June 23, 2005 4:35 PM PDT
IE pop-up spoof won't get patch
By
Joris Evers
Staff Writer, CNET News
Microsoft does not plan to update Internet Explorer to prevent a spoofing attack that could trick users into giving out personal information to hackers.
In the attack, JavaScript is used to display a pop-up window in front of a trusted Web site. The pop-up appears to be part of the legitimate site, but actually is linked to a different, malicious site. A user might be fooled into sending personal information to the scammers.
Although the pop-ups could be used by attackers, overlaying multiple windows in a Web browser is a feature, not a vulnerability, according to an advisory posted Tuesday on Microsoft's TechNet Web site.
"This is an example of how current standard Web browser functionality could be used in phishing attempts," Microsoft said in the advisory.
Phishing is a prevalent type of online fraud that attempts to steal sensitive information such as usernames, passwords and credit card numbers. The schemes typically combine spam e-mail and fraudulent Web pages that look like legitimate sites.
Earlier this week, security monitoring company Secunia warned of the browser problem and rated it "less critical." The issue affects most major browsers, Secunia said.
The problem is that JavaScript dialog boxes do not display or include their origin. For an attack to occur, a user would have to visit a malicious Web site or click on a link before going to a trusted site, such as that of a bank. The attacker could then overlay part of the trusted site with a window asking for data such as a user name and password. Information entered would go to the attacker, instead of the bank.
Firefox developers at the Mozilla Foundation have been making moves to combat this kind of attack. In April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they come from trusted sites.
Opera has said that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.
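The two mitigations described above (Firefox blocking pop-ups unless they come from a trusted site, and Opera labelling a pop-up with its origin) both hinge on one decision: which origin a dialog request actually comes from, compared exactly rather than by substring. The following is an added example, not code from the article, Microsoft, Mozilla or Opera, that models that decision in plain JavaScript; the function names, the allowlist and the three sample requests are constructed for illustration.

```javascript
// Added example (not from the article or any browser vendor): a model of how a
// browser could decide whether a JavaScript dialog request is allowed and how it
// could label the dialog with the requesting page's origin.
// Function names, sample URLs and the allowlist below are constructed.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin (scheme://host[:port]): host lowercased, default
// port dropped. Throws on unparsable input so a malformed URL is never trusted.
function originOf(url) {
  const u = new URL(url);
  if (!(u.protocol in DEFAULT_PORTS)) {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  const port =
    u.port === "" || u.port === DEFAULT_PORTS[u.protocol] ? "" : `:${u.port}`;
  return `${u.protocol}//${u.hostname.toLowerCase()}${port}`;
}

// Exact-origin comparison. "https://bank.example" must not match
// "https://bank.example.attacker.test" (a suffix/substring trap) nor
// "http://bank.example" (a different scheme).
function isTrustedOrigin(url, trustedOrigins) {
  let origin;
  try {
    origin = originOf(url);
  } catch {
    return false;
  }
  return trustedOrigins.some((t) => originOf(t) === origin);
}

// Decide what to do with a dialog request raised by a script loaded from
// `scriptUrl`. Returns { allowed, text }; `text` is the labelled message a
// user would see, with the origin prepended so the body of the message cannot
// pretend to come from another site.
function handleDialogRequest(scriptUrl, message, trustedOrigins) {
  if (!isTrustedOrigin(scriptUrl, trustedOrigins)) {
    return { allowed: false, text: null };
  }
  return { allowed: true, text: `[${originOf(scriptUrl)}] ${message}` };
}

// Constructed sample input: the user's trusted sites and three dialog requests,
// one legitimate and two that a substring or scheme-insensitive check would let through.
const TRUSTED = ["https://bank.example", "https://www.bank.example:443"];
const REQUESTS = [
  { from: "https://bank.example/login", msg: "Enter your one-time code" },
  { from: "https://bank.example.attacker.test/", msg: "Enter your password" },
  { from: "http://bank.example/", msg: "Session expired, re-enter password" },
];

function demo() {
  return REQUESTS.map((r) => ({
    from: r.from,
    ...handleDialogRequest(r.from, r.msg, TRUSTED),
  }));
}

for (const decision of demo()) {
  console.log(decision);
}
```

Only the first request is allowed and it is shown as `[https://bank.example] Enter your one-time code`; the look-alike host and the plain-http variant are both refused because the comparison is on the whole normalised origin, not on whether the hostname contains "bank.example".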
Graeme Wearden of ZDNet UK contributed to this report.
dialog box (via javascript) that can appear like any other normal OS system level dialog box, not just a classic browser pop-up window.

How it is that MS cannot understand why this is a problem is beyond comprehension. These guys just don't get it, and it doesn't bode well for the average fellow with illusions that MS is actually doing something about software security. Unfortunately, that person will learn the hard way, whereas the more enlightened among us have already ditched the MS Windows platform - which is actually quite easy to do.

For those that choose to remain bound to MS Windows, you get to read this http://www.microsoft.com/technet/security/advisory/902333.mspx and wonder why you should expect that a dialog box that appears onscreen as a regular OS level dialog box should have an address bar and/or lock icon.
"Do not proceed if you do not know what you are doing."
....that's my take anyway,
...Steve