Microsoft Internet Explorer isn’t the only browser hit by a spoofing flaw that could be exploited by phishers. But Microsoft also won’t be releasing a patch for it anytime soon.
According to Secunia Research, IE, Mozilla Firefox, Opera and Apple Safari have a similar “flaw” related to their use of JavaScript.
“The problem is that JavaScript dialog boxes do not display or include
their origin, which allows a new window to open, e.g. a prompt dialog box,
which appears to be from a trusted site,” a Secunia advisory states. A
malicious site could potentially trick a user into disclosing personally
identifiable information that could then be used for fraudulent purposes.
To further back its claim, Secunia has posted a proof-of-concept test of how the exploit works.
In a security advisory issued yesterday, Microsoft described the
exploit as a potential issue relating to user confusion with
overlapping browser windows.
“Common to various browsers, including Internet Explorer, it is possible
to have multiple, overlapping browser windows,” Microsoft’s advisory states.
“An attacker could arrange windows in such a way as to trick users into
thinking that an unidentified dialog or pop-up window is trustworthy when it
is in fact fraudulent.”
Microsoft does not plan on issuing a security update to address the
dialog box threat.
“This is an example of how current standard Web browser functionality
could be used in phishing attempts,” the Microsoft advisory states.
As of press time, no advisory on the issue had been posted on Mozilla’s
security site.