Wednesday, June 06, 2007

eWeek: Gaping Holes Found in IE, Firefox

eWeek reports:

The researcher, Michal Zalewski, on June 4 reported a JavaScript flaw in fully patched IE 6 and 7 that can allow an attacker to fiddle with a document's Document Object Model—a model for representing HTML or XML and related formats.

The result can be cookie stealing or cookie resetting, browser crash, page hijacking, code injection or memory corruption.

The vulnerability occurs when JavaScript code instructs the IE application to navigate away from a page that meets same-domain origin policy, Zalewski said...
Mozilla said that this flaw is a duplicate of a previously reported flaw, Bug 381300 "Frame spoofing is possible within a short time frame while the window is loading."

Now we have to wait until Mozilla and Microsoft issue a fix (yet again).

Link

(Via UT)

3 comments:

  1. Using the NoScript addon to FireFox can prevent scripts, including cross-site scripts, from executing unless you specifically allow them to.
    This is a great tool and I have all of my users trained and using it. It's so cool that I've even put money in the budget to make a donation to the developer.

    ReplyDelete
  2. Wow. Beat to the punch. I'll put in a second vote for NoScript. I have scripting disabled on all sites be default, and certainly for all advertisement servers. I just enable it for those sites I need to trust for the moment, and those mostly temporarily. It's a pain, but hey, it's dangerous out there.

    ReplyDelete
  3. NoScript it is. Somehow among the myriad of addons I have for Firefox, NoScript was not installed.

    I had looked at it once and did not install it, leaving it for later, then I promptly forgot about it. It is installed now.

    Thanks for the pointer (and reminder).

    ReplyDelete