Four recently discovered vulnerabilities in two rival Internet browsers should serve as a “wake-up call” to Web surfers, Canadian security experts say.
On Wednesday, Polish computer security expert Michal Zalewski disclosed two flaws he found in Mozilla’s open-source Firefox browser and two defects in Microsoft’s Internet Explorer (IE).
According to Zalewski’s posting on the Full-Disclosure mailing list, the most critical vulnerability resides in IE.
The flaw allows hackers to steal sign-on cookies from online banks and other trusted sites as well as “hijack” a victim’s machine, said Zalewski, who has achieved fame as a white-hat hacker.
He said malicious hackers can take advantage of a “brief window of opportunity” when IE navigates from a sensitive Web page to an unrelated site. During this time, an attacker can execute JavaScript actions that can compromise a victim’s machine.
The security expert said attackers can read cookies controlled by the trusted site, change form submission URLs, inject malicious code or crash the browser.
“The entire security model of the browser collapses like a house of cards and renders you vulnerable to a plethora of nasty attacks.”
A second flaw affects IE 6.0. The vulnerability, which was rated a “medium” threat, enables hackers to mimic Web sites, possibly including those that deliver content over a protected channel.
The researcher said Firefox does not appear to be affected by the IE bugs. However, one of two flaws found in the Mozilla browser can be considered “critical”.
Attackers are able to intercept keystrokes, spoof and inject malware into a legitimate Web site using an IFrame vulnerability in Firefox 2.0.
The second Firefox vulnerability, rated as a “medium” threat, is found in the delay timer implemented during certain confirmation dialogs. By imitating the sequence of “blur/focus operations”, an attacker can cause a victim to download and execute malicious code, Zalewski said.
Mozilla has been alerted about the flaws, and the bugs have been posted on the Bugzilla Web site, the company’s bug-tracking system.
Microsoft said it is not aware of any ongoing attacks attributed to the recently discovered IE flaws, but the company is investigating Zalewski’s report.
Patches issued by the company can be found on the Microsoft TechNet site.
Technology industry experts said the discovery of the bugs should serve as a reminder to organizations and individual computer users to be vigilant in their installation of security patches.
“This is definitely a wake-up call for users who have the impression that Firefox is safe from attacks,” said Eldon Sprickerhoff, founder of online security firm eSentire Inc. of Cambridge, Ont.
He said there is a perception among some users that Firefox is “impervious to bugs” because most publicized attacks target Internet Explorer, which is more popular with corporate organizations.
However, running an older Firefox version or neglecting to install upgrades or patches renders a machine vulnerable to attacks, Sprickerhoff said.
He also said the lag time between the discovery of a vulnerability and the actual implementation of a patch “works in favour of the hackers.”
It usually takes up to a month for software developers to work out a remedy for a flaw, but hackers are able to exploit a bug in one to 10 days after it has been reported, said the security expert.
Once a patch has been released, it often takes up to a month for organizations to deploy it, he added.
Not all companies are eager to install security patches because the procedure affects normal system operations, according to Robert Beggs, chief executive officer, Digital Defense Inc., a network security firm based in Toronto.
Installing a patch often requires shutting down critical systems for testing.
Taking into account that some tests can last up to 30 days, companies often decide the patch is not worth the disruption, said Beggs. “I’ve done work with some companies where the last patch on a system was installed in 2003”.