
Users' data at risk...
By Joris Evers
Published: 24 June 2005 08:45 GMT
Microsoft does not plan to update Internet Explorer to prevent a spoofing attack that could trick users into giving out personal information to hackers.
In the attack, JavaScript is used to display a pop-up window in front of a trusted website. The pop-up appears to be part of the legitimate site but is actually linked to a different, malicious site. A user might be fooled into sending personal information to the scammers.
Although the pop-ups could be used by attackers, overlaying multiple windows in a web browser is a feature, not a vulnerability, according to an advisory posted on Microsoft's TechNet website.
The advisory said: "This is an example of how current standard web browser functionality could be used in phishing attempts."
Phishing is a prevalent type of online fraud that attempts to steal sensitive information such as usernames, passwords and credit card numbers. The schemes typically combine spam email and fraudulent web pages that look like legitimate sites.
Earlier this week, security monitoring company Secunia warned of the browser problem and rated it "less critical". The issue affects most major browsers, Secunia said.
The problem is that JavaScript dialogue boxes do not display or include their origin. For an attack to occur, a user would have to visit a malicious website or click on a link before going to a trusted site, such as that of a bank. The attacker could then overlay part of the trusted site with a window asking for data such as a user name and password. Information entered would go to the attacker, instead of the bank.
Firefox developers at the Mozilla Foundation have been making moves to combat this kind of attack. In April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they come from trusted sites.
Opera has said its latest browser, 8.01, displays the origin of a pop-up, letting a user inspect its URL to see if it originated from a trusted site.
Graeme Wearden of ZDNet UK contributed to this report
Joris Evers writes for CNET News.com
Copyright © 2008 CBS Interactive Limited. All rights reserved.