Topic: ALERT--Firefox flaw--ALERT  (Read 2441 times)

0 Members and 1 Guest are viewing this topic.

Offline toasty0

  • Application.Quit();
  • Captain
  • *
  • Posts: 8045
  • Gender: Male
ALERT--Firefox flaw--ALERT
« on: January 26, 2005, 09:17:31 am »
A vulnerability in Firefox could expose users of the open-source browser to the risk of phishing scams, security experts have warned.

The flaw in Mozilla Firefox 1.0, details of which were published by security company Secunia on Tuesday, could allow hackers to spoof the URL in the download dialog box that pops up when a Firefox user tries to download an item from a Web site. This flaw is caused by the dialog box incorrectly displaying long sub-domains and paths, which can be exploited to conceal the actual source of the download.

Mikko Hypponen, director of antivirus research at software maker F-Secure, said this bug could make Firefox users vulnerable to cybercriminals. "The most likely way we could see this exploited would be in phishing scams," he said.

To fall victim to such a scam, a Firefox user would have to click on a link in an e-mail that pointed to a spoofed Web site and then download malicious software from the site, which would appear to be downloaded from a legitimate site.

This flaw was given a severity rating of two out of a possible five by Secunia.

David Emm, a senior technology consultant at antivirus company Kaspersky Labs, said that phishers aren't likely to take advantage of this flaw in Firefox, because Microsoft's Internet Explorer still dominates the browser market.

"I think it's unlikely that we'll see hackers rush to exploit this vulnerability," Emm said. "After all, Firefox has a much, much smaller install base than IE, and it's likely that hackers will continue to pay more attention to (IE) instead."

This may change in the future as Firefox has attracted a lot of interest in the past few months. A survey at the end of November found that Mozilla-based software, including Firefox, accounted for 7.4 percent of browsers in November 2004, up 5 percent from May.

The download vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. No solution is available at present, but Mozilla developers are expected to fix this bug in an upcoming version of the product.

MCTS: SQL Server 2005 | MCP: Windows Server 2003 | MCTS: Microsoft Certified Technology Specialist | MCT: Microsoft Certified Trainer | MOS: Microsoft Office Specialist 2003 | VSP: VMware Sales Professional | MCTS: Vista

Offline Nemesis

  • Captain Kayn
  • Global Moderator
  • Commodore
  • *
  • Posts: 13067
Re: ALERT--Firefox flaw--ALERT
« Reply #1 on: January 26, 2005, 08:34:28 pm »
Now lets see how long it takes them to fix it.
Do unto others as Frey has done unto you.
Seti Team    Free Software
I believe truth and principle do matter. If you have to sacrifice them to get the results you want, then the results aren't worth it.
 FoaS_XC : "Take great pains to distinguish a criticism vs. an attack. A person reading a post should never be able to confuse the two."

Offline toasty0

  • Application.Quit();
  • Captain
  • *
  • Posts: 8045
  • Gender: Male
Re: ALERT--Firefox flaw--ALERT
« Reply #2 on: January 26, 2005, 11:42:57 pm »
Now lets see how long it takes them to fix it.
LOL...

Actually my post wasn't meant as a slam, but as a legitimate warning for those who are using Firefox.

MCTS: SQL Server 2005 | MCP: Windows Server 2003 | MCTS: Microsoft Certified Technology Specialist | MCT: Microsoft Certified Trainer | MOS: Microsoft Office Specialist 2003 | VSP: VMware Sales Professional | MCTS: Vista

Offline Nemesis

  • Captain Kayn
  • Global Moderator
  • Commodore
  • *
  • Posts: 13067
Re: ALERT--Firefox flaw--ALERT
« Reply #3 on: January 27, 2005, 05:31:01 pm »
LOL...

Actually my post wasn't meant as a slam, but as a legitimate warning for those who are using Firefox.

There have been those who claim that the only reason open source programs like Firefox/Mozilla are "secure" is that they are not popular enough to be attacked.  I guess Firefox/Mozilla is now that popular.  Now we get to see if the open source coders can maintain that level of security by a prompt effective patch.  I'd say that this is a fair test of the the open source system of doing things.
Do unto others as Frey has done unto you.
Seti Team    Free Software
I believe truth and principle do matter. If you have to sacrifice them to get the results you want, then the results aren't worth it.
 FoaS_XC : "Take great pains to distinguish a criticism vs. an attack. A person reading a post should never be able to confuse the two."