New vulnerabilities hit Firefox and Internet Explorer
Security researcher Michal Zalewski has published four new vulnerabilities in Microsoft Internet Explorer and Mozilla Firefox to the Full Disclosure mailing list. No patches are yet available from either vendor. The most serious is the MSIE page update race condition: when users navigate with JavaScript from one page to another page with the same domain, there is a window of opportunity in which attackers can concurrently execute JavaScript to perform actions with the permissions of the previous page.
The next most severe is the Firefox cross-site IFRAME hijacking issue, in which an attack against about:blank frames could allow malicious code execution. Zalewski also published two medium-threat vulnerabilities, one each for Firefox and Internet Explorer. The Firefox file prompt delay bypass allows an "attacker to download or run files without user's knowledge or consent." Finally, the Internet Explorer 6 URL bar spoofing issue is a URL spoofing vulnerability; it does not affect Internet Explorer 7.
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments. 





(4 Comments)

- wow then why people hate ie?
- by afolgueira June 4, 2007 2:14 PM PDT
- for the looks it may be safer than firefox

- lol
- by Dalkorian June 4, 2007 4:14 PM PDT
- Applications intimately integrated into the OS are *NEVER* safer than applications running within an OS. Even when the OS in question is the security mine field that Winblows is. M$ never has understood security and I doubt if they ever will at this point. Before you flame for that, let's wait and see who releases a security update to address these issues first. I bet it's Mozilla.

- Why not?
- by ben::zen June 4, 2007 6:18 PM PDT
- Since both have insecurities, you intend to say that MSIE is safer? Even though, considering that MSIE is liable to need to wait for Patch Tuesday? Also, since most web-savvy people only download from sites they trust, this SHOULD not be a problem. Plus, who says they'll upgrade both 6 and 7? Maybe this can be another "we'll make IE7 look better" scenario. Maybe Microsoft can fix the "Generic Host Process" and SVCHost.exe errors _finally_, which have been around for way too long.

- IE isn't as good because...
- by mwknowles92 June 4, 2007 9:17 PM PDT
- IE doesn't get fixed until patch Tuesday. IE has a much larger history of needing patches and have almost always been rather serious. Firefox is younger, but if you were to actually compare the ratio of number of exploits found to time the program has been on, IE is way higher. That's only getting in to the security part too...