Comments on: Spoofing flaw resurfaces in Mozilla browsers

A 7-year-old security hole comes back to haunt the most recent version of Firefox and other Mozilla software.

[hion2000]

Requires both windows to be open....

...how "easy" is it to trick someone to do that?

very easily

a malicious web site can create the second window linking to a common bank site or easily cash in on the spelling mistakes of domain names. Only takes someone gullible enough to think they must have accidently opened there banking site.

eg. register www.bankk.com, then when someone misspells it launch a second window with www.bank.com. using common spelling errors in domain names is a very common method for adware and would work here to exploit this vulnerability.

[System Tyrant]

IE 6 does the same thing.

Just for fun I tried the test located here

http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/

on Firefox 1.0.4 and IE 6. They both did the exact same thing. So I suppose it is a flaw with both IE and Firefox.

Well hopefully Mozilla and Microsoft will get it fixed. I am willing to be though that Firefox will see a patch before IE 7 does.

no

MS had this vulnerability some time ago and it has been fixed for over a year.

Opera's safe from this one.

Yet again.

Tried it in IE6, Firefox and Opera.

oops

I take that back, seems MS had the same issue reoccur again as well lol.