Group bug: Flaws flagged in IE, Mozilla, Safari

Newly disclosed, unpatched flaws in three browsers could make the web a more dangerous place to surf, security experts have warned.

Security researchers published details of the bugs in Microsoft's Internet Explorer, Mozilla's Firefox and Apple's Safari to security mailing lists over the weekend. The Firefox and Safari bugs could cause the browsers to crash, while the IE hole could be exploited to hijack a vulnerable Windows computer, Secunia said in advisories on its website.

The security monitoring company deems the IE flaw, reported by bug hunter Michal Zalewski, "highly critical". The problem has been confirmed on version 6 of the popular software but could also affect other versions, the company said. The vulnerability lies in the way IE processes HTML tags. An attacker could exploit the bug by crafting a malicious website, Secunia said.

The alerts come just days after security researcher Tom Ferris reported several unpatched holes in Apple software including Safari. And, earlier this month, Microsoft issued a patch for IE to plug 10 holes, most of which it called "critical".

Microsoft is investigating the newly disclosed vulnerability and believes it is not as serious as Secunia claims, the software maker said in an emailed statement on Tuesday. It said: "Our initial investigation has revealed that the issues described would most likely result in the browser closing unexpectedly or failing to respond."

Symantec also said the IE flaw could be exploited to run malicious code on a vulnerable PC. However, this has not been confirmed, the security specialist said in a note to subscribers of its DeepSight service. Symantec said: "Exploit attempts likely result in crashing the affected application."

Secunia rates the Firefox and Safari problems as "not critical". A miscreant could cause both browsers to crash by crafting a malicious website because of flaws, it said, noting that the programs are flawed in the way certain data is handled.

Safari version 2.0.3 has been confirmed as vulnerable, and other versions may also be affected, Secunia said. Firefox 1.5.0.2, the most recent version, is flawed and earlier versions may also be, according to Secunia's advisory. Apple and Mozilla did not immediately respond to requests for comment.

Because fixes are not available for any of the security holes, Secunia recommends not browsing untrusted websites to avoid the problem.

Joris Evers writes for CNET News.com