Firefox flaw raises phishing fears

ZDNET ^ | 1/7/2005 | Ingrid Marson

[KwasiOwusu]

A vulnerability in Firefox could expose users of the open-source browser to the risk of phishing scams, security experts have warned.

The flaw in Mozilla Firefox 1.0, details of which were published by security company Secunia on Tuesday, allows malicious hackers to spoof the URL in the download dialog box that pops up when a Firefox user tries to download an item from a Web site. This flaw is caused by the dialog box incorrectly displaying long sub-domains and paths, which can be exploited to conceal the actual source of the download.

Mikko Hypponen, director of antivirus research at software maker F-Secure, said this bug could make Firefox users vulnerable to cybercriminals. "The most likely way we could see this exploited would be in phishing scams," he said.

To fall victim to such a scam, a Firefox user would have to click on a link in an e-mail that pointed to a spoofed Web site and then download malicious software from the site, which would appear to be downloaded from a legitimate site.

[JoJo Gunn]

I have that trouble here on Freep pages. Sometimes all images won't fully load. I haven't done anything out of the ordinary either. I have the Image Toolbar extension, but uninstalled it as an experiment, and it wasn't the culprit.

There's been so many of the same type complaints here:

http://forums.mozillazine.org/index.php?sid=08a3e019a773279eadb9ced6cb6ad613

[frog_jerk_2004]

Open source is the key to solving the problem. Without peer review of IE code, Microsoft will just keep doing what they always do, deny, stall and then admit there is a problem. Then they will "fix" the problem and open another can of worms.

Firefox does not share this problem as it is not "married" to the operating system. Peer review of the open source code remedies security fixes and product enhancement faster and more efficiently.

[papasmurf]

Bad administrator. The tools for securing your box, network AND users are out for the taking, you just need an admin who knows how.

:O)

W

More people DIE in Ford Explorers and F-150's than any other pickup truck currently on the market.

...and that's Bill Gate's fault, too, right?

[Arkinsaw]

I have that trouble here on Freep pages. Sometimes all images won't fully load. I haven't done anything out of the ordinary either. I have the Image Toolbar extension, but uninstalled it as an experiment, and it wasn't the culprit.

I must be lucky. I spend most of my time here and have never had a problem like that with Firefox. I'm Windows XP Home, without SP2. Strange.

[Pablo64]

No offense if you love your HP, but I used to have a Pavillion running ME as well, and thankfully I forgot to re-route the phone line through the surge protector one day (after moving it for some other reasons) and a lightning strike toasted it. I say thankfully, because I had nothing but trouble with it. I heard later from someone who has forgotten more about computers than I will ever know (which is probably most people on this forum!) that HP did some kind of funky partitioning or something on the Pavillions and it caused some very unique kinds of problems. I know when I tried to clean up my in-law's computer over Christmas I could not get through a complete removal of quarrantined items after running Ad-Aware. They are both in their mid 60's and no than a GED between them, but decided to get into this "computer thing" a couple of years ago (when I had the HP) and so they didn't know what kind of crap can land on your hard drive just from surfing the web (heck, I wasn't even aware of the full extent until fairly recently). I think the problem we were having is that HP (at least on the Pavillions) writes a copy of everything to a recovery file or something like that (other FReepers probably know exactly) and when you try and clean out crap with a program like Ad-Aware, it hangs the computer because you're not supposed to be able to touch that part of the C: drive.

I don't know if that's it, but I know I will never, ever, get another HP for my home computer (my iPAQ seems to work just fine, so...??). Glad yours is working for you. Maybe if I had know about Firefox sooner.

[KwasiOwusu]

"Is this site still running on an apache 'open source' server, perl and mysql? Are we still on freeBSD or openBSD? You know, all of those evil commie open source programs for ignorant and rabid folks? "


So what?
You can do better than that.
President Bush's site run on Microsoft Windows. Dell runs on Windows. Its the Internet.
An operating system, language etc etc, is just that.
Do we have normal people with open source skills? You bet. beings.

My quote says:
"But yeah the open source fanatics sure are ignorant and rabid"

We are talking about open source bomb throwers and attack dogs here.

It's like trying to compare Zell Miller to Barbara Boxter because they are both in the RATS party.
Won't work.

"How many years you been programming in 'fanatic' programming languages now? "

Mow that is really pathetic.

Tell me, how many years have you spent doing life saving operations, or doing post surgery care to save people's lives?

There is world out there apart from hiding yourself in your unlit basement and crouching over a computer screen you know.

[KwasiOwusu]

"Ill just crawl off, lick my wounds, and reboot Windows 2000"

I am sure you are a very nice man, ..really.
Hey, we all choose the wrong software sometimes.
But we are not gonna hold it against you. :)

[mlbford2]

I guess you are right. I could hire a network admin for 40k yr.... or,,,, I could just use Firefox and problem solved. I'll have to think about that. Tough decision.

[recalcitrant]

"Tell me, how many years have you spent doing life saving operations, or doing post surgery care to save people's lives?"

---

uhm.. more than two decades now.
What's your point dipstick?

Here's mine:

Take your anti-open source agenda to some other site where the site owners, operators, and users haven't been plugged into it for close to a decade.

bye el dipster!

