February 24, 2005 9:00 PM PST

Firefox fix plugs security holes

The Mozilla Foundation released on Thursday an update to the Firefox Web browser to fix several vulnerabilities, including one that would allow domain spoofing.

The open-source project released Firefox 1.0.1 to fix, among other bugs, a vulnerability in the Internationalized Domain Names (IDN), a standard for handling special character sets in domain names that lets companies register domain names that appear to be the same in different languages.

The IDN vulnerability allowed an attacker to create a fake Web site on a non-Microsoft browser in order to pull off a phishing scam. A spoofed link would seem to be a legitimate URL in the address bar of affected browsers. But instead of taking the victim to the trusted site, the link would lead to a phony Web site with a domain rendered as the same address under the IDN process.

The updated browser will display the IDN Punycode in the address bar, preventing URL spoofing. Punycode is the encoding of Unicode strings into the limited character set supported by the Domain Name System and IDN.

"Regular security updates are essential for maintaining a safe browsing experience for our users," Chris Hofmann, director of engineering for the Mozilla Foundation, said in a statement.

Phishing attacks, which try to fool consumers into handing over sensitive information by creating legitimate-looking Web sites and e-mail messages, have become a central security concern recently. While vulnerabilities in Microsoft's Internet Explorer have been the focus of much of the concern, other browsers also have had their fair share of flaws.

The update is available for Windows, Mac OS X and Linux at Mozilla.org.

Firefox recently surpassed 25 million downloads, achieving that mark in 100 days. Mozilla, which released the free 1.0 program in November, said an average of 250,000 people download Firefox every day and more than half a million Web sites feature Firefox promotions.

Mozilla, an open-source software foundation formed by Netscape, was spun off from Time Warner in 2003.

17 comments

Join the conversation!
Add your comment
Wha Wha What????
I thought the almighty Firefox was flawless in its security. What gives Firefox. Don't talk the talk if you can't walk the walk.
Posted by (5 comments )
Reply Link Flag
Hey stick with Microsoft.
If you think Microsoft is so great then stick with them. Oh, and enjoy having to call Microsoft to get their permision to use your computer as well.

Have a nice day :).
Posted by System Tyrant (1453 comments )
Link Flag
Ignorance
"Don't talk the talk if you can't walk the walk."

Don't be a child. Mozilla didn't actually have to try and "fix" anything, seeing as how their software was not to blame for ignorant people falling for phishing scams. People have to learn to use PCs properly for all these types of things to stop all-together, until then you'll have companies like Mozilla trying to placate the masses even if they're not at fault.
Posted by (22 comments )
Link Flag
Go back to your blocks
It's nappie time anyways.
Posted by sanenazok (3449 comments )
Link Flag
almighty Firefox
<a class="jive-link-external" href="http://www.analogstereo.com/fiat_punto_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/fiat_punto_owners_manual.htm</a>
Posted by Ubber geek (325 comments )
Link Flag
100% safe software doesn't exist
No software is 100% secure by definition. It's basically impossible to develop an application that is bug free. But this is not the point. While it took months Microsoft to produce an update on IE6, and other monts will pass before we can all benefits from further fixing, the mozilla foundation spent about two months for this. Also the IDN sucurity problem is not limited to Firefox. All non-microsoft browser are affected by it by virtue of the plugin they use. IE6 is not affected because it doesn't have such plugin.
Posted by feranick (212 comments )
Reply Link Flag
I'm not sure..
that it was actually a programming error. As I recall it was implimented the way the standard called for.
Posted by System Tyrant (1453 comments )
Link Flag
This "hole" was fixed already
This "hole" (correct implementation of a standard abused by people with less than honest intentions) was fixed the same day, see <a class="jive-link-external" href="http://*******.com/5lq69" target="_newWindow">http://*******.com/5lq69</a>

Feel free to continue use of IExplorer... I know I sleep much better since I stopped doing so.
Posted by TomTester (21 comments )
Reply Link Flag
This is a better fix
The "same-day" fix involved disabling IDN entirely. What FF does now is to display the raw URL in the location bar instead of the decoded URL. It'll be really obvious you're not on paypal.com when you see "xn--paypl-7ve.com" in the toolbar.

It's still a workaround, but at least legitimate IDN-based URLs and links will still *work,* even though they won't appear correctly. People who use IDNs regularly who are willing to risk this flaw can enable the proper display with a hidden preference.

The *right* solution, of course, is for domain registrars to disallow registration of domain names that look identical to existing domains. Given how hard it is to get people to agree on acceptable enforcement of trademarks, I don't see this happening anytime soon, which is why the browsers are rushing to "fix" it on their end.
Posted by Kelson (64 comments )
Link Flag
yay!
you know what? i'm glad FF just fessed up and fixed this instead
of hiding it for months. i wish MS and Apple would do the same.
at least Apple has fewer problems.
Posted by Dibbs (158 comments )
Reply Link Flag
No plugin problems or theme issues
I just wanted to let people know that I had no theme/extension issues after upgrading. I know pre 1.0 FF would run into compatiblity whenever you upgraded.
Posted by sanenazok (3449 comments )
Reply Link Flag
firefox 1 check for updates fails
firefox 1 for win32 (not checked other ports) check for updates, to say firefox is out of date and 1.0.1 is there to download, ... fails.

anyone else noticed this?
Posted by digitalgnome (228 comments )
Reply Link Flag
hhhmmm...
What is the differance between:
A) Two websites sharing nearly identical domain names - one being legit and the other not so legit

and...

B) Two versions of a song - one in CDA on a cd bought at Walmart and the nearly identical version in MP3 downloaded from the net

I see no differance at all. Though, B is looked at as criminal and A is looked at as nothing more than a nuisance. They are pretty much the same kind of thing though. Why are the owners of the legit sites NOT submitting lawsuits? Why are the fake sites allowed to exist? A song has a copy right and so does a trade mark...in this case, part of the trade mark is the website.

but seriously....
There are too many people using Firefox under the assumption they are safer. LOL... Sounds to me like this situation has actually helped to create a bug for Windows users (as if they needed any help). Ok, so it was takin care of fairly quickly. I'll give'm that. But, the fact remains, you still can't seperate IE from windows (even though MS says they now can). If you using Windows, your using IE. The use of Firefox makes no differance. You just end up with a differant GUI and maybe a few more bells and whistles.

As far as standards go...
These so called standards are alot of the problem too. In many cases these "standards" are helping to make problems worse.

So much of this is the fact that these browsers are processing the code on the websites that really need to be ignored. That, and people really need to start actually learning something about how and why computers do what they do. The will of the end user to learn would go along way to either solving this or destroying it.
Posted by Prndll (382 comments )
Reply Link Flag
It really tweakin up now
This update is must. It like 10 times better than 1.0 FF. It getting closer to being beyond IE.
Posted by Willy Wonker (73 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.