A marriage cemented by flaws

Jun 5, 2007 06:44 GMT  ·  By

Internet Explorer 7 and Firefox 2.0 are two browsers that put security "at heart," so to speak: IE7 because of the focus Microsoft placed on it during development, and Firefox 2.0 because its relatively small market share has so far kept it in a comparatively quiet threat environment. Customer perception aside, both the Microsoft browser and Mozilla's open source alternative bring a high level of user protection to the table. But in the end, neither IE nor Firefox 2.0 is perfect.

On Monday, June 4, 2007, security researcher Michal Zalewski made public a list of four vulnerabilities affecting IE6, IE7 and Firefox 2.0 (Firefox 1.5 is not mentioned here, since Mozilla dropped support for it at the end of the previous month). "Will keep it brief. A couple of browser bugs, fresh from the oven, hand crafted with love," his message begins. The four issues are an "MSIE page update race condition," rated critical; "Firefox Cross-site IFRAME hijacking," rated major; a "Firefox file prompt delay bypass," rated medium; and "MSIE6 URL bar spoofing," also rated medium.

"When Javascript code instructs MSIE to navigate away from a page that meets same-domain origin policy (and hence can be scriptually accessed and modified by the attacker) to an unrelated third-party site, there is a window of opportunity for concurrently executed Javascript to perform actions with the permissions for the old page, but actual content for the newly loaded page, for example: read or set victim.document.cookie, arbitrarily alter document DOM, including changing form submission URLs, injecting code, or even crashing the browser due to memory corruption while reading and writing not fully initialized data structures," Zalewski wrote of the "MSIE page update race condition" vulnerability, for which he also posted a proof-of-concept test page.

Zalewski noted that Firefox is not affected by this flaw and that no browsers other than IE6 and IE7, both vulnerable, were tested. He added that the exploit makes the whole security model of IE collapse, leaving users wide open to attack. However, with my copy of Internet Explorer 7 on Windows Vista I am apparently not vulnerable to this attack, as the exploit failed to obtain a cookie after 120 seconds. Perhaps the mitigations that Windows Vista and IE7 have in place render the exploit useless.
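To make the shape of the race concrete, here is a small model added to this article (it is not Zalewski's proof-of-concept and not Internet Explorer's code; the `Page` and `BrowserWindow` classes, the example origins and the cookie values are all made up for illustration). A navigation is broken into steps, and "concurrently executed JavaScript" gets to run between every two steps. The racy variant commits the new page's content before it switches the document's security principal, so the attacker's same-origin check still passes while the cookie already belongs to the new site; the atomic variant swaps both at once.

```javascript
// Constructed model of a "page update race": a browser that commits the new
// page's content before it switches the document's security principal, so a
// script that passes the same-origin check for the OLD page can read the NEW
// page's data. Illustration only: not Zalewski's proof-of-concept and not
// IE's actual code; Page, BrowserWindow, origins and cookies are made up.

class Page {
  constructor(origin, cookie) {
    this.origin = origin; // principal used for the same-origin check
    this.cookie = cookie; // page-side state the attacker wants to read
  }
}

class BrowserWindow {
  constructor(page) {
    this.page = page;
  }
  // Same-origin policy: script from callerOrigin may touch the document only
  // if the document currently carries that same origin.
  access(callerOrigin) {
    if (this.page.origin !== callerOrigin) {
      throw new Error('same-origin policy denies access');
    }
    return this.page;
  }
}

// A navigation is modelled as a list of steps. The loop in runScenario lets
// the attacker's script run between any two steps, which is what turns a
// two-step update into a race.
function racyNavigationSteps(win, target) {
  return [
    () => { win.page.cookie = target.cookie; }, // new content committed first
    () => { win.page.origin = target.origin; }, // principal switched afterwards
  ];
}

// Hardened variant: principal and content are replaced in a single step, so at
// no point does the old origin's script see the new page's data.
function atomicNavigationSteps(win, target) {
  return [
    () => { win.page = new Page(target.origin, target.cookie); },
  ];
}

// Runs one navigation from an attacker-controlled page to a third-party site,
// with the attacker's script polling the window between steps. Returns the
// cookie the attacker managed to read, or null if the same-origin check held.
function runScenario(navigationSteps) {
  const attackerOrigin = 'http://attacker.example'; // constructed value
  const victim = new Page('http://bank.example', 'SESSION=victim-secret');
  const win = new BrowserWindow(new Page(attackerOrigin, 'attacker-cookie'));

  let stolen = null;
  for (const step of navigationSteps(win, victim)) {
    step();
    // The attacker's script is scheduled here, as concurrently executed
    // JavaScript would be during a real navigation.
    try {
      const page = win.access(attackerOrigin);                // old permissions
      if (page.cookie === victim.cookie) stolen = page.cookie; // new content
    } catch (e) {
      // Origin already switched: access is correctly denied.
    }
  }
  return stolen;
}

console.log('racy navigation leaked:', runScenario(racyNavigationSteps));
console.log('atomic navigation leaked:', runScenario(atomicNavigationSteps));
```

The model captures only the ordering problem, principal versus content; the DOM manipulation and memory corruption Zalewski mentions are not represented, and the fix shown (swap both in one step) is the general remedy for this class of bug, not a description of what Microsoft shipped.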

Firefox is affected by two flaws: a cross-site IFRAME hijacking and a file prompt delay bypass. Zalewski's advisory links to demos of both, which can be tried with the Mozilla open source browser. "Javascript can be used to inject malicious code, including key-snooping event handlers, on pages that rely on IFRAMEs to display contents or store state data / communicate with the server," is how Zalewski describes the first Firefox flaw, while of the second he writes that "a sequence of blur/focus operations can be used to bypass delay timers implemented on certain Firefox confirmation dialogs, possibly enabling the attacker to download or run files without user's knowledge or consent."

The last vulnerability affects only users of Internet Explorer 6, but with IE6 still accounting for over half of the IE installations in use, the number of exposed users is large. The attack attempts to spoof the contents of the URL bar; Zalewski's advisory links to a demo.