But exploiting the flaw requires so much user interaction that Microsoft and Mozilla don't think it poses much of a danger. The companies do. Instead, both plan to address the bug in future versions of their browsers, representatives said, but did not specify which update or when it might arrive.
"This vulnerability does not allow a malicious attacker to execute code against a user's machine but rather requires significant user interaction that could result in information disclosure," a Microsoft representative said in an e-mailed statement. "Microsoft plans to address this vulnerability in a future version of Internet Explorer."
Mike Schroepfer, vice president of engineering at Mozilla, made similar comments. "This is a relatively low severity issue, because it requires a specific set of user actions and does not pose a remote code execution risk," he said in a statement. "That said, we take every issue seriously and are working on a fix for a future release of Firefox."
For an attack to be successful, victims have to type the full path of files the attacker wants to download. "This may require substantial typing from targeted users," security company Symantec said. Attackers will likely use Web pages such as keyboard-based games or blogs to exploit this issue, it added.
Microsoft noted that it has not seen any malicious code that attempts to exploit the vulnerability.
The security flaw is unusual because it hits all current versions of Firefox, Mozilla SeaMonkey, Mozilla Suite, Netscape and Microsoft Internet Explorer, Secunia said. The security monitoring company deemed the problem "less critical," its second-lowest of five possible ratings.
Mozilla's browsers are vulnerable on multiple operating systems. appears unaffected by this problem.