June 8, 2006 4:26 PM PDT

Microsoft, Mozilla downplay browser bug

Microsoft and Mozilla have acknowledged that a security hole in their Web browsers could let an intruder nab files, but say it is tough to exploit and so not that high a risk.

Internet Explorer and Firefox, as well as other Mozilla browsers, are flawed in the way they handle JavaScript, security experts warned this week. An attacker could use the problem to launch surreptitious file uploads, jeopardizing people's personal data, they said.

But exploiting the flaw requires so much user interaction that Microsoft and Mozilla don't think it poses much of a danger. The companies do not see a need to rush out a fix. Instead, both plan to address the bug in upcoming releases of their browsers, representatives said, but did not specify which update or when it might arrive.

"This vulnerability does not allow a malicious attacker to execute code against a user's machine but rather requires significant user interaction that could result in information disclosure," a Microsoft representative said in an e-mailed statement. "Microsoft plans to address this vulnerability in a future version of Internet Explorer."

Mike Schroepfer, vice president of engineering at Mozilla, made similar comments. "This is a relatively low severity issue, because it requires a specific set of user actions and does not pose a remote code execution risk," he said in a statement. "That said, we take every issue seriously and are working on a fix for a future release of Firefox."

The flaw relates to JavaScript "OnKeyDown" events. An attacker could craft a malicious Web site that surreptitiously captures a user's keystrokes into a hidden file-upload dialog box and then launches the upload, Symantec and Secunia said in security alerts issued earlier this week.

For an attack to be successful, victims have to type the full path of files the attacker wants to download. "This may require substantial typing from targeted users," security company Symantec said. Attackers will likely use Web pages such as keyboard-based games or blogs to exploit this issue, it added.

Microsoft noted that it has not seen any malicious code that attempts to exploit the vulnerability.

The security flaw is unusual because it affects not just one browser, but hits all current versions of Firefox, Mozilla SeaMonkey, Mozilla Suite, Netscape and Microsoft Internet Explorer, Secunia said. The security monitoring company deemed the problem "less critical," its second-lowest of five possible ratings.

Mozilla's browsers are vulnerable on multiple operating systems. Opera Software's namesake browser appears unaffected by this problem.

Security experts have advised people to be cautious when typing data at Web sites they do not know and trust, or to disable JavaScript.

See more CNET content tagged:
attacker, Mozilla Corp., JavaScript, vulnerability, Web browser


Join the conversation!
Add your comment
Wait for it....
Ok...Let the stone throwing commence!

My browser if better than your browser.

No it's not...Mine is better than yours.

My browswer is to better...and you're stupid and ugly too.

Yeah...well...your mother wears combat boots....and my browser is still better than yours...

Blah! Blah! Blah!
Posted by (63 comments )
Reply Link Flag
my browser is better than your browser. o_O

I think we should all just get rid of our computers and phone and lights and go back to cave painting. Then the only bugs we have to worry about are the ones were going to eat. :)
Posted by System Tyrant (1453 comments )
Link Flag
lol :-)
see subject
Posted by Gino Deblauwe (25 comments )
Link Flag
Opera, Opera, Opera!
Another reason to love Opera...
Posted by Mendz (519 comments )
Reply Link Flag
Opera? Maybe.
I dont recall if there have been any security vulnerabilities revealed in Opera as yet, but it has other problems. The chief problem is that it has far more trouble rendering web sites properly than either Microsoft's IE or Mozillas browsers. That seems to be particularly true of financial sites.

If you are using Opera you may or may not be effected by this with the particular sites you visit, but some people are with the sites they visit. On the other hand, IE and Firefox are practically universal in their ability to render properly just about any site on the web. That is not because they are better browsers, but because their popularity has made it incumbent on site designers to code their sites to accommodate them.

But I know what you have in mind with your comment. I have used Opera and it is nice, very nice with all the options it offers. However, if it were to become more popular it too would be shown to have security problems. It is the nature of what browsers do that makes them particularly attractive to hackers and Opera cant be expected to be free of security problems any more than any other browser.

In any case, all browsers are safe to use if the user takes the usual protection measures; up to date patches, virus definitions and so on.
Posted by gmcaloon--2008 (72 comments )
Link Flag
This is stupid
How can you even call this a vulenability? That is a function of JavaScript and fixing it would actually limit functionality in the browser. If some hacker gets a user to input the FULL PATH to a file, I say the idiot deserved it.

I guess since its possible to aim a car at school children we should just remove the steering wheel. I am sure that will solve the problem.
Posted by umbrae (1073 comments )
Reply Link Flag
You misunderstand
Exploiting this bug would require the user to type but since javascript can selectively control which characters are actually input to the hidden control the goal would be to provide some sort of interactive content to the user which would have them enter the desired keystrokes in the desired order over a period of time, the javascript could still respond to all keystrokes entered by the user but only deposit the ones it wants into the hidden field until it has the complete name of the file it want to upload. That would be made easier by making sure the name of the file is short and uses few unique letters.
This problem would still require the user to do something with the uploaded file or require another exploit (known or unknown) to take advantage of the uploaded file.
Posted by aabcdefghij987654321 (1721 comments )
Link Flag
This is Stupid?
It is definitely a vulnerability. That it involves JavaScript doesnt make it less of one. Nor is it the first time JavaScript has been a problem. Hackers have used it before.

Fixing the problem doesnt make the browser any less functional any more than previous fixes did. The recommendation to not use JavaScript is simply a work-around that some might like to try. Not all web sites depend on its presence to function properly. However, given the nature of this particularly crude hacker design requiring the user to go through all sorts of hoops to implement it, there is no need for the user to do anything at the moment other than wait for the fixes. The various virus companies will have a definition for it long before that anyway given that the story mentions Symantec.
Posted by gmcaloon--2008 (72 comments )
Link Flag
Flaw is in the hacker...
...not in the browsers. When are you guys going to get that straight?...;)

Besides, I applaud both companies for not dancing like puppets on a string whenever a so-called "security expert" (in reality, a hacker) spends hours and hours of time trying to hack these browsers in some arcane fashion just so he can get the headlines and the attention you guys are always so willing to give him as a reward.

There's a very thin line between "malicious hacker" behavior and the way in which many of these so-called "security experts" behave. It'd be nice if you'd mention that once in awhile.
Posted by Walt Connery (89 comments )
Reply Link Flag
What's new Microsoft software is full of bugs from throwing in tons and tons of features without bug testing.

another reason to use a more standards compliant browser like firefox, opera or whatever
Posted by primefalcon (2 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.