February 7, 2007 2:59 PM PST
Two flaws found in Firefox
- Related Stories
-
Super Bowl stadium site packed Trojan horse
February 2, 2007 -
Acrobat flaw could spawn Web attacks
January 3, 2007 -
Year in review: Zero-day mania
December 28, 2006 -
Mozilla issues security updates
December 20, 2006 -
Worm uses QuickTime to spread on MySpace
December 4, 2006
Both flaws were announced by SecuriTeam, a division of Beyond Security, this week. The first flaw lies in Firefox's pop-up blocker feature, according to a SecuriTeam statement on Monday. The browser typically does not allow Web sites to access files that are stored locally, according to the official report, but this URL permission check is superseded when a Firefox user has turned off pop-up windows manually. As a result, an attacker could use this flaw to steal locally stored files and personal information that might be stored in them.
A possible scenario for such an attack would involve the user clicking on a malicious link that would furtively plant a target file equipped with an exploit code on the computer's hard drive. Then it would display a prompt asking the user to allow a pop-up to appear in order to play a video file or download. The attacker-supplied file would then be loaded thanks to the browser flaw, which could give the attacker local file read privileges.
It appears that this flaw may only apply to older versions of Firefox, prior to the current 2.0 release, but Beyond Security was unavailable for comment on the matter.
The second flaw, announced by SecuriTeam on Wednesday, concerns Firefox's phishing protection feature. With this vulnerability, an adept phisher could fool the browser into believing that a fraudulent site is actually secure by adding particular characters into the URL of its Web site.
The phishing flaw does appear to apply to the current 2.0.0.1 version of Firefox.
Mozilla was unavailable for comment on Wednesday.
See more CNET content tagged:
Firefox,
flaw,
pop-up blocker,
phishing,
Mozilla Corp.







Changes are that you're more secure in IE7 protected mode under Windows Vista.
- Let's All Have TWO Broken Browsers On Our Systems
-
by pmchefalo
February 10, 2007 12:52 PM PST
- Everyone who has a clue knows that you really can't remove IE from Windows. Everyone with a clue knows that the IE features that allow security risks are also used by other programs (for instance the View-in-IE extension for Firefox, AOL Explorer, Microsoft Office, some of the AutoCAD tools, etc., etc.)
-
Reply to this comment
View
all 2 replies
-
-
See all 25 Comments >>This article just puts the exclamation point on the risks of adding another browser to the Windows environment. Despite all the OpenSource promises of impervious security because of "many eyes" examining the code, Firefox has been patched again and again, proving that it increases the attack profile on your PCs. Firefox has its own share of problems that must be patched regularly. Installing and using it just makes your security problems GREATER, because you have to worry about its flaws, and flaws in it's myriad, god-knows-what-source extensions.
There are a series of security steps one can take (besides having a clue) to make IE just as broken as Firefox (by eliminating the ability to run AvtiveX components and disabling ActiveScripting.) So if you can't avoid risky sites, and clicking on OK when you shouldn't, then just make IE as clueless as Firefox.
Just don't drink the Koolaid and install another security risk like Firefox on your PC.