[ENews message] On Wednesday, the security information provider Secunia published the following information: there are two security defects related to tabbed browsing in the Mozilla Foundation's browsers, the Opera browser, the Konqueror browser on the Linux platform, and third-party plug-ins that extend IE's functionality.
The first defect is that a malicious website opened in one tab can access information entered in another tab. The second is that a malicious website can open a dialog box that appears to be displayed by another tab.
"I think the reason for this problem is that when developers developed browsers, the consequences of placing all browser tabs in one application window were not taken into account. This is the crux of the problem."
Secunia recommends that users of tabbed browsing either disable JavaScript or avoid visiting trusted websites while untrusted websites are open.
On Tuesday, the KDE project team fixed these two defects in the latest Konqueror browser. Chris Hoffman, design director at the Mozilla Foundation, said the two defects will be corrected when Firefox 1.0 is released. Currently, Opera has not heard of these two defects.
Microsoft's IE browser is also affected: the security researcher Http-equiv has discovered two more serious security defects in IE. The first extends the so-called "drag-and-drop" defect discovered in January. With this vulnerability, hackers can place HTML code on affected computers.
According to the Secunia announcement, the second and more serious defect makes it possible to bypass the security mechanism in Windows XP SP2. Windows XP SP2, released in August this year, enhanced the security protection of the XP operating system. Even the SP2 patch released this month cannot prevent hackers from using this vulnerability to execute HTML documents on users' computers.
If hackers use these two defects together, they can place and execute malicious code on users' computers. Http-equiv said in an email that these two defects are not new, but extensions of the original defects.
Microsoft believes that it is not easy for hackers to take advantage of these two defects. It said in a statement that early reports showed that hackers need to perform a series of operations before they can launch attacks. First, hackers need to trick users into visiting a "special" malicious website. Second, they need users to perform a series of special operations on the website and then restart the computer or disconnect from the network. Only after all this is done can hackers succeed. Microsoft has not received any reports of attacks against customers involving these two defects.
Thomas Christenson, Technical Director of Secunia, said that, compared with the defects in other browsers, the defects in the IE browser have a huge impact, are very serious, and should be corrected in a timely manner.
From: enet