Vulnerability researcher Michal Zalewski has published details
of four new zero-day flaws in Firefox and Internet Explorer (IE)
that could be exploited to log keystrokes, download malware and
steal cookies.
Zalewski published his findings on Full
Disclosure, a mailing list hosted by Danish vulnerability
clearinghouse Secunia.
The first flaw affects IE 6 and 7. "When Javascript code
instructs IE 6/7 to navigate away from a page that meets
same-domain origin policy (and hence can be scripturally-accessed
and modified by the attacker) to an unrelated third-party site,
there is a window of opportunity for concurrently executed
Javascript to perform actions with the permissions for the old
page, but actual content for the newly loaded page," Zalewski
wrote.
Firefox also contains a JavaScript flaw, according to Zalewski.
"Javascript can be used to inject malicious code, including
key-snooping event handlers, on pages that rely on IFRAMEs to
display contents or store state data [and] communicate with the
server," Zalewski wrote.
Firefox also contains a flaw that could be exploited on certain
confirmation dialogs. "A sequence of blur/focus operations can be
used to bypass delay timers implemented on certain Firefox
confirmation dialogs, possibly enabling the attacker to download or
run files without user's knowledge or consent," Zalewski wrote.
The fourth flaw affects IE 6 and allows malicious Web sites to
spoof URL bar data. IE 7 is not affected because of certain
high-level changes in the browser, the researcher noted.
The issues are serious enough that the Bethesda, Md.-based
SANS Internet Storm Center (ISC) issued an
alert on its Web site.
The new flaws come less than a week after
Mozilla updated Firefox to fix a number of other
security flaws. Mozilla warned that attackers could exploit those
flaws to access sensitive information, cause a denial of service
or run malicious code on targeted machines.