Zalewski, a well-respected security researcher, published demos of four different browser vulnerabilities on the Full Disclosure mailing list, warning of unpatched cookie stealing, page hijacking, memory corruption and URL bar spoofing bugs.
The most serious of the four -- a page update race condition affecting Microsoft's IE 6 and IE 7 -- is rated "critical." Zalewski explains with an online demo of an exploit:
"In other words, the entire security model of the browser collapses like a house of cards and renders you vulnerable to a plethora of nasty attacks," Zalewski warns, noting that local system compromise is also possible.
Zalewski also dropped details of a "major" Firefox cross-site IFRAME hijacking bug that could allow malicious code execution, keystroke interception and content spoofing attacks, and published an online demo with technical details.
Demos of two other medium-risk flaws affecting IE and Firefox were also released.
One is a Firefox prompt-delay bypass issue (demo published alongside the advisory) that allows non-consensual download or execution of files.
A sequence of blur/focus operations can be used to bypass the delay timers implemented on certain Firefox confirmation dialogs, possibly enabling an attacker to download or run files without the user's knowledge or consent.
The other is a URL bar spoofing flaw that affects IE 6 (demo published alongside the advisory). It could allow an attacker to mimic an arbitrary site, possibly including SSL data. Internet Explorer 7 is not affected by this bug because of certain high-level changes in the browser, Zalewski said.
[UPDATE: June 4, 2007 @ 1:50 PM] Microsoft is looking into Zalewski's warning. A statement from an MSRC spokesman:
Microsoft is investigating new public claims of two possible vulnerabilities in Internet Explorer. Microsoft is not aware of any attacks attempting to use the possible vulnerabilities or of customer impact at this time. Microsoft will continue to investigate the claims to help provide additional guidance for customers as necessary.