> From: Ingvaldson, Scott
>
> I don't know that it's documented anywhere, but I saw it with my own
> eyes. My mother's PC was having problems so I updated her anti-virus
> (AVG Free on WinXP) and ran a full system virus scan. It cleaned most
> of the viruses the first time but one kept coming back no matter what I
> did. I finally tracked it to the IE cache. Opened IE, Tools > Internet
> Options > Delete Files... > Delete all offline content. Then ran the
> full system virus scan again and finally it was clean.

Come on, people, let's keep it real. IE is NOT the only known vector for virus proliferation. Firefox/Mozilla have plenty of exploits as well. Obviously they get better with each release, but here's a list from July of 2005, with release 1.0.4 (not that old of a release):

http://www.frsirt.com/english/advisories/2005/1075

Twelve vulnerabilities were identified in Mozilla Suite and Firefox, which may be exploited by malicious web sites to execute arbitrary commands or conduct spoofing and cross site scripting attacks.

- An improper cloning of base objects could allow web content scripts to walk up the prototype chain to get to a privileged object, which could be exploited by attackers to execute arbitrary code.

- An input validation error in the processing of XHTML documents containing fake <IMG> elements could be exploited by malicious web sites to execute scripting code with elevated "chrome" privileges.

- JavaScript dialog boxes do not display or include their origin, which allows a new window to open e.g. a prompt dialog box, which appears to be from a trusted site. See: FrSIRT/ADV-2005-0820

- An input validation error in the processing of javascript URLs opened by media players could be exploited by attackers to execute arbitrary code.

- An error in the processing of "top.focus()" calls could be exploited by attackers to conduct spoofing and/or cross site scripting attacks.

- A regression error could be exploited by attackers to inject arbitrary JavaScript code from one page into the frameset of another site.

- An input validation error in the "InstallVersion.compareTo()" function when handling specially crafted objects could be exploited by attackers to run arbitrary code or conduct denial of service attacks.

- An input validation error in the processing of "data:" URLs could be exploited by attackers to conduct cross site scripting attacks.

- An error in the "InstallTrigger.install()" method could be exploited to conduct cross site scripting attacks.

- An error when handling Wallpapers could be exploited by attackers to run arbitrary code on a vulnerable system by convincing a user to use the "Set As Wallpaper" context menu item on a specially crafted image.

- Scripts in XBL controls from web content are run even when Javascript was disabled.

- An error in the browser UI when handling user/synthetic events could be exploited by attackers to execute arbitrary code.

------------

Sure it's an older release, but those are some pretty nasty flaws.

Joe
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].