Posted on 01/05/2005 10:21:20 AM PST by ShadowAce
A newly discovered flaw in Firefox could allow cybercriminals to take advantage of Web surfers
A vulnerability in Firefox could make users of the open source browser more likely to fall for phishing scams.
The flaw in Mozilla Firefox 1.0, details of which were published by Secunia on Tuesday, allows malicious hackers to spoof the URL in the download dialog box which pops up when a Firefox user tries to download an item from a Web site. This flaw is caused by the dialog box incorrectly displaying long sub-domains and paths, which can be exploited to conceal the actual source of the download.
Mikko Hyppönen, director of antivirus research at F-Secure, said this bug could make Firefox users vulnerable to cybercriminals. "The most likely way we could see this exploited would be in phishing scams," said Hyppönen.
To fall victim to such a scam, a Firefox user would have to click on a link in an email that pointed to a spoofed Web site and then download malware from the site, which would appear to be downloaded from a legitimate site.
This flaw was given a severity rating of two out of a possible five by Secunia.
David Emm, a senior technology consultant at antivirus company Kaspersky Labs, said it is unlikely that phishers will take advantage of this exploit in Firefox because Microsoft's Internet Explorer still dominates the browser market.
"I think it's unlikely that we'll see hackers rush to exploit this vulnerability," said Emm. "After all, Firefox has a much, much smaller install base than IE and it's likely that hackers will continue to pay more attention to [IE] instead."
This may change in the future as Firefox has attracted a lot of interest in the past few months. A survey at the end of November found that Mozilla-based browsers, including Firefox, accounted for 7.4 percent of browsers in November 2004, up 5 percent from May.
The download vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. No solution is available at present, but Mozilla developers plan to fix this bug in an upcoming version of the product.
The Secunia advisory and Mozilla bug report are available online.
Firefox tech ping!
It's a sure sign of Firefox's popularity, now it is a target for hackers. We'll see just how secure it is.
Bad news to hear, but being open source it will be fixed right away I'm sure.
Woops.
I don't get it; I have never had any issues with IE or MS "holes" or the like in the 10 years I have used MS products.
The more popular you are, the bigger of a target is painted on your back.
If FireFox was THE browser of the web, the same freaks who live and die to hate Microsoft right now would be slamming Firefox.
Its just the natural order of things.
As Firefox becomes increasingly popular, we'll probably see more of these vulnerabilities found and exploited.
Of course the Microsoft haters claim that a software's popularity has nothing to do with it being a target for hackers.
Found, perhaps. "Exploited" is still much less likely.
Good post - thanks for the update, ShadowAce
< grin >. Nah. Firefox is still better than IE.
I agree...
Wonder if these hackers received any compensation from MS?
I agree.
I love Microsoft and God Bless Bill Gates.
:)
No, but the lesson is nobody is completely 100% on the interenet, regardless of your browswer/OS of choice.
To go along with the download box spoof reported in bug SA12712 Jakob Balle submits a demonstration to make the download dialog more convincing by obscuring the software source. The demo takes advantage of the default length truncation (similar to truncation of the filename in bug 258601). While the dialog /can/ be resized to see the whole url, most people won't think to do that or even know it's possible.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.