In the past, malware authors have often relied on users accidentally approving dangerous actions in browser security dialogs simply because these dialogs appeared just milliseconds before an unrelated mouse click or keystroke, or because they emerged from underneath a window closed by script, not giving the operator an adequate chance to react.
Today, all modern browsers seem to implement a delay timer that makes it impossible to select certain options within the first moments after a prompt of any significance to security is displayed. In Firefox, this is implemented by intercepting the dialog's blur event to disable (gray out) chosen controls, and intercepting the dialog's focus event to set up an asynchronous timer that enables these controls after a defined interval.
The problem is that, in some scenarios, the re-enable timer is not cleared if focus is removed again before the aforementioned interval has passed. In such a case, the control will be disabled twice (which really has no effect), then re-enabled while the dialog is hidden, so that it will emerge instantly clickable when exposed in the future.
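The following added example (a simplified model, not Firefox's code and not from the original advisory) replays that blur/focus/blur sequence against a dialog whose re-enable timer is left running and against one that clears it on blur. The class names, the fake clock and the 2000 ms delay are assumptions made for illustration.

```javascript
// Simplified model, not Firefox source. All names and the 2000 ms delay are assumptions.
class FakeClock {
  constructor() { this.now = 0; this.timers = new Map(); this.nextId = 1; }
  setTimeout(fn, ms) {
    const id = this.nextId++;
    this.timers.set(id, { at: this.now + ms, fn });
    return id;
  }
  clearTimeout(id) { this.timers.delete(id); }
  advance(ms) {
    this.now += ms;
    const due = [...this.timers].filter(([, t]) => t.at <= this.now)
                                .sort((a, b) => a[1].at - b[1].at);
    for (const [id, t] of due) if (this.timers.delete(id)) t.fn();
  }
}

class SecurityDialog {
  constructor(clock, delayMs, clearOnBlur) {
    Object.assign(this, { clock, delayMs, clearOnBlur, enabled: false, timer: null });
  }
  onFocus() {  // arm the asynchronous re-enable timer
    this.timer = this.clock.setTimeout(() => { this.enabled = true; this.timer = null; }, this.delayMs);
  }
  onBlur() {   // gray out the control
    this.enabled = false;
    if (this.clearOnBlur && this.timer !== null) {  // hardened variant cancels the pending timer
      this.clock.clearTimeout(this.timer);
      this.timer = null;
    }
  }
}

// Constructed event sequence following the paragraph above.
function simulate(clearOnBlur) {
  const clock = new FakeClock();
  const dlg = new SecurityDialog(clock, 2000, clearOnBlur);
  dlg.onBlur();          // disabled (first time)
  dlg.onFocus();         // timer armed at t=0
  clock.advance(500);
  dlg.onBlur();          // t=500: focus lost again, disabled (second time)
  clock.advance(2000);   // t=2500: dialog still hidden; stale timer fires if not cleared
  const enabledWhenExposed = dlg.enabled;
  dlg.onFocus();         // dialog exposed again
  clock.advance(2000);   // full delay elapses with focus held
  return { enabledWhenExposed, enabledAfterDelay: dlg.enabled };
}

console.log("timer left running:", simulate(false));
console.log("timer cleared on blur:", simulate(true));
```

With the timer cleared on blur, the control stays grayed out at the moment the dialog is exposed and becomes clickable only after a full delay with focus held.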
Below is a quick demonstration for Firefox 2.0 on Windows. It will download and open an HTML page without your explicit consent, rendering it in the context of the file:// URI scheme. Among other security-related side effects, such a page will be able to access other files on your local disk and transmit that data over the Internet. In this particular case, you will be presented with a directory index of C:\ (Windows only).
Technical notes: the demo will prompt you to hit RETURN repeatedly for reliability, but this is not a prerequisite for exploitation - a single mouse click or keystroke is enough. Actions will be carried out at a fairly slow pace, but this is intentional, so that you get a chance to see what is actually happening, and so that network hiccups have a lesser impact.
Requires Firefox to be your default browser!
Questions and comments: Michal Zalewski <lcamtuf@coredump.cx>.