Bugs bite into popular browsers

Unpatched flaws are discovered in Internet Explorer, Firefox and Safari that could cause problems for Web surfers.

Joris Evers Staff Writer, CNET News.com

Joris Evers covers security.

Joris Evers

April 26, 2006 6:09 a.m. PT

2 min read

Newly disclosed, unpatched flaws in three browsers could make the Web a more dangerous place to surf, security experts have warned.

Security researchers published details on the bugs in Microsoft's Internet Explorer, Apple Computer's Safari and Mozilla's Firefox to security mailing lists over the weekend. The Firefox and Safari bugs could cause the browsers to crash, while the IE hole could be exploited to hijack a vulnerable Windows computer, Secunia said in advisories on its Web site.

The security monitoring company deems the IE flaw, reported by bug hunter Michal Zalewski, "highly critical." The problem has been confirmed on version 6 of the popular software, but could also affect other versions, the company said. The vulnerability lies in the way IE processes HTML tags. An attacker could exploit the bug by crafting a malicious Web site, Secunia said.

The alerts come just days after security researcher Tom Ferris reported several unpatched holes in Apple software including Safari. Also, Microsoft earlier this month issued a patch for IE to plug 10 holes, most of which it called "critical".

Microsoft is investigating the newly disclosed vulnerability and believes it is not as serious as Secunia claims, the software maker said in an e-mailed statement Tuesday. "Our initial investigation has revealed that the issues described would most likely result in the browser closing unexpectedly or failing to respond," it said.

Symantec also said that the IE flaw could be exploited to run malicious code on a vulnerable PC. However, this has not been confirmed, the security specialist said in a note to subscribers to its DeepSight service. "Exploit attempts likely result in crashing the affected application," Symantec said.

Secunia rates the Firefox and Safari problems as "not critical." A miscreant could cause both browsers to crash by crafting a malicious Web site because of flaws, it said, noting that the programs are flawed in the way certain data is handled.

Safari version 2.0.3 has been confirmed as vulnerable, and other versions may also be affected, Secunia said. Firefox 1.5.0.2, the most recent version, is flawed and so may be earlier versions, according to Secunia's advisory. Apple and Mozilla did not immediately respond to requests for comment.

Because fixes are not available for any of the security holes, Secunia recommends not browsing untrusted Web sites to avoid the problem.