After some research, I can offer this clarification:
1) The MSIE 7 attack vector I described is a distinctive, new
vulnerability that differs from the attack reported by Charles
McAuley and Bart van Arnhem. Attacks described by them were
fixed in MSIE7 (although MSIE6 is still exposed to the original
flaw).
My vulnerability attacks the same form control, but in a different
manner. Again, the demo for this vulnerability is here:
http://lcamtuf.coredump.cx/focusbug/ieversion.html
2) The Firefox attack vector is related to the Charles' CVE-2006-2894,
which in turn was a rediscovery of a problem known to Mozilla since
2000 (!); attempts to fix it in official releases failed because the
problem was repeatedly marked as a duplicate of a too narrowly
defined issue with control hiding. A broader redesign probably
eliminated the issue in development branches, but it still affects
Firefox 1.5 and 2.0.
This can be considered an independent rediscovery and a more
practical demonstration of a previously reported vulnerability.
The exploit is here: http://lcamtuf.coredump.cx/focusbug/index.html
Regards,
/mz
