It’s an old story: Browser flaws make it easier for
malicious users to trick people into falling for phishing schemes. However,
this time around, there’s a new twist—the threat affects most browsers, not
just Microsoft’s Internet Explorer.
Details
A JavaScript
vulnerability has emerged in a number of Web browsers. Fortunately, this is
a relatively low-level threat.
However, because it’s so widespread and publicly known, I
think it’s worth noting. The best fix is to update browser versions as soon as
patches are available.
The biggest danger with these vulnerabilities is that phishers
may more easily trick users into divulging confidential information because the
browser won’t properly display what’s actually happening at the remote Web
site.
Charles McAuley posted
the original advisory about both Internet Explorer and Firefox on Full-Disclosure.
According to his post, “The problem is that in both IE and Firefox you can
filter the keystrokes entered in a form and ‘bounce’ the input over to the file
input box, and then bounce back to previous text entry, making it appear as if
nothing has happened. Yes this is minor, but a conceivable avenue of attack.”
Let’s take a look at the various affected browsers.
Firefox 1.x
Secunia Advisory
SA20442 lists the vulnerability as CVE-2006-2894. Researchers have confirmed that this flaw exists
in Firefox 1.5.0.4, but it may also affect earlier versions. This is a
JavaScript problem, so disabling JavaScript will block potential attacks until
you update Firefox.
Mozilla 1.7.x
This is yet another JavaScript-related threat, which you can
also block by disabling JavaScript support. According to Secunia Advisory SA20467, researchers
have confirmed the flaw in Mozilla 1.7.13, but it may also affect other
versions. This vulnerability doesn’t yet have a CVE reference. It also affects Mozilla
SeaMonkey 1.x, and the temporary fix is the same.
Netscape 8.x
Yet another Secunia advisory (SA20470) confirms that the
JavaScript vulnerability is also present in Netscape 8.1. Again, this likely
affects other versions as well, and the temporary fix is to disable JavaScript
support.
Microsoft Internet Explorer 6.x
According to Secunia
Advisory SA20449, researchers have confirmed this Active Scripting threat on
a fully patched system with the latest release of IE 6.0 and Microsoft Windows
XP Service Pack 2. Other versions are likely vulnerable. As a temporary fix,
disable support for Active Scripting.
Other Microsoft security news
Don’t forget that there’s still an unpatched,
extremely critical vulnerability found in Microsoft Word. This malformed
object vulnerability is a couple of weeks old. For more information, see Microsoft
Security Advisory 919637, last updated on June 2.
Expect an update
on June 13, Microsoft’s Patch Tuesday for the month. In the meantime, you can
avoid the threat by refusing .doc file format documents. (Again, I always
recommend that companies use .rtf as their default document setting.) In
addition, open Office documents in Safe Mode, and avoid opening any Word documents
embedded in other Office applications, such as Excel or PowerPoint.
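The advice above (refuse .doc documents until the patch ships, keep .rtf as the default) is easy to state and easy to get wrong at a mail gateway, because a renamed file still carries its original format. The following is an added example, not code from the column or from TechRepublic: a small attachment-policy check that classifies a file by its leading bytes rather than its extension. The OLE2 compound-file signature and the RTF header are taken from the public format specifications; the attachment names and contents are constructed samples, and the verdict names are my own. It also treats every OLE2 container alike, since the column warns about Word objects embedded in Excel or PowerPoint, and flags RTF that carries an embedded object for review rather than allowing it outright.

```python
"""Mail-gateway attachment check for the unpatched Word .doc threat.

Added example, not from the column: it enforces the author's advice
(refuse .doc documents, prefer .rtf) by sniffing the file's bytes rather
than trusting its extension.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Format signatures from the public file-format specifications.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file (binary .doc/.xls/.ppt)
RTF_MAGIC = b"{\\rtf"                             # Rich Text Format header
# RTF control words that introduce an embedded OLE object.
RTF_OBJECT_MARKERS = (b"\\object", b"\\objdata")


@dataclass
class Attachment:
    filename: str
    data: bytes


def sniff_format(data: bytes) -> str:
    """Classify content by its leading bytes: 'ole2', 'rtf' or 'unknown'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def check_attachment(att: Attachment) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'reject', 'review' or 'allow'."""
    ext = att.filename.lower().rsplit(".", 1)[-1] if "." in att.filename else ""
    fmt = sniff_format(att.data)
    if fmt == "ole2":
        # Binary Office container, whatever the file name claims to be.
        return "reject", f"OLE2 binary Office document (named .{ext or '?'})"
    if ext in ("doc", "dot"):
        # Declared Word binary with unrecognised content: refuse on policy.
        return "reject", "Word binary extension with unrecognised content"
    if fmt == "rtf":
        if any(marker in att.data for marker in RTF_OBJECT_MARKERS):
            # RTF is text, but it can still carry an embedded OLE object.
            return "review", "RTF with embedded OLE object"
        return "allow", "RTF document"
    return "allow", f"{fmt} content, .{ext or '?'} extension"


# Constructed sample attachments (not real captures).
SAMPLES: List[Attachment] = [
    Attachment("report.rtf", OLE2_MAGIC + b"\x00" * 504),   # .doc renamed to .rtf
    Attachment("memo.rtf", b"{\\rtf1\\ansi Hello}"),
    Attachment("invoice.rtf", b"{\\rtf1{\\object\\objemb{\\*\\objdata 00}}}"),
    Attachment("old.doc", b"not an office file at all"),
    Attachment("notes.txt", b"plain text"),
]


def run_policy(samples: List[Attachment] = SAMPLES) -> List[Tuple[str, str, str]]:
    """Apply the check to each sample; returns (filename, verdict, reason)."""
    return [(a.filename, *check_attachment(a)) for a in samples]


if __name__ == "__main__":
    for name, verdict, reason in run_policy():
        print(f"{verdict:6}  {name:12}  {reason}")
```

The first sample is the case an extension filter misses: an OLE2 binary document named .rtf is still rejected because the check reads the bytes. Whether RTF with an embedded object should be rejected outright or merely held for review is a local policy decision; the example keeps it at "review" so it stays consistent with the column's recommendation of .rtf as the default format.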
Final word
Continuing to take center stage in the security arena is the
Department of Veterans Affairs’ incredible security breach, which has grown and
grown. The agency has fired the database clerk responsible for the data theft; the
clerk will apparently receive his full pension and benefits.
The VA continues to release more information about the
stolen data—but very slowly. The latest revelations include the fact that
confidential information about most active-duty
military personnel was also on the stolen computer equipment. When it comes to
the theft of personal information about military personnel actually serving in a war zone,
the national security implications are obvious.
At first, the VA said the theft only (ONLY!) involved about 50,000
active-duty personnel records. The agency later disclosed that as many as 1.1
million active-duty, 430,000 National Guard, and 645,000 Reserve records were
on the stolen equipment.
Since it gets worse every week, who knows how bad it will be
in a few more days? Is it any wonder that the VA keeps getting failing grades
for IT security? To stay on top of the latest information in this scandal, bookmark my TechRepublic
blog.
Incredibly, it appears that the responsible employee did
nothing outside the existing VA security rules for handling this kind of
sensitive data. So what’s your company’s policy on taking home confidential
employee or client data to work on it? Do you have a policy? Do you enforce it?
What’s the punishment for breaking the policy? Post your comments in this
article’s discussion.
John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.