February 16, 2007 11:53 AM PST

Microsoft, Mozilla look into browser flaws

Related Stories

Two flaws found in Firefox

February 7, 2007

IE 7 reaches 100 million users

January 16, 2007

When the cookie crumbles

October 18, 2005
Microsoft and Mozilla are each working to tackle recently disclosed security flaws in the Internet Explorer and Firefox Web browsers.

The vulnerabilities were described earlier this week in postings to a popular security mailing list by researcher Michal Zalewski. Each browser could enable miscreants to grab data via malicious Web sites, Zalewski said.

In addition, another Firefox flaw could let attackers change cookie files on the user's PC, he said.

In the case of Internet Explorer, the problem affects the latest version, IE 7, and probably earlier releases, Zalewski wrote. Microsoft confirmed that the flaw could open up files stored on a PC's hard drive to an attacker, but only if the location of a given file is already known.

"In order to be successful, an attacker in advance would have to convince the user to enter the location of a file into an attacker's Web page through social engineering," a Microsoft representative said in an e-mail statement Friday. The software giant is still investigating the issue and will take "appropriate action," the representative said.

Flaws in Firefox
Firefox is affected by two security holes, both described by Zalewski. One is similar to the Internet Explorer problem, while the other could let miscreants change cookie files stored on a PC running the vulnerable browser. Cookies are small files stored on a PC by Web sites, to remember login credentials and site preferences, for example.

"The impact is quite severe," Zalewski wrote, regarding the cookie problem, in a posting to the Full Disclosure mailing list on Wednesday. Because cookies can be changed by a malicious Web site, an attacker can change the way other sites are displayed or how they work, he wrote.

Firefox developers, coordinated by Mozilla, have already crafted a fix for this flaw, according to a bug entry on the organization's Web site. The patch has not yet been made available to the browser's users. Mozilla typically releases updates with a number of fixes, and the next patch release could come soon, according to the site posting. The bugs affect the latest versions of the open-source browser, Zalewski wrote.

"The proposed fix seems to be OK and was provided swiftly," Zalewski wrote in an e-mail interview Friday. Last week, two other information-disclosure bugs in Firefox were publicized.

Meanwhile, smart Internet users should be aware of the Web sites they visit. Firefox users can also install the "NoScript" add-on to prevent script code from running on Web sites. This blocks Zalewski's proof-of-concept exploit for the information disclosure bug and will also prevent many other attacks.

See more CNET content tagged:
attacker, cookie, flaw, Mozilla Corp., Firefox

38 comments

Join the conversation!
Add your comment
Wasn't Internet explorer 7 recently Updated on Patch Tuesday!
Is not internet explorer 7 recently updated this past week on update Tuesday! I seem to recall, seeing an update for internet explorer 7.

Just wondering if this repairs the flaw? If it does then, go and update!!!
Posted by Robynsnest613 (12 comments )
Reply Link Flag
No fix yet
That Tuesday update doesn't fix this flaw. Microsoft is still looking into it and may issue a fix later.

Joris Evers
CNET News.com
Posted by JorisEvers (48 comments )
Link Flag
Heh - 30 days of vulnerability for you, then...
...see you next "Patch Tuesday". (while Firefox gets patched much, much sooner, and Safari wasn't affected at all, apparently...)

/P
Posted by Penguinisto (5042 comments )
Link Flag
Wasn't Internet explorer 7 recently Updated on Patch Tuesday!
Is not internet explorer 7 recently updated this past week on update Tuesday! I seem to recall, seeing an update for internet explorer 7.

Just wondering if this repairs the flaw? If it does then, go and update!!!
Posted by Robynsnest613 (12 comments )
Reply Link Flag
No fix yet
That Tuesday update doesn't fix this flaw. Microsoft is still looking into it and may issue a fix later.

Joris Evers
CNET News.com
Posted by JorisEvers (48 comments )
Link Flag
Heh - 30 days of vulnerability for you, then...
...see you next "Patch Tuesday". (while Firefox gets patched much, much sooner, and Safari wasn't affected at all, apparently...)

