Firefox flaw raises phishing fears
ZDNET | 1/7/2005 | Ingrid Marson
Posted on 01/07/2005 3:06:33 PM PST by KwasiOwusu
A vulnerability in Firefox could expose users of the open-source browser to the risk of phishing scams, security experts have warned.
The flaw in Mozilla Firefox 1.0, details of which were published by security company Secunia on Tuesday, allows malicious hackers to spoof the URL in the download dialog box that pops up when a Firefox user tries to download an item from a Web site. This flaw is caused by the dialog box incorrectly displaying long sub-domains and paths, which can be exploited to conceal the actual source of the download.
Mikko Hypponen, director of antivirus research at software maker F-Secure, said this bug could make Firefox users vulnerable to cybercriminals. "The most likely way we could see this exploited would be in phishing scams," he said.
To fall victim to such a scam, a Firefox user would have to click on a link in an e-mail that pointed to a spoofed Web site and then download malicious software from the site, which would appear to be downloaded from a legitimate site.
(Excerpt) Read more at news.zdnet.com ...
TOPICS: Technical
KEYWORDS: browsers; computersecurity; firefox; intertexplorer; kneepads; littleprecious; lowqualitycrap; microsoft; paidshill; redmondpayroll; trollfromredmond
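The display problem the article describes, as an added example that is not part of the article or the thread and is not Firefox's code: it assumes a fixed-width "source" field that cuts a long host from the right, and contrasts that with eliding from the left so the end of the hostname stays visible. The function names, the 30-character width and the sample URL (reserved `.example` and `.test` names) are constructed for illustration.

```javascript
// Constructed sample: a long chain of sub-domains in front of the real host.
const SAMPLE_URL =
  "http://www.trusted.example.aaaaaaaa.bbbbbbbb.cccccccc.downloads.other.test/files/setup.exe";
const ELLIPSIS = "\u2026";

// Flawed display (assumed behaviour): host + path cut from the right to fit.
// With long sub-domains, the part that identifies the real site is cut off.
function naiveSourceLabel(rawUrl, width) {
  const u = new URL(rawUrl);
  const text = u.host + u.pathname;
  if (text.length <= width) return text;
  return text.slice(0, width - ELLIPSIS.length) + ELLIPSIS;
}

// Safer display: scheme and host only (no path), and when the host is too
// long, elide from the LEFT so the rightmost labels are always shown.
function safeSourceLabel(rawUrl, width) {
  const u = new URL(rawUrl);
  const prefix = u.protocol + "//";
  const room = width - prefix.length;
  if (u.host.length <= room) return prefix + u.host;
  const n = Math.max(room - ELLIPSIS.length, 0);
  const keep = u.host.slice(u.host.length - n);
  // Start on a label boundary so no half-label is displayed.
  const dot = keep.indexOf(".");
  const tail = dot >= 0 && dot < keep.length - 1 ? keep.slice(dot + 1) : keep;
  return prefix + ELLIPSIS + tail;
}

console.log(naiveSourceLabel(SAMPLE_URL, 30)); // real host is not visible
console.log(safeSourceLabel(SAMPLE_URL, 30));  // real host is visible
```

Picking out the registrable domain exactly would additionally need a public suffix list, which this sketch does not include.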
So much for the much touted "security" of Firefox. :)
Isn't life just wonderful?
SHADENFREUD.
To: KwasiOwusu
Yup, just have to use firefox to access a web based e-mail system that a) doesn't watch for scams, and b) ignore the text on the status line that tells you where you're downloading from.
Why anyone would go to that effort when you just have to create a bogus link for Microsoft IE users, I don't know.
2 posted on 01/07/2005 3:09:04 PM PST by kingu (Which would you bet on? Iraq and Afghanistan? Or Haiti and Kosovo?)
To: KwasiOwusu
More FUD.
Welcome to FreeRepublic.
/john
3 posted on 01/07/2005 3:09:42 PM PST by JRandomFreeper (D@mit! I'm just a cook. Don't make me come over there and prove it!)
To: KwasiOwusu
4 posted on 01/07/2005 3:09:59 PM PST by Clara Lou (Hillary Clinton: "We're going to take things away from you on behalf of the common good.")
To: KwasiOwusu
"So much for the much touted "security" of Firefox. :)
Isn't life just wonderful?"
[To fall victim to such a scam, a Firefox user would have to click on a link in an e-mail that pointed to a spoofed Web site and then download malicious software from the site, which would appear to be downloaded from a legitimate site.]
Ooooh, that's some scary security flaw compared to the lolapaloozers in I.E.
I sure know I for one am always clicking on download links in untrusted emails I get through Firefox. Happens every day.
To: KwasiOwusu
everyone talks about how bad Microsoft is and how "safe" other browsers are, LOL. now that foxfire is becoming a bigger target just watch the security problems start.
6 posted on 01/07/2005 3:11:24 PM PST by postaldave (ACLU = Anti-Christian, Liberal, and Un-American.)
To: KwasiOwusu
To fall victim to such a scam, a Firefox user would have to click on a link in an e-mail...
And right there is the origin of the vulnerability!
NEVER EVER CLICK A LINK OR HOT BUTTON IN AN EMAIL!
Even an email you're sure came from a friend. Always use your own bookmarks, or type in the link on the URL bar at the top.
7 posted on 01/07/2005 3:13:23 PM PST by Siegfried (Firefox ROCKS on Slackware!)
To: KwasiOwusu
In my office we had 8 computer terminals on IE and 3 on Firefox. Because of the persistent problems that plagued IE, we have switched all browsers to Firefox. We have not had 1 problem in 8 months. Before we had to get all IE computers cleaned every 4 wks. So... good luck.
8 posted on 01/07/2005 3:13:47 PM PST by mlbford2 ("Never wrestle with a pig; you can't win, you just get filthy, and the pig loves it...")
To: KwasiOwusu
I use both, but I prefer Firefox 1.0+ (pre-release install of the next version).
Without a doubt, Internet Explorer with its Active X access is extremely dangerous. For those who do not understand, Active X is a set of routines that virtually allows full control of the Windows operating system (Microsoft made this to reduce download/upload transmission time for more complicated web-based applications). Active X and .NET share distant similarities, but Active X is the bigger threat.
IE should be relegated for occasional use only.
To: Clara Lou
"Already posted"
Apologies.
Just couldn't resist getting the Firefox evangelists' backs up.
Temptation to wind them up just proved too much.
I really am enjoying myself hugely, after all the ribbing that Microsoft supporters have taken from the Firefox fanatics over the past few months. :)
To: postaldave
"everyone talks about how bad Microsoft is and how "safe" other browsers are, LOL. now that foxfire is becoming a bigger target just watch the security problems start."
It's already started.
And it's going to get worse.
Much, much worse.
Welcome to Firefox HELL!
So why am I smiling broadly?
To: KwasiOwusu
SHADENFREUD (sic)
Just how old are you, Little Precious?
12 posted on 01/07/2005 3:24:00 PM PST by JoJo Gunn (More than two lawyers in any Country constitutes a terrorist organization. ©)
To: KwasiOwusu
Pretty much the only people that you are going to scare are the people who haven't yet switched. I'm not scared because I have quite a few months experience with Firefox and several years with IE6. I have my own experience to judge your statements by.
Personally, I could care less if everybody but me uses IE6. But you certainly won't see me using it again.
13 posted on 01/07/2005 3:24:44 PM PST by Arkinsaw
To: KwasiOwusu
They'll create a fix for it since Firefox's code is open source. Anyway, it's one bug compared to the thousands documented in Internet Explorer - which is based on a proprietary, closed source software code - and Microsoft hasn't even pledged to make its browser more secure.
14 posted on 01/07/2005 3:27:49 PM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
To: JoJo Gunn
To: KwasiOwusu
So why am I smiling broadly?
I don't know. But I bet it's not this CERT advisory. I personally would advise everyone to listen to CERT before they listen to Kwasi.
Use a different web browser
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.
It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).
16 posted on 01/07/2005 3:30:35 PM PST by Arkinsaw
To: Arkinsaw
Love Firefox, but I have noticed that certain web pages do not fully load graphics, and flash demos don't work.
Tried to get a straight answer from Mozilla i.e. in terms a lay person could understand, but got no satisfaction.
Any ideas? And, yes, I've uninstalled and reinstalled the latest version of flash.
17 posted on 01/07/2005 3:32:12 PM PST by rube
To: KwasiOwusu
18 posted on 01/07/2005 3:38:39 PM PST by JoJo Gunn (More than two lawyers in any Country constitutes a terrorist organization. ©)
To: KwasiOwusu
I guess that makes the ratio about 1000-to-1 Microsoft IE flaws to Firefox flaws...
To: KwasiOwusu
So what's your beef with Firefox? I'm very satisfied with it.
Use it at home and work, and I don't have the problems that IE users have.
20 posted on 01/07/2005 3:43:38 PM PST by davetex