Slashdot Mirror


IE and Firefox Share a Vulnerability

hcmtnbiker writes with news of a logic flaw shared by IE 7 and Firefox 2.0. IE 5.01, IE 6, and Firefox 1.5.0.9 are also affected. The flaw was discovered by Michal Zalewski, and is easily demonstrated on IE7 and Firefox. The vulnerability is not platform-specific, but these demonstrations are — they work only on Windows systems. (Microsoft says that IE7 on Vista is not vulnerable.) From the vulnerability description: "In all modern browsers, form fields (used to upload user-specified files to a remote server) enjoy some added protection meant to prevent scripts from arbitrarily choosing local files to be sent, and automatically submitting the form without user knowledge. For example, '.value' parameter cannot be set or changed, and any changes to .type reset the contents of the field... [in this attack] the keyboard input in unrelated locations can be selectively geared toward input fields by the attacker."

5 of 207 comments

  1. Oh really... by Brad_sk · Score: 0, Troll

    Firefox has a vulnerability... that's impossible!!... Let's blame it on Windows as usual.

  2. Re:frosty piss by Anonymous Coward · Score: -1, Troll

    Do you feel like more of a man for modding me down? I bet you told all your friends about it. LOOOOOSER!!

  3. Re:Try as I might... by Anonymous Coward · Score: -1, Troll

    Yes, moron. If you had read the damned summary you would have read the words, "The vulnerability is not platform-specific, but these demonstrations are -- they work only on Windows systems."

    Does using Linux preclude you from thinking as well?

  4. IE and Firefox Share a Vulnerability by kfuq · Score: -1, Troll

    This is old news. I posted it on Digg 9 days ago: http://digg.com/security/MSIE7_Focus_bug_demo

    --
    iF yOu WAnT to C YOUr iP agaIn gAThEr tWO MilLIon dOLLArS IN Non - cONsEcuTivE TweNtY's AnD AWaiT FuRThER iNstrUctIoN

  5. Re:Awww, that's so cute by jtcm · Score: 1, Troll

    From the DropMyRights link:

    Create a shortcut and enter DropMyRights.exe as the target executable, followed by the path to the application you want to execute in lower privilege. For example:

    C:\warez\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe"

    For shame! What's that directory doing on a computer at Microsoft Security Engineering?

    --
    @ASP.NET's parent-teacher meeting: "Little Johnny.NET is very bright, but he doesn't play well with others."