The Mozilla Foundation has issued patches for a flaw in its browsers that could allow an attacker to execute existing applications on a Windows XP machine. Researchers have also discovered a bug in Opera Software ASA's browser that could be exploited to make users falsely believe they are visiting a trusted website, such as a banking site.
The bugs in Mozilla and Opera, which together account for about five percent of browser users, follow on the heels of a string of Internet Explorer attacks that appear to be convincing many users to explore IE's alternatives.
After some security vendors suggested switching browsers as one form of protection from the latest bugs, Mozilla and Opera have experienced a huge jump in downloads, the vendors say. Security experts caution that non-IE browsers are subject to some of the same vulnerabilities as Microsoft's browser, but concede that the alternatives probably are safer.
A database collating advisories from various sources has collected 54 vulnerability advisories for IE 6.x during 2003 and 2004, 42 percent of which were "highly critical" or "extremely critical", and 32 percent of which granted system access. Opera 7.x had 26 bugs, 17 percent of which were highly or extremely critical, and Mozilla 1.3 and later had a total of 12 advisories, none of which were more than moderately critical.
"While other browsers also have problems, it seems evident that vulnerabilities are a bit more frequent and serious in IE," said Secunia's Kristensen.
The Mozilla flaw was publicised on the public security mailing list Full Disclosure on Wednesday, along with a link to Mozilla's fix. The group released updated versions of the Mozilla Application Suite, Firefox and Thunderbird fixing the problem, and on Thursday released a small download that eliminates the bug by reconfiguring the affected software.
"We have confirmed that the bug affects only users of Microsoft's Windows operating system. The issue does not affect Linux or Macintosh users," Mozilla said in its advisory, which also contains instructions on patching affected systems.
The Opera bug, publicised by security firms on Thursday, could allow the browser to appear to be displaying a trusted site while actually displaying a malicious one, for example to trick a user out of his bank login information.