The Register® — Biting the hand that feeds IT

Comments on: Flaws galore in IE and Firefox

The reality of bugs 

Posted Tuesday 5th June 2007 05:18 GMT

Finally, a good programmer who's out there looking for bugs and not looking to crush companies.

Too bad there were no Safari bugs found today; guess he was just busy.

...using IE7 and Firefox to test personal websites against spambots :)

Another Firefox Bug 

Posted Tuesday 5th June 2007 07:53 GMT

Firefox also seems to display another bug, where it displays two number 3 items on the Full Disclosure page, instead of 3 & 4.

I shall expect full details to be posted in due course...

What no Opera??? 

Posted Tuesday 5th June 2007 08:51 GMT

Seems Opera is OK here, but then it's pretty rare that Opera vulnerabilities are discovered, and they are always nailed down within days...

Opera seems to be designed with security in mind, but Mozilla and IE have security bolted on...

Firefox 

Posted Tuesday 5th June 2007 09:14 GMT

Also goes horrifically slowly if you open more than about 10 images. Its download manager (when open) locks the browser temporarily when adding downloads, and it slows up when there are lots of images on the page.

Security vs user-friendliness 

Posted Tuesday 5th June 2007 09:20 GMT

It appears that the more user-friendly a piece of software gets, the more vulnerable it becomes. The Holy Grail of systems developers is to find the ultimate secure system that wipes your bottom for you in addition to looking as sexy as whoever your dream mate is. As in real life, it's not going to happen.

hmm, just Another Job for NoScript? 

Posted Tuesday 5th June 2007 09:41 GMT

Preventing these and many other yet unknown exploits is just as easy as installing the NoScript Firefox extension.

Letting JavaScript run on every page you visit, intentionally or not, is just dumb.

Security is all about giving away the minimum privileges to do the work, and never, NEVER to strangers.

NoScript just brings the abc of security in the browser.

Re: Another Firefox Bug 

Posted Tuesday 5th June 2007 09:42 GMT

IE 7 seems to display the same bug... how weird is that? And both browsers display two number threes in the source code view as well!!!!

Freaky! :D

why no opera.... 

Posted Tuesday 5th June 2007 11:50 GMT

...cos Opera is a lot older than most people realise, and was never designed to emulate IE in any way, thankfully.

Shame Mozilla/Netscape lost sight of such a vital "feature".

Full disclosure 

Posted Tuesday 5th June 2007 13:21 GMT

The question is, did he notify MS and Mozilla prior to posting the vulns? If not, he's not much better than a black hat. I've never posted without 30 days notice.

FWIW 

Posted Tuesday 5th June 2007 14:02 GMT

Safari (2.0.4), with "Enable JavaScript" and "Always accept cookies" selected (*NOT* my usual configuration!) returned:

"Failed to obtain cookie in 120 seconds.

"Your browser might be not vulnerable, or your network performance deviates from what this script expects. Try again or give up."

...Doesn't mean it's *SAFE*, but is, at least, one datum for Mr. Zalewski.

No JS here either 

Posted Tuesday 5th June 2007 22:42 GMT

'Preventing these and many other yet unknown exploits is just as easy as installing the NoScript Firefox extension.'

Have to agree, the NoScript plug-in should be installed by default. Of course it won't because it breaks a lot of sites and it requires some thought to go through the denied scripts. Joe Public isn't going to put up with the learning curve that entails.

My Ubuntu is broken 

Posted Wednesday 6th June 2007 01:34 GMT

I can't get the FF flaw to work.