February 7, 2007 2:59 PM PST

Two flaws found in Firefox

A security company has reported two new flaws in the Mozilla Firefox browser that may leave locally saved files vulnerable to outside attacks.

Both flaws were announced by SecuriTeam, a division of Beyond Security, this week. The first flaw lies in Firefox's pop-up blocker feature, according to a SecuriTeam statement on Monday. The browser typically does not allow Web sites to access files that are stored locally, according to the official report, but this URL permission check is superseded when a Firefox user has turned off pop-up windows manually. As a result, an attacker could use this flaw to steal locally stored files and personal information that might be stored in them.

A possible scenario for such an attack would involve the user clicking on a malicious link that would furtively plant a target file equipped with an exploit code on the computer's hard drive. Then it would display a prompt asking the user to allow a pop-up to appear in order to play a video file or download. The attacker-supplied file would then be loaded thanks to the browser flaw, which could give the attacker local file read privileges.

It appears that this flaw may only apply to older versions of Firefox, prior to the current 2.0 release, but Beyond Security was unavailable for comment on the matter.

The second flaw, announced by SecuriTeam on Wednesday, concerns Firefox's phishing protection feature. With this vulnerability, an adept phisher could fool the browser into believing that a fraudulent site is actually secure by adding particular characters into the URL of its Web site.

The phishing flaw does appear to apply to the current 2.0.0.1 version of Firefox.

Mozilla was unavailable for comment on Wednesday.

See more CNET content tagged:
flaw, phishing, Firefox, pop-up blocker, attack

25 comments

Join the conversation!
Add your comment
Firefox users should upgrade to vista+ie7
whether you use Windows 3.1/95/98/Me/NT/2000/XP or non-Windows platforms.
Changes are that you're more secure in IE7 protected mode under Windows Vista.
Posted by leonardyu (1 comment )
Reply Link Flag
Or...
You could just update Firefox to the latest release
Posted by pmc8 (6 comments )
Link Flag
You must be joking.
I have yet to see a review of IE7 from a reputable company that says IE7 is more secure than Firefox. Microsoft's last browser was labeled swiss cheese by security experts for a very good reason. Granted IE7 is for more secure than IE6 but Microsoft has yet to prove that they will patch security flaws in a timely manner so that their users are always protected. As of now I don't know of a single critical flaw that has been found in the latest version of Firefox. Why trust Microsoft now? They hung their users out to dry for years until competition suddenly forced them into action.
Posted by thellar (5 comments )
Link Flag
Firefox users should upgrade to vista+ie7
You mean Downgrade to Vista+IE7. Why bother when Firefox still blows the doors off of Internet Exploder, without even trying!
Mozilla will patch those puny flaws within hours, whereas Microslop takes months to think about how to develop patches for their flawed products and they seldom if ever work!
Posted by Midnight (5 comments )
Link Flag
Firefox users should upgrade to vista+ie7
To find out how insecure Windows Vista and IE7 are , read this!

Windows 'fails' active virus test

<a class="jive-link-external" href="http://news.bbc.co.uk/2/hi/technology/6331959.stm" target="_newWindow">http://news.bbc.co.uk/2/hi/technology/6331959.stm</a>

When Vista was launched on 30 January, Microsoft chairman Bill Gates claimed that it was "dramatically more secure" than other operating systems.

He lied again, of course. Force of habit with Billy boy!!
Posted by Midnight (5 comments )
Link Flag
You're clueless!
&lt;eom&gt;
Posted by anarchyreigns (299 comments )
Link Flag
Must be new around here...
Cnet's advertisers don't appreciate positive comments about Microsoft. Please get with the program.
Posted by Betty Roper (121 comments )
Link Flag
Please re-read the article
I'm gonna give Vista a try this weekend on a new laptop...But IE7 hasn't shown me anything at all worth switching from Firefox...I'm running Firefox 2.01 which according to the report I just read appears to be secure at the moment...There are so many choices with Firefox...And some people refuse to update if it means losing one of their extensions...They are the ones on the firing line for these flaws...Not those using 2.01...When there is a flaw found for Firefox...The updates come out ASAP...Not on some once a month scheduled update dump...I'm willing to be on Vista...I like XP...But IE7 is too slow...clunky and limited for me.
Posted by dburr13 (117 comments )
Link Flag
protected mode
I find it interesting that although IE7 is available on the XP platform the protected mode you mention is only available on the vista platform. Is Microsoft using this as a way to encourage users to upgrade?
Posted by thedreaming (573 comments )
Link Flag
switch to vista + IE&?
Gosh, it sure must be nice for you to have enough faith in historically flawed MS to switch to a basically up-proven platform &#38; browser, as well as having the several $ hundred spare change necessary to upgrade hardware &#38; software. Most of us have more smarts &#38; less money for this.

Firefox 2.0 has been available free for months &#38; has not been shown to have these flaws. Or to put it another way, I switched to Firefox full time initially due to several, consecutive flaws I experienced in IE, &#38; discovered it was a much faster, superior browser along the way. It is also interesting to note that Spybot's immunization feature protects against IE flaws, specifically. I think I will stay with what I know is working.
Posted by Bob H in NPR (39 comments )
Link Flag
thanks leonardyu
Many thanks leonardyu, that was really funny. I needed a good
laugh this morning!
Posted by Dalkorian (3000 comments )
Link Flag
See more comment replies
That's maybe why they updated it!
Run the latest version - it's free!
Posted by robbtuck (132 comments )
Reply Link Flag
Don't forget the better option than IE/FF
Opera has the best security record of all browsers, and just has far more features readily available that just integrate a whole lot better than relying on a bunch of add-ons, extensions for the wonderful functionality that Opera offers out-of-the box. And, yes, Opera is free.
Posted by treego (9 comments )
Reply Link Flag
Opera who?
That's because no one uses it, dude. Under the scrutiny of being IE's number one enemy, any open-source app like FF is going to come up with a few bugs. Opera has rendering problems anyway. Stick with the big guns. FF'll be fine.
Posted by Soupir (24 comments )
Link Flag
Opera's nice, but...
1) there are plenty of solid alternatives to IE that cost $0.00. The
ad-free version Opera costs something like $35 IIRC (unless
that's changed - has it?), else you're stuck w/ valuable desktop
space being eaten by ad banners on the free version.

2) I actually use Safari when I'm on the Mac (it's a modified fork
of Konquerer, and works very, very well IMHO).

/P
Posted by Penguinisto (5042 comments )
Link Flag
Let's All Have TWO Broken Browsers On Our Systems
Everyone who has a clue knows that you really can't remove IE from Windows. Everyone with a clue knows that the IE features that allow security risks are also used by other programs (for instance the View-in-IE extension for Firefox, AOL Explorer, Microsoft Office, some of the AutoCAD tools, etc., etc.)

This article just puts the exclamation point on the risks of adding another browser to the Windows environment. Despite all the OpenSource promises of impervious security because of "many eyes" examining the code, Firefox has been patched again and again, proving that it increases the attack profile on your PCs. Firefox has its own share of problems that must be patched regularly. Installing and using it just makes your security problems GREATER, because you have to worry about its flaws, and flaws in it's myriad, god-knows-what-source extensions.

There are a series of security steps one can take (besides having a clue) to make IE just as broken as Firefox (by eliminating the ability to run AvtiveX components and disabling ActiveScripting.) So if you can't avoid risky sites, and clicking on OK when you shouldn't, then just make IE as clueless as Firefox.

Just don't drink the Koolaid and install another security risk like Firefox on your PC.
Posted by pmchefalo (135 comments )
Reply Link Flag
Let's try to use our brains for a moment, shall we?
1) Old version only are affected... versions from last year
sometime.

2) By your logic, why do you even bother using A/V software?
MSFT already has one... that doesn't work so well (just like most
other brands). Why do you bother installing any nice games...
you have Freecell and Solitare in there, do you not? Why bother
with Photoshop... you've got MS Paint.

/P
Posted by Penguinisto (5042 comments )
Link Flag
Actually, its a matter of -Threat-Level...
The... "all software has flaws" argument, is nothing more than a very-tired smoke-screen.

The sad fact is that using "IE" to access Web-sites has been proven to be far, FAR, more DANGEROUS to the basic security of both, Windows, and the users-computer, than using "Firefox" (or, almost ANY, other non-MS applications). Yes, even, despite the FAR SMALLER INCIDENCE of "security risks" that have, occasionally, been discovered in various "Open-Source software" packages.

In short, as many security-experts (and even National security-advisories) have repeatedly pointed out, Microsoft software DOES tend to have "...the largest number of serious-flaws", therefore, using software OTHER than "Microsoft Windows" (and its "integrated" components, and applications), ...DOES VASTLY IMPROVE BASIC SECURITY.

So, using non-Microsoft software DOES NOT make a computer less secure. But, rather, it CAN help mitigate the numerous, more-serious, "flaws", and "security threats" that Microsofts fundamental product-philosophies has been shown to have created.

Besides... this particular threat can, apparently, be easily eliminated, simply by updating the "free" browser.

In short... the REAL "Kool-Aid" drinkers, would be those people who, very-foolishly, ONLY used Microsoft-products.
Posted by Gayle Edwards (262 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.