Firefox flaw found

[minkyrra]

sorry if someone has put this up before

Firefox flaw found

January 06 2005

by Ingrid Marson

May allow phishers in...



A vulnerability in Firefox could make users of the open source browser more likely to fall for phishing scams.

The flaw in Mozilla Firefox 1.0, details of which were published by Secunia on Tuesday, allows malicious hackers to spoof the URL in the download dialog box which pops up when a Firefox user tries to download an item from a website. This flaw is caused by the dialog box incorrectly displaying long sub-domains and paths, which can be exploited to conceal the actual source of the download.


Mikko Hyppönen, director of antivirus research at F-Secure, said this bug could make Firefox users vulnerable to cybercriminals. "The most likely way we could see this exploited would be in phishing scams," said Hyppönen.

To fall victim to such a scam, a Firefox user would have to click on a link in an email that pointed to a spoofed website and then download malware from the site, which would appear to be downloaded from a legitimate site.

Secunia gave this flaw a severity rating of two out of a possible five.

David Emm, a senior technology consultant at antivirus company Kaspersky Labs, said it is unlikely that phishers will take advantage of this exploit in Firefox because Microsoft's Internet Explorer still dominates the browser market.

"I think it's unlikely that we'll see hackers rush to exploit this vulnerability," said Emm. "After all, Firefox has a much, much smaller install base than IE and it's likely that hackers will continue to pay more attention to [IE] instead."

This may change in the future as Firefox has attracted a lot of interest in the past few months. A survey at the end of November found that Mozilla-based browsers, including Firefox, accounted for 7.4 per cent of browsers in November 2004, up five per cent from May.

The download vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. No solution is available at present, but Mozilla developers plan to fix this bug in an upcoming version of the product.

The Secunia advisory and Mozilla bug report are available online.


Ingrid Marson writes for ZDNet UK

[rainbowcraft]

That Title is a mouthful...tongue twister...

[minkyrra]

*laughs*

yep

[slinkyri]

Hi Minky and Rainbow xx

Am wondering whether to tell Ad although I'm thinking he will know what I mean is I don't wanna look stooopid...lol

He'll already know won't he yeah I'm sure he will...

cya later you two......

[minkyrra]

hi ri



hope you are feeling better.

you are right, adam is already aware of the flaw.

[cmc_entertainment]

people are just stupid if they click on any emails from there banks ect, asking for personal details, its just common sense not to do it!

and also people dont check where the email has come from - ie in Outlook - the properties of the email ect.

just arrrg to people who actually do full for them; but then if they do, it aint my or your problem - well at the start anyway eg Cause and Effect sort of thing.