Explorer, Firefox Take Heat

UPDATED: Whether you're running Microsoft Internet Explorer or Mozilla Firefox, there may be new reason for concern today. Both browsers are allegedly open to a number of high-risk vulnerabilities.

Security researcher Michal Zalewski has alleged in a mailing list posting that fully patched versions of the top browsers contain two vulnerabilities. And to add further insult to injury, a security researcher said Mozilla might have made things worse with its recent update.

For Internet Explorer 6 and 7, Zalewski alleges that there is a page update race condition that could lead to cookie stealing, page hijacking or memory corruption.

"When JavaScript code instructs MSIE6/7 to navigate away from a page that meets same-domain origin policy (and hence can be scripturally accessed and modified by the attacker) to an unrelated third-party site, there is a window of opportunity for concurrently executed JavaScript to perform actions with the permissions for the old page, but actual content for the newly loaded page," Zalewski wrote.

For IE 6, Zalewski alleges that he has found an address-bar spoofing condition that could be used for phishing attacks.

A Microsoft spokesperson told internetnews.com that Microsoft is investigating new public claims of two possible vulnerabilities in Internet Explorer. So far Microsoft is not aware of any attacks attempting to use the possible vulnerabilities.

Microsoft will continue to investigate the claims to help provide additional guidance for customers as necessary and will take the appropriate action to protect customers, which may include issuing a security advisory or providing a security update through the monthly release process.

Microsoft also lashed out at Zalewski by noting that responsible disclosure of vulnerabilities is the best way to minimize risk to computer users.

"Microsoft supports the commonly accepted practice of reporting vulnerabilities directly to a vendor, which serves everyone's best interests," the Microsoft spokesperson said. "This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."

But Zalewski didn't just expose issues in Microsoft's browser; he also found a pair of holes in Mozilla's Firefox.

One alleged flaw is a Cross-site IFRAME hijacking vulnerability that could allow a malicious user to use JavaScript to inject malicious code. IFRAME is an inline frame tag in HTML that is widely used on Web sites.

A second flaw that Zalewski tagged as being less critical could let an attacker use a Firefox file prompt delay in order to force arbitrary files down on unsuspecting users.

Mozilla is aware of both of Zalewski's alleged flaws, though it has tagged both with a low severity rating.

"Mozilla prioritizes bugs based on severity to help us figure out which bugs to fix first. Just because a bug has a lower severity rating does not mean we dismiss it," Mozilla's Chief Security Office Widow Snyder blogged. "We fix all bugs with any security risk as part of our commitment to security."

This article was first published on InternetNews.com. To read the full article, click here.