June 4, 2007 10:07 AM PDT

New vulnerabilities hit Firefox and Internet Explorer

Posted by Robert Vamosi

Font size
Print
E-mail
Share

Security researcher Michal Zalewski has published four new vulnerabilities to the Full Disclosure mailing list for Microsoft Internet Explorer and Mozilla Firefox. There are no patches yet available from either vendor. The most serious is MSIE page update race condition, where users navigating with JavaScript from one page to another page with the same domain experience a window of opportunity for attackers to concurrently execute JavaScript to perform actions with the permissions of the previous page.

The next most severe is Firefox Cross-site IFRAME hijacking where an attack against about:blank frames could allow malicious code execution. Zalewski also published two medium-threat vulnerabilities, one each for Firefox and Internet Explorer. Firefox file prompt delay bypass allows an "attacker to download or run files without user's knowledge or consent." And, finally, Internet Explorer 6 URL bar spoofing is a URL spoofing vulnerability. This last vulnerability does not affect Internet Explorer 7.

Originally posted at News Blog

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.

Topics:: Browsers and extensions,; Security and spyware

Tags:: Firefox,; Internet Explorer,; security

Share:: Digg; Del.icio.us; Reddit

About Webware

Say No to boxed software! The future of applications is online delivery and access. Software is passé. Webware is the new way to get things done.

Add this feed to your online news reader

Webware topics

In the news now

Apple: DRM-free tunes, unibody MacBook Pro

roundup At Macworld, Phil Schiller touts 10 million songs sans DRM, plus 69-cent songs, a unibody 17-inch notebook, iLife updates, and more.

Countdown to CES

special coverage The tech community descends on Las Vegas as the Consumer Electronics Show gets ready to kick off in all its gadgety glory.

Inside CNET News

Scroll Left Scroll Right

Business Tech
OLPC slashes workforce in half, cuts salaries
Founder of the project tasked with giving laptops to children in developing nations blames tough economic times for restructuring.
Gallery
Photos: Inside Macworld 2009
Apple
Apple awards raises to key executives
COO Tim Cook, CFO Peter Oppenheimer, and Mac hardware chief Bob Mansfield will have a little more spending money in 2009.
CES 2009
Live blog: Ballmer at CES
Windows 7 will be front and center when Microsoft's CEO takes the Sin City stage at 6:30 p.m. PST. CNET News will be blogging it live here.
Video
CES Press Conference Day 1
CES 2009
Verizon intros on-the-go DVR programming
Verizon adds remote control for some Fios TV customers to allow them to program and manage their DVRs from an online computer or Verizon cell phone.
Video
Ludacris's HD hip-hop album
Politics and Law
Tech lobbyists: Spend $30 billion in tax dollars, get a million jobs
A new report by the Information Technology and Innovation Foundation suggests spending $30 billion on IT infrastructure would create or save 949,000 U.S. jobs.
Cutting Edge
'60 Minutes' video: Tech that reads your mind
This segment investigates breakthroughs researchers have made in identifying what people are thinking by conducting brain scans, and why the Supreme Court might one day get involved.
Gallery
Photos: Jobs fill-in touts media, MacBook updates
CES 2009
AMD introduces Dragon PC gaming platform and new Phenom II CPUs
AMD introduces new Dragon PC gaming platform with Phenom II chips, FX790 chipsets, and Radeon HD 4000-series GPUs.
Green Tech
Termite stomach bug to make ethanol
Start-up ZeaChem raises $34 million to build a cellulosic ethanol plant that uses the microbes in termites' guts, rather than genetically designed specialty bugs.