It’s not every day that a potential security risk emerges that could affect
both Microsoft’s Internet Explorer and Mozilla Firefox Web browsers. But it is today.
Reports abound of a flaw that exists in both browsers that could allow for unintended information disclosure that could put users at risk.
Security researcher Plebo Aesdi Nael first reported a pair of
vulnerabilities on a public security mailing list. Only one of the flaws affects both IE and Mozilla
browsers.
Security firm Secunia has rated the flaws “less critical,”
but the SANS Internet Storm Center noted that the risk has, “raised some of
our neck hairs.”
The first flaw involves HTML applications (HTAs), which, according to Microsoft, are full-fledged applications that
are trusted and display only the menus, icons, toolbars, and title
information that the Web developer creates.
The alleged vulnerability
requires a user to click on an icon which then takes advantage of the
software flaw to disclose potentially confidential user information.
The second flaw involves the exploitation of the
“object.documentElement.outerHTML” property.
“The abuse of this property will allow an
attacker to retrieve remote content in the context of the web page which is
being currently viewed by the user,” according to the
SANS Internet Storm Center (ISC).
So an attacker could rip the data that a user has entered for other Web sites
that they may be logged into and steal their user credentials for whatever
malicious purpose they desire.
Though Nael’s original mailing list posting just identifies IE
as being at risk, independent analysis by SANS ISC has shown that
Firefox is vulnerable to the “object.documentElement.outerHTML” property
flaw, as well.
Both Nael and Secunia have posted public proof of
concept (PoC) code that demonstrates the flaw in action.
Microsoft Security Response Center (MSRC) staffer Adrian Stone indicated on the
MSRC blog that Microsoft was aware of the issue and is investigating.
Microsoft is currently unaware of any attacks that take advantage of the
flaw.
Mozilla is scheduled to release a Firefox 1.5.0.5 update on July 25, though
it is unclear as to whether that update will address the flaw.