MSIE bait & switch vulnerability demo

There is a funny vulnerability in Microsoft Internet Explorer versions 6 and 7.

In short, when Javascript code instructs MSIE to navigate away from a page that meets the same-origin policy (and hence can be accessed and modified via script by the attacker) to an unrelated third-party site, there is a window of opportunity for concurrently executing Javascript to perform actions with the permissions of the old page, but on the actual content of the newly loaded page. For example, the script can read or set victim.document.cookie, arbitrarily alter the document DOM (including changing form submission URLs and injecting code), or even crash the browser through memory corruption while reading and writing not fully initialized data structures.

In other words, the entire security model of the browser collapses like a house of cards and renders you vulnerable to a plethora of nasty attacks; local system compromise is not out of the question, either.

The following harmless demo will attempt to snatch a cookie from google.pl and display it for you. It is somewhat dependent on network timing and similar factors; you obviously need Javascript enabled to proceed, and you need to accept Google cookies. Tested on the most recent MSIE 6 and 7 as of this writing (June 3, 2007). No, Firefox is not vulnerable. No, I have no clue about Opera, Safari, Konqueror and whatnot.

Questions and comments: Michal Zalewski <lcamtuf@coredump.cx>.