
Tuesday, June 5, 2007

Zero Day Bugs exposed in IE & Firefox


Michal Zalewski, a computer security expert and white hat hacker, published demos of four different browser vulnerabilities on the Full Disclosure mailing list. These vulnerabilities, which involve cookie stealing, keystroke snooping, page hijacking, malicious downloading and content spoofing, can be exploited by malicious people to compromise a user's system.

The MSIE bait & switch vulnerability (a page update race condition) has been rated critical and affects Microsoft's IE 6 and IE 7 (fully patched). This IE vulnerability gives attackers a window of opportunity to run malicious JavaScript to hijack the system. Firefox is not vulnerable. Click here for an online demo and technical details.

The Firefox cross-site IFRAME hijacking bug was rated as a major vulnerability that could allow malicious coders to use JavaScript to inject malicious code, including keystroke snooping and content spoofing attacks, on pages that rely on IFRAMEs to display contents or store state data. Click here for an online demo and technical details.

The third vulnerability, which targets Firefox, is related to bypassing the Firefox file prompt delay. An attacker can download or run files without the user's knowledge by using a sequence of focus operations that bypasses delay timers implemented on certain Firefox confirmation dialogs. Click here for an online demo and technical details.

Finally, the last vulnerability is a URL bar spoofing bug that affects MS IE 6 and could allow an attacker to mimic an arbitrary site, possibly including SSL data. Click here for an online demo and technical details.

Mozilla is aware of both Firefox bugs, and Microsoft said the company's security team is looking into Michal Zalewski's claims.