/P
Posted by Penguinisto (5042 comments )
Link Flag
Firefox workaround
There is a workaround for the cookie related flaw in Firefox at least:
<a class="jive-link-external" href="http://mozillalinks.org/wp/2007/02/new-firefox-cookie-vulnerability-workaround/" target="_newWindow">http://mozillalinks.org/wp/2007/02/new-firefox-cookie-vulnerability-workaround/</a>
Posted by pcabellor (13 comments )
Reply Link Flag
Firefox workaround
There is a workaround for the cookie related flaw in Firefox at least:
<a class="jive-link-external" href="http://mozillalinks.org/wp/2007/02/new-firefox-cookie-vulnerability-workaround/" target="_newWindow">http://mozillalinks.org/wp/2007/02/new-firefox-cookie-vulnerability-workaround/</a>
Posted by pcabellor (13 comments )
Reply Link Flag
Then Microsoft Needs to Get making XP With Service Pack 3!!
As there now is probally well over 100 patches, and climbing. Service pack 3 would be good now!!! I'm not upgrading to Vista, as that's probally very full of bugs too, worse than XP!
Posted by Robynsnest613 (12 comments )
Reply Link Flag
vista clueless
Got my first vista PC from Dell today. What a cluster fk. Even MS own outlook web access wont work. MS office 2003 wont install. Corporate Norton AV - dont even ask.
Posted by gggg sssss (2285 comments )
Link Flag
Then Microsoft Needs to Get making XP With Service Pack 3!!
As there now is probally well over 100 patches, and climbing. Service pack 3 would be good now!!! I'm not upgrading to Vista, as that's probally very full of bugs too, worse than XP!
Posted by Robynsnest613 (12 comments )
Reply Link Flag
vista clueless
Got my first vista PC from Dell today. What a cluster fk. Even MS own outlook web access wont work. MS office 2003 wont install. Corporate Norton AV - dont even ask.
Posted by gggg sssss (2285 comments )
Link Flag
The main thing abt IE n FF is the time to patch.
I still dun understand why MS need to patch every month, at least for home users there would be less problems compared to corporate users who have more compatibility issues. Why cant patches be provided as and when they are available when there is auto-update? At the very least they can do it like FF do, they notify of new versions (read: patches) when u open the browser.
interestingly for non xp and ie products, they do have non-regular patches such as for windows defender. So why not for IE?
True MS provide patches for download before patching but its hidden in the downloads site where u actually have to search for it.
Posted by pjianwei (206 comments )
Reply Link Flag
Why do you get Anti-Virus updated daily?
Why do you get Anti-Virus updated daily?
+ Cause stuff get's discovered.
+ You'll have to pardon Uncle Billy and his team for being a human being.
Posted by kamchoor (42 comments )
Link Flag
Simple...
The only time releasing patches off-schedule makes sense is for zero-day exploits. However, these are overall the minority of exploits.

Whenever you release a patch for a previously unknown exploit, you're advertising what the exploit is. Thus releasing on a schedule helps ensure that as many people as possible can update immediately which helps reduce the window between when the vulnerability becomes public and when most machines are patched.
Posted by Meh234 (37 comments )
Link Flag
Simple...
The only time releasing patches off-schedule makes sense is for zero-day exploits. However, these are overall the minority of exploits.

Whenever you release a patch for a previously unknown exploit, you're advertising what the exploit is. Thus releasing on a schedule helps ensure that as many people as possible can update immediately which helps reduce the window between when the vulnerability becomes public and when most machines are patched.
Posted by Meh234 (37 comments )
Link Flag
The main thing abt IE n FF is the time to patch.
I still dun understand why MS need to patch every month, at least for home users there would be less problems compared to corporate users who have more compatibility issues. Why cant patches be provided as and when they are available when there is auto-update? At the very least they can do it like FF do, they notify of new versions (read: patches) when u open the browser.
interestingly for non xp and ie products, they do have non-regular patches such as for windows defender. So why not for IE?
True MS provide patches for download before patching but its hidden in the downloads site where u actually have to search for it.
Posted by pjianwei (206 comments )
Reply Link Flag
Why do you get Anti-Virus updated daily?
Why do you get Anti-Virus updated daily?
+ Cause stuff get's discovered.
+ You'll have to pardon Uncle Billy and his team for being a human being.
Posted by kamchoor (42 comments )
Link Flag
Simple...
The only time releasing patches off-schedule makes sense is for zero-day exploits. However, these are overall the minority of exploits.

