Java Flaw Enables Cross-Browser Attack
In what may be the first known example of a cross-browser attack, users who made the switch to Mozilla Firefox to escape the specter of Internet Explorer's security failures may suddenly find themselves repossessed.
Vitalsecurity has uncovered a vulnerability that exploits a hole in Sun's Java Runtime Environment and that, when used in combination with Firefox and other alternative browsers, is capable of installing malware by invoking Internet Explorer.
According to the security bulletin, the attack can be executed through an alternative browser even when Internet Explorer's security settings are at their highest. On its own, IE blocks the malware's installation, which means another browser must be used for the attack to succeed.
In one example, when a Firefox user visits a site containing an unsigned Java applet, the user will be prompted through a security dialog to run the software. If the user agrees to load the applet, their machine will be infected and an instance of Internet Explorer will load.
Details of the attack can be found at Vitalsecurity's Web site.