[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Firefox/MSIE focus stealing vulnerability - clarification

To: "Michal Zalewski" <lcamtuf@xxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Firefox/MSIE focus stealing vulnerability - clarification
From: "Ruud H.G. van Tol" <rvtol@xxxxxxxxxxxx>
Date: Mon, 12 Feb 2007 23:31:56 +0100 (CET)

Michal Zalewski wrote:

>   2) The Firefox attack vector is related to the Charles' CVE-2006-2894,
>      which in turn was a rediscovery of a problem known to Mozilla since
>      2000 (!); attempts to fix it in official releases failed because the
>      problem was repeatedly marked as a duplicate of a too narrowly
>      defined issue with control hiding. A broader redesign probably
>      eliminated the issue in development branches, but it still affects
>      Firefox 1.5 and 2.0.
>
>      This can be considered an independent rediscovery and a more
>      practical demonstration of a previously reported vulnerability.
>      The exploit is here: http://lcamtuf.coredump.cx/focusbug/index.html

Without JavaScript on, this doesn't work. See http://noscript.net/

-- 
Affijn, Ruud


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Firefox/MSIE focus stealing vulnerability - clarification
  - From: Tyop?

References:
- [Full-disclosure] Firefox/MSIE focus stealing vulnerability - clarification
  - From: Michal Zalewski

Prev by Date: Re: [Full-disclosure] Solaris telnet vulnerability - how many on your network?
Next by Date: Re: [Full-disclosure] Pedophiles On YouTube (ringleader Irish282)
Previous by thread: Re: [Full-disclosure] Firefox/MSIE focus stealing vulnerability - clarification
Next by thread: Re: [Full-disclosure] Firefox/MSIE focus stealing vulnerability - clarification
Index(es):
- Date
- Thread