JavaScript Flaw Leaves Every Browser Open to Attack

LONDON -- A new browser flaw could allow attackers to trick users into relinquishing sensitive information such as passwords. The flaw is unusual in that it affects every mainstream browser and can be exploited on the Mac OS X operating system as easily as on Windows, according to security company Secunia.

Because of the way most browsers handle JavaScript dialog boxes, it's unclear which site a dialog box originates from, Secunia reported. An untrusted site could direct a user to a secure site such as a bank, and then cause a dialog box to pop up in front of the bank site's window.

When the user entered password information, that data would be sent to the attacker, Secunia stated. "Successful exploitation normally requires that a user is tricked into opening a link from a malicious Web site to a trusted Web site," the company observed in its advisory.

Opera Patched

The flaw has been confirmed in Opera, Safari, Mozilla-based browsers, iCab, and Mac and Windows versions of Internet Explorer. As of Wednesday, only Opera had issued a patch, in version 8.01. The bug has been fixed in the beta of iCab version 3.0.

Secunia published a test to demonstrate the flaw.

Microsoft confirmed that IE was vulnerable, but said it has no plans to distribute a fix. "Customers who already follow our general guidance about avoiding spoofing and phishing attacks are at reduced risk of being affected by this issue," Microsoft stated in an advisory.

Spoofing flaws such as these become increasingly dangerous as they are exploited by scammers to siphon off users' personal information. Despite the wealth of publicity around such scams, they remain surprisingly effective, according to security experts.