IE and Firefox Share a Vulnerability

hcmtnbiker writes with news of a logic flaw shared by IE 7 and Firefox 2.0. IE 5.01, IE 6, and Firefox 1.5.0.9 are also affected. The flaw was discovered by Michal Zalewski, and is easily demonstrated on IE7 and Firefox. The vulnerability is not platform-specific, but these demonstrations are — they work only on Windows systems. (Microsoft says that IE7 on Vista is not vulnerable.) From the vulnerability description: "In all modern browsers, form fields (used to upload user-specified files to a remote server) enjoy some added protection meant to prevent scripts from arbitrarily choosing local files to be sent, and automatically submitting the form without user knowledge. For example, '.value' parameter cannot be set or changed, and any changes to .type reset the contents of the field... [in this attack] the keyboard input in unrelated locations can be selectively geared toward input fields by the attacker."

Awww, that's so cute

[varmint+jerky]

Next thing you know they'll be coquettishly batting eyelashes at each other and accidently eating the same strand of spaghetti.

Re:How it works

[amrust]

Getting someone to type something might prove easier though now due to the prevalence of Capchas.

You took the words right out of my keyboard, no pun intended*.

It won't affect my commenting on blogs or sites that I normally frequent. But after that demo, I admit I probably won't look at captchas the same way again.

* OK maybe one quick pun.

Re:IE7 Vista

[evilgrug]

It didn't protect IE on Vista for me. I created a dummy boot.ini and IE7 Vista happily spat it out.

Re:IE7 Vista

[brainhum]

The latest Web 2.0 Captcha:

C:\ W IN D O W S\ sys tem 32\config\S AM

You heard it here first! /.

Works on FireFox under Linux

[smiggly]

It just takes a few changes. Try this:

http://www.thanhngan.org/fflinuxversion.html