Microsoft does not plan to update Internet Explorer to prevent a spoofing attack that could trick users into giving out personal information to hackers.
In the attack, JavaScript is used to display a pop-up window in front of a trusted Web site. The pop-up appears to be part of the legitimate site, but actually is linked to a different, malicious site. A user might be fooled into sending personal information to the scammers.
Although the pop-ups could be used by attackers, overlaying multiple windows in a Web browser is a feature, not a vulnerability, according to an advisory posted on Tuesday on Microsoft's TechNet Web site.
"This is an example of how current standard Web browser functionality could be used in phishing attempts," Microsoft said in the advisory.
Phishing is a prevalent type of online fraud that attempts to steal sensitive information such as usernames, passwords and credit card numbers. The schemes typically combine spam email and fraudulent Web pages that look like legitimate sites.
Earlier this week, security monitoring company Secunia warned of the browser problem and rated it 'less critical'. The issue affects most major browsers, Secunia said.
The problem is that JavaScript dialogue boxes do not display or include their origin. For an attack to occur, a user would have to visit a malicious Web site or click on a link before going to a trusted site, such as that of a bank. The attacker could then overlay part of the trusted site with a window asking for data such as a username and password. Information entered would go to the attacker, instead of the bank.
Firefox developers at the Mozilla Foundation have been making moves to combat this kind of attack. In April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they came from trusted sites.
Opera has said that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.
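The two mitigations the article attributes to Firefox and Opera (only show a dialog when the script raising it comes from a trusted origin, and always put the origin on the dialog so the user can inspect it) reduce to one origin check. The following is an added example, not code from the article or from any browser vendor; the function names and the trusted-origin list are assumptions, and the inputs are constructed. It also shows why the comparison has to be on the whole origin rather than a substring of the URL.

```javascript
// Added example (not from the article): an allowlist check of the kind the
// article says Firefox's patch and Opera 8.01 implement. A dialog raised by
// a script is allowed only if that script's origin is trusted, and the
// caption shown to the user always carries the full origin. Function names
// and the trusted-origin list are assumptions for illustration.

// Origin = scheme + host + port, as the browser defines it. Default ports are
// dropped, so "https://bank.example:443/" and "https://bank.example/" agree.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Decide whether a dialog raised by `scriptUrl`, while the user is viewing
// `pageUrl`, should be shown, and what caption to put on it.
function vetDialog(scriptUrl, pageUrl, trustedOrigins) {
  const scriptOrigin = originOf(scriptUrl);
  const pageOrigin = originOf(pageUrl);
  return {
    // Array.prototype.includes is an exact match on the whole origin string.
    allow: trustedOrigins.includes(scriptOrigin),
    // A dialog whose origin differs from the page it sits over is the
    // overlay situation the article describes.
    crossOrigin: scriptOrigin !== pageOrigin,
    // The caption names the origin so the user can inspect it (Opera's approach).
    caption: `${scriptOrigin} says:`,
  };
}

// The check people often reach for first: does the URL contain the trusted
// host name? It passes a look-alike host, which is why it is the wrong test.
function naiveHostCheck(scriptUrl, trustedHost) {
  return scriptUrl.includes(trustedHost);
}

// Constructed sample inputs: a bank page, its own script, and a script served
// from a look-alike host that merely contains the bank's host name.
const TRUSTED = ["https://bank.example"];
const BANK_PAGE = "https://bank.example/account";
const BANK_SCRIPT = "https://bank.example:443/js/login.js";
const LOOKALIKE_SCRIPT = "http://bank.example.lookalike.test/popup.js";
```

Running `vetDialog(BANK_SCRIPT, BANK_PAGE, TRUSTED)` allows the dialog and reports it as same-origin, while `vetDialog(LOOKALIKE_SCRIPT, BANK_PAGE, TRUSTED)` refuses it and produces the caption `http://bank.example.lookalike.test says:`, which is the cue a user would need. `naiveHostCheck(LOOKALIKE_SCRIPT, "bank.example")` returns `true`, showing what a substring comparison gets wrong.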
Talkback
I can't believe Microsoft won't make a patch against this hack.
I reckon we have only seen the start of exploits using this technique. Sometime soon someone is going to come up with a real novel exploit which will catch a lot of people out.
Just another reason people should use Firefox I guess.
Translation: we still can't do what our competitors already could so please believe our PR FUD until some time from now we can tell you about a great "innovation" of ours that you can obtain with blood, sweat and tears to finally get, somewhat, what you could have had years ago if you were smart enough to think and look for yourselves. Thank you for your ignorance because that's really our business. Now for the next dream we would like you to fall for, errr, believe in.
First Microsoft makes Windows users pay more for the broken promise of protection (see antivirus stories), then they won't show the URL for a JavaScript pop-up because it's a "feature". Are they this horrible on purpose?