I read about this yesterday and already did the about:config fix in about 3 seconds.
Compare that to Microsoft, there would be 2 weeks of denial, followed by an announcement that a patch would be available in three weeks.
Once the patch is released, there would be 3 new security holes opened by the new patch.
Hot on the heels of Monday's disclosure of spoofing vulnerabilities in most non-Internet Explorer browsers, a security researcher Tuesday unveiled another trio of bugs in Firefox and its Mozilla cousin.
The flaws, all of which involve some user action, can be used by hackers to drop code onto a PC, muck with the about:config element of the browser, or steal cookies that, for instance, provide instant access to protected Web sites.
"If you create a hybrid of a .gif image and a batch file you can trick Firefox," claimed the German researcher identified only as "mikx" by Danish security firm Secunia, in his original warning of one of the bugs.
"Since the hybrid renders as a valid image, Firefox tries to copy the image to the desktop when dropped. By creating the image dynamically and forcing the content type image/gif, the file can be of any extension (e.g. image.bat or image.exe). Since Windows hides known file extensions by default, a user can only tell that something went wrong by looking at the file icon, which is different of course. If the user does not care or know what this different icon means, a double click to view or edit the "image" he just dropped executes the batch file instead."
The vulnerabilities have been confirmed in Firefox 1.0 and Mozilla 1.7.5, the most current editions of the open-source browser and browser suite, respectively.
While Mozilla Foundation developers have implemented fixes, they haven't been rolled into a patch or a new version that can be downloaded and used without recompiling the code.
FireFox supports IDN by default, but users can disable it by typing "about:config" into the browser's address bar, locating the network.enableIDN option and double-clicking on it to set it to "false."
Pretty predictable: as other browsers become more popular, it becomes more worthwhile to invent viruses to exploit them.
interesting but not really virulent or dangerous. If someone wanted to
pretend to be C1tybank or Paypa1 then it would be a problem I guess, but
you'd have to be in idiot to respond to an email link to get to your bank or
other password locked accounts. And the only way they can get you to go to
these fake sites is to send you a fake site URL in the mail. The moral is
don't click on any links in emails, ever, unless its from someone you know.
-g
I laugh at this. Safari & Firefox are working as they're supposed to and automatically supporting foreign alphabets.
Because IE is so brain-dead and multi-lingual hostile, the legitimate characters probably show up as junk. Does anyone know if IE that is "immune" includes IE for Mac OS X? I'd hazard a guess that it does not.
Thank you for this tip for Firefox.