
File-pinching security hole punctures Firefox and IE

This one's a tiddler, say Microsoft and Mozilla...

Tags: firefox, mozilla

By Joris Evers

Published: 9 June 2006 08:15 GMT

Microsoft and Mozilla have acknowledged that a security hole in their web browsers could let an intruder nab files but say it is tough to exploit and so not that high a risk.

Internet Explorer and Firefox, as well as other Mozilla browsers, are flawed in the way they handle JavaScript, security experts warned this week. An attacker could use the problem to launch surreptitious file uploads, jeopardising people's personal data, they said.

But exploiting the flaw requires so much user interaction that Microsoft and Mozilla don't think it poses much of a danger. The companies do not see a need to rush out a fix. Instead, both plan to address the bug in upcoming releases of their browsers, representatives said, but did not specify which update or when it might arrive.

A Microsoft representative said in an emailed statement: "This vulnerability does not allow a malicious attacker to execute code against a user's machine but rather requires significant user interaction that could result in information disclosure. Microsoft plans to address this vulnerability in a future version of Internet Explorer."

Mike Schroepfer, vice president of engineering at Mozilla, made similar comments. "This is a relatively low-severity issue, because it requires a specific set of user actions and does not pose a remote code execution risk," he said in a statement. "That said, we take every issue seriously and are working on a fix for a future release of Firefox."

The flaw relates to JavaScript 'OnKeyDown' events. An attacker could craft a malicious website that surreptitiously captures a user's keystrokes into a hidden file-upload dialogue box and then launches the upload, Secunia and Symantec said in security alerts issued earlier this week.

For an attack to be successful, victims have to type the full path of files the attacker wants to download. Security company Symantec said: "This may require substantial typing from targeted users." Attackers will be likely to use web pages such as keyboard-based games or blogs to exploit this issue, it added.

Microsoft noted it has not seen any malicious code that attempts to exploit the vulnerability.

The security flaw is unusual because it affects not just one browser but hits all current versions of Firefox, Mozilla SeaMonkey, Mozilla Suite, Microsoft Internet Explorer and Netscape, Secunia said. The security monitoring company deemed the problem "less critical", its second-lowest of five possible ratings.

Mozilla's browsers are vulnerable on multiple operating systems. Opera Software's namesake browser appears unaffected by this problem.

Security experts have advised people to be cautious when typing data at websites they do not know and trust, or to disable JavaScript.

Joris Evers writes for CNET News.com
