Vulnerability allows scammers to hijack pop-ups
Security researchers warned this week of a vulnerability in most Web browsers which could potentially allow scammers to launch phishing attacks from pop-up windows on trusted Web sites.
The vulnerability arises when an Internet user opens browser windows for both a legitimate Web site and a malicious site at the same time. Because of an old functionality that exists in most browsers, the malicious site can potentially display information in a pop-up window from the trusted site, according to Secunia Research.
The vulnerability has yet to be exploited but could present a very effective method for launching online fraud scams, often known as phishing, Secunia Chief Technology Officer Thomas Kristensen said Thursday.
While most users do not intentionally visit malicious Web sites, they often stumble upon them by following links, making it relatively common for Net surfers to have browser windows open for both legitimate and malicious sites at the same time, Kristensen said.
This could be a particularly dangerous situation if exploited to display misleading information on a pop-up window from a legitimate bank Web site, for example, he warned. Even if savvy users check for a the yellow "lock" icon on a Web site, signifying encryption, the pop-up could still display content from the malicious site, he said.
"This could be a surprisingly effective way to seduce or trick people into doing something," Kristensen said.
The vulnerability affects almost all browsers, including Internet Explorer (IE), Mozilla, Firefox, Opera, Konqueror, Safari and Netscape, the researcher said.
Secunia, based in Copenhagen, went public with its warning Wednesday, after saying that it had alerted browser vendors of the vulnerability months ago.
Microsoft said Thursday that it has investigated the report, and customers who use Windows XP SP2 and follow its advice on spoofing attacks are at a reduced risk.
The functionality described in the report allows a Web site to open or re-use a window without displaying the address bar. However, SP2 users will see a status bar in the pop-up window, allowing them to look for the yellow lock icon and confirm that the site is valid, Microsoft said.
Opera has also included measures to mitigate the vulnerability in the latest beta version of its software, Kristensen said.
He acknowledged that by going public with the warning he was also alerting Internet scammers to a new opportunity, but said that he felt the public should be aware of the threat since not all browser vendors had been responsive.
"We thought it would be better to openly talk about this and we are giving advice on how to mitigate it," Kristensen said.
IDG News Service
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
VMware ESX Server in the Enterprise
By Edward L. Haletky
Published Dec 29, 2007 by Prentice Hall.
Enter now! | Official rules | Sample chapter
Green IT
By Toby Velte, Anthony Velte, Robert C. Elsenpeter
To be published Oct. 10, 2008 by McGraw Hill Professional
Enter now! | Official rules | About the book
