Security hole hits Internet Explorer and Firefox

Security hole hits Internet Explorer and Firefox
Tom Sanders in California, vnunet.com 07 Jun 2006

Microsoft's Internet Explorer and Mozilla's Firefox are both vulnerable to a new JavaScript flaw that could allow attackers to steal confidential information.

The flaw affects fully patched browsers on Windows, Linux and Mac systems, according to a posting on the Full Disclosure security mailing list.

The issue is caused by the 'OnKeyDown' JavaScript feature that allows websites to capture and duplicate keystrokes entered into data fields, including fields where users enter credit card information.

Security experts noted that exploiting the flaw would require the user to type a fair amount of text. Attackers would therefore most likely target online games or blogs.

for Firefox users, Noscript is an extension that allows to you optionally allow Javascript for each page you visit, and from each domain it is run from.

http://www.noscript.net/whats

No Javascript issues for me.

No surprise there. :)

I just got it, thanks!

can you tell me what we do need Javascript for? When we would have to allow it? I noticed here we need it for spell check. Is that how we find out? See what doesn't work when we have it disabled?

If you disable it, you cannot get the spell check window to pop up. Java script does a lot of interesting things that make browsers more functional. The biggest problem with it is that some sites they will abuse the ability to resize windows or switch orders and such, usually trying to pitch advertisements at you. It's more annoying than anything. In those situations you can just turn java script off in the fire fox brewers, reload, and it prevents them from resizing windows. I think Internet Explorer can disable java script too, but I'm not sure where it is, the browser is much more complex.

disable JavaScript irrespective of browser type. I suspect this exploit will affect any browser if it's based upon a JavaScript trick.

I'm on a Mac using Safari just now although I usually use Opera but I'm stll leery of JS; I rarely ever surf with JS enabled.

disables javascript, java, flash, and everything else,
except for sites you specify.

this is why I like Firefox so much. The noscript is easy to install and an icon in the lower right corner allows one to enable java selectively and temporarily for the sites that just need it enabled to work (usually I know which they are as the "clicks" don't appear to work until the java is re-enabled temporarily). I like the temporary aspect because it keeps me from enabling and then forgetting to re-disable.

www.opera.com

:loveya: Opera

n/t

if this affects Camino in the same way as it does Firefox?

if this is even a security hole in the first place. If it is -- its not critical by most standards.

The exploit this uses requires:

1) That a website is compromised by an attacker (or you visit a rogure website, beware of warez).
2) That you upload a file.
3) That the website uses javascript (vs other methods) for you to select the file to upload.
4) That in the file selection box, you type the file instead of selecting it (using the browse button).
5) In that case, the attacker get's access to the uploaded file -- but not access to your computer or anything else.

The reason for this is complex, but this is an exploit of Javascript which behaves exactly as designed. The only method of correcting this is to override the "onKeypressDown" method -- which takes a lot of functionality out of JS.

If you are correct, as long as you don't upload any files with confidential information you are ok.