Security company Secunia on Wednesday (the 20th) published two major security issues common to web browsers, both related to tabbed browsing. The feature is widely used in various versions of the Mozilla Foundation's browsers, the Opera browser, the Konqueror browser for Linux, and Microsoft Internet Explorer plug-ins made by two third-party software companies.
One flaw abuses the ability to have multiple tabs open at the same time, allowing a malicious website displayed in one tab to access the user's input in another tab. The other flaw allows a malicious website to open a dialog box that appears to come from another browser tab.
Secunia Chief Technology Officer Thomas Kristensen said: "I think the problem lies in the consequences of opening multiple browser tabs in a single application window."
Secunia recommends that users of the tabbed browsing feature disable JavaScript, or avoid visiting a trusted website while an untrusted website is open in a browser tab.
The KDE Project resolved this issue in the latest version of the Konqueror browser, released on the 19th. Chris Hoffman, a manager at the Mozilla Foundation, said that Firefox 1.0, to be released in two weeks, will resolve the issue. Opera has not responded on the issue.
Microsoft's IE browser is also affected by two more serious flaws. The discoverer, who goes by the name "http-equiv", pointed out that the first flaw extends the drag-and-drop weakness discovered in August, and may be used to plant malicious Hypertext Markup Language (HTML) source code on the victim's computer.
According to Secunia's security advisory, the second, more serious flaw can bypass the security protections of the Windows XP SP2 security update, letting hackers launch an HTML file on the user's computer.
If both weaknesses are used, a malicious website can plant and execute source code on the visitor's computer. These weaknesses are not brand-new discoveries, but old problems in new packaging.
http-equiv wrote in an email: "The principle is very simple, but the implementation is complicated; it must be quite difficult."
Echoing http-equiv's comments, Microsoft also said that it is not easy for hackers to exploit these two flaws.
"Initial reports show that to launch this kind of attack, you need users to perform a lot of actions," Microsoft said. "The hacker must first induce the user to visit a specific website and get him to take a series of actions on the website, and then restart or log out, before the hacker can succeed." Microsoft said that no users have been victimized because of these flaws.
Secunia's Kristensen said that the tabbed browsing flaws are quite serious and should be fixed as soon as possible, but they do not let a hacker take control of the entire system.
http-equiv said Microsoft Windows XP SP2 strengthens security measures, such as the protections restricting external programs in the "local zone", to prevent hackers from abusing these weaknesses. (CNET Technology Information Network / Tang Huiwen)
Source: http://www.zdnet.com.cn/