FXOpen Broker

10+ years’
experience in FX


Trading Accounts

Micro, Crypto


Free Demo

Practice Forex trading
risk free


PAMM Technology

Become a Master
or a Follower

Results 1 to 3 of 3

Thread: Explorer, Firefox Take Heat

  1. #1
    Join Date
    Jun 2007
    Thanked 0 Times in 0 Posts

    Default Explorer, Firefox Take Heat

    Whether you're running Microsoft Internet Explorer or Mozilla Firefox, there may be new reason for concern today. Both browsers are allegedly open to a number of high-risk vulnerabilities.

    Security researcher Michal Zalewski has alleged in a mailing list posting that fully patched versions of the top browsers contain two vulnerabilities. And to add further insult to injury, a security researcher said Mozilla might have made things worse with its recent update.

    For Internet Explorer 6 and 7, Zalewski alleges that there is a page update race condition that could lead to cookie stealing, page hijacking or memory corruption.

    "When JavaScript code instructs MSIE6/7 to navigate away from a page that meets same-domain origin policy (and hence can be scripturally accessed and modified by the attacker) to an unrelated third-party site, there is a window of opportunity for concurrently executed JavaScript to perform actions with the permissions for the old page, but actual content for the newly loaded page," Zalewski wrote.

    For IE 6, Zalewski alleges that he has found an address-bar spoofing condition that could be used for phishing attacks.

    A Microsoft spokesperson told internetnews.com that Microsoft is investigating new public claims of two possible vulnerabilities in Internet Explorer. So far Microsoft is not aware of any attacks attempting to use the possible vulnerabilities.

    Microsoft will continue to investigate the claims to help provide additional guidance for customers as necessary and will take the appropriate action to protect customers, which may include issuing a security advisory or providing a security update through the monthly release process.

    Microsoft also lashed out at Zalewski by noting that responsible disclosure of vulnerabilities is the best way to minimize risk to computer users.

    "Microsoft supports the commonly accepted practice of reporting vulnerabilities directly to a vendor, which serves everyone's best interests," the Microsoft spokesperson said. "This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."

    But Zalewski didn't just expose issues in Microsoft's browser; he also found a pair of holes in Mozilla's Firefox.

    One alleged flaw is a Cross-site IFRAME hijacking vulnerability that could allow a malicious user to use JavaScript to inject malicious code. IFRAME is an inline frame tag in HTML that is widely used on Web sites.

    A second flaw that Zalewski tagged as being less critical could let an attacker use a Firefox file prompt delay in order to force arbitrary files down on unsuspecting users.

    Mozilla is aware of both of Zalewski's alleged flaws, though it has tagged both with a low severity rating.

    "Mozilla prioritizes bugs based on severity to help us figure out which bugs to fix first. Just because a bug has a lower severity rating does not mean we dismiss it," Mozilla's Chief Security Office Widow Snyder blogged. "We fix all bugs with any security risk as part of our commitment to security."

    There may be more than just unpatched bugs for Mozilla to worry about, though. Security researcher Thor Larholm has alleged that a bug Mozilla claims to have patched in the recent release is in fact still a vulnerability.

    Among the numerous fixes in Firefox is one for a directory traversal vulnerability that could have allowed an attacker to read local files.

    "However, the patch only partially fixed the vulnerability on Windows systems and accidentally circumvents an existing input validation check," Larholm wrote in a mailing list posting.

    "The net result is that you can still read some local files on Windows and all user accessible files on Linux/Unix/OS X, with all user-accessible files potentially readable as well on Windows through the patch regression."

    Mozilla has not yet responded directly to Larholm's allegations, though Larholm claims that he did provide advance notification to Mozilla.

    "The Mozilla security team are usually quick to respond but have not been as accommodating with this report, ignoring the advice in my May 25 notice and releasing a flawed patch and lastly taking the better part of five days to even respond on my May 31 notice," Larholm told internetnews.com. "That response asked for a functional exploit before it would be investigated further."

    Larholm does have a solution for Mozilla, that is, if they're willing to listen to him.

    "Mozilla has a wide range of options, from simply rearranging their input validation routine to undergoing a larger review of their URI resolver logic source code," Larholm said.

  2. #2
    Director of FXOpen Aus FXOjafar's Avatar
    Join Date
    Apr 2007
    Thanked 79 Times in 51 Posts


    Bah, viruses are an unknown thing amongst Linux users like myself
    Jafar Calley - Director
    FXOpen AU Pty Ltd
    Level 26 • 1 Bligh Street
    Sydney NSW 2000
    AFSL:412871 ABN:61 143 678 719

  3. #3
    In Profit
    Join Date
    Jun 2007
    Thanked 0 Times in 0 Posts


    the best and the fast is opera

    try it and then tell me about it

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)



Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
2022 © FXOpen. All rights reserved. Various trademarks held by their respective owners.

Risk Warning: Trading on the Forex market involves substantial risks, including complete possible loss of funds and other losses and is not suitable for all members. Clients should make an independent judgment as to whether trading is appropriate for them in the light of their financial condition, investment experience, risk tolerance and other factors.

FXOpen Markets Limited, a company duly registered in Nevis under the company No. C 42235. FXOpen is a member of The Financial Commission.

FXOpen AU Pty Ltd., a company authorised and regulated by the Australian Securities & Investments Commission (ASIC). AFSL 412871ABN 61 143 678 719.

FXOpen Ltd. a company registered in England and Wales under company number 07273392 and is authorised and regulated by the Financial Conduct Authority (previously, the Financial Services Authority) under FCA firm reference number 579202.

FXOpen EU is a trading name of FXOpen EU Ltd. FXOpen EU Ltd is authorized and regulated by the Cyprus Securities and Exchange Commission (CySEC) under license number 194/13.

FXOpen does not provide services for United States residents.

Join us