Firefox flaw raises phishing fears

ZDNET ^ | 1/7/2005 | Ingrid Marson

[KwasiOwusu]

A vulnerability in Firefox could expose users of the open-source browser to the risk of phishing scams, security experts have warned.

The flaw in Mozilla Firefox 1.0, details of which were published by security company Secunia on Tuesday, allows malicious hackers to spoof the URL in the download dialog box that pops up when a Firefox user tries to download an item from a Web site. This flaw is caused by the dialog box incorrectly displaying long sub-domains and paths, which can be exploited to conceal the actual source of the download.

Mikko Hypponen, director of antivirus research at software maker F-Secure, said this bug could make Firefox users vulnerable to cybercriminals. "The most likely way we could see this exploited would be in phishing scams," he said.

To fall victim to such a scam, a Firefox user would have to click on a link in an e-mail that pointed to a spoofed Web site and then download malicious software from the site, which would appear to be downloaded from a legitimate site.

[savedbygrace]

Most times, if you right-click the graphics box and select View Image, you see see it, then go Back to see it loaded in the page.

[KwasiOwusu]

"Burn 1000 copies of Knoppix and hand them out at your local mall. LOL"

" Bwaw haw haw! Good one"

Agree. :)

[JoJo Gunn]

"from the originating site only" is unchecked. Clicking the "show image" usually brings them up. It's just not always on the first load.

A headscratcher, obviously. But it can't be as strange as this was:

http://forums.mozillazine.org/viewtopic.php?t=187972

[N3WBI3]

President Bush's site run on Microsoft Windows. Dell runs on Windows. Its the Internet.

Bwahahahahah...

Yea IE sure is the Internet. You in one sorry statement summed up how completely clueless you are. Though MS has made impressive gains in the past five years, The Internet is run on UNIX. Keep in mind the Internet does not refer to web pages, mail servers, dns servers, ftp server, ..... make up the Internet.

The DNS servers that make the Internet work run on UNIX. Sendmail still runs most big mail servers, Exchange is nice groupware but is not for high traffic sites like comcast.

[Hank Rearden]

Already yawned at.

And, it's "Schadenfreude", by the way. It means the way we feel about the poor suckers who insist on sticking with Internet Exploder and Outschnook.

[Hank Rearden]

Kweezy Omdoofie is just some kind of M$ shill; it pops up on every nail-in-M$-coffin thread, flailing helplessly.

It's fun to observe. Like watching a dinosaur thrash helplessly in a tarpit.

[Redleg Duke]

Try growing up before puberty takes you apart.

[Robert A Cook PE]

So, how do you check whether your current firefox version is update-to-date?

I don't see a "check for updates" button or inks in the [about] or [tools] menus.

[Hank Rearden]

I'm still waiting for Kweezy to cite even one instance of a user switching from Exploder to Firefox, then giving up and going back to Exploder.

That is, a user who didn't have a gun at his head. Even then, I'd have to think about it . . . . . .

[AlexW]

I don't know much about Firefox...
I am really slow to change from what I am use to.

I did download Firefox, but I asked my daughter about it.
She makes her living off of the internet.
She says that some web pages just do not work with Firefox
and told me I should not use it for now.

[Hank Rearden]

So, how do you check whether your current firefox version is update-to-date?

Easy. Tools/Options/Advanced.

It checks for updates automatically. User just acknowledges whether he wants the latest one installed.

You can also tell it to Check For Updates Now.

[Robert A Cook PE]

I switch back to IE load the bank's software/billpay. It doesn't "answer" mozzila's replies properly.

[Hank Rearden]

She says that some web pages just do not work with Firefox and told me I should not use it for now.

The very few that don't are written in nonstandard, M$-specific code. And they're coming around. You may never even run across such a broken, nonstandard site.

Install Firefox! It will copy all your bookmarks and settings automatically - you can pick up right where you left off with Exploder.

And (shudder), you don't have to stop using Exploder; Firefox will happily coexist with any/all other browsers.

Go for it; you won't go back. I've never heard of anyone voluntarily going back. Kweezy claims to have forced some minions to revert back - I'm sure they put Firefox back in place as soon as he left the room.

Internet Exploder just supersucks.

[Hank Rearden]

There's at least one FF extension that causes FF to mimic Exploder's ID; that may enable those sites to work.

If it were me, I'd bitch to the site programmers to fix their nonstandard, possibly insecure, code.

[Robert A Cook PE]

Thank you.

Tries that: Said there were no updates available, but I've only got Mozilla/5.0:

(Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2

[Hank Rearden]

So what's [Kweezy's] beef with Firefox?

He's Bill Gates' indentured buttboy, apparently, given his posting history. Gotta hand it to him for perseverance, though; trying to defend such a crappy virus-transportation system is a pretty futile task.

[AlexW]

"Install Firefox! It will copy all your bookmarks and settings automatically "

I saw that option....Will the history still stay in my IE
when I copy to Firefox?
I do not want to screw up what I am use to.
Thanks

[JoJo Gunn]

Oh yeah, your IE settings will remain as they are. FF won't suck it dry, so to speak.

IF you decide to use FF, I recommend this extension, called "IE View".

http://www.extensionsmirror.nl/lofiversion/index.php/t50.html

When installed, you can right click on most any page you don't see rendered properly and it'll open IE for you. I say "most" because it might not open a window that you had to enter a password for, for instance.

I still keep IE nearbyy. For instance, NOAA weather radar loops use Java. Windows has Java, (called Virtual Machine), and for the comparable Java to work with Mozilla you have to install another program. It's around 15 or so megs, a long download for a dialup. I found that form of Java to be extremely bug ridden, and an uninstall ruined the Java that came with Windows.

That's not the fault of Mozilla but of Java's programmers, who hasn't even the sense to write code that recognizes their own stuff on someone's system and leave it alone.

Mozilla doesn't save web pages worth a nickel either. So IE isn't useless, just comparable to a screen door on a submarine.

[JoJo Gunn]

I've rebooted a little bit ago and now am running FF in "safe mode", where no extensions or themes load. Will see how it goes a couple of days concerning images.

[KwasiOwusu]

"Yea IE sure is the Internet"

IE DOES own the Internet.

"You in one sorry statement summed up how completely clueless you are. "

Umm.. its you that is clueless, dude.

I thought you'd drag out the totally meaningless Netcraft survey yet again.

Now read about what REAL Fortune 1000 companies use for their web servers, to make REAL money with.

"Microsoft is the choice of the corporate Web server market

While the well-known Netcraft Web server surveys attempt to look at the whole of the Internet, Port80’s surveys focus on a small but important pool: the 1000 largest corporations in the US. We firmly believe that this yields more reliable results and, more importantly, the Port80 survey looks to those sites that demand the most of their Web servers.

Among the Fortune 1000, Microsoft IIS commands an overall market share of 53.8%, more than double that of its nearest competitor, Apache. While overall market shares see minimal changes, IIS 6.0 continues to gain converts

Despite a great deal of industry press coverage of the strengths and weaknesses of both Microsoft IIS and Apache, at least among the Fortune 1000, Web server market share has remained remarkably constant among the major platforms."

http://www.port80software.com/surveys/top1000webservers/

Now, that is what counts.
Not some lil PC being used in some acne ridden boy's basement to show a picture of his lil cat.

Microsoft still rules. :)