February 22nd, 2007
Yet another 'critical' Firefox flaw
Less than 24 hours before the scheduled release of Firefox 2.0.0.2 as a high-priority browser refresh, a new “critical” vulnerability has been reported by Polish hacker Michal Zalewski.
Zalewski, who appears to be running an unofficial MOFFB (month of Firefox bugs) project, released a demo of a memory corruption issue that crashes the browser and puts users at risk of PC takeover attacks.
“Firefox is susceptible to a pretty nasty, and apparently easily exploitable memory corruption vulnerability. When a location transition occurs and the structure of a document is modified from within onUnload event handler, freed memory structures are left in inconsistent state, possibly leading to a remote compromise,” Zalewski warned.
Mozilla’s security team is tracking the issue.
Zalewski’s ongoing browser research has also uncovered a “quite nasty” flaw in Microsoft’s Internet Explorer 7.
He described the IE 7 issue as a “combination-type vulnerability” that allows the attacker to:
a) Trap the visitor in a Matrix-esque tarpit webpage that cannot be left by normal means (this is a known brain-damaged design of onUnload Javascript handlers),b) Spoof transitions between pages so that the user thinks he actually managed to leave the affected site, and so that the URL bar displays other addresses we didn’t actually go to.
“This opens a plethora of spoofing/phishing scenarios,” Zalewski warned. A demonstration page is available for testing purposes.
So far this month, Zalewski’s demos have included focus bugs, a location.hostname issue (critical), a blank bug, a bookmark issue and today’s unload and trap flaws.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
