mailing list archives
Assorted browser vulnerabilities
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Mon, 4 Jun 2007 13:02:40 +0200 (CEST)
Will keep it brief. A couple of browser bugs, fresh from the oven, hand
crafted with love:
1) Title : MSIE page update race condition (CRITICAL)
Impact : cookie stealing / setting, page hijacking, memory corruption
Demo : http://lcamtuf.coredump.cx/ierace/
...aka the bait & switch vulnerability.
that meets same-domain origin policy (and hence can be scriptually
accessed and modified by the attacker) to an unrelated third-party
site, there is a window of opportunity for concurrently executed
but actual content for the newly loaded page, for example:
- Read or set victim.document.cookie,
- Arbitrarily alter document DOM, including changing form submission
URLs, injecting code,
- Read or write DOM structures that were not fully initialized,
prompting memory corruption and browser crash.
This is tested on MSIE6 and MSIE7, fully patched.
2) Title : Firefox Cross-site IFRAME hijacking (MAJOR)
Impact : keyboard snooping, content spoofing, etc
Demo : http://lcamtuf.coredump.cx/ifsnatch/
Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=382686 [May 30]
event handlers, on pages that rely on IFRAMEs to display contents or
store state data / communicate with the server.
This is related to a less severe variant independently reported by
Ronen Zilberman two weeks earlier (bug 381300).
3) Title : Firefox file prompt delay bypass (MEDIUM)
Impact : non-consentual download or execution of files
Demo : http://lcamtuf.coredump.cx/ffclick2/
Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=376473 [Apr 04]
A sequence of blur/focus operations can be used to bypass delay timers
implemented on certain Firefox confirmation dialogs, possibly enabling
the attacker to download or run files without user's knowledge or
3) Title : MSIE6 URL bar spoofing (MEDIUM)
Impact : mimicking an arbitrary site, possibly including SSL data
Demo : http://lcamtuf.coredump.cx/ietrap2/
MSIE6 vulnerability, similar but unrelated to my earlier onUnload
entrapment flaw, allows sites to spoof URL bar data.
MSIE7 is not affected because of certain high-level changes in the
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Assorted browser vulnerabilities Michal Zalewski (Jun 04)