Firefox Vulnerability

Discussion in 'Networking and Computer Security' started by Anti-Trend, Feb 8, 2005.

  1. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    A vulnerability was discovered today in all Gecko-based browsers, such as Firefox, Mozilla and Netscape. It allows the possibility of website spoofing, in which case you'd actually see a small popup-style graphic which would cover the address bar and contain the spoofed URL. This would likely be fairly noticeable for technically aware users, as the spoofed address text would likely be a few pixels too high/low on many skins, and the font would likely seem a bit 'off'.

    Until a proper patch is released, there is a simple workaround. Enter the address about:config in your address bar, and change the value network.enableIDN to False. Once the fix is available, you can re-enable it using the same method.

    This vulnerability does not apply to any version of IE, unless you've manually added IDN support. IE does not support IDN natively. ...ironic, isn't it? Microsoft's refusal to accept international browser standards actually spared IE a vulnerability instead of spawning another one! :p
     
  2. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    I've just been made aware that although the bug is fairly obvious to spot in Firefox or Mozilla, it's virtually undetectable on Opera. I recommend using the above-mentioned workaround ASAP.

    For Safari browsers, there's no quick fix. Only the Microsoft Method (input all URLs by hand), at least until a patch is made available.
     
  3. ninja fetus

    ninja fetus I'm a thugged out gangsta

  4. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    Unfortunately, the fix isn't quite as simple as I anticipated. To make the fix stick, you have to manually edit a config file. The following is from the official Mozilla support forums:
    I recommend using a text editor with search capabilities and looking for IDN. In my case, I only had to comment out one line.

    -AT
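
Added example, not part of the original thread: since the flaw discussed above is tied to IDN support, a defensive check for link lists or proxy logs is to flag hostnames that contain IDN labels and report whether a label mixes scripts. The function names and sample hostnames are constructed for illustration, and the script detection is a coarse heuristic based on Unicode character names.

```python
import unicodedata
from urllib.parse import urlsplit

def scripts_in(label):
    """Coarse script names (first word of the Unicode character name) of a label's letters."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def to_unicode(label):
    """Decode an ACE ('xn--') label to Unicode; other labels are returned unchanged."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def idn_findings(url):
    """Return one finding per hostname label that is non-ASCII once decoded."""
    host = urlsplit(url).hostname or ""   # hostname is already lower-cased
    findings = []
    for label in host.split("."):
        try:
            decoded = to_unicode(label)
        except ValueError:                # malformed punycode: report it, do not guess
            findings.append({"label": label, "decoded": None,
                             "scripts": set(), "mixed": False})
            continue
        if decoded.isascii():
            continue                      # plain ASCII label, not an IDN
        scripts = scripts_in(decoded)
        findings.append({"label": label, "decoded": decoded,
                         "scripts": scripts, "mixed": len(scripts) > 1})
    return findings

# Constructed samples: "example" with U+0430 (Cyrillic a) in place of the Latin "a",
# once as raw Unicode and once in the ACE form computed from it.
LOOKALIKE = "ex\u0430mple"
ACE = "xn--" + LOOKALIKE.encode("punycode").decode("ascii")
SAMPLE_URLS = [
    "http://www.example.test/login",
    f"http://www.{LOOKALIKE}.test/login",
    f"http://www.{ACE}.test/login",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        for f in idn_findings(url):
            flag = "MIXED-SCRIPT" if f["mixed"] else "idn"
            print(f"{flag:12} {f['label']} -> {f['decoded']!r} {sorted(f['scripts'])}")
```

A mixed-script label is the case worth a closer look; a label written entirely in one non-Latin script is ordinary IDN use.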
     
