IE And Firefox Sport New Zero-day Flaw

Javascript eh? Firefox users: Use the NoScript extension for your own safety.

 

Interesting.

But, it doesn't affect me: through Core Force, I already denied the browser from accessing any kind of sensible data. Even if the script works and finds the file, it won't upload it.

Still, interesting.

 

Or install Opera.

I try to have both Firefox and Opera "on hand" in both Win XP and Linux. I use NoScript for Firefox and enable Javascript for Opera on a case-by-case basis only.

bktII

 

I tend to think that if you're entering sensitive info in forms on sketchy sites you're likely to get burned one way or another, with or without javascript. This one requires so much user interaction to work that I, unfortunately, don't know that much of any software would really help if someone fell for it, unless the software identified the specific script as being malicious. This would be more of a phishing/pharming issue.

 

Am not sure that I would place a 1:1 correlation between "unfamiliar Web neighborhoods" and "sketchy sites". However, your point is well taken: "...issue requires that users manually type the full path of files that attackers wish to download..." is more than a little over the top.

An interesting recent article on "Browsers, phishing, and user interface design" here:

http://www.securityfocus.com/columnists/405


bktII