Browser Security News

Security vendors have warned of a flaw that affects an unusually broad cross section of browsers—Internet Explorer, Firefox and the Mozilla suite on Windows, Linux and Mac OS X—and could be used to hoover up files from vulnerable systems.

The problem is in the way the browsers implement scripting—JavaScript in Firefox and Active Scripting in IE. Both browsers have a design error in which a script can cancel certain keystroke events when users are entering text.

The bug could be exploited into tricking users into entering text in a field that seems secure, while in fact the text is being made accessible to an attacker. "In both IE and Firefox you can filter the keystrokes entered in a form and ’bounce’ the input over to the file input box, and then bounce back to previous text entry, making it appear as if nothing has happened," said Charles McAuley, who originally discovered the flaw, in an advisory published on Monday.

Using this technique, attackers could obtain the directory path of sensitive files, which could then be uploaded to the attacker, according to several advisories. IE, Firefox Browsers Hit by Security Threat - Security Feed - Blog - CSO Magazine