Microsoft, Mozilla look into browser flaws

Recently disclosed security holes that affect Internet Explorer 7 and Firefox could let attackers grab data via malicious Web sites.
Written by Joris Evers, Contributor
Microsoft and Mozilla are each working to tackle recently disclosed security flaws in the Internet Explorer and Firefox Web browsers.

The vulnerabilities were described earlier this week in postings to a popular security mailing list by researcher Michal Zalewski. Each browser could enable miscreants to grab data via malicious Web sites, Zalewski said.

In addition, another Firefox flaw could let attackers change cookie files on the user's PC, he said.

In the case of Internet Explorer, the problem affects the latest version, IE 7, and probably earlier releases, Zalewski wrote. Microsoft confirmed that the flaw could open up files stored on a PC's hard drive to an attacker, but only if the location of a given file is already known.

"In order to be successful, an attacker in advance would have to convince the user to enter the location of a file into an attacker's Web page through social engineering," a Microsoft representative said in an e-mail statement Friday. The software giant is still investigating the issue and will take "appropriate action," the representative said.

Flaws in Firefox
Firefox is affected by two security holes, both described by Zalewski. One is similar to the Internet Explorer problem, while the other could let miscreants change cookie files stored on a PC running the vulnerable browser. Cookies are small files stored on a PC by Web sites, to remember login credentials and site preferences, for example.

"The impact is quite severe," Zalewski wrote, regarding the cookie problem, in a posting to the Full Disclosure mailing list on Wednesday. Because cookies can be changed by a malicious Web site, an attacker can change the way other sites are displayed or how they work, he wrote.

Firefox developers, coordinated by Mozilla, have already crafted a fix for this flaw, according to a bug entry on the organization's Web site. The patch has not yet been made available to the browser's users. Mozilla typically releases updates with a number of fixes, and the next patch release could come soon, according to the site posting. The bugs affect the latest versions of the open-source browser, Zalewski wrote.

"The proposed fix seems to be OK and was provided swiftly," Zalewski wrote in an e-mail interview Friday. Last week, two other information-disclosure bugs in Firefox were publicized.

Meanwhile, smart Internet users should be aware of the Web sites they visit. Firefox users can also install the "NoScript" add-on to prevent script code from running on Web sites. This blocks Zalewski's proof-of-concept exploit for the information disclosure bug and will also prevent many other attacks.

Editorial standards