Internet browser users are going to have to deal with a new threat soon, and it’s not related to JavaScript. There is an unusual vulnerability in some Mozilla products (including Firefox) that run on the Gecko engine. This vulnerability allows malware writers to detect keystrokes even when JavaScript is disabled.

Mozilla patched this problem in Firefox 9, Thunderbird 9 and SeaMonkey 2.6 and then announced what the threat was and that it had been fixed. The real threat, though, may lie in the fact that it wasn’t JavaScript-based, so it could easily run on any machine that hits a bad site even though JavaScript is turned off. Each key on the keyboard can be “bound” to a specific page of a malware website. So pressing “a” would silently send a request to http://badsite.com/?a, pressing “b” would send one to http://badsite.com/?b, etc. The user would have no clue this was happening unless they were monitoring their network, which most normal users wouldn’t know how to do, let alone have the time to do. The attacker would then gather the logs from his web servers and piece together what the unsuspecting person typed.

This is a huge problem because almost everything is typed into the computer. Several security experts suggest switching up browsers for different types of browsing. Be aware of the bugs that are fixed in the browsers you are using. Also be aware of the types of browsing you are doing. It will hopefully be minimized as browsers patch their software to deal with it, but the thought of it is enough to make this user much more aware of what is loaded on my system, of running malware detectors, and of watching my router for bad connections. Users today have to be much more aware of the equipment they have and how to monitor it, or they will find themselves giving away info they would much rather keep to themselves!
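
The per-key requests described above leave a recognizable pattern in proxy or router logs: many requests from one client to one host, each with a one-character query string. The following detection logic is an added example, not code from the original post; the log format, host names, thresholds and the function name `find_per_key_requests` are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Constructed sample proxy log: "<epoch seconds> <client IP> <requested URL>".
# Host names are placeholders, not real indicators.
SAMPLE_LOG = """\
1325000000 10.0.0.5 http://news.example/index.html?page=2
1325000003 10.0.0.5 http://badsite.example/?s
1325000004 10.0.0.5 http://badsite.example/?e
1325000004 10.0.0.7 http://cdn.example/app.js?v
1325000005 10.0.0.5 http://badsite.example/?c
1325000006 10.0.0.5 http://badsite.example/?r
1325000007 10.0.0.5 http://badsite.example/?e
1325000009 10.0.0.5 http://badsite.example/?t
1325000030 10.0.0.7 http://search.example/?q=firefox+update
"""

def find_per_key_requests(log_text, min_hits=5, window=60):
    """Flag (client, host) pairs with a burst of one-character query strings.

    Returns {(client, host): exposed_text} so the responder can see what leaked.
    min_hits and window (seconds) are assumed tuning values.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skip malformed lines
        ts, client, url = int(parts[0]), parts[1], parts[2]
        target = urlsplit(url)
        char = unquote(target.query)  # "%20" decodes to a single space
        if target.hostname and len(char) == 1:
            hits[(client, target.hostname)].append((ts, char))

    findings = {}
    for pair, events in hits.items():
        events.sort(key=lambda e: e[0])  # stable: keeps log order within a second
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_hits:
                findings[pair] = "".join(c for _, c in events)
                break
    return findings

if __name__ == "__main__":
    for (client, host), text in find_per_key_requests(SAMPLE_LOG).items():
        print(f"{client} -> {host}: possible keystroke leak, exposed text {text!r}")
```

A single one-character query, such as the `?v` cache-buster in the sample, stays below the threshold and is not flagged.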

Source: CNET | The Download Blog – Download.com