JavaScript Flaw Affects Mozilla, IE

Both Microsoft and Mozilla downplayed a JavaScript bug that security researchers say poses a risk of system compromise, saying it was difficult to exploit. The bug could allow an attacker to download files, but it requires quite a bit of user interaction in order to exploit.

For that reason, neither company will offer a separate patch for the issue; instead, both plan to address the issues in a future release of their browsers. Mozilla and Microsoft pointed to the amount of user interaction and lack of a code execution risk as reasons for holding off on a fix.

According to a Secunia advisory on the issue, the vulnerability exists in JavaScript "OnKeyDown" events.

"The vulnerability is caused due to a design error where a script can cancel certain keystroke events when entering text," the advisory reads. "This can be exploited to trick a user into typing a filename in a file upload input field by changing focus and cancel the "OnKeyPress" JavaScript event on certain characters."

From there, it could cause an arbitrary file from the users system to be uploaded to a malicious Web site. However, the user must first type the text containing the characters of the file name. To date, no known exploits of the flaw have been reported.

The vulnerability is known to exist on Firefox, Mozilla, Netscape, and Internet Explorer. Opera users appear to be safe from the problem, according to security researchers.

Secunia said those concerned should either disable JavaScript support, or refrain from entering suspicious text on untrusted Web sites.