Scary Vulnerabilities In IE7 And Firefox 2.0

Tuesday, February 27, 2007 by Salman Siddiqui
I am now blogging on my self-hosted blog, CompuWorld, and have started another blog of mine, the Senorita.


This is scary. I could see my boot.ini file online? Huh. This vulnerability, common to both browsers, makes it clear that a programming flaw could be put to dangerous use over the Internet.

Affected Software
Internet Explorer 7
Internet Explorer 6
Internet Explorer 5.01
Firefox 2.0.0.2
Firefox 1.5.0.9

Description
For a demonstration of the vulnerability in IE7, click here. For Firefox, click here. This is a must-see for all Internet users. Using the vulnerability, some of the keystrokes you type while filling in forms on a web page can be diverted and used to expose your boot.ini over the Internet. And this could just be the beginning.
"Both examples are Windows-specific, and require C:\BOOT.INI to exist and be readable by users. The attack itself is not limited to a particular operating system, but I decided to provide a demonstration for most popular desktop OS - *nix versions that access /etc/hosts or /etc/passwd are easy to develop," stated Zalewski, who found the vulnerability.

"In all modern browsers, <INPUT TYPE=FILE> form fields (used to upload user-specified files to a remote server) enjoy some added protection meant to prevent scripts from arbitrarily choosing local files to be sent, and automatically submitting the form without user knowledge. For example, ".value" parameter cannot be set or changed, and any changes to .type reset the contents of the field," added Michal Zalewski.

Workaround Available
User interaction is required for either vulnerability to be exploited successfully. In this context, the user would have to enter text in malformed areas on a web page, in either IE or Firefox. Zalewski explained that keyboard input in unrelated locations can be selectively redirected toward input fields by the attacker.

No real workaround appears to be available currently, but we will keep you updated with the latest news.

Microsoft, on one side, was shouting that their IE7 is free of vulnerabilities, while Firefox was busy releasing patches this month. Now this kick will surely add to their wounds. Let us wait and see how they react.


Source: Softpedia