a blog by Rayland R. Delos Reyes - “RDJA”
If you are a fond user of Microsoft Word, then you had better be careful..Three unpatched bugs in Word have been uncovered in the last few weeks and two are already being exploited by attackers. The bugs allows attackers to create booby-trapped documents that steal information or take over a PC when they are opened.
No patch is yet available to fix these bugs.
Mozilla’s Firefox 2.0 has long been considered a safer Web browser than Microsoft’s Internet Explorer, but a flaw in the Firefox Password Manager could enable hackers steal your login data.
The problem, known as a reverse cross-site request (RCSR)was first discovered by Robert Chapin, a Microsoft Certified Systems Engineer (MCSE) and I.T, consultant. The RCSR appears on blogs, message boards, or group forums that let users add comments with embedded HTML code.
On sites that allow users to enter code, a hacker can embed a form that tricks the user’s browser into sending its username and password information to the hacker’s computer. Because the form is embedded on a trusted Web site, the browser’s built-in antiphishing protection, which is designed to alert users to fraudulent Web sites, does not detect the problem.
Even worse, hackers can make the deceptive form invisible, meaning users can transmit their private data without even knowing it.
Bug #360493
The Mozilla Foundation has acknowledged the problem and named it bug #360493. Microsoft has also admitted that RCSR attacks can affect Internet Explorer, but most reports indicate that Firefox is the more likely target because of the way it stores usernames and passwords.
No patch has yet been released for the problem, but you can avoid reverse cross-site request attacks by simpy disabling your Firefox 2.0 autosave features for usernames and passwords. This feature is found in the “Options” window under the “Tools” menu.
Mozilla has indicated that it plans a fix in Firefox version 2.0.0.1 or 2.0.0.2.
