June 23, 2005 4:35 PM PDT

IE pop-up spoof won't get patch

Related Stories

Pop-up vulnerability found in major browsers

June 22, 2005
Microsoft does not plan to update Internet Explorer to prevent a spoofing attack that could trick users into giving out personal information to hackers.

In the attack, JavaScript is used to display a pop-up window in front of a trusted Web site. The pop-up appears to be part of the legitimate site, but actually is linked to a different, malicious site. A user might be fooled into sending personal information to the scammers.

Although the pop-ups could be used by attackers, overlaying multiple windows in a Web browser is a feature, not a vulnerability, according to an advisory posted Tuesday on Microsoft's TechNet Web site.

"This is an example of how current standard Web browser functionality could be used in phishing attempts," Microsoft said in the advisory.

Phishing is a prevalent type of online fraud that attempts to steal sensitive information such as usernames, passwords and credit card numbers. The schemes typically combine spam e-mail and fraudulent Web pages that look like legitimate sites.

Earlier this week, security monitoring company Secunia warned of the browser problem and rated it "less critical." The issue affects most major browsers, Secunia said.

The problem is that JavaScript dialog boxes do not display or include their origin. For an attack to occur, a user would have to visit a malicious Web site or click on a link before going to a trusted site, such as that of a bank. The attacker could then overlay part of the trusted site with a window asking for data such as a user name and password. Information entered would go to the attacker, instead of the bank.

Firefox developers at the Mozilla Foundation have been making moves to combat this kind of attack. In April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they came from trusted sites.

Opera has said that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.

Graeme Wearden of ZDNet UK contributed to this report.

18 comments

Join the conversation!
Add your comment (Log in or register)
Security, security, security, security...
This is exactly why I don't use IE anymore. Microsoft won't address these issues and I am not about to compromise my computer. FIREFOX RULES!!!
Posted by newrican (8 comments )
Reply Link Flag
Are you serious?
<a class="jive-link-external" href="http://secunia.com/advisories/15489/" target="_newWindow">http://secunia.com/advisories/15489/</a>
Posted by KTLA_knew (378 comments )
Link Flag
Security, security, security, security...
This is exactly why I don't use IE anymore. Microsoft won't address these issues and I am not about to compromise my computer. FIREFOX RULES!!!
Posted by newrican (8 comments )
Reply Link Flag
Are you serious?
<a class="jive-link-external" href="http://secunia.com/advisories/15489/" target="_newWindow">http://secunia.com/advisories/15489/</a>
Posted by KTLA_knew (378 comments )
Link Flag
As far as I know....
firefox already has a way to prevent this from happening. If I'm not mistaken, the article said that the latest version of firefox allows users to check the origin of a script to see if it's trusted, something which microsoft has failed to do.
Posted by (41 comments )
Reply Link Flag
As far as I know....
firefox already has a way to prevent this from happening. If I'm not mistaken, the article said that the latest version of firefox allows users to check the origin of a script to see if it's trusted, something which microsoft has failed to do.
Posted by (41 comments )
Reply Link Flag
Missed the Bus
Start running maybe you can catch it.
Posted by (2 comments )
Reply Link Flag
Missed the Bus
Start running maybe you can catch it.
Posted by (2 comments )
Reply Link Flag
The state of denial
The problem here is that the exploit can be used to create a
dialog box (via javascript) that can appear like any other normal
OS system level dialog box, not just a classic browser pop-
window window.

How it is MS cannot understand why this is a problem is beyond
comprehension. These guys just don't get it, and it doesn't bode
well for the average fellow with allusions that MS is actually
doing something about software security. Unfortunately, that
person will learn the hard way, whereas the more enlightened
among us have already ditched the MS Windows platform -
which is actually quite easy to do.

For those that choose to remain bound to MS Windows, you get
to read this <a class="jive-link-external" href="http://www.microsoft.com/technet/security/" target="_newWindow">http://www.microsoft.com/technet/security/</a>
advisory/902333.mspx and wonder why you should expect a
dialog box that appears onscreen as a regular OS level dialog
box should have an address bar and/or lock icon.
Posted by Terry Murphy (83 comments )
Reply Link Flag
The state of denial
The problem here is that the exploit can be used to create a
dialog box (via javascript) that can appear like any other normal
OS system level dialog box, not just a classic browser pop-
window window.

How it is MS cannot understand why this is a problem is beyond
comprehension. These guys just don't get it, and it doesn't bode
well for the average fellow with allusions that MS is actually
doing something about software security. Unfortunately, that
person will learn the hard way, whereas the more enlightened
among us have already ditched the MS Windows platform -
which is actually quite easy to do.

