Posted on 01/05/2005 10:21:20 AM PST by ShadowAce
A newly discovered flaw in Firefox could allow cybercriminals to take advantage of Web surfers
A vulnerability in Firefox could make users of the open source browser more likely to fall for phishing scams.
The flaw in Mozilla Firefox 1.0, details of which were published by Secunia on Tuesday, allows malicious hackers to spoof the URL in the download dialog box which pops up when a Firefox user tries to download an item from a Web site. This flaw is caused by the dialog box incorrectly displaying long sub-domains and paths, which can be exploited to conceal the actual source of the download.
Mikko Hyppönen, director of antivirus research at F-Secure, said this bug could make Firefox users vulnerable to cybercriminals. "The most likely way we could see this exploited would be in phishing scams," said Hyppönen.
To fall victim to such a scam, a Firefox user would have to click on a link in an email that pointed to a spoofed Web site and then download malware from the site, which would appear to be downloaded from a legitimate site.
This flaw was given a severity rating of two out of a possible five by Secunia.
David Emm, a senior technology consultant at antivirus company Kaspersky Labs, said it is unlikely that phishers will take advantage of this exploit in Firefox because Microsoft's Internet Explorer still dominates the browser market.
"I think it's unlikely that we'll see hackers rush to exploit this vulnerability," said Emm. "After all, Firefox has a much, much smaller install base than IE and it's likely that hackers will continue to pay more attention to [IE] instead."
This may change in the future as Firefox has attracted a lot of interest in the past few months. A survey at the end of November found that Mozilla-based browsers, including Firefox, accounted for 7.4 percent of browsers in November 2004, up 5 percent from May.
The download vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. No solution is available at present, but Mozilla developers plan to fix this bug in an upcoming version of the product.
The Secunia advisory and Mozilla bug report are available online.
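The display problem described in the article, as an added example that is not part of the original article or Mozilla's code: a source label that crops a long URL at the right edge hides the site that really serves the file, while a label that elides from the left keeps it visible. The label width, the cropping model, the function names and the sample URL are assumptions constructed for illustration.

```javascript
// Added illustration; WIDTH and the cropping model are assumptions,
// not Firefox's actual dialog code.
const WIDTH = 40; // characters the hypothetical "from:" label can show

// Constructed sample: the trusted-looking name is only a sub-domain prefix.
const SAMPLE = "http://www.trusted.example." + "a".repeat(32) +
               ".other.test/files/setup.exe";

// Weak: crop the whole URL at the right edge. A long sub-domain pushes
// the part that identifies the real site out of view.
function naiveLabel(url, width = WIDTH) {
  return url.length <= width ? url : url.slice(0, width - 3) + "...";
}

// Approximation of the site that actually serves the file: the last two
// host labels. Production code should use the Public Suffix List instead.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Hardened: drop the path, and when the host is too long elide it from
// the LEFT so the rightmost labels are always shown.
function safeLabel(url, width = WIDTH) {
  const u = new URL(url);
  const prefix = u.protocol + "//";
  const room = width - prefix.length;
  if (u.hostname.length <= room) return prefix + u.hostname;
  const labels = u.hostname.split(".");
  let tail = labels.splice(-2).join("."); // never hide these two labels
  const marker = "[...].";
  while (labels.length &&
         marker.length + labels[labels.length - 1].length + 1 + tail.length <= room) {
    tail = labels.pop() + "." + tail;
  }
  return prefix + marker + tail;
}

// Simple regression check a UI test could run against a label renderer.
function labelShowsSite(label, url) {
  return label.endsWith(siteOf(url)) || label.includes(siteOf(url) + "/");
}
```
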
Now now now...I never said I was part of the "on-bended-knee" brigade about Microsoft. I just think hypocrites are on both sides of the issue. Microsoft has some cool stuff, Linux has some cool stuff...
Windows is more useful to me and my family but that's just the nature of the beast with Linux's infancy in the home market.
I doubt my wife will ever like Linux though. I have tried Lycoris, Lindows/Linspire and Redhat and she hated them all and their software just wasn't as cool as the software I currently have (like TopStyle3... the copycats just can't perfect it like Bradbury has)
She does like SameGnome...she loves that particular game.
So much for it being more "bulletproof" than IE. Just the perks that come with popularity.
"More" is a relative term. Once it passes IE in the number and importance of vulnerabilities, then you can say that.
Microsoft is exploited because of the haters.
No, the word "more" has applied from day one, it was the leading argument for those using Firefox to convert people over from IE to Mozilla. It makes for a compelling selling point.
And it still does.
Then you shouldn't have disagreed with me in the first place.
One thing I've noticed about Firefox, is that it is not nearly as forgiving as IE when it comes to mistakes in HTML and Cascading Style Sheets, therefore a lot of sites that work with IE won't work with Firefox, because the developers assumed their HTML and stylesheets were correctly formatted.
OK--I'm confused. In post #22, it sounded like you were saying that Firefox isn't any better than IE--or perhaps worse, even.
I disagreed, stating (essentially) that Firefox has fewer vulnerabilities than IE, thus making it "more" bulletproof.
Did I misunderstand what you were saying?
I noticed that from day one when I started using Firefox, because the Google search box on my website wasn't centered with the rest of the elements on my page, but it was formatted over to the left side of the browser window. In IE, it's centered, in Firefox, it isn't (Opera as well).
No, that's NOT what I said. The overwhelming argument from the legions of FF users on FR was "FF was more this...more that...better than this...better than that...it has more...switch, you'll thank me for it". I'm just saying that with anything popular, there will always be some possible exploitation found, because of the popularity of the product.
OK. I misunderstood you. I apologize.
< evil grin > ...though FF is more this and more that...< /evil grin >
Don't be disappointed if it ever isn't.
I can't. It won't run under Linux.
Ping. Just in case you didn't see it.
LOL- I was just trying to get a "Flame Microsoft" war going - Linux geeks are a touchy bunch
Kinda like pulling your fishin' pole out of the water with no fish and no worm. lol
MS kneepadders love to bring their favorite straw man along for these threads. They claim the OSS community thinks its software is 100% bug free and can not be exploited. You may disagree with the statement Firefox is engineered better than IE but you might have to back that up with something, so it's easier to say we're a bunch of nuts who think our ship is unsinkable and be done with it..
Please point to the post where you said that FF will have vulnerabilities, and somebody said there was no way it was unsinkable..