Posted by : Tom Doyle in (Internet & Computers, Web Design, Web Development) 13th Feb, 2007

IE and Firefox new vulnerability

Michal Zalewski has revealed that the latest versions of both browsers, Internet Explorer 7 and Firefox, are vulnerable to a malicious attack that would allow the reading of sensitive files on your computer.

He says: “In all modern browsers, input type="file" form fields (used to upload user-specified files to a remote server) enjoy some added protection meant to prevent scripts from arbitrarily choosing local files to be sent, and automatically submitting the form without user knowledge. For example, .value parameter cannot be set or changed, and any changes to .type reset the contents of the field.

Unfortunately, there are some problems that allow user’s keyboard input in unrelated locations to be selectively, transparently redirected to these input fields, and hence affect file selection to attacker’s liking. Even though some browsers try to prevent file field hiding, it can be easily stowed off-screen at negative window coordinates. The script can then automatically submit the entire form, including victim’s sensitive files.

In MSIE7, unlike with previously reported focus-related attack vectors that no longer work in that version, this can be achieved by selectively removing input field focus from within a key event handler. In Firefox, this is possible by moving the focus between onKeyDown and onKeyPressed events.”

An example of the exploit can be seen here: http://lcamtuf.coredump.cx/focusbug/ieversion.html
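For anyone reviewing page markup for this pattern, the following is an added example, not code from Zalewski's advisory or from this post: a heuristic audit in JavaScript (Node) that flags the three traits the quote describes, namely a file field parked at negative coordinates, a key event handler that moves focus, and a scripted form submit. The function name `auditFileInputs`, the finding labels and both sample pages are constructed for illustration.

```javascript
// Heuristic audit for the three traits described in the advisory.
// Assumption: simple regexes stand in for a real HTML/CSS parser, so only
// inline styles and inline on* handlers are inspected.
const FILE_INPUT = /<input\b[^>]*\btype\s*=\s*["']?file\b[^>]*>/gi;
const NEGATIVE_OFFSET = /\b(?:left|top|margin-left|margin-top)\s*:\s*-\d/i;
const KEY_HANDLER = /\bon(?:keydown|keypress|keyup)\s*=\s*(["'])([\s\S]*?)\1/gi;
const FOCUS_CHANGE = /\.(?:focus|blur)\s*\(/i;
const AUTO_SUBMIT = /\.submit\s*\(/i;

function auditFileInputs(html) {
  const findings = [];
  const fileInputs = html.match(FILE_INPUT) || [];
  if (fileInputs.length === 0) return findings; // no file field on the page

  // Trait 1: the file field is positioned at negative coordinates.
  if (fileInputs.some((tag) => NEGATIVE_OFFSET.test(tag))) {
    findings.push("offscreen-file-input");
  }
  // Trait 2: a key event handler moves or removes focus.
  for (const m of html.matchAll(KEY_HANDLER)) {
    if (FOCUS_CHANGE.test(m[2])) {
      findings.push("focus-change-in-key-handler");
      break;
    }
  }
  // Trait 3: script submits a form without a user click.
  if (AUTO_SUBMIT.test(html)) findings.push("scripted-submit");
  return findings;
}

// Constructed sample: an ordinary upload form, expected to produce no findings.
const BENIGN = `
<form action="/upload" method="post" enctype="multipart/form-data">
  <input type="file" name="doc">
  <input type="submit" value="Upload">
</form>`;

// Constructed sample: markup showing all three traits at once.
const SUSPICIOUS = `
<form action="/upload" method="post" enctype="multipart/form-data">
  <input type="file" name="doc" style="position:absolute; left:-800px">
  <textarea onkeydown="this.form.doc.focus()"></textarea>
</form>
<script>setTimeout(function () { document.forms[0].submit(); }, 5000);</script>`;

console.log(auditFileInputs(BENIGN), auditFileInputs(SUSPICIOUS));
```

Each trait also appears on legitimate pages, so the combination of all three is what merits a closer look; handlers attached with `addEventListener` and positioning done in external stylesheets are outside what this sketch inspects.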

