April 25, 2006 3:57 PM PDT

Bugs bite into popular browsers

Newly disclosed, unpatched flaws in three browsers could make the Web a more dangerous place to surf, security experts have warned.

Security researchers published details on the bugs in Microsoft's Internet Explorer, Apple Computer's Safari and Mozilla's Firefox to security mailing lists over the weekend. The Firefox and Safari bugs could cause the browsers to crash, while the IE hole could be exploited to hijack a vulnerable Windows computer, Secunia said in advisories on its Web site.

The security monitoring company deems the IE flaw, reported by bug hunter Michal Zalewski, "highly critical." The problem has been confirmed on version 6 of the popular software, but could also affect other versions, the company said. The vulnerability lies in the way IE processes HTML tags. An attacker could exploit the bug by crafting a malicious Web site, Secunia said.

The alerts come just days after security researcher Tom Ferris reported several unpatched holes in Apple software including Safari. Also, Microsoft earlier this month issued a patch for IE to plug 10 holes, most of which it called "critical".

Microsoft is investigating the newly disclosed vulnerability and believes it is not as serious as Secunia claims, the software maker said in an e-mailed statement Tuesday. "Our initial investigation has revealed that the issues described would most likely result in the browser closing unexpectedly or failing to respond," it said.

Symantec also said that the IE flaw could be exploited to run malicious code on a vulnerable PC. However, this has not been confirmed, the security specialist said in a note to subscribers to its DeepSight service. "Exploit attempts likely result in crashing the affected application," Symantec said.

Secunia rates the Firefox and Safari problems as "not critical." A miscreant could cause both browsers to crash by crafting a malicious Web site because of flaws, it said, noting that the programs are flawed in the way certain data is handled.

Safari version 2.0.3 has been confirmed as vulnerable, and other versions may also be affected, Secunia said. Firefox, the most recent version, is flawed and so may be earlier versions, according to Secunia's advisory. Apple and Mozilla did not immediately respond to requests for comment.

Because fixes are not available for any of the security holes, Secunia recommends not browsing untrusted Web sites to avoid the problem.

See more CNET content tagged:
Apple Computer, Microsoft Internet Explorer, Firefox, bug, Web browser


Join the conversation!
Add your comment
Opera 9
Its looking better all the time.
Posted by kaufmanmoore (42 comments )
Reply Link Flag
Not only just "looking"...
It *is* getting better all the time. I don't know why people put up with anything else.
Posted by lemonlovr (9 comments )
Link Flag
Best as always
Opera has always been careful about security issues. I don't know if they hunt their own bugs in advance but I can safely say that it's the most secure browser I know. Even if a flaw occurs they fix it in a record time, unlike IE that takes weeks and Firefox. Look up Opera on Secunia and see: <a class="jive-link-external" href="http://secunia.com/product/4932/" target="_newWindow">http://secunia.com/product/4932/</a>
"The Secunia database currently contains 0 Secunia advisories marked as "Unpatched", which affects Opera 8.x."
Posted by PhoenixP3K (17 comments )
Link Flag
Somewhere, somehow, somebody missed something when
browser's were created.

Strange, but using some old-ass browsers on old OS 8/9 and
Win95 computers seen to yield no problems for me.
Posted by fakespam (239 comments )
Reply Link Flag
I crashed FF yesterday
probably not related at all... but it was a rude awakening... while testing validation on a web form, I started pasting text into a textarea... and kept pasting... more and more... and before long, the browser just crashed. No scripts tied to any behaviors or anything... just a plain textarea... with too much text. Sad. Very sad.
Posted by David Arbogast (1709 comments )
Reply Link Flag
FireFox and No Script
The Java script problem listed by secunia can be easily solved by installing the NoScript extension and using it to block Java scripts from running on untrusted sites. Installing takes about 2 minutes
Posted by sophist (1 comment )
Reply Link Flag
as of applying ms updates, my ff crashed and burned
tried 2 redownload but it just won't open also found virus in my dos system. i'm running everything under the sun but it got me. anyone know of a browser that doesn't use ie mozilla doesn't like my ie 7. anyone else know what's going on. running xp and ie 7 lots of memory and 40 hard drive. thxs and goodluck
Posted by chris2 (1 comment )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.