WatchGuard Technologies, Inc.
WatchGuard Wire
Improve Your Security IQ

Watch what you click (because your Web browser won't)

Yesterday, when I claimed that all Web browsers contain security flaws, I didn't expect new evidence to support me so soon. Today, in posts to security mailing-lists, different researchers described several security vulnerabilities that affect many popular Web browsers.

The most dangerous discovery affects the latest version of Internet Explorer (IE) that ships with XP SP2. A well-known IE researcher, http-equiv, discovered two vulnerabilities that, combined, can allow a malicious Web site to execute code on your computer when you visit the site. More specifically, one flaw allows the malicious site to save HTML code onto your computer. The other allows the site to execute HTML code located on your computer. Microsoft hasn't released a patch for this recently disclosed flaw. However, as with many of the vulnerabilities http-equiv has found, an attack exploiting this flaw relies on Active Scripting. Disable Active Scripting in IE to mitigate not only this, but also many other IE security vulnerabilities.
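One way to check that mitigation on a machine, as an added example that is not part of the original article: the script reports the Active Scripting setting for each IE security zone. It assumes the standard Internet Settings zone registry layout, where value 1400 holds the Active Scripting action (0 enable, 1 prompt, 3 disable), and it simplifies the precedence between policy and preference keys to "first key that sets the value wins". The function name is hypothetical.

```powershell
# Added example: audit the Active Scripting setting (URL action 1400) per IE zone.
$ZoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                 3 = 'Internet';    4 = 'Restricted sites' }
$ActionText = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Assumption: policy keys are consulted before user/machine preference keys.
$ZoneRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ActiveScriptingSetting {
    param([int]$Zone)

    foreach ($root in $ZoneRoots) {
        $key  = Join-Path $root ([string]$Zone)
        $prop = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }   # value not set under this key

        $value = [int]$prop.'1400'
        $text  = if ($ActionText.ContainsKey($value)) { $ActionText[$value] }
                 else { "Unknown ($value)" }
        return [pscustomobject]@{
            Zone      = $ZoneNames[$Zone]
            Setting   = $text
            Mitigated = ($value -eq 3)      # only "Disabled" blocks script execution
            Source    = $key
        }
    }

    # No key sets the value: the zone's built-in template default applies.
    [pscustomobject]@{
        Zone      = $ZoneNames[$Zone]
        Setting   = 'Not set (zone default applies)'
        Mitigated = $false
        Source    = $null
    }
}

$report = 0..4 | ForEach-Object { Get-ActiveScriptingSetting -Zone $_ }
$report | Format-Table -AutoSize

# The Internet zone (3) is where untrusted sites are rendered.
if (-not ($report | Where-Object Zone -eq 'Internet').Mitigated) {
    Write-Warning 'Active Scripting is not disabled in the Internet zone.'
}
```

A "Prompt" result is reported as not mitigated because the user can still allow the script to run.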

The second vulnerability affects many Web browsers that support Tabbed browsing, such as Netscape, Mozilla and Firefox. Tabbed browsing allows you to visit many different Web sites using the same window by opening each site under its own tab. This convenience makes it easy for you to visit many sites at once and switch between them. Unfortunately, Secunia discovered that the Tabbed browsing feature could lead to a spoofing vulnerability. If you visited a malicious site in one tab, the malicious site could open a dialog box pretending to come from a legitimate site you had opened in another tab. This might trick you into disclosing information to the malicious site that you intended to disclose only to the legitimate site. However, I don't feel this flaw poses a significant risk. The malicious Web site wouldn't have any way of knowing what sites you had opened in other tabs, so which of the gajillion legit Web sites out there would it impersonate? The odds make it unlikely that this kind of spoofing would succeed.

-- Corey Nachreiner

Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.