Attack code published for 'critical' IE flaw; Patch your browser now
Summary: Microsoft has confirmed that this flaw is being used in “limited attacks” but the company has not (yet) updated its MS12-037 bulletin to make it clear that public exploit code is now widely available.
[ 'State-sponsored attackers' using IE zero-day to hijack GMail accounts ]
The vulnerability (CVE-2012-1875) is a remote code execution flaw in the way that Internet Explorer accesses an object that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
According to McAfee, the live attacks started as far back as June 1, 2012:
https://blogs.mcafee.com/mcafee-labs/active-zero-day-exploit-targets-internet-explorer-flaw
The exploit works across all major Windows platforms, including Windows Vista and Windows 7. It leverages return-oriented programming (ROP) exploitation technology to bypass data execution prevention (DEP) and address space layout randomization (ASLR) protections, and hook-hopping evasion techniques to evade host-based IPS detections. It requires the victim’s system to run an old Java virtual machine that came with a non-ASLR version of msvcr71.dll. If Java is not installed or there is no non-ASLR version of msvcr71.dll in the system, the exploit won’t work, although it will cause IE to crash.
http://www.theregister.co.uk/2012/06/22/firefox_new_tab_security_concerns/
Firefox 'new tab' feature exposes users' secured info: Fix promised
Unlucky version 13 not ideal, Mozilla admits
Privacy-conscious users have sounded the alarm after it emerged the "New Tab" thumbnail feature in Firefox 13 is "taking snapshots of the user's HTTPS session content".
Reg reader Chris discovered the feature after opening a new tab only to be "greeted by my earlier online banking and webmail sessions complete with account numbers, balances, subject lines etc.
"This content is behind a secure login for a reason," Chris added.
Firefox 13 was released on 5 June, adding new features including updated new tab and home tab pages. The updated new tab page feature is broadly akin to the Speed Dial feature already present in other browsers and displays cached copies of a user's most visited websites.