IE pop-up spoof won't get patch

By Joris Evers, CNET News.com
Friday, June 24, 2005 10:16 AM

Microsoft does not plan to update Internet Explorer to prevent a spoofing attack that could trick users into giving out personal information to hackers.

In the attack, JavaScript is used to display a pop-up window in front of a trusted Web site. The pop-up appears to be part of the legitimate site, but actually is linked to a different, malicious site. A user might be fooled into sending personal information to the scammers.

Although the pop-ups could be used by attackers, overlaying multiple windows in a Web browser is a feature, not a vulnerability, according to an advisory posted Tuesday on Microsoft's TechNet Web site.

"This is an example of how current standard Web browser functionality could be used in phishing attempts," Microsoft said in the advisory.

Phishing is a prevalent type of online fraud that attempts to steal sensitive information such as usernames, passwords and credit card numbers. The schemes typically combine spam e-mail and fraudulent Web pages that look like legitimate sites.

Earlier this week, security monitoring company Secunia warned of the browser problem and rated it "less critical." The issue affects most major browsers, Secunia said.

The problem is that JavaScript dialog boxes do not display or include their origin. For an attack to occur, a user would have to visit a malicious Web site or click on a link before going to a trusted site, such as that of a bank. The attacker could then overlay part of the trusted site with a window asking for data such as a user name and password. Information entered would go to the attacker, instead of the bank.

Firefox developers at the Mozilla Foundation have been making moves to combat this kind of attack. In April, a patch was developed that allows people to block Java- and Flash-based pop-ups unless they come from trusted sites.

Opera has said that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.

Graeme Wearden of ZDNet UK contributed to this report.

