Menu
New zero-day bugs crop up in IE, Firefox

New zero-day bugs crop up in IE, Firefox

The IE flaw could allow attackers to run JavaScript code to hijack a PC

A noted security researcher Monday disclosed four new zero-day vulnerabilities in Microsoft and Mozilla's browsers, including a critical flaw in Internet Explorer (IE) and a "major" bug in Firefox.

Michael Zalewski, who regularly publishes browser flaw findings, posted details on the Full-disclosure mailing list for cookie-stealing, keystroke-snooping, malicious downloading and site-spoofing bugs.

The most serious of the four, said Zalewski, is an IE6 and IE7 flaw he rated "critical." Dubbing it a "bait-and-switch" vulnerability, he said that the Microsoft browser gives hackers a window of opportunity to run malicious JavaScript to hijack the PC.

"The entire security model of the browser collapses like a house of cards and renders you vulnerable to a plethora of nasty attacks," Zalewski claimed in notes that accompanied a demonstration of the IE bug. Up-to-date IE6 and IE7 are both at risk, he said, although Firefox is not.

But Mozilla's browser also suffered at Zalewski's hands. A new IFrame vulnerability in Firefox 2.0 can let attackers plant keyloggers or drop malicious content into a legitimate Web site. The flaw, rated as "major," is related to a similar bug discovered last year; although Mozilla patched that problem, Zalewski said the fix hadn't plugged all the holes.

Zalewski posted information about two other bugs, both rated "medium." A Firefox vulnerability could lead to unauthorized downloads, while IE6 is open to yet another address bar-spoofing flaw. "IE7 is not affected because of certain high-level changes in the browser," Zalewski said of the fourth vulnerability.

Mozilla is aware of both Firefox bugs -- they have been posted to its Bugzilla management system -- and a Microsoft spokeswoman said the company's security team is looking into Zalewski's claims. "Upon completion of this investigation, Microsoft will take the appropriate action, which may include issuing a security advisory or providing a security update," she added.

Microsoft also said it knows of no ongoing attacks using the vulnerabilities.


Follow Us

Join the newsletter!

Error: Please check your email address.

Featured

Slideshows

Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Tech industry comes together as Lexel celebrates turning 30

Tech industry comes together as Lexel celebrates turning 30

Leading figures within the technology industry across New Zealand came together to celebrate 30 years of success for Lexel Systems, at a milestone birthday occasion at St Matthews in the City.​

Tech industry comes together as Lexel celebrates turning 30
Show Comments