June 8, 2006 4:26 PM PDT
Microsoft, Mozilla downplay browser bug
- Related Stories
-
Bumper crop of Microsoft patches on the way
June 8, 2006 -
Critical flaws squashed in Firefox update
June 2, 2006 -
Bugs bite into popular browsers
April 25, 2006 -
Opera releases beta of latest browser
April 20, 2006 -
'Critical' megapatch sews up 10 holes in IE
April 11, 2006
Internet Explorer and Firefox, as well as other Mozilla browsers, are flawed in the way they handle JavaScript, security experts warned this week. An attacker could use the problem to launch surreptitious file uploads, jeopardizing people's personal data, they said.
But exploiting the flaw requires so much user interaction that Microsoft and Mozilla don't think it poses much of a danger. The companies do not see a need to rush out a fix. Instead, both plan to address the bug in upcoming releases of their browsers, representatives said, but did not specify which update or when it might arrive.
"This vulnerability does not allow a malicious attacker to execute code against a user's machine but rather requires significant user interaction that could result in information disclosure," a Microsoft representative said in an e-mailed statement. "Microsoft plans to address this vulnerability in a future version of Internet Explorer."
Mike Schroepfer, vice president of engineering at Mozilla, made similar comments. "This is a relatively low severity issue, because it requires a specific set of user actions and does not pose a remote code execution risk," he said in a statement. "That said, we take every issue seriously and are working on a fix for a future release of Firefox."
The flaw relates to JavaScript "OnKeyDown" events. An attacker could craft a malicious Web site that surreptitiously captures a user's keystrokes into a hidden file-upload dialog box and then launches the upload, Symantec and Secunia said in security alerts issued earlier this week.
For an attack to be successful, victims have to type the full path of files the attacker wants to download. "This may require substantial typing from targeted users," security company Symantec said. Attackers will likely use Web pages such as keyboard-based games or blogs to exploit this issue, it added.
Microsoft noted that it has not seen any malicious code that attempts to exploit the vulnerability.
The security flaw is unusual because it affects not just one browser, but hits all current versions of Firefox, Mozilla SeaMonkey, Mozilla Suite, Netscape and Microsoft Internet Explorer, Secunia said. The security monitoring company deemed the problem "less critical," its second-lowest of five possible ratings.
Mozilla's browsers are vulnerable on multiple operating systems. Opera Software's namesake browser appears unaffected by this problem.
Security experts have advised people to be cautious when typing data at Web sites they do not know and trust, or to disable JavaScript.
My browser if better than your browser.
No it's not...Mine is better than yours.
My browswer is to better...and you're stupid and ugly too.
Yeah...well...your mother wears combat boots....and my browser is still better than yours...
Blah! Blah! Blah!
I guess since its possible to aim a car at school children we should just remove the steering wheel. I am sure that will solve the problem.
Besides, I applaud both companies for not dancing like puppets on a string whenever a so-called "security expert" (in reality, a hacker) spends hours and hours of time trying to hack these browsers in some arcane fashion just so he can get the headlines and the attention you guys are always so willing to give him as a reward.
There's a very thin line between "malicious hacker" behavior and the way in which many of these so-called "security experts" behave. It'd be nice if you'd mention that once in awhile.
another reason to use a more standards compliant browser like firefox, opera or whatever