot of vulnerabilities found in scripting engines (particularly, JavaScript and VBScript) -- and in the browser objects that they manipulate (i.e. cross-site scripting: stealing info from sites within another browser frameset, security vulnerabilities that allow privilege escalations, etc).

To be much safer on the Web, turn off both Java and JavaScript. But your experience won't be as rich. You won't get the same interactivity.
31 posted on 06/22/2005 8:58:51 PM PDT by Bush2000 (Linux -- You Get What You Pay For ... (tm)
[ Post Reply | Private Reply | To 29 | View Replies]

To: Bush2000
Would this also then blow up the theory that paid experts at Microsoft can produce a more secure product than a hand full of guys doing things in their spare time?
32 posted on 06/23/2005 4:34:45 AM PDT by N3WBI3 (I musta taken a wrong turn at 198.182.159.17)
[ Post Reply | Private Reply | To 30 | View Replies]

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...
IE pop-up spoof won't get patch
33 posted on 06/24/2005 9:40:07 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce
Although the pop-ups could be used by attackers, overlaying multiple windows in a Web browser is a feature, not a vulnerability, according to an advisory posted Tuesday on Microsoft's TechNet Web site.

Can't say I much disagree with him on this, the browser is doing exactly what it was designed to do. That being said, there should be a patch which gives the user some indication of where that window is from!

Opera has said that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.

I'm a FF user myself but kudos to the good folks at operasoft..

34 posted on 06/24/2005 9:49:37 AM PDT by N3WBI3 (I musta taken a wrong turn at 198.182.159.17)
[ Post Reply | Private Reply | To 33 | View Replies]

To: N3WBI3
That being said, there should be a patch which gives the user some indication of where that window is from!

Couldn't agree more.

35 posted on 06/24/2005 9:52:29 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 34 | View Replies]

To: N3WBI3

Does the "NoScript" Extension in Firefox take care of this?

https://addons.mozilla.org/extensions/?application=firefox

I just installed it yesterday, and it seemed to crash FireFox when I had the "Auto Reload Page after permission change" turned on.


36 posted on 06/24/2005 10:07:01 AM PDT by Craigon
[ Post Reply | Private Reply | To 6 | View Replies]

To: Craigon

Whoops, I see someone already answered my question on NoScript above...


37 posted on 06/24/2005 10:08:09 AM PDT by Craigon
[ Post Reply | Private Reply | To 36 | View Replies]

To: Craigon

I would think you're better off just turning off java scripting


38 posted on 06/24/2005 10:27:04 AM PDT by N3WBI3 (I musta taken a wrong turn at 198.182.159.17)
[ Post Reply | Private Reply | To 36 | View Replies]

To: N3WBI3
Would this also then blow up the theory that paid experts at Microsoft can produce a more secure product than a hand full of guys doing things in their spare time?

You're saying a "hand full of guys" put together FireFox? Is that your story now?
39 posted on 06/24/2005 1:45:59 PM PDT by Bush2000 (Linux -- You Get What You Pay For ... (tm)
[ Post Reply | Private Reply | To 32 | View Replies]

To: Bush2000

Firefox has very few core developers when compared to IE


40 posted on 06/24/2005 1:49:15 PM PDT by N3WBI3 (I musta taken a wrong turn at 198.182.159.17)
[ Post Reply | Private Reply | To 39 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
