Follow us on twitter Find us on Facebook Join us on LinkedIn

New zero-day bugs crop up in IE, Firefox

Critical flaw in Internet Explorer and a major bug in Firefox

By Gregg Keizer, Framingham | Wednesday, 06 June 2007

A noted security researcher disclosed four new zero-day vulnerabilities in Microsoft and Mozilla's browsers, including a critical flaw in Internet Explorer (IE) and a major bug in Firefox.

Michael Zalewski, who regularly publishes browser flaw findings, posted details on the full-disclosure mailing list for cookie-stealing, keystroke-snooping, malicious downloading and site-spoofing bugs.

The most serious of the four, said Zalewski, is an IE6 and IE7 flaw he rated "critical." Dubbing it a "bait-and-switch" vulnerability, he said that the Microsoft browser gives hackers a window of opportunity to run malicious Javascript to hijack the PC.

"The entire security model of the browser collapses like a house of cards and renders you vulnerable to a plethora of nasty attacks," Zalewski claimed in notes that accompanied a demonstration of the IE bug. Up-to-date IE6 and IE7 are both at risk, he said, although Firefox is not.

But Mozilla's browser also suffered at Zalewski's hands. A new IFrame vulnerability in Firefox 2.0 can let attackers plant keyloggers or drop malicious content into a legitimate web site. The flaw, rated as "major," is related to a similar bug discovered last year; although Mozilla patched that problem, Zalewski said the fix hadn't plugged all the holes.

Zalewski posted information about two other bugs, both rated "medium." A Firefox vulnerability could lead to unauthorised downloads, while IE6 is open to yet another address bar-spoofing flaw. "IE7 is not affected because of certain high-level changes in the browser," Zalewski said of the fourth vulnerability.

Mozilla is aware of both Firefox bugs — they have been posted to its Bugzilla management system — and a Microsoft spokeswoman said the company's security team is looking into Zalewski's claims. "Upon completion of this investigation, Microsoft will take the appropriate action, which may include issuing a security advisory or providing a security update," she added.

Microsoft also said it knows of no ongoing attacks using the vulnerabilities.
 

MOST POPULAR

 

Reseller News New Zealand

subscribe to Reseller News
  • NZCS progresses on cloud initiative
  • Google names Fronde Top Partner for APAC
  • Red Hat rolls out ISV web portal
  • Juniper turns new leaf with resellers

subscribe to Reseller News

Signup to Reseller newsletter
  • ChannelBeat - a weekly newsletter catchup on the most important stories for and about the channel.
  • Shipping News (weekly)- A weekly digest of the latest technology product releases.

Signup to Reseller Newsletter

 

© Fairfax Media Business Group, Fairfax New Zealand Limited,

FairfaxBG | Computerworld | PC World | PressF1 | Reseller News | CIO | Unlimited | actv8

Email Webmaster | Contact Fairfax Media Business Group | Magazine Subscriptions | Advertise With Us | Privacy Policy | rss feed for Reseller News website | Sitemap