TUCoPS :: HP Unsorted A :: tb11137.htm

Assorted browser vulnerabilities
Assorted browser vulnerabilities
Assorted browser vulnerabilities


Will keep it brief. A couple of browser bugs, fresh from the oven, hand
crafted with love:

1) Title    : MSIE page update race condition (CRITICAL)
   Impact   : cookie stealing / setting, page hijacking, memory corruption
Demo : http://lcamtuf.coredump.cx/ierace/ 

   ...aka the bait & switch vulnerability.

   When Javascript code instructs MSIE6/7 to navigate away from a page
   that meets same-domain origin policy (and hence can be scriptually
   accessed and modified by the attacker) to an unrelated third-party
   site, there is a window of opportunity for concurrently executed
   Javascript to perform actions with the permissions for the old page,
   but actual content for the newly loaded page, for example:

     - Read or set victim.document.cookie,

     - Arbitrarily alter document DOM, including changing form submission
       URLs, injecting code,

     - Read or write DOM structures that were not fully initialized,
       prompting memory corruption and browser crash.

   This is tested on MSIE6 and MSIE7, fully patched.

2) Title    : Firefox Cross-site IFRAME hijacking (MAJOR)
   Impact   : keyboard snooping, content spoofing, etc
Demo : http://lcamtuf.coredump.cx/ifsnatch/ 
   Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=382686 [May 30]

   Javascript can be used to inject malicious code, including key-snooping
   event handlers, on pages that rely on IFRAMEs to display contents or
   store state data / communicate with the server.

   This is related to a less severe variant independently reported by
   Ronen Zilberman two weeks earlier (bug 381300).

3) Title    : Firefox file prompt delay bypass (MEDIUM)
   Impact   : non-consentual download or execution of files
Demo : http://lcamtuf.coredump.cx/ffclick2/ 
   Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=376473 [Apr 04]

   A sequence of blur/focus operations can be used to bypass delay timers
   implemented on certain Firefox confirmation dialogs, possibly enabling
   the attacker to download or run files without user's knowledge or

3) Title    : MSIE6 URL bar spoofing (MEDIUM)
   Impact   : mimicking an arbitrary site, possibly including SSL data
Demo : http://lcamtuf.coredump.cx/ietrap2/ 

   MSIE6 vulnerability, similar but unrelated to my earlier onUnload
   entrapment flaw, allows sites to spoof URL bar data.

   MSIE7 is not affected because of certain high-level changes in the

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2023 AOH