Whenever you release a patch for a previously unknown exploit, you're advertising what the exploit is. Thus releasing on a schedule helps ensure that as many people as possible can update immediately which helps reduce the window between when the vulnerability becomes public and when most machines are patched.
Posted by Meh234 (37 comments )
Link Flag
Simple...
The only time releasing patches off-schedule makes sense is for zero-day exploits. However, these are overall the minority of exploits.

Whenever you release a patch for a previously unknown exploit, you're advertising what the exploit is. Thus releasing on a schedule helps ensure that as many people as possible can update immediately which helps reduce the window between when the vulnerability becomes public and when most machines are patched.
Posted by Meh234 (37 comments )
Link Flag
No, just upgrade to Vista
There is no XP-SP3, get real, it's Vista Time Baby!
Posted by kamchoor (42 comments )
Reply Link Flag
No, just upgrade to Vista
There is no XP-SP3, get real, it's Vista Time Baby!
Posted by kamchoor (42 comments )
Reply Link Flag
don't care
please tell it to someone who cares or has not heard this whining before.
thanks,
Posted by kamchoor (42 comments )
Reply Link Flag
don't care
please tell it to someone who cares or has not heard this whining before.
thanks,
Posted by kamchoor (42 comments )
Reply Link Flag
don't care
please tell it to someone who cares or has not heard this whining before.
thanks,
Posted by kamchoor (42 comments )
Reply Link Flag
Different flaws... cannot compare
Both are flaws and both are found in browsers...

IE has multiple vulnerabilities, the highest rated as Highly Critical by www.secunia.org

IE v5.01 still has 6 out of 68 vulnerabilities unpatched as of this date. The unpatched are bugs from 2004-02-27, 2004-04-01, 2004-09-18, 2004-12-08, 2005-01-18 and 2006-02-14.

IE v5.5 still has 7 out of 70 vulnerabilities unpatched as of this date.
The unpatched are bugs from 2004-02-27, 2004-04-01, 2004-09-18, 2004-12-08, 2005-01-18, 2006-02-14 and 2006-04-27 with several of the moderately critical.

IE v6.x still has 19 out of 111 vulnerabilities unpatched as of this date.
The upatched are bugs from 2003-11-07, 2004-02-27, 2004-04-01, 2004-09-18, 2004-11-10, 2004-11-17, 2004-11-26, 2004-12-08, 2005-01-18, 2005-02-17, 2005-02-21, 2005-06-21, 2005-09-26, 2005-11-16, 2006-02-14, 2006-02-28, 2006-04-27, 2006-06-06, and 2007-01-09 with numerous ones are moderately critical.

And finally IE v7.x still has 4 of 6 unpatched vulnerabilities as of this date.
The unpatched bugs are from 2006-06-06, 2006-10-19, 2006-10-25, 2006-10-30 one of them moderately critical and given time... I'm sure this unpatched list will grow for Microsoft!!!

But now let's compare that to Foxfire's past track record:

Foxfire v0.x still has 2 of 39 unpatched vulnerabilities as of this date.
The unpatched bugs are from 2004-08-30 and 2004-09-18 both criticality very low.

Foxfire v1.x still has 4 of 39 unpatched vulnerabilities as of this date.
The unpatched bugs are from 2004-08-30, 2004-09-18, 2006-06-06 and 2006-11-22 all very low criticality.

Foxfire v2.x still has 4 of 5 unpatched vulnerabilities as of this date.
The unpatched bugs are from 2006-06-06, 2006-11-22, 2007-02-16 and 2007-02-19 all very low criticality.

Why does it take Microsoft over 4 years to fix some moderately critical flaws in their past released products?

Time to patch will differentiate the two enough to keep both of them out of the same article at the same time.

