* FYI * .. UNpatched holes in Firefox & IE 7 (from ZDnet) *

NW Qtr, AR(Zone 6a)

* * PLEASE NOTE: I have added the direct hyper-links to the 'web sites' as given in the article! * *

February 15th, 2007

Browser beware: Unpatched holes in Firefox, IE 7

by Ryan Naraine @ 12:31 pm


Firefox and Internet Explorer users beware: There are serious, unpatched flaws in both browsers that could allow the manipulation of authentication cookies and the hijacking of files from your Windows machine.

Details on both vulnerabilities have already been posted to the Full Disclosure mailing list by Polish researcher Michal Zalewski. SecurityFocus provides coverage of the issue, which dates back to 2006.

According to Zalewski, a well-known hacker credited with several major flaw discoveries, there are two very different issues affecting Firefox and IE 7.

First up is a brand-new IE 7 bug that could be used to divert keystrokes from Web-based games, blog entries, comment forms and online chats. In certain scenarios, an attacker could exploit the flaw to read sensitive local files on a computer. "Some user interaction is required, but only to an extent commonly expected on some popular Web site. XSS attacks make it far worse," Zalewski said.

Click here for an online demonstration of the IE 7 (and prior) vulnerability. > http://lcamtuf.coredump.cx/focusbug/ieversion.html

Firefox 1.5 and 2.0 users can test for the flaw here. > http://lcamtuf.coredump.cx/focusbug/ffversion.html

Separately, Zalewski also warned about a new bug in the way Firefox handles writes to the 'location.hostname' DOM property. The bug could allow for the browser to appear as if it were connecting to a bank, when in fact it would instead be receiving data from a bad guy, according to a note on the F-Secure blog.

Click here for a demo of the Firefox 2.0.01 bug > http://lcamtuf.dione.cc/ffhostname.html .. which requires JavaScript. Mozilla's security response team is already working on a patch. > https://bugzilla.mozilla.org/show_bug.cgi?id=370445

Quoting:
I have a query in to Microsoft for a comment on the IE 7 issue. Will update as necessary.


[UPDATED: February 15, 2007; 6:17 PM Eastern] Just received this note from the Microsoft Security Response Center:

Microsoft's initial investigation reveals that an attacker could gain access to user files if the location of a given file is already known. In order to be successful, an attacker in advance would have to convince the user to enter the location of a file into an attacker's Web page through social engineering. Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers.

- - - -

- Magpye

This message was edited Feb 15, 2007 7:02 PM