[FierceDraka]

Well, what I got from the artcle that a user must click on a link contained in a spam message.

Anyone stupid enough to do that deserves whatever they get.

As a technical guy myself, I have NO PITY, MERCY, OR REMORSE for stupid users who shouldn't be allowed to use any computational device more advanced than an abacus.

But then again, an abacus can break, and the users might choke on one of the counting beads. So I guess that's out.

>:D

[JoJo Gunn]

I must be lucky. I spend most of my time here and have never had a problem like that with Firefox. I'm Windows XP Home, without SP2. Strange.

I’m running ME, for what it’s worth. This started about 3 weeks ago, out of nowhere. It’s not specific to the Freep, but just to say that it happens even here. (To my tyro senses, this site is pretty straightforward).

What I likely should try is making a new profile and see if that doesn’t straighten it out.

[dts32041]

So what do you know about Opera?

BTW do you know of anyway to dump IE 6 from the winxp or am I stuck with it forever?

[solitas]

I'm not really familiar with Firefox (am using Mozilla 1.7 here) but does it have a "Tools/Image_Manager/Manage_Image_Permissions" menu?

Maybe you're somehow blocking images from particular servers?

[KwasiOwusu]

"Open source is the key to solving the problem. Without peer review of IE code, Microsoft will just keep doing what they always do, deny, stall and then admit there is a problem"

I agree that Microsoft needs to be kept on it's toes, and the open source movement is doing an excellent job of it.

Let's face it, Microsoft hasn't really made any major upgrade to IE for years.

Firefox is going to force Microsoft out of it's complacency, which can only be good for consumers.

I am happy about that. Competition is great.

The thing that has always been getting me about this is, there are just to many "Microsoft is the Great Satan" nuts out there, which naturally brings a reaction from our side.

Has Microsoft done some "bad" things to its competitotrs before? YES
But then you could say that about almost every single corporation on the planet.
Just look at all the corporate malfeasance the New York Attorney General is uncovering against all kinds of firms right now.

Are some Microsoft products not as good as they could be? Again, YES.

But hey, even Toyota has been forced to recall thousands of vehicles more than a few times.

Recently Merck was forced to pull some drug from the market etc etc.

To err is human.
I think that the rhetoric of the open source side needs to get far less personal and just deal with the issues.

[KwasiOwusu]

"uhm.. more than two decades now"

Really?


And while you were about it, you played in the NBA, the NFL , MLB and managed to be a rocket scientist working for NASA for "more than two decades" too I take it?
We have a truly remarkable human here. :)

"Take your anti-open source agenda to some other site where the site owners, operators, and users haven't been plugged into it for close to a decade. "

It gives me am extra kick to trash open source at sites that have been "plugged into it for close to a decade"

Who knows?
They might even see the light and come back to the Microsoft fold.

Again, the fact that a site uses open source has no bearing whatsoever on what can be debated on that site.

Microsoft is trashed all the time on CNBC investment forums by open source crazies, in spite of the fact that both MSNBC and CNBC run on Microsoft Windows Servers.

[FierceDraka]

Just couldn't resist getting the Firefox evangelists' backs up.

Heh heh heh. I know how you feel. It's funny to see how passionate some people get about something silly like which web browser or OS they use.

It's always Windows vs Mac vs Linux vs OpenBSD, or IE vs Mozilla vs Opera vs Safari. It reminds me of "My dad can kick your dad's BUTT!"

Personally, I don't give a **** - they all have their good points and bad points. Just like with Ford, Chrysler, and GM vehicles, everybody's got a favorite, and thinks everybody else are idiots.

[JoJo Gunn]

Thankfully?

As far as the partitions, do you mean more recently, as with XP? HP doesn't ship recovery discs anymore, and XP is supposed to be recovered from a protected partition.

But I could be wrong. I had a problem once with a full format and recover with the HP discs. Made it all the way through the two CD's and reboot, then comes the "updating system" box, and lo and behold there was another box with "long file name backup" and "couldn't open the file to restore from". Line 6 character 2 "profile" is null or not an object".

The URL pointed to a Windows>System .dll, a really long pathname, and it asked did I still want to run scripts. I clicked "yes" and went through several screens, and got to one HTML type without something on the page, can't remember which one, but I couldn't continue from that point.

What was strange was that a recovery without a format first went fine, but I feel it's a house of cards, and anyway, a problem needed fixing.

So what was a casual computer person supposed to do? HP gave the runaround about wanting money. So I paced the floor a while, and for some reason I had the thought to format before using the CD's. It assigned a new serial number to the HD and that worked.

So maybe we're talking the same thing?

Here's that pathname, if ever anyone else has this happen:

res://c:\WINDOWS\SYSTEM\SBUtils\swebctl.dll/105

[KwasiOwusu]

"What's your point dipstick? "

BTW, Mr "done every job on the planet for more than two decades", I wouldn't be so quick spewing out mindless abuse if I were you.

A guy like you, who makes things up on the fly, is just too vulnerable to counter attack.

[shellshocked]

"and Microsoft hasn't even pledged to make its browser more secure."

Don't know much about Microsoft, do you?

[FierceDraka]

Burn 1000 copies of Knoppix and hand them out at your local mall. LOL

Bwaw haw haw! Good one!