Yesterday Michal Zalewski posted 4 new browser-based vulnerabilities to Full-Disclosure. Normally I would not post about browser-based vulnerabilities, but these are worth mentioning. I can see how the bad guys would use each one of these for purposes of performing fraud on our members.
- Title: MSIE page update race condition (CRITICAL)
  Impact: cookie stealing / setting, page hijacking, memory corruption
- Title: Firefox Cross-site IFRAME hijacking (MAJOR)
  Impact: keyboard snooping, content spoofing, etc.
- Title: Firefox file prompt delay bypass (MEDIUM)
  Impact: non-consensual download or execution of files
- Title: MSIE6 URL bar spoofing (MEDIUM)
  Impact: mimicking an arbitrary site, possibly including SSL data
I hope I am wrong, but if the bad guys start to use these, they would be able to steal many login credentials for online banking applications, e-commerce sites, etc.
This is being covered by Computerworld and by the SANS incident handlers on duty.