Two Firefox security flaws uncovered
Posted by Percy Cabello on June 4th, 2007

Michal Zalewski, a white-hat hacker, today disclosed two Firefox vulnerabilities affecting Firefox 2.0.0.4:

The first one affects internal frame behavior and could help a malicious web site spoof another one or capture key presses. In a test case also published by Zalewski, a pop-under is opened at the same time as the cnn.com homepage. The pop-under is promptly closed, but from then on all keys pressed while at cnn.com are captured by the test case. This could be used to gain access to email accounts or to other web sites holding financial and personal information. The best protection is to access these web sites directly and not to follow third-party links.

The second vulnerability overrides the timeout Firefox sets for installing extensions and downloading files, and could lead to a user inadvertently downloading a malicious file or program.

In the test case, a web page that mimics a game ad asks the user to press Enter every time a certain word appears in order to earn a prize. In the background, those key presses are used to exploit the vulnerability and prevent the timeout. At some point a download window is presented with the Save button already enabled (without waiting for the timeout), and the next Enter pressed is used to accept the download of a malicious web page.

In the test case, the downloaded web page lists the contents of the user’s C: drive. In practice, it could be used to get any kind of information from the user’s computer and send it to any other site.

According to the vulnerability description, so many key presses may not be necessary: a single click could be enough to deactivate the timeout, though another kind of social engineering tactic might then be needed to trick the user into downloading the unrequested file. I find it harder to defend against this kind of attack. Just try to be alert to what windows and dialogs you are prompted with.

The vulnerabilities were first reported to Mozilla on May 30 and April 4 respectively, and are currently being investigated by Mozilla through private bugs, the usual procedure for security-related issues.

Hopefully we’ll see patches for these vulnerabilities soon. In the meantime, users are advised to act cautiously as suggested above.
