Zero-day flaws affect Firefox, IE

Vulnerability researcher Michael Zalewski has published details of four new zero-day flaws in Firefox and Internet Explorer (IE) that could be exploited to log keystrokes, download malware and steal cookies.

Zalewski published his findings on Full Disclosure, a mailing list hosted by Danish vulnerability clearinghouse Secunia.

The first flaw affects IE 6 and 7. "When Javascript code instructs IE 6/7 to navigate away from a page that meets same-domain origin policy (and hence can be scripturally-accessed and modified by the attacker) to an unrelated third-party site, there is a window of opportunity for concurrently executed Javascript to perform actions with the permissions for the old page, but actual content for the newly loaded page," Zalewski wrote.

Firefox also contains a Javascript flaw, according to Zalewski. "Javascript can be used to inject malicious code, including key-snooping event handlers, on pages that rely on IFRAMEs to display contents or store state data [and] communicate with the server," Zalewski wrote.

Firefox also contains a flaw that could be exploited on certain confirmation dialogs. "A sequence of blur/focus operations can be used to bypass delay timers implemented on certain Firefox confirmation dialogs, possibly enabling the attacker to download or run files without user's knowledge or consent," Zalewski wrote.

The fourth flaw affects IE 6 and allows malicious Web sites to spoof URL bar data. IE7 is not affected because of certain high-level changes in the browser, the researcher noted.

The issues are serious enough that the Bethesda, Md.-based SANS Internet Storm Center (ISC) issued an alert on its Web site.

The new flaws come less than a week after Mozilla updated Firefox to fix a number of other security flaws. Mozilla warned attackers could exploit those flaws to access sensitive information, cause a denial of service or run malicious code on targeted machines.