Posted on 06/22/2005 10:44:40 AM PDT by ShadowAce
Internet Explorer and Firefox -- even the newest edition that's getting ready for release -- can be spoofed by hackers intent on stealing passwords or other confidential information, a security firm said Tuesday.
According to Danish vulnerability tracker Secunia, Microsoft's Internet Explorer, Mozilla's Firefox, and virtually every other popular browser could be used by a malicious Web site to display bogus Java dialog boxes atop legitimate sites.
"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open -- a prompt dialog box -- which appears to be from a trusted site," read the alert that Secunia posted.
An exploit requires that the user first visit a malicious site -- perhaps enticed there via e-mail or instant message -- that includes a link to a legit, trusted site, say an online banking portal. By leveraging the JavaScript bug, the attacker could display a fake password dialog, and trick the user into entering her account information.
Secunia has created a vulnerability test that users can quickly run to see if their browser is open to such a spoof.
Not only does the vulnerability exist in up-to-date editions of Internet Explorer, Firefox, Mozilla, Camino, Opera, and Safari, but it also affects the not-yet-released Firefox 1.0.5, which is in the last stages of testing.
"We expect a Firefox 1.0.5 release in the not too distant future," the quality control blog for Firefox read Tuesday. "We'd appreciate any help you all can offer by downloading and testing out these new bits."
It was expected that Firefox 1.0.5 would fix the frame insertion bug that crept back into the open-source browser's code, a gaffe that made news earlier in June.
Would 1.0.5 also fix this new flaw?
"We'll be taking a look at the vulnerability, and deciding whether it makes sense to put [a fix] in 1.0.5," said a Mozilla spokesman. "Firefox security is an ongoing process."
The spokesman wouldn't comment on whether any inclusion of a fix for the new vulnerability -- which Secunia rates as only a "less critical" threat -- would delay the appearance of 1.0.5, but said that the builds now available "were mostly for the development community. The release of 1.0.5 is a ways off."
Firefox 1.0.5 can be downloaded in its not-finished Windows, Mac, and Linux editions from the Mozilla Web site.
Works like a charm, and I was amazed to see how many scripts were being caught...
Could be. It takes a tiny tuning but works great for me.
I was about to bring that up, but I like your analogy better. Just about the only thing that JavaScript and Java have in common is that they both have 'Java' in the name. Thus, the confusion.
Works on Firefox 1.0.4, but I do get an obviously suspicious small blank window before the dialog comes up to ask for my password.
We'll be seeing these things as long as we're working on HTTP and JavaScript, neither of which were really designed with security in mind.
bump for later
I'm beginning to wonder if Secunia is a security firm or a hacker educational service.
bttt
I noticed the same thing in Opera (ver 7.50). The reporting website recommends a particular fix which I have not investigated yet, or simply upgrading to the latest browser version. I will probably do the new version download today a bit later on...
Why would one want to turn off Java? Just curious. Thanks
Wow, I'm shocked, shocked, shocked to find that FireFox has ... gasp ... the same security flaws as IE. So much for the million eyeballs make better security theory... /SARCASM
Can't say I much disagree with him on this; the browser is doing exactly what it was designed to do. That being said, there should be a patch which gives the user some indication of where that window is from!
Opera has said that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.
I'm a FF user myself, but kudos to the good folks at operasoft..
Couldn't agree more.
Does the "NoScript" Extension in Firefox take care of this?
https://addons.mozilla.org/extensions/?application=firefox
I just installed it yesterday, and it seemed to crash FireFox when I had the "Auto Reload Page after permission change" turned on.
Whoops, I see someone already answered my question on NoScript above...
I would think you're better off just turning off java scripting
Firefox has very few core developers when compared to IE