IE, Firefox Users at Risk from New Flaws Pair of Vulnerabilities Affects Both Browsers Sean Michael Kerner
It's not every day a potential security risk emerges that could affect both Microsoft's Internet Explorer and Mozilla Firefox Web browsers. But that is the case today.
Reports abound of a flaw existing in both browsers that could allow for unintended information disclosure, putting users at risk.
Security researcher Plebo Aesdi Nael first reported a pair of vulnerabilities on a public security mailing list. Only one of the flaws affects both IE and Mozilla browsers.
Security firm Secunia has rated the flaws "less critical," but the SANS Internet Storm Center noted that the risk has, "raised some of our neck hairs."
The first flaw involves HTML applications (HTAs), which, according to Microsoft, are full-fledged applications that are trusted and display only the menus, icons, toolbars, and title information that the Web developer creates.
The alleged vulnerability requires a user to click on an icon which then takes advantage of the software flaw to disclose potentially confidential user information.
The second flaw involves the exploitation of the "object.documentElement.outerHTML" property.
"The abuse of this property will allow an attacker to retrieve remote content in the context of the web page which is being currently viewed by the user," according to the SANS Internet Storm Center (ISC).
So an attacker could rip the data that a user has entered for other Web sites that they may be logged into and steal their user credentials for whatever malicious purpose they desire.
Though Nael's original mailing list posting just identifies IE as being at risk, independent analysis by SANS ISC has shown that Firefox is vulnerable to the "object.documentElement.outerHTML" property flaw, as well.
Both Nael and Secunia have posted public proof of concept (PoC) code that demonstrates the flaw in action.
Microsoft Security Response Center (MSRC) staffer Adrian Stone indicated on the
MSRC blog that Microsoft was aware of the issue and is investigating. Microsoft is currently unaware of any attacks that take advantage of the flaw.
Mozilla is scheduled to release a Firefox 1.5.0.5 update on July 25, though it is unclear as to whether that update will address the flaw.
