Pick a blog category Uncategorized Patch Watch Hackers Zero-day attacks Apple Microsoft Windows Vista Browsers Oracle Cisco Rootkits Vulnerability research Punditocracy Responsible disclosure Spam and Phishing Spyware and Adware Botnets Exploit code Black Hat Viruses and Worms Piracy Data theft Open source Pen testing Digital rights management Mozilla

Details on both vulnerabilities have already been posted to the Full Disclosure mailing list by Polish researcher Michal Zalewski. SecurityFocus provides coverage of the issue, which dates back to 2006.

According to Zalewski, a well-known hacker credited with several major flaw discoveries, there are two very different issues affecting Firefox and IE 7.

First up is a brand-new IE 7 bug that could be used to divert keystrokes from Web-based games, blog entries and comment forms, online chats. In certain scenarios, an attacker could exploit the flaw to read sensitive local files on a computer. “Some user interaction is required, but only to an extent commonly expected on some popular Web site. XSS attacks make it far worse,” Zalewski said.

Click here for an online demonstration of the IE 7 (and prior) vulnerability.

Firefox 1.5 and 2.0 users can test for the flaw here.

Separately, Zalewski also warned about a new bug in the way Firefox handles writes to the ‘location.hostname’ DOM property. The bug could allow for the browser to appear as if were connecting to a bank, when in fact it would instead be receiving data from a bad guy, according to a note on the F-Secure blog.

Click here for a demo of the Firefox 2.0.01 bug, which requires JavaScript. Mozilla’s security response team is already working on a patch.

I have a query in to Microsoft for a comment on the IE 7 issue. Will update as necessary.