Welcome Guest. | Log In| Register | Membership Benefits
June 21, 2005 (2:31 PM EDT)

IE, Firefox Spoofable, Again

By TechWeb Technology News

Internet Explorer and Firefox -- even the newest edition that's getting ready for release -- can be spoofed by hackers intent on stealing passwords or other confidential information, a security firm said Tuesday.

According to Danish vulnerability tracker Secunia, Microsoft's Internet Explorer, Mozilla's Firefox, and virtually every other popular browser could be used by malicious Web site to display bogus Java dialog boxes atop legitimate sites.

"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open -- a prompt dialog box -- which appears to be from a trusted site," read the alert that Secunia posted.

An exploit requires that the user first visit a malicious site -- perhaps enticed there via e-mail or instant message -- that includes a link to a legit, trusted site, say an online banking portal. By leveraging the JavaScript bug, the attacker could display a fake password dialog, and trick the user into entering her account information.

Secunia has created a vulnerability test that users can quickly run to see if their browser is open to such a spoof.

Not only does the vulnerability exist in up-to-date editions of Internet Explorer, Firefox, Mozilla, Camino, Opera, and Safari, but it also affects the not-yet-released Firefox 1.0.5, which is in the last stages of testing.

"We expect a Firefox 1.0.5 release in the not too distant future," the quality control blog for Firefox read Tuesday. "We'd appreciate any help you all can offer by downloading and testing out these new bits."

It was expected that Firefox 1.0.5 would fix the frame insertion bug that crept back into the open-source browser's code, a gaffe that made news earlier in June.

Would 1.0.5 also fix this news flaw?

"We'll be taking a look at the vulnerability, and deciding whether it makes sense to put [a fix] in 1.0.5," said a Mozilla spokesman. "Firefox security is an ongoing process."

The spokesman wouldn't comment on whether any inclusion of a fix for the new vulnerability -- which Secunia rates as only a "less critical" threat -- would delay the appearance of 1.0.5, but said that the builds now available "were mostly for the development community. The release of 1.0.5 is a ways off."

Firefox 1.0.5 can be downloaded in its not-finished Windows, Mac, and Linux editions from the Mozilla Web site.


CAREER CENTER
Ready to take that job and shove it?
SEARCH
Function:

Keyword(s):

State:
SPONSOR
RECENT JOB POSTINGS
CAREER NEWS
10 Search Engines You Don't Know About
Go beyond Google and get vertical. These specialized search sites will help you find the business information you need -- fast.

Yahoo Profits Fall 23%, Cuts 1,000 Jobs
Ari Balogh was named to the post of chief technology officer as the companys for a "realignment" of employees.

More Articles From Our Career Center

Advertisement


TechSearch for related stories



Specialty Resources

Featured Microsite


Microsites

Featured Topic

Additional Topics

Crush The Competition

TechWeb's FREE e-mail newsletters deliver the news you need to come out on top.

Techencyclopedia

Get definitions for more than 20,000 IT terms.

Techwebcasts

Editorial and vendor perspectives


Vendor Resources


Focal Points