Secunia: tabbed browsers can disclose confidential info

“New vulnerabilities in virtually every non-Internet Explorer browser give hackers a way to hijack confidential data entered into Web sites, a security firm warned late Wednesday,” TechWeb reports.

“The flaws, which affect the Mozilla/Firefox family of browsers, Opera, Apple’s Safari, AOL’s Netscape, and the Linux-based Konqueror, open up a spoofing avenue that attackers can exploit to rip off information, said Secunia in an advisory,” TechWeb reports. “All these browsers offer tabbed windows, a feature that lets users quickly load multiple pages or Web sites, then flip between them. Unfortunately, the vulnerabilities allow hackers to launch dialog boxes from one tabbed window but make it seem as if it’s actually appearing in another. The other bug allows a site open in one tab to grab information typed into forms on a site open in a second.”

“The hack needs some help from the user, said Secunia. ‘Successful exploitation would normally require that a user is tricked into opening a link from a malicious Web site to a trusted Web site in a new tab,’ the alert read in part,” TechWeb reports. “Among the affected browsers are Mozilla 1.7.2 and 1.7.3, Firefox 0.10.1, Opera 6.x and Opera 7.x, Safari 1.x, Netscape 7.x, and Konqueror 3.x.”

Full article here.

33 Comments

  1. Just for information:
    This works in every non-tabbed browser as well. Just tested with IE 5.2.3 on Mac. Just open the link in a new window. When you fill in the info in the testbox, the info will show up on the test page as well.

  2. I think this is just another attempt to discredit everything that doesn’t come from M$.

    Are you sure that Secunia employees are not on MS’s payroll?

  3. Just turn off JavaScript; this will defeat the mentioned vulnerability.

    The web is getting to be a dangerous place. Try to travel in the safe neighborhoods, and try not to stray too far from the highway in strange cities.

    zac

  4. Amazing no one had discovered that flaw until now. I don’t think I would ever fall for that, but I bet a lot of people would if the message on the dialog box looked relevant and official enough.

    rogozhin, the “block pop-up windows” setting has no effect on this; the flaw is based on dialog boxes, not pop-up windows.

  5. I agree with you on that. I had a feeling for a while about this.
    Like I’m gonna check my online bank while surfing the porn sites… well, I guess some people might want to check their balance before paying for that all access pass.

  6. Sounds to me that the simple solution is to only have one tab when viewing any site that you enter personal info in, right? It doesn’t matter. I’m betting Apple releases a fix by the end of the day today.

  7. Actually, while it doesn’t affect tabbed browsing in Safari, the flaw “works” just fine when you open new windows, and lots of people surf by opening multiple windows instead of using tabs. And in Firefox and Netscape tabbed browsing is indeed affected.

    It is a genuine potential security flaw, but I’m sure we’ll see patches very soon.

  8. Don’t let Secunia fool you. I found the same flaw in Internet Explorer 5.2 (for Mac) when running the “Dialog Box Spoofing Vulnerability” test.

    So IE is not immune to this.

  9. Cool, Safari does the expected behavior when using tabs, and honestly, I don’t see anything particularly flawed about this, except that Safari has two types of dialogs for javascript dialogs…. one attached to the window and an application modal one. If they forced Safari to use a sheet for the Javascript prompt() function, then you’d *need* to switch to the calling window/tab in order to fill in the information. All Mac browsers (except for IE) could follow this behavior and the problem would be solved. OS X already has the solution…. attaching a dialog to the window it belongs with, which is the root of the problem. Windows has no such interface elements, so all browsers are vulnerable over there.

  10. ed, I stand corrected. You’re absolutely right; I wasn’t paying attention to the issue Secunia was actually talking about. Guess that makes me the first person in the history of the internet to go spouting off about something, without knowing what I’m talking about!!

  11. Why is it that when I only hover my mouse over the link (without clicking anything) the javascript box pops up and I haven’t opened any Tab or Window?
    (Using Safari 1.2.3 v125.9)

    Has anybody tried the flaw on some other site other than the Secunia one?
