Phishing Exploit Affects Major Browsers

Sometimes the argument over which browser is most secure is a moot point. On Tuesday, Secunia Research posted an advisory on a security flaw that affects all major Web browsers. The firm demonstrated how even a link to a 'trusted' Web site may not be as harmless as it seems.

In its advisory, Secunia detailed how malicious users can exploit a vulnerability found in JavaScript to craft dialog boxes that pop up in front of the user's browser after the user navigates to a trusted Web site. This method can be used to obtain personally identifiable information, a practice called phishing, by making it seem as if the dialog box was loaded by the target Web site.

The potential exploit affects users of Internet Explorer for both Windows and Mac OS X, Opera, Safari, iCab and all Mozilla-based variants including Mozilla, Firefox and Camino. Secunia has a live proof of concept on its Web site that may be used to test for the vulnerability.

"Secunia rated this as 'less critical'. I think that's about right - it's really just a little JavaScript hack that anyone could use to try to trick a user into entering sensitive information. This isn't so much a bug as a 'feature' that could be abused in a malicious way," said Andrew Jaquith, a Senior Analyst with Yankee Group.

"The broader issue here is that users need to be careful when supplying sensitive information to web sites. A suspicious pop-up window is just that - suspicious."

Vendors are preparing patches for their browsers.
