
Security Strategy

More flaws: Bugs hit Firefox, IE

Your data is at risk...

Tags: ie 7, firefox

By Joris Evers

Published: 19 February 2007 08:25 GMT

Microsoft and Mozilla are each working to tackle recently disclosed security flaws in their respective web browsers.

The vulnerabilities were described last week in postings to a popular security mailing list by researcher Michal Zalewski. The flaws in Firefox and Internet Explorer could enable miscreants to grab data via malicious websites, Zalewski said.

In addition, another Firefox flaw could let attackers change cookie files on the user's PC, he said.

In the case of IE, the problem affects the latest version - IE 7 - and probably earlier releases, Zalewski wrote. Microsoft confirmed the flaw could open up files stored on a PC's hard drive to an attacker but only if the location of a given file is already known.

A Microsoft representative said in a statement: "In order to be successful, an attacker in advance would have to convince the user to enter the location of a file into an attacker's web page through social engineering." The software giant is still investigating the issue and will take "appropriate action", the representative added.

Firefox is affected by two security holes, both described by Zalewski. One is similar to the IE problem, while the other could let miscreants change cookie files stored on a PC running the vulnerable browser. Cookies are small files stored on a PC by websites, to remember login credentials and site preferences, for example.

Regarding the cookie problem, Zalewski wrote in a posting to the Full Disclosure mailing list: "The impact is quite severe." Because cookies can be changed by a malicious website, an attacker can change the way other sites are displayed or how they work, he said.

Firefox developers, co-ordinated by Mozilla, have already crafted a fix for this flaw, according to a bug entry on the organisation's website. The patch has not yet been made available to the browser's users. Mozilla typically releases updates with a number of fixes, and the next patch release could come soon, according to the site posting. The bugs affect the latest versions of the open source browser, Zalewski wrote.

He added: "The proposed fix seems to be OK and was provided swiftly." Last week, two other information-disclosure bugs in Firefox were publicised.

Meanwhile, smart internet users should be aware of the websites they visit. Firefox users can also install the "NoScript" add-on to prevent script code from running on websites. This blocks Zalewski's proof-of-concept exploit for the information disclosure bug and will also prevent many other attacks.

Joris Evers writes for CNET News.com
