Thanks to Javascript, all web browsers are again vunerable to spoof attacks.
Internet Explorer and Firefox -- even the newest edition that's getting ready for release -- can be spoofed by hackers intent on stealing passwords or other confidential information, a security firm said Tuesday.
According to Danish vulnerability tracker Secunia, Microsoft's Internet Explorer, Mozilla's Firefox, and virtually every other popular browser could be used by malicious Web site to display bogus Java dialog boxes atop legitimate sites.
"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open -- a prompt dialog box -- which appears to be from a trusted site," read the alert that Secunia posted.
An exploit requires that the user first visit a malicious site -- perhaps enticed there via e-mail or instant message -- that includes a link to a legit, trusted site, say an online banking portal. By leveraging the JavaScript bug, the attacker could display a fake password dialog, and trick the user into entering her account information.
