New vulnerabilities hit Firefox and Internet Explorer

• Hydro

  5 Jun 07, 10:19

  Security researcher Michal Zalewski has published four new vulnerabilities to the Full Disclosure mailing list for Microsoft Internet Explorer and Mozilla Firefox. There are no patches yet available from either vendor. The most serious is MSIE page update race condition, where users navigating with JavaScript from one page to another page with the same domain experience a window of opportunity for attackers to concurrently execute JavaScript to perform actions with the permissions of the previous page.
  
  The next most severe is Firefox Cross-site IFRAME hijacking where an attack against about:blank frames could allow malicious code execution. Zalewski also published two medium-threat vulnerabilities, one each for Firefox and Internet Explorer. Firefox file prompt delay bypass allows an "attacker to download or run files without user's knowledge or consent." And, finally, Internet Explorer 6 URL bar spoofing is a URL spoofing vulnerability. This last vulnerability does not affect Internet Explorer 7.
  
  http://www.download.com/8301-2007_4-9725125-12.html?tag=head
  
  
• turbo_drift

  5 Jun 07, 14:02

  
• spadeTwo

  5 Jun 07, 14:06

  err because this was cross posted and the other 1 in chit chat is locked.
  i think we will use this 1 to continue
  my question is why does such vulnerability occur and why computer will crash if it happens ? and how to avoid it....
• MyPillowTalks

  5 Jun 07, 14:17

  JIALAT!!!!!!!! MINE BROWSER ISH VULNERABLE!!!!!!!!!!!
  
  
• ndmmxiaomayi

  5 Jun 07, 19:08

  Originally posted by spadeTwo:

  err because this was cross posted and the other 1 in chit chat is locked.
  i think we will use this 1 to continue
  my question is why does such vulnerability occur and why computer will crash if it happens ? and how to avoid it....

  Why does such vulnerability occur - Humans are not perfect, so don't expect perfect programs from them.
  
  Will computer crash - For Firefox, it looks like the PC won't crash because it's used by attackers to remotely control a user.
  
  To avoid it, you can turn off frames in Firefox.
  
  Type in about:config in the address bar.
  
  Locate browser.frames.enabled
  
  Right click and select Toggle to change it to False.
  
  For IE users:
  
  1st vulnerability - JavaScript vulnerability
  
  If you ask me, it probably will cause a PC to crash, depending on how the attacker writes the JavaScript. If the PC doesn't crash, IE will.
  
  Disable JavaScript. Not exactly a good answer, because most sites use JavaScript.
  
  2nd vulnerability - URL spoofing
  
  IE6 has no URL spoofing protection as far as I know, unless you use 3rd-party toolbars. The possibility of it crashing is low, but it will not warn you when you get into a fake website.
  
  Just be careful of what website you are accessing. When unsure, type in the website manually. You can do a Google search for the website and get in directly via the Google results. It's usually the first result of Google search.
• kawasaki2

  7 Jun 07, 00:47

  Expect more updates, coming your way.
  
  2nd Tuesday of each month. MS will release a out-of-cycle patch if needed.