Few Browsers Safe from Latest Spoofing Flaw Flaw Could Lead to Phishing Attacks Sean Michael Kerner
Microsoft Internet Explorer isn't the only browser hit by a spoofing flaw that could be exploited by phishers. But it also won't be releasing a patch for it anytime soon.
According to Secunia Research, IE, Mozilla Firefox, Opera, and Apple Safari all have a similar "flaw" related to their use of JavaScript (define) dialog boxes.
"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open, e.g. a prompt dialog box, which appears to be from a trusted site," a Secunia advisory states. A malicious site could potentially trick a user into disclosing personally identifiable information that could then be used for fraudulent purposes.
To further back its claim, Secunia has posted a proof-of-concept test of how the exploit works.
In a security advisory issued yesterday by Microsoft, the potential exploit was described as a potential issue relating to user confusion with the overlapping browser windows.
"Common to various browsers, including Internet Explorer, it is possible to have multiple, overlapping browser windows," Microsoft's advisory states. "An attacker could arrange windows in such a way as to trick users into thinking that an unidentified dialog or pop-up window is trustworthy when it is in fact fraudulent."
Microsoft does not plan on issuing a security update to address the dialog box threat.
"This is an example of how current standard Web browser functionality could be used in phishing attempts," the Microsoft advisory states.
As of press time no advisory on the issue had been posted on Mozilla's security site.
