[Full-disclosure] Firefox/MSIE focus stealing vulnerability - clarification
Tyop?
tyoptyop at gmail.com
Tue Feb 13 04:44:54 GMT 2007
On 2/12/07, Ruud H.G. van Tol <rvtol at isolution.nl> wrote:
> Michal Zalewski wrote:
> > 2) The Firefox attack vector is related to the Charles' CVE-2006-2894,
> > which in turn was a rediscovery of a problem known to Mozilla since
> > 2000 (!); attempts to fix it in official releases failed because the
> > problem was repeatedly marked as a duplicate of a too narrowly
> > defined issue with control hiding. A broader redesign probably
> > eliminated the issue in development branches, but it still affects
> > Firefox 1.5 and 2.0.
> >
> > This can be considered an independent rediscovery and a more
> > practical demonstration of a previously reported vulnerability.
> > The exploit is here: http://lcamtuf.coredump.cx/focusbug/index.html
>
> Without JavaScript on, this doesn't work. See http://noscript.net/
Without a browser too, this doesn't work. See http://netcat.sourceforge.net/
--
Guasconi Vincent
French Student.
http://altmylife.blogspot.com [Fr]
Full-Disclosure is hosted and sponsored by Secunia.