New Zero-Day Bugs Crop up in IE, Firefox

A noted security researcher Monday disclosed four new zero-day vulnerabilities in Microsoft Corp. and Mozilla Corp.'s browsers, including a critical flaw in Internet Explorer (IE) and a "major" bug in Firefox. Michael Zalewski, who regularly publishes browser flaw findings, posted details on the Full-disclosure mailing list for cookie-stealing, keystroke-snooping, malicious downloading and site-spoofing bugs.

The most serious of the four, said Zalewski, is an IE6 and IE7 flaw he rated "critical." Dubbing it a "bait-and-switch" vulnerability, he said that the Microsoft browser gives hackers a window of opportunity to run malicious JavaScript to hijack the PC. "The entire security model of the browser collapses like a house of cards and renders you vulnerable to a plethora of nasty attacks," Zalewski claimed in notes that accompanied a demonstration of the IE bug. Up-to-date IE6 and IE7 are both at risk, he said, although Firefox is not.

View: Full Story
News source: PC World

Report a problem with article
Previous Story

Cheaper Blu-ray Player Sparks Speculation of PS3 Price Cuts

Next Story

HTC Reveals "Touch" as Possible iPhone Competitor

7 Comments

Commenting is disabled on this article.

Perhaps you should go back to school as well IE fanboy.
Full quote:

Zalewski posted information about two other bugs, both rated "medium." A Firefox vulnerability could lead to unauthorized downloads, while IE6 is open to yet another address bar-spoofing flaw. "IE7 is not affected because of certain high-level changes in the browser," Zalewski said of the fourth vulnerability.

mrbester said,
Full quote:

So tell me please how to transform that quote to this:
Up-to-date IE6 and IE7 are both at risk, he said, although Firefox is not.

That was referring to the the IE6 and IE7 flaw he rated "critical". You mixed up the "critical" flaw that affects IE and not Firefox (the bait-and-switch) with a "medium" flaw that doesn't affect IE7 but does affect IE6 (the address spoofing). Clearer now?