Researchers find similar unpatched flaw in IE and Firefox

By

Security researchers have discovered a rare flaw affecting both Firefox and Microsoft Internet Explorer that can allow a hacker to read sensitive files on users' computers with the use of a bit of social engineering.


Reported this week to the Full Disclosure security mailing list and Bugtraq by researcher Michal Zalewski, the vulnerability in Internet Explorer resembles a similar flaw disclosed by Charles McAuley in June 2006.

“Unfortunately, there are some problems that allow user's keyboard input in unrelated locations to be selectively, transparently redirected to these input fields, and hence affect file selection to an attacker's liking,” he wrote. “Even though some browsers try to prevent file field hiding, it can be be easily stowed off screen at negative window coordinates.”

Microsoft acknowledged the vulnerability on Thursday, explaining that it is investigating the matter.

“Microsoft’s initial investigation reveals that an attacker could gain access to user files if the location of a given file is already known. In order to be successful, an attacker in advance would have to convince the user to enter the location of a file into an attacker's webpage through social engineering,a company spokesperson said.

Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers.
Got a news tip for our journalists? Share it with us anonymously here.
Tags:
andfindfirefoxflawieinresearcherssecuritysimilarunpatched

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident
Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?