Pairs of Internet Explorer, Firefox flaws revealed on mailing list

Polish researcher Michal Zalewski has revealed four new browser vulnerabilities — two each in Microsoft's Internet Explorer (IE) and Mozilla's Firefox — on the Full Disclosure mailing list this week.

Zalewski disclosed a "critical" page update race condition flaw in Internet Explorer versions 6 and 7, saying that it could be exploited for cookie stealing, page hijacking and memory corruption.

The flaw can be exploited when JavaScript instructs the browser "to navigate away from a page that meets same-domain origin policy to an unrelated third-party site," said Zalewski, who added that the vulnerability was tested on fully patched versions of IE6 and IE7.

The researcher also unveiled a URL bar-spoofing flaw in IE6 that he ranked as "medium" risk, which can allow a hacker to mimic an arbitrary site, "possibly including SSL data."

IE7 is not affected "because of certain high-level changes in the browser," according to Zalewski.

A Microsoft spokesperson said today that the company is investigating the flaw reports, and is not aware of any attacks attempting to exploit the flaw.

Microsoft encourages responsible disclosure of flaws, "which serves everyone’s best interests," according to the spokesperson.

Zalewski also revealed a cross-site IFRAME hijacking flaw in Firefox that can be exploited for keyboard snooping and content spoofing, among other types of attacks. An attacker can use JavaScript to inject malicious code into pages that rely on IFRAMEs to display content or store data.

Zalewski ranked the flaw as "major." He also disclosed a file prompt delay bypass flaw in Firefox that can be exploited for the non-consensual download or execution of files.

Attackers can use a series of blur/focus operations "to bypass delay timers implemented on certain Firefox confirmation dialogs," allowing the attacker to run files without the user’s consent, according to Zalewski, who did not specify what version of Firefox the flaw affects.

Window Snyder, Mozilla chief security something-or-other, posted today on the company's security blog that both flaws have "low" risk, but said the company would not write them off.

"Mozilla prioritizes bugs based on severity to help us figure out which bugs to fix first," she said. "Just because a bug has a lower severity rating does not mean we dismiss it. We fix all bugs with any security risk as part of our commitment to security."

Handler Robert Danford of the SANS Internet Storm Center said today on the organization's diary that a number of readers referred the organization to the flaw.

US-CERT said today that it was aware of the reports, and encouraged users to follow web browser security guidelines.
