IE, Firefox Sport New Zero-Day Flaw - InformationWeek
07:53 PM

IE, Firefox Sport New Zero-Day Flaw

According to Symantec, all versions of Microsoft Internet Explorer and Mozilla Firefox browsers could be used to harvest data through a JavaScript key-filtering vulnerability.

Multiple security organizations warned Tuesday that Internet Explorer, Firefox, Mozilla, and SeaMonkey -- on Windows, Linux, and the Mac -- are vulnerable to a JavaScript bug that could allow a determined attacker to dupe users into giving up sensitive personal information such as credit card or bank account numbers and passwords.

According to Symantec, which issued an alert late afternoon Tuesday, all versions of the Microsoft and Mozilla browsers could be used to harvest data through a JavaScript key-filtering vulnerability.

"This issue is triggered by utilizing JavaScript 'OnKeyDown' events to capture and duplicate keystrokes from users," went the Symantec warning.

The bug would let crafty criminals filter keystrokes entered into a form, say a credit card form to pay for online goods, to an invisible file upload dialog on the same Web page. Once the information's trapped in that hidden dialog -- the vulnerability discoverer used the analogy of the keystrokes "bouncing" from the legit (or at least legitimate-looking form) to the cloaked one -- the data could be sent to the attacker.

"Exploiting this issue requires that users manually type the full path of files that attackers wish to download[and] may require substantial typing from targeted users, so keyboard-based games, blogs, or other similar pages are likely to be utilized by attackers to entice users to enter the required keyboard input to exploit this issue," continued Symantec.

Danish vulnerability tracker Secunia also posted warnings of the bug Tuesday, and ranked it as "less critical," the second-from-the-bottom rating in its five-step scoring system.

The bug is unusual in that it affects not only Internet Explorer -- including fully-patched IE 6.0 and even IE 7 Beta 2 -- but also Firefox (though the most current version, the Mozilla suite, and the separately-developed successor to Mozilla, SeaMonkey. It's also out of the ordinary by virtue of its multi-platform impact: users of those browsers running Windows, Linux, and Mac OS X are vulnerable, said Symantec.

Charles McAuley, who first posted information about the bug on the Full Disclosure security mailing list Monday, also published proof-of-concept code to demonstrate how an exploit might work.

Symantec advised users to avoid unfamiliar Web neighborhoods and/or disable scripting or active content capabilities of the affected browsers.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
2017 State of IT Report
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends for 2018
As we enter a new year of technology planning, find out about the hot technologies organizations are using to advance their businesses and where the experts say IT is heading.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll