AOH :: HP Unsorted A :: TB11137.HTM

Assorted browser vulnerabilities
Assorted browser vulnerabilities
Assorted browser vulnerabilities


Will keep it brief. A couple of browser bugs, fresh from the oven, hand
crafted with love:

1) Title    : MSIE page update race condition (CRITICAL)
   Impact   : cookie stealing / setting, page hijacking, memory corruption
Demo : 

   ...aka the bait & switch vulnerability.

   When Javascript code instructs MSIE6/7 to navigate away from a page
   that meets same-domain origin policy (and hence can be scriptually
   accessed and modified by the attacker) to an unrelated third-party
   site, there is a window of opportunity for concurrently executed
   Javascript to perform actions with the permissions for the old page,
   but actual content for the newly loaded page, for example:

     - Read or set victim.document.cookie,

     - Arbitrarily alter document DOM, including changing form submission
       URLs, injecting code,

     - Read or write DOM structures that were not fully initialized,
       prompting memory corruption and browser crash.

   This is tested on MSIE6 and MSIE7, fully patched.

2) Title    : Firefox Cross-site IFRAME hijacking (MAJOR)
   Impact   : keyboard snooping, content spoofing, etc
Demo : 
   Bugzilla : [May 30]

   Javascript can be used to inject malicious code, including key-snooping
   event handlers, on pages that rely on IFRAMEs to display contents or
   store state data / communicate with the server.

   This is related to a less severe variant independently reported by
   Ronen Zilberman two weeks earlier (bug 381300).

3) Title    : Firefox file prompt delay bypass (MEDIUM)
   Impact   : non-consentual download or execution of files
Demo : 
   Bugzilla : [Apr 04]

   A sequence of blur/focus operations can be used to bypass delay timers
   implemented on certain Firefox confirmation dialogs, possibly enabling
   the attacker to download or run files without user's knowledge or

3) Title    : MSIE6 URL bar spoofing (MEDIUM)
   Impact   : mimicking an arbitrary site, possibly including SSL data
Demo : 

   MSIE6 vulnerability, similar but unrelated to my earlier onUnload
   entrapment flaw, allows sites to spoof URL bar data.

   MSIE7 is not affected because of certain high-level changes in the

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to