[ISN] Old bugs blight shiny new browsers

From: InfoSec News (alerts@private)
Date: Mon Oct 30 2006 - 22:20:03 PST


http://www.theregister.co.uk/2006/10/30/ie_firefox_vulns/

By John Leyden
30th October 2006

An old security bug provides a way to crash Firefox 2.0, security 
researchers have discovered. The memory corruption vulnerability 
involving the handling of JavaScript code has been known about since 
June 2006 and Firefox version 1.5.0.7 was supposed to fix the problem.

Despite this, Firefox 2.0 remains vulnerable to this issue. Due to code 
reuse, other Mozilla products are also likely to be affected, a posting 
on Bugtraq warns. The flaw might be used to inject hostile code into 
vulnerable systems, but so far nothing more dangerous than an ability to 
crash the browser has been demonstrated.

In other browser security news, security notification firm Secunia has 
published details of another bug involving IE7. In default 
configuration, IE7 is vulnerable to a Window Injection vulnerability 
that previously hit IE6.

The flaw means it's possible for a malicious website to inject new 
content into a popup window, which has been opened by a trusted site and 
is thus potentially useful in phishing attacks.

"In IE7 this is mitigated by the address bar always being visible. 
However, if this is combined with the IE7 'Popup Address Bar Spoofing 
Weakness' issue from last week, the attack would be very convincing," 
Secunia CTO Thomas Kristensen said.


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org 



This archive was generated by hypermail 2.1.3 : Mon Oct 30 2006 - 22:25:58 PST