Wednesday June 08, 2005 
Wednesday June 08, 2005
New Mozilla Firefox vulnerability found
"A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned. The flaw, which also affects some other Mozilla Foundation programs, lies in the way the software handles frames. The applications don't check whether the frames displayed in a single window all originate from the same Web site." Commentary on this at whitedust as well.
Basically, the flaw means that if you are viewing a trusted site in one window (eg paypal or your bank) and open a site belonging to a spoofer in another window, the spoofer can insert code in the window showing the trusted site.
This is a theoretical vulnerability, there have been no actual examples of anyone doing it. It affects Firefox 1.0.4 and Deer Park Alpha.
To protect yourself, close all other windows/tabs before accessing a site where you routinely put in a secure password (eg your bank or paypal account), or your bank or credit card details (eg Amazon), or other sensitive data. If you use one of the tabbed browsing extensions and can set it to always open links in new tabs, never in a new window, this also prevents the vulnerability from being exploited.
- Well, expect Firefox 1.0.5 soon. The patch has already been checked in.
(2005-06-08 09:41:05 SGT)
[Tech]
Permalink
Comments [2]
Post a Comment:
Comments are closed for this entry.
Most popular blog postings on lowem.log :
1. Singapore MRT rail network length to double by 2020
2. 2010 Nissan Leaf electric car specifications : 107hp, 24KWh lithium-ion batteries, 100-mile range
3. Live spot gold price quotes chart on COMEX
4. 2010 Toyota Prius specifications released : 50 mpg, 1.8L, 134hp, Ni-MH, solar roof option
5. AVG Anti-Virus Free Edition 2011 direct download link
6. Real-time live gold and silver price quotes chart on COMEX
7. Singapore electric vehicles : Government agencies EMA and LTA to study EV introduction
8. Book review : Shut Down by William Flynn
Featured articles on lowem.log :
1. Book review : Shut Down by William Flynn
2. Singapore electric cars testing starts with 9 electric vehicles
3. Honda, GS Yuasa JV to make lithium-ion batteries for 2010/2011 Honda Civic Hybrid
4. 2010 Honda Civic Hybrid preliminary specifications released
5. 2010 Honda CR-Z hybrid, 2010 Honda Fit/Jazz hybrid models confirmed
6. 2010 Toyota Prius specifications released : 50 mpg, 1.8L, 134hp, Ni-MH, solar roof option
7. NYMEX crude oil recovers from $32.40 low after 2.2 mbpd OPEC production cut announced
8. Singapore : Nuclear power not ruled out
| search |
|
|
| sponsored links |
|
|
| bookmarks |
|
about
blogroll
sites
quotes
charts
historical |
| navigation |
| decals |
|
| powered by |
|
| hosted by |
|
Hooray for tabbed browsing. I have tried so hard to convince my friends that tabbed browsing is a much, much better form of navigation, but they're just so used to IE...
Posted by gwunwai on June 09, 2005 at 03:49 PM SGT #
But the regression of an old bug is saying bad things about the open source project's management.
Bet the guy who fixed the old bug didn't comment his code :D
Posted by mocax on June 09, 2005 at 09:47 PM SGT #