For those that choose to remain bound to MS Windows, you get
to read this <a class="jive-link-external" href="http://www.microsoft.com/technet/security/" target="_newWindow">http://www.microsoft.com/technet/security/</a>
advisory/902333.mspx and wonder why you should expect a
dialog box that appears onscreen as a regular OS level dialog
box should have an address bar and/or lock icon.
Posted by Terry Murphy (83 comments )
Reply Link Flag
Firefox already fixed
Mozilla Firefox browser already has a fix for this in their latest nightly test builds that will become Firefox 1.0.5 soon. So we now again see how Microsoft doesn't care about security and their customers. Anyone that is smart enough has already switched to better and more secure browsers like Firefox, Mozilla, Opera, Safari.
Posted by JLP (38 comments )
Reply Link Flag
Firefox already fixed
Mozilla Firefox browser already has a fix for this in their latest nightly test builds that will become Firefox 1.0.5 soon. So we now again see how Microsoft doesn't care about security and their customers. Anyone that is smart enough has already switched to better and more secure browsers like Firefox, Mozilla, Opera, Safari.
Posted by JLP (38 comments )
Reply Link Flag
IE pop-up spoof won't get patch
I think that about 80% of PC Security problems could be solved by education, and insuring User Responsibility! If someone came to your door, pretending to be from the local bank, and asked these people to give out the kind of personal information that they aare willing to share with the world (via a web site), I bet that they would think twice? Maybe (for these people) we need to supply PC operating systems with a WARNING - like you see on the TV lately: "Warning - using the following Email program can be dangerous to your Personal Security!!!!" - or some such message.
"Do not proceed if you do not know what you are doing."
....that's my take anyway,
...Steve
Posted by stevezd (9 comments )
Reply Link Flag
It is not a bug, it is a feature.
Only MS would be arrogant enough to not try to put in tools to help the average Joe figure out if that pop-up is legit or not. There is a reason why IE and other MS apps are stagnant and losing market share and why MS stock is stagnant at best. They think they can continue to pinch off a loaf and people will flock to the stores to buy it, even though it is crap. While a few massively boneheaded MS fans will still do that, more and more people are getting hip to the fact that MS makes their computing life harder and are moving away from them.

Everytime I think they are finally on the slow road to respectibility, they go and do something stupid like this. If you are going to cater to those who don't understand computers, you better damn well make it secure out of the box and super easy to use in a productive and secure manner. MS fails on both counts. It may not be a true bug, but the can add in a few small features to make it easier for folk to avoid problems. IE is already bloated beyond repair, what harm is a few kb going to cause?
Posted by Bill Dautrive (1180 comments )
Link Flag
IE pop-up spoof won't get patch
I think that about 80% of PC Security problems could be solved by education, and insuring User Responsibility! If someone came to your door, pretending to be from the local bank, and asked these people to give out the kind of personal information that they aare willing to share with the world (via a web site), I bet that they would think twice? Maybe (for these people) we need to supply PC operating systems with a WARNING - like you see on the TV lately: "Warning - using the following Email program can be dangerous to your Personal Security!!!!" - or some such message.
"Do not proceed if you do not know what you are doing."
....that's my take anyway,
...Steve
Posted by stevezd (9 comments )
Reply Link Flag
It is not a bug, it is a feature.
Only MS would be arrogant enough to not try to put in tools to help the average Joe figure out if that pop-up is legit or not. There is a reason why IE and other MS apps are stagnant and losing market share and why MS stock is stagnant at best. They think they can continue to pinch off a loaf and people will flock to the stores to buy it, even though it is crap. While a few massively boneheaded MS fans will still do that, more and more people are getting hip to the fact that MS makes their computing life harder and are moving away from them.

Everytime I think they are finally on the slow road to respectibility, they go and do something stupid like this. If you are going to cater to those who don't understand computers, you better damn well make it secure out of the box and super easy to use in a productive and secure manner. MS fails on both counts. It may not be a true bug, but the can add in a few small features to make it easier for folk to avoid problems. IE is already bloated beyond repair, what harm is a few kb going to cause?
Posted by Bill Dautrive (1180 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

Inside CNET News

1-2 of 12

Scroll Left Scroll Right

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

Markets

Market news, charts, SEC filings, and more

Related quotes

Microsoft (0.03%) 0.01 30.50
Dow Jones Industrials (0.41%) 52.22 12,853.45
S&P 500 (0.46%) 6.15 1,348.79
NASDAQ (0.62%) 17.86 2,921.74
CNET TECH (0.53%) 10.71 2,042.73
  Symbol Lookup