Vulnerabilities in Firefox and Internet Explorer
Browser security specialist Michal Zalewski has struck again. Four online demos illustrate previously unknown vulnerabilities in Internet Explorer 6 and 7 and in Firefox 2.0. The first exploits a race condition during navigation to a new page to confuse Internet Explorer's same-origin (domain) policy, the mechanism that normally prevents a page from domain A from accessing the content of a page loaded from domain B.
The second demo shows how a malicious page opened in Firefox can read keyboard input destined for another open page. According to the description, the root cause is that IFRAMEs can be replaced using the document.write() method. The problem has been known since 2006 but has only been partly resolved.
The third demo shows how a vulnerability in Firefox can be used to spy on a system. A kind of mini game tries to get the user to press the Return key at specific moments; each such keypress actually confirms an invisible security dialog, which lets the exploit read the contents of the root directory. In principle the same trick could be used to download or run files.
Finally, Zalewski presents a problem in Internet Explorer 6 that can be exploited to spoof the address bar. This demo is also extremely flaky, however, and failed to work in tests by the heise Security editorial team.
On top of all this, Thor Larholm has reported another vulnerability in Firefox 2.0.0.4, which likewise allows files on Windows or Unix systems to be read. To exploit it, a crafted URL using the resource:// protocol handler is sufficient.
- Assorted browser vulnerabilities, report from Michal Zalewski
- Unpatched input validation flaw in Firefox 2.0.0.4, report from Thor Larholm