Full Disclosure: Re: Firefox/MSIE focus stealing vulnerability

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Full Disclosure mailing list archives

Re: Firefox/MSIE focus stealing vulnerability - clarification

From: "Ruud H.G. van Tol" <rvtol () isolution nl>
Date: Mon, 12 Feb 2007 23:31:56 +0100 (CET)

Michal Zalewski wrote:

  2) The Firefox attack vector is related to the Charles' CVE-2006-2894,
     which in turn was a rediscovery of a problem known to Mozilla since
     2000 (!); attempts to fix it in official releases failed because the
     problem was repeatedly marked as a duplicate of a too narrowly
     defined issue with control hiding. A broader redesign probably
     eliminated the issue in development branches, but it still affects
     Firefox 1.5 and 2.0.

     This can be considered an independent rediscovery and a more
     practical demonstration of a previously reported vulnerability.
     The exploit is here: http://lcamtuf.coredump.cx/focusbug/index.html


Without JavaScript on, this doesn't work. See http://noscript.net/

-- 
Affijn, Ruud


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Re: Firefox focus stealing vulnerability (possibly other browsers), (continued)
- Firefox/MSIE focus stealing vulnerability - clarification Michal Zalewski (Feb 11)
  - Re: Firefox/MSIE focus stealing vulnerability - clarification Marcello Barnaba (Feb 12)
  - Re: Firefox/MSIE focus stealing vulnerability - clarification Ruud H.G. van Tol (Feb 12)
    - Re: Firefox/MSIE focus stealing vulnerability - clarification Tyop? (Feb 12)
    - Re: Firefox/MSIE focus stealing vulnerability - clarification Marcello Barnaba (Feb 12)