Firefox File Stealing, MFSA 2008-02, and Opera

I have been refraining from commenting on any specifics regarding the Mozilla Firefox file stealing vulnerabilities discussed in MFSA 2008-02: Multiple file input focus stealing vulnerabilities, because Mozilla notified me that some of the details would be embargoed pending fixes from other browser vendors. So, I was a little surprised by Opera's announcement that:

Mozilla notified us of one security issue ( :smile: ) the day before they published their public advisory ( :worried: ). They did not wait for us to come back with an ETA for a fix: they kept their bug reports containing the details of the exploits closed to the public for a few days, and now opened most of them to everybody ( awww ).

This was picked up by The Register and Slashdot as well as numerous personal blogs.

But as best as I can tell, Mozilla has not released details for any of the proof-of-concept exploits that Opera may be vulnerable to. The samples for the focus shifting bugs don't appear to affect Opera. If Opera is in fact vulnerable to any of the released information, I would be very interested in finding out more about it.

In any case, once the details for Bugzilla #413135 are opened to the public, I will be posting online versions of the sample exploits.

Posted by gfleischer on 2008/02/19 at 21:53 in Vulnerabilities

