Quick and simple version:
There are two (different) bugs in IE7 (and lower) and Firefox 2.0.0.1 (and lower). They each end up producing similar security holes. The IE7 bug is new, the Firefox one is older (but was never fixed).
If you type things into a malicious site's form, they can divert some of the keystrokes to somehow trick the browser into thinking you want to send a file from your computer. It looks like you have to type in the right letters to spell out the name of the file. I wouldn't type in any untrusted sites' forms if I were you, at least until the holes are patched.
There are already demos out, so I expect copycats soon.
The moral is
don't type anything into any online form you don't trust.
There's a second bug in Firefox that looks like it can pretend to be another site and write cookies, but not read them.
I think Neopets cookies have non-random names and are vulnerable, but I'm not sure. This also might have been what sparked the "bind login info to IP" change (if that's what TNT did - I'm not clear on the details). But this obviously
extends past Neopets cookie-grabbing - be careful!
News article:
http://blogs.zdnet.com/security/?p=37
NOTE:
THE DEMOS THE ARTICLE LINKS TO ARE SUPPLIED BY THE HACKER, NOT ZDNET - do not try them unless you trust him/her.
For those who are too paranoid to click on the news article:
Ryan Naraine @ 12:31 pm Feb 15 2007 at ZDnet wrote:
Firefox and Internet Explorer users beware: There are serious, unpatched flaws in both browsers that could allow the manipulation of authentication cookies and the hijacking of files from your Windows machine.
Details on both vulnerabilities have already been posted to the Full Disclosure mailing list by Polish researcher Michal Zalewski. SecurityFocus provides coverage of the issue, which dates back to 2006.
According to Zalewski, a well-known hacker credited with several major flaw discoveries, there are two very different issues affecting Firefox and IE 7.
First up is a brand-new IE 7 bug that could be used to divert keystrokes from Web-based games, blog entries and comment forms, online chats. In certain scenarios, an attacker could exploit the flaw to read sensitive local files on a computer. "Some user interaction is required, but only to an extent commonly expected on some popular Web site. XSS attacks make it far worse," Zalewski said.
Click here for an online demonstration of the IE 7 (and prior) vulnerability.
Firefox 1.5 and 2.0 users can test for the flaw here.
Separately, Zalewski also warned about a new bug in the way Firefox handles writes to the 'location.hostname' DOM property. The bug could allow for the browser to appear as if were connecting to a bank, when in fact it would instead be receiving data from a bad guy, according to a note on the F-Secure blog.
Click here for a demo of the Firefox 2.0.01 bug, which requires JavaScript. Mozilla's security response team is already working on a patch.
[UPDATED: February 15, 2007; 6:17 PM Eastern] Just received this note from the Microsoft Security Response Center:
Microsoft's initial investigation reveals that an attacker could gain access to user files if the location of a given file is already known. In order to be successful, an attacker in advance would have to convince the user to enter the location of a file into an attacker's Web page through social engineering. Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers.
Login
Register
FAQ
Search
