Microsoft: No plans to patch IE spoof

Users' data at risk...

Tags: spoof, phishing, pop-up, ie

By Joris Evers

Published: 24 June 2005 08:45 BST

Microsoft does not plan to update Internet Explorer to prevent a spoofing attack that could trick users into giving out personal information to hackers.

In the attack, JavaScript is used to display a pop-up window in front of a trusted website. The pop-up appears to be part of the legitimate site but is actually linked to a different, malicious site. A user might be fooled into sending personal information to the scammers.

Although the pop-ups could be used by attackers, overlaying multiple windows in a web browser is a feature, not a vulnerability, according to an advisory posted on Microsoft's TechNet website.

The advisory said: "This is an example of how current standard web browser functionality could be used in phishing attempts."

Phishing is a prevalent type of online fraud that attempts to steal sensitive information such as usernames, passwords and credit card numbers. The schemes typically combine spam email and fraudulent web pages that look like legitimate sites.

Earlier this week, security monitoring company Secunia warned of the browser problem and rated it "less critical". The issue affects most major browsers, Secunia said.

The problem is that JavaScript dialogue boxes do not display or include their origin. For an attack to occur, a user would have to visit a malicious website or click on a link before going to a trusted site, such as that of a bank. The attacker could then overlay part of the trusted site with a window asking for data such as a user name and password. Information entered would go to the attacker, instead of the bank.

Firefox developers at the Mozilla Foundation have been making moves to combat this kind of attack. In April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they come from trusted sites.

Opera has said its latest browser, 8.01, displays the origin of a pop-up, letting a user inspect its URL to see if it originated from a trusted site.

Graeme Wearden of ZDNet UK contributed to this report

Joris Evers writes for CNET News.com
