IE and Firefox: new vulnerabilities

15th June 2007

Polish security researcher Michal Zalewski revealed four new vulnerabilities in Internet Explorer and Firefox, two for each browser. The most serious of them affects IE, allowing an attacker to steal settings and user cookie, and also to intercept the control by downloaded pages and fulfill the buffer overflow. Besides, malefactor can run on execution arbitrary code JavaScript. This vulnerability operates in IE 6 and IE 7, even with the latest updates. The second serious vulnerability in Firefox is associated with the tag “IFRAME”, which creates floating frame, which is located within the common document and allows you to download in the area of assigned sizes any other independent papers. As a result of use of frame “about: blank” snooping-attack can be implemented. This type of attacks involves infecting of the user computer, after which all the requested content and web-pages will initially go through the remote server, where can be easily changed. Any outcoming information is also intercepted. As for the other vulnerabilities, the second error in Firefox allows uncontrolled downloads and launch of files, and in the case of IE collects information about the entered addresses and sends it to plotter (works only in IE 6).