Vulnerability researcher Michal Zalewski has published details of four new zero-day flaws in Firefox and Internet Explorer (IE) that could be exploited to log keystrokes, download malware and steal cookies.
Zalewski published his findings on Full Disclosure, a mailing list hosted by Danish vulnerability clearinghouse Secunia.
Firefox also contains a flaw that could be exploited on certain confirmation dialogs. "A sequence of blur/focus operations can be used to bypass delay timers implemented on certain Firefox confirmation dialogs, possibly enabling the attacker to download or run files without user's knowledge or consent," Zalewski wrote.
The fourth flaw affects IE 6 and allows malicious Web sites to spoof URL bar data. IE 7 is not affected because of certain high-level changes in the browser, the researcher noted.
The issues are serious enough that the Bethesda, Md.-based SANS Internet Storm Center (ISC) issued an alert on its Web site.
The new flaws come less than a week after Mozilla updated Firefox to fix a number of other security flaws. Mozilla warned attackers could exploit those flaws to access sensitive information, cause a denial of service or run malicious code on targeted machines.