|
Full Disclosure
mailing list archives
Re: Firefox/MSIE focus stealing vulnerability - clarification
From: "Tyop?" <tyoptyop () gmail com>
Date: Tue, 13 Feb 2007 05:44:54 +0100
On 2/12/07, Ruud H.G. van Tol <rvtol () isolution nl> wrote:
Michal Zalewski wrote:
2) The Firefox attack vector is related to the Charles' CVE-2006-2894,
which in turn was a rediscovery of a problem known to Mozilla since
2000 (!); attempts to fix it in official releases failed because the
problem was repeatedly marked as a duplicate of a too narrowly
defined issue with control hiding. A broader redesign probably
eliminated the issue in development branches, but it still affects
Firefox 1.5 and 2.0.
This can be considered an independent rediscovery and a more
practical demonstration of a previously reported vulnerability.
The exploit is here: http://lcamtuf.coredump.cx/focusbug/index.html
Without JavaScript on, this doesn't work. See http://noscript.net/
Without a browser too, this doesn't work. See http://netcat.sourceforge.net/
--
Guasconi Vincent
French Student.
http://altmylife.blogspot.com [Fr]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
- Re: Firefox focus stealing vulnerability (possibly other browsers), (continued)
Firefox/MSIE focus stealing vulnerability - clarification Michal Zalewski (Feb 11)
|
Intro
