Experts Warn of Security Flaws in Alternative Browsers

IT security services firm Secunia issued a warning that the so-called tabbed browsing function in a host of alternative Web browsers made and distributed by Mozilla, Opera, Netscape, Avant, Camino and others leave users vulnerable to spoofed Web sites that attempt to steal personal information. Secunia said the flaws are moderately critical.

Browser Vulnerabilities

Tabbed browsers allow users to have multiple pages open within a single browser window and to tab back and forth among them without having to close any. Secunia said the most serious flaw enables spoofed Web sites opened in those tabs to display dialogue boxes in other tabs, potentially making it appear that they originate from trusted sites, such as banks, when, in fact, they are spoofing attempts to gain personal data.

A second vulnerability could enable data that is being entered to a secure, trusted page to be intercepted by a page on another tab.

Secunia's chief technology officer, Thomas Kristensen, said the flaw is in the basic design of almost all tab browsers.

Alternative Web Style

"Because all the browser tabs are in a single application window, it's harder to tell which Web site is responsible for any given action," he said. "It's one of the drawbacks of having so much going on in the same window."

Ionically, the warnings come as security concerns about Internet Explorer (IE) have led many Web users to reconsider which browser they deploy to access the Internet, leading to the first serious challenge to Microsoft's browser since it overtook Netscape. The U.S. Computer Emergency Readiness Team (CERT) warned users to forgo the IE browser until a batch of vulnerabilities could be addressed.

Web analytics firm WebSideStory said IE use has dropped from more than 95 percent earlier this year to around 93 percent. While that still gives IE a dominant share of the market, it does show considerable adoption of alternatives.

Hoping to capitalize on that trend, supporters of the Mozilla foundation plan to launch a media campaign that includes ads in the New York Times designed to raise awareness of the Firefox 1.0 release.

Shut It Down?

However, alternative browser supporters could take solace in the fact that on the same day the tabbing vulnerability was announced, security experts were warnings that a persistent flaw in IE now appears to leave even machines that are loaded with the Windows XP Service Pack 2 security upgrade vulnerable.

Denmark-based Secunia said the IE vulnerability is "highly critical" and could leave machines open to remote attack.

Sophos antivirus consultant Graham Cluley said IE remains the favorite target of malicious code writers because it is so widely used and because new vulnerabilities are constantly being identified.

While alternative browsers offer a way to steer clear of IE-related flaws, they don't solve the Internet security risk, as the new vulnerabilities show, he added. Alternatives might, in fact, offer some users a false sense of security.

"Given that it looks likely that there will be more browser flaws and more exploits that take advantage of them -- in some cases before patches are even available -- some companies might want to consider whether it's prudent to give all the users on their network full Web access," Cluley said. "They have to weigh whether the risks are worth it in the long run."