Assorted browser vulnerabilities Jun 04 2007 11:02AM
Michal Zalewski (lcamtuf dione ids pl)

Will keep it brief. A couple of browser bugs, fresh from the oven, hand
crafted with love:

1) Title : MSIE page update race condition (CRITICAL)
Impact : cookie stealing / setting, page hijacking, memory corruption
Demo : http://lcamtuf.coredump.cx/ierace/

...aka the bait & switch vulnerability.

When Javascript code instructs MSIE6/7 to navigate away from a page
that meets same-domain origin policy (and hence can be scriptually
accessed and modified by the attacker) to an unrelated third-party
site, there is a window of opportunity for concurrently executed
Javascript to perform actions with the permissions for the old page,
but actual content for the newly loaded page, for example:

- Read or set victim.document.cookie,

- Arbitrarily alter document DOM, including changing form submission
URLs, injecting code,

- Read or write DOM structures that were not fully initialized,
prompting memory corruption and browser crash.

This is tested on MSIE6 and MSIE7, fully patched.

2) Title : Firefox Cross-site IFRAME hijacking (MAJOR)
Impact : keyboard snooping, content spoofing, etc
Demo : http://lcamtuf.coredump.cx/ifsnatch/
Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=382686 [May 30]

Javascript can be used to inject malicious code, including key-snooping
event handlers, on pages that rely on IFRAMEs to display contents or
store state data / communicate with the server.

This is related to a less severe variant independently reported by
Ronen Zilberman two weeks earlier (bug 381300).

3) Title : Firefox file prompt delay bypass (MEDIUM)
Impact : non-consentual download or execution of files
Demo : http://lcamtuf.coredump.cx/ffclick2/
Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=376473 [Apr 04]

A sequence of blur/focus operations can be used to bypass delay timers
implemented on certain Firefox confirmation dialogs, possibly enabling
the attacker to download or run files without user's knowledge or

3) Title : MSIE6 URL bar spoofing (MEDIUM)
Impact : mimicking an arbitrary site, possibly including SSL data
Demo : http://lcamtuf.coredump.cx/ietrap2/

MSIE6 vulnerability, similar but unrelated to my earlier onUnload
entrapment flaw, allows sites to spoof URL bar data.

MSIE7 is not affected because of certain high-level changes in the

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus