A vulnerability in Firefox could expose users of the open-source browser to the risk of phishing scams, security experts have warned.
The flaw in Mozilla Firefox 1.0, details of which were published by security company Secunia on Tuesday, could allow hackers to spoof the URL in the download dialog box that pops up when a Firefox user tries to download an item from a Web site. This flaw is caused by the dialog box incorrectly displaying long sub-domains and paths, which can be exploited to conceal the actual source of the download.
Mikko Hypponen, director of antivirus research at software maker F-Secure, said this bug could make Firefox users vulnerable to cybercriminals. "The most likely way we could see this exploited would be in phishing scams," he said.
To fall victim to such a scam, a Firefox user would have to click on a link in an e-mail that pointed to a spoofed Web site and then download malicious software from the site, which would appear to be downloaded from a legitimate site.
This flaw was given a severity rating of two out of a possible five by Secunia.
David Emm, a senior technology consultant at antivirus company Kaspersky Labs, said that phishers aren't likely to take advantage of this flaw in Firefox, because Microsoft's Internet Explorer still dominates the browser market.
"I think it's unlikely that we'll see hackers rush to exploit this vulnerability," Emm said. "After all, Firefox has a much, much smaller install base than IE, and it's likely that hackers will continue to pay more attention to (IE) instead."
This may change in the future as Firefox has attracted a lot of interest in the past few months. A survey at the end of November found that Mozilla-based software, including Firefox, accounted for 7.4 percent of browsers in November 2004, up 5 percent from May.
The download vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. No solution is available at present, but Mozilla developers are expected to fix this bug in an upcoming version of the product.
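The display problem described above, as an added example (not Mozilla's or Secunia's code): a source label clipped on the right can show only the leading sub-domains of a long host name, while a label that drops labels from the left keeps the owning domain visible. The host names, the 30-character width and the "keep the last two labels" rule are assumptions for illustration; a production implementation would use the Public Suffix List to find the registrable domain.

```javascript
// Added illustration; hostnames are constructed (.example/.test are reserved).
const PAD = "a".repeat(40); // long sub-domain label used as padding
const SAMPLE = `http://www.trusted.example.${PAD}.other.test/files/setup.exe`;

// Models a fixed-width field that clips on the right: only the leading
// sub-domains survive, so the label appears to name a different site.
function naiveLabel(url, width) {
  const u = new URL(url);
  const text = u.host + u.pathname;
  return text.length <= width ? text : text.slice(0, width - 1) + "…";
}

// Safer rendering: show the host only, and when it does not fit drop
// labels from the LEFT so the rightmost labels are never hidden.
// Assumption: the last two labels approximate the registrable domain.
function safeLabel(url, width) {
  const host = new URL(url).hostname;
  // IP literals are not made of DNS labels; show them whole.
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return host;
  const labels = host.split(".");
  let start = 0;
  const render = () => (start > 0 ? "…" : "") + labels.slice(start).join(".");
  while (render().length > width && labels.length - start > 2) start++;
  return render();
}

console.log(naiveLabel(SAMPLE, 30)); // real host (other.test) is clipped away
console.log(safeLabel(SAMPLE, 30));  // real host stays visible
```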
There are flaws in every piece of software. Some are due to crappy programming, some are just subtle errors that are nearly impossible to completely eliminate. Also, not all flaws are equal. Some are easily exploitable and some are very hard. The difficulty level has to do with the security of the OS as well as the type of flaw. There are some programs that run in Linux that have flaws that would be as serious as can be if it ran in Windows, but since Linux is inherently more secure, those flaws are hardly worth mentioning. It still doesn't excuse bad programming like buffer overflows, memory leaks and not checking the type of input that is coming in your program. Those are inexcusable lapses of competence, and easily avoided. Whether or not the bugs are a security problem or not is irrelevant. MS are the kings of these kinds of amateur mistakes.
Firefox is MORE secure than IE, not perfectly secure. How hard is that to grasp? The fact that a flaw showed up in FF is news. When IE flaws show up, that just signifies that it is a different day but same crap as yesterday.
Firefox is still a better choice. IE is a big window to your PC for hackers and spyware. It seems everyone automatically installs software on your PC when using IE. It silently allows everyone to clutter your PC with junk software. STAY away from IE. I have been using Mozilla browsers for years now and have yet to be taken advantage of by those spyware companies.
Well you knew it had to happen sooner or later. There's just no safe haven from all the script kiddies out there. And as this proves no secure or safe browser either... This is all starting to get really old really fast...
I've downloaded and tested out the brand new Firefox 1.0 for about 2 months. The result: dumping it in the same way I left IE. Let's face it, Internet Explorer was bad. Security holes were so rampant if it were an object IE would probably resemble Swiss Cheese. However, Firefox has its own brand of problems. My experience has led me to the following conclusions:
~Firefox takes almost double the time IE takes to open
~Firefox doesn't load pages as fast as IE as well as slower picture loading.
~Firefox has a tendency to replace the current page you're using with a different page when you click on a link outside of the browser instead of just opening up a new window.
So I left Firefox. I had two choices:
The cheese with the holes that tasted really good
VS
The cheese that was whole but didn't taste good.
And personally, I prefer Swiss.
JC
I always use my GetRight for downloads, have installed the Firefox utility, and for all downloads GetRight always asks me if I want to download the program, so in my understanding no downloaded program could be installed without my permission.
Firefox Just Hitting The First Few Yards of a Long Journey
I have always found it so hard to understand why people have thought that Firefox was a long term answer to IE security issues. Let's be serious here... Bill Gates and Microsoft have a lot of money to hire the best anyone can afford to plug holes in any internet browser they choose to promote. The argument seems to imply that Microsoft has created a web browser analogous to a piece of Swiss cheese that any competent programmer would never create and Firefox has been designed by sensible programmers who actually know how to do their job. Why would Bill Gates not take whatever share of his wealth he needed to and hire these wonder persons away to work for him to secure the cash flow of browsing the internet that is the very life blood of Microsoft? I struggle to find a solution to that question each time I see someone claiming that Firefox is a better/more secure web browser than IE. Why Bill!? Why do you not hire geniuses such as these to design IE!?
The answer is not all that difficult to find. First off, the programmers who developed Firefox are not better in general, and likely not as good in general. The question then becomes if this is the case, why does Firefox currently seem to be a more secure web browser? The answer to this is also relatively simple. Getting past any competent web browser's security is not a task that is easily done by anyone without an expertise in such things and takes a great deal of time and effort to accomplish. The fact is that for a very very long time, in terms of the life of the internet and web browsers, the only significant or worthwhile target has been IE, and as such has faced virtually the full brunt of interested hackers who are looking to leave a mark.
As Firefox, or any other browser for that matter, gains popularity the hackers will take an interest, and you can rest assured that their attention will reveal flaws as significant or even more so in these new entries to the browser market. Will they have the team/time/money/drive as significant that Microsoft currently has to plug these holes that will inevitably show up? Will these flaws yet to be revealed get attention as quickly or slower than IE security flaws have had, or will weeks, or months go by before they are updated and cured? Will the cures actually work? Will there come a day when hackers who have not been able to KILL IE, decide to turn their full attention to a lesser browser that hasn't had ten years of security development to keep it up and running, to try for a virtual death blow to one of the under developed newcomers? Do you want to be using that browser on that day?
Firefox has just started down a very long road. Let's wait and see if it can stay on the road at the first corner before we declare it has won the race.
The more you promote Firefox, it's more likely people will switch over from IE. Then, hackers would be more likely to try and hack Firefox, even though it is very secure. So let's just keep Firefox our little secret, hmm? ;)
The only security flaw involved in phishing is with users themselves... anyone stupid enough to fall for these e-mails shouldn't be worried about their browser security... they probably leave the car running and unlocked with the diamond ring sitting on the dash.
I can't believe CNET actually ran this story.