Bugs Reported In Both IE And FirefoxBugs Reported In Both IE And Firefox

Polish security researcher Michal Zalewski added to his long string of discovered browser vulnerabilities by announcing four new bugs -- two he says are in Microsoft's Internet Explorer and two in Mozilla's Firefox.

Mozilla's Window Snyder, who has the title of chief "security something-or-other" and oversees security for Mozilla's products, said in a blog post Tuesday afternoon that both the Firefox bugs are being given a low-threat rating.

A Microsoft spokesman said in an e-mail to information that the company's researchers are investing the "claims" of two possible vulnerabilities in IE. "Microsoft is not aware of any attacks attempting to use the possible vulnerabilities or of customer impact at this time," he said. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs."

The bugs, which affect fully patched versions of Internet Explorer versions 6 and 7, enable hackers to steal sign-on cookies, corrupt memory, and hijack pages, according to a posting on Zalewski's Full-Disclosure mailing list. He called it the "bait and switch vulnerability."

He explained that there is a "window of opportunity" when a user navigates away from one page to another site when a hacker could execute JavaScript from the old page on the new site. That could allow him to inject code or alter document DOM. In the DOM, the document object provides a basic way to represent HTML and XML.

"In other words, the entire security model of the browser collapses like a house of cards and renders you vulnerable to a plethora of nasty attacks; and local system compromise is not out of question, either," Zalewski wrote in another posting.

The other reported bug in Internet Explorer allows a hacker to mimic an arbitrary Web site, according to Zalewski, who gave it a medium rating.

For Firefox, Snyder explained that one DOM-related bug allows the attacker to spoof content and potentially even JavaScript. "The spoofed content would be in the attacker's domain, not the spoofed domain," she wrote in a blog. "This is unsafe because it could be used to lure a user to enter content into the spoofed frame, but does not result in code execution. This might be used with phishing attacks."

With the second Firefox vulnerability, Snyder noted that it requires an additional flaw in a content handler to actually compromise a user. The Firefox bug alone cannot be used to execute or even place code on the user's machine. Mozilla is considering ways to improve management of content handlers to protect users from potential vulnerabilities, she wrote.