Pairs of Internet Explorer, Firefox flaws revealed on mailing list

Polish researcher Michal Zalewski has revealed four new browser vulnerabilities — two each in Microsoft's Internet Explorer (IE) and Mozilla's Firefox — on the Full Disclosure mailing list this week.

Zalewski disclosed a "critical" page update race condition flaw in Internet Explorer versions 6 and 7, saying that it could be exploited for cookie stealing, page hijacking and memory corruption.

The flaw can be exploited when JavaScript instructs the browser "to navigate away from a page that meets same-domain origin policy to an unrelated third-party site," said Zalewski, who added that the vulnerability was tested on fully patched versions of IE6 and IE7.

The researcher also unveiled a URL bar-spoofing flaw in IE6 that he ranked as "medium" risk, which can allow a hacker to mimic an arbitrary site, "possibly including SSL data."

IE7 is not affected "because of certain high-level changes in the browser," according to Zalewski.

A Microsoft spokesperson said today that the company is investigating the flaw reports, and is not aware of any attacks attempting to exploit the flaw.

Microsoft encourages responsible disclosure of flaws, "which serves everyone’s best interests," according to the spokesperson.

Zalewski also revealed a cross-site IFRAME hijacking flaw in Firefox that can be exploited for keyboard snooping and content spoofing, among other types of attacks. An attacker can use JavaScript to inject malicious code on pages that rely on IFRAMES to display contents or store data.

Zalewski ranked the flaw as "major." He also disclosed a file prompt delay bypass flaw in Firefox that can be exploited for the non-consensual download or execution of files.

Attackers can use a series of blur/focus operations "to bypass delay timers implemented on certain Firefox confirmation dialogs," allowing the attacker to run files without the user’s consent, according to Zalewski, who did not specify what version of Firefox the flaw affects.

Window Snyder, Mozilla chief security something-or-other, posted today on the company's security blog that both flaws have "low" risk, but said the company would not write them off.

"Mozilla prioritizes bugs based on severity to help us figure out which bugs to fix first," she said. "Just because a bug has a lower severity rating does not mean we dismiss it. We fix all bugs with any security risk as part of our commitment to security."

Handler Robert Danford of the SANS Internet Storm Center said today on the organization's diary that a number of readers referred the organization to the flaw.

US-CERT said today that it was aware of the reports, and encouraged users to follow web browser security guidelines.
