Explorer, Firefox Take Heat Zero-Day Flaws in Both IE and Firefox Reported Sean Michael Kerner
Whether you're running Microsoft Internet Explorer or Mozilla Firefox, there may be new reason for concern, as both browsers are allegedly open to a number of high-risk vulnerabilities.
Security researcher Michal Zalewski has alleged in a mailing list posting that fully patched versions of the top browsers contain two vulnerabilities. And to add further insult to injury, a security researcher said Mozilla might have made things worse with its recent update.
For Internet Explorer 6 and 7, Zalewski alleges that there is a page update race condition that could lead to cookie stealing, page hijacking, or memory corruption.
"When JavaScript code instructs MSIE6/7 to navigate away from a page that meets same-domain origin policy (and hence can be scripturally accessed and modified by the attacker) to an unrelated third-party site, there is a window of opportunity for concurrently executed JavaScript to perform actions with the permissions for the old page, but actual content for the newly loaded page," Zalewski wrote.
For IE 6, Zalewski alleges that he has found an address-bar spoofing condition that could be used for phishing attacks.
A Microsoft spokesperson told internetnews.com that Microsoft is investigating new public claims of two possible vulnerabilities in Internet Explorer. So far Microsoft is not aware of any attacks attempting to use the possible vulnerabilities.
Microsoft will continue to investigate the claims to help provide additional guidance for customers as necessary and will take the appropriate action to protect customers, which may include issuing a security advisory or providing a security update through the monthly release process.
Microsoft also lashed out at Zalewski by noting that responsible disclosure of vulnerabilities is the best way to minimize risk to computer users.
"Microsoft supports the commonly accepted practice of reporting vulnerabilities directly to a vendor, which serves everyone's best interests," the Microsoft spokesperson said. "This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."
But Zalewski didn't just expose issues in Microsoft's browser, he also found a pair of holes in Mozilla's Firefox.
One alleged flaw is a Cross-site IFRAME hijacking vulnerability that could allow a malicious user to use JavaScript to inject malicious code. IFRAME is an inline frame tag in HTML that is widely used on Web sites.
A second flaw that Zalewski tagged as being less critical could let an attacker use a Firefox file prompt delay in order to force arbitrary files down on unsuspecting users.
Mozilla is aware of both of Zalewski's alleged flaws, though it has tagged both with a low severity rating.
"Mozilla prioritizes bugs based on severity to help us figure out which bugs to fix first. Just because a bug has a lower severity rating does not mean we dismiss it," Mozilla's Chief Security Office Widow Snyder blogged. "We fix all bugs with any security risk as part of our commitment to security."
There may be more than just unpatched bugs for Mozilla to worry about, though. Security researcher Thor Larholm has alleged that a bug Mozilla claims to have patched in the recent 2.0.0.4 release is in fact still a vulnerability.
Among the numerous fixes in Firefox 2.0.0.4 is one for a directory traversal vulnerability that could have allowed an attacker to read local files.
"However, the patch only partially fixed the vulnerability on Windows systems and accidentally circumvents an existing input validation check," Larholm wrote in a mailing list posting.
"The net result is that you can still read some local files on Windows and all user accessible files on Linux/Unix/OS X, with all user-accessible files potentially readable as well on Windows through the patch regression."
Mozilla has not yet responded directly to Larholm's allegations, though Larholm claims that he did provide advance notification to Mozilla.
"The Mozilla security team are usually quick to respond but have not been as accommodating with this report, ignoring the advice in my May 25 notice and releasing a flawed patch and lastly taking the better part of five days to even respond on my May 31 notice," Larholm told internetnews.com. "That response asked for a functional exploit before it would be investigated further."
Larholm does have a solution for Mozilla, that is, if they're willing to listen to him.
"Mozilla has a wide range of options, from simply rearranging their input validation routine to undergoing a larger review of their URI resolver logic source code," Larholm said.