You CANNOT compare the two!!!

Walt
Posted by wbenton (522 comments )
Reply Link Flag
Different flaws... cannot compare
Both are flaws and both are found in browsers...

IE has multiple vulnerabilities, the highest rated as Highly Critical by www.secunia.org

IE v5.01 still has 6 out of 68 vulnerabilities unpatched as of this date. The unpatched are bugs from 2004-02-27, 2004-04-01, 2004-09-18, 2004-12-08, 2005-01-18 and 2006-02-14.

IE v5.5 still has 7 out of 70 vulnerabilities unpatched as of this date.
The unpatched are bugs from 2004-02-27, 2004-04-01, 2004-09-18, 2004-12-08, 2005-01-18, 2006-02-14 and 2006-04-27 with several of the moderately critical.

IE v6.x still has 19 out of 111 vulnerabilities unpatched as of this date.
The upatched are bugs from 2003-11-07, 2004-02-27, 2004-04-01, 2004-09-18, 2004-11-10, 2004-11-17, 2004-11-26, 2004-12-08, 2005-01-18, 2005-02-17, 2005-02-21, 2005-06-21, 2005-09-26, 2005-11-16, 2006-02-14, 2006-02-28, 2006-04-27, 2006-06-06, and 2007-01-09 with numerous ones are moderately critical.

And finally IE v7.x still has 4 of 6 unpatched vulnerabilities as of this date.
The unpatched bugs are from 2006-06-06, 2006-10-19, 2006-10-25, 2006-10-30 one of them moderately critical and given time... I'm sure this unpatched list will grow for Microsoft!!!

But now let's compare that to Foxfire's past track record:

Foxfire v0.x still has 2 of 39 unpatched vulnerabilities as of this date.
The unpatched bugs are from 2004-08-30 and 2004-09-18 both criticality very low.

Foxfire v1.x still has 4 of 39 unpatched vulnerabilities as of this date.
The unpatched bugs are from 2004-08-30, 2004-09-18, 2006-06-06 and 2006-11-22 all very low criticality.

Foxfire v2.x still has 4 of 5 unpatched vulnerabilities as of this date.
The unpatched bugs are from 2006-06-06, 2006-11-22, 2007-02-16 and 2007-02-19 all very low criticality.

Why does it take Microsoft over 4 years to fix some moderately critical flaws in their past released products?

Time to patch will differentiate the two enough to keep both of them out of the same article at the same time.

You CANNOT compare the two!!!

Walt
Posted by wbenton (522 comments )
Reply Link Flag
No mention of a third choice...
Notice how they always mention either IE or FF having a flaw, but never Opera. I know Opera has had a flaw or two and they patch just like IE or FF, but they still don't get mentioned as much.

Is opera the MACOSX of browsers?
Posted by thedreaming (573 comments )
Reply Link Flag
No mention of a third choice...
Notice how they always mention either IE or FF having a flaw, but never Opera. I know Opera has had a flaw or two and they patch just like IE or FF, but they still don't get mentioned as much.

Is opera the MACOSX of browsers?
Posted by thedreaming (573 comments )
Reply Link Flag
Internet Explorer 7 update last Tuesday
I have had at least one problem ever since the update I didn't have before. I can no longer communicate with my Outlook Express mail from the command bar. It will not allow me. To confirm this I removed IE6 and went back to 6 and I could communicate with e mail. I reinstalled IE7 and could still communicate but along came the catchup Tuesday patch and it locked my e mail off from the command bar. Some quality control!
Posted by donaldgray (2 comments )
Reply Link Flag
Internet Explorer 7 update last Tuesday
I have had at least one problem ever since the update I didn't have before. I can no longer communicate with my Outlook Express mail from the command bar. It will not allow me. To confirm this I removed IE6 and went back to 6 and I could communicate with e mail. I reinstalled IE7 and could still communicate but along came the catchup Tuesday patch and it locked my e mail off from the command bar. Some quality control!
Posted by donaldgray (2 comments )
Reply Link Flag
don't care
please tell it to someone who cares or has not heard this whining before.
thanks,
Posted by kamchoor (42 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.