The latest versions of Internet Explorer and Firefox on Windows and (in the case of Firefox) Unix systems are vulnerable to attacks that could reveal the contents of sensitive files residing on a victim's hard drives.
The vulnerability resides in the functionality that allows the browsers to upload files to a remote server. It requires a victim to visit a booby-trapped website and enter text with certain characters in a comment interface or other input field.
Demonstration exploits, one for IE and the other for Firefox, show how typing a simple string into a message box reveals a Windows user's boot.ini file. The Reg has more.
The vulnerability resides in the functionality that allows the browsers to upload files to a remote server. It requires a victim to visit a booby-trapped website and enter text with certain characters in a comment interface or other input field.
Demonstration exploits, one for IE and the other for Firefox, show how typing a simple string into a message box reveals a Windows user's boot.ini file. The Reg has more.