Firefox Flaw

[Darthshearer]

The Register Main Story

A security loophole in Mozilla and Firefox browser could be used to spoof the URL displayed in the address bar, SSL certificate and status bar. The vulnerability also affects Opera and Konqueror and stems from a flawed IDN (International Domain Name) implementation within the browsers
The bug could be exploited by registering domain names with certain international characters - which look like other commonly-used characters - in order to hoodwink users into believing they on a different, trusted site. As such, the bug creates a new wheeze for phishing attacks. For Germans to use national German characters in ".de" domains, for example, is one thing, but the use of national characters has been extended to the international domain space (.com, .net an .org) and extends the scope for confusion.
Click Here

Thomas Kristensen, CTO at Secunia told El Reg: "This issue is not a traditional vulnerability, but a serious security issue which is caused by an inappropriate implementation of IDN."

"We have all heard about the "problems" with "o" that looks like "0" or "l" and "1", allowing people to register "MlCR0S0FT.com" and abusing that to trick people. Using IDN which support Unicode characters gives the phishers and scamsters thousands of more characters to play around with, some resemble "normal" characters to the point where not even the trained and paranoid eye will spot the difference, " he said.

The bug has been confirmed in Mozilla 1.7.5, Firefox 1.0, Konqueror 3.2.2 and Opera 7.54. Other versions may also be affected, Secunia reports. Internet Explorer users are in the clear from this one, although subject to flaws that have a similar effect. You can check if your browser is affected using Secunia's test.

Secunia advises users not to follow links from untrusted sources and to manually type in the URL they wish to visit in the address bar as workaround prior to the availability of more comprehensive fixes. ®
.

 

[Will]

Test link

If the page is a Secunia page, your browser is affected.

 

[Mobius]

I'm infected! I feel so violated.
What does it all mean?!

 

[old.user4556]

My Firefox is affected, just tried IE and it's fine. I loved Firefox, but it looks like i'm going to be using IE until there is a fix/patch - anyone know if it's available?

<coup>Firefox is rubbish, start using IE!</coup>

 

[Jonty]

Hi Big G

Last time the Mozilla suite fell foul of this kind of problem, I believe it took around a week or so for an update to be issued for Firefox and co (maybe sooner in the nightlies). In all honesty, though, if you browse safely it's unlikely you'd come across this exploit anyway, so I wouldn't switch to IE just for this. I'm guessing the biggest problem will be with junk email, 'dodgy' websites or links posted by users in forums and such.

Kind Regards

 

[djsmiley]

Btw, there is an addon to I.E which effects it too.

What does it mean? Same thing it meant when it happened to I.E. = Dont trust links

No patch that i know of as yet, but at the same time, its not like any of you guys are going to be pasting fake paypal pages, and even if you do, i type paypal in.

Now, if the DNS servers got comprimised, then i WOULD get worried.

 

[Will]

Change browser to IE to omprove security?









Help me, I can't breathe...too...much...laughing...

 

[~Yuckfou~]

Funniest thread of 2005 !
I'm not a fanboi of any particular browser but I wish I could be arsed digging up all the "my browser is better than yours" threads. oh dear my stomach hurts....

 

[Clown]

C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\lpnp2xem.default\compreg.dat

Open in Wordpad, search for 'idn', delete the lines.
I deleted two lines.

 

[Clown]

I don't know why it put a space in-between compreg.dat.

 

[Milkshake]

I've got the latest version of Firefox, and the link did *not* work for me.

 

[nath]

lpnp2xem.default may not be the same for you - and don't forget to replace User with your own username.

Rather than copy/paste the link, it's easier to browse to that folder using the link as a guideline - don't forget to enable show hidden files.

 

[djsmiley]

Was about to say that some users have managed to fix it, while others report they are still effected.


This is something which can easily be turned off by Firefox etc if they choose to release a patch to do so, but the update on such a patch, is it worth it? When surely in a week or two, there will be a patch that fixes this, rather than just creates a work around?

I doubt they will go for the first option, most people using firefox / mozilla atm are the ones who know what they are doing anyway. Plus no ones noticed many sites in the wild using this tatic.

I say, just be careful until there is a patch, you still more secure using this than I.E. (in my eyes...)

 

[Mobius]

Since I'm infected, do you think its okay for me to order some dvd's online, or will this virus like steal my debit card info? I really want to order some stuff, but don't want any trouble.

 

[nath]

If I understand the bug, I doubt you'll have a problem. If you were to order DVD's having followed a link from a site you don't know well - someone could pretend the link was to play.com when it wasn't and as such the site pretenting to be play would get your CC info. However, I think if you just go to play.com (or whatever) by typing it in manually, there's not really much danger at all.

 

[Tom]

first of many to come.....

 

[Clown]

IE has its, and still has many.
I only use Firefox because it looks nicer.

 

[Chilly]

its innevitable as firefox becomes more widely used that more security holes will appear, but for now the vast majority use IE so 99% at least of attacks (i rekon) will be aimed at that for now.

 

[kanonfodda]

C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\lpnp2xem.default\compreg.dat

Open in Wordpad, search for 'idn', delete the lines.
I deleted two lines.

Nice one matey, worked a treat.

 

[JingleBells]

If you download the latest nightly build: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-aviary1.0.1/ then the enableIDN fix will now work, as I've read that altering your profile is fine untill you add an extension when the changes are reversed again.

 

[Jonty]

Hi guys

Firefox 1.0.1 has been officially released. This is a maintenance release so expect only a few bug fixes and security updates, mostly notably the IDN fix discussed in this thread. All users are encouraged to upgrade

Kind Regards

 

[inactionman]

first of many to come.....

Guys, this isn't a flaw in firefox, it's a fundamental flaw in the IDN protocol (the protocol that supports domain names in non-english alphabets), the reason why IE isn't affected is that it doesn't support IDN! The latest fix to firefox basically disables IDN, and bundles a few other bugfixes, none of which seem to have anything to do with security.

Stick with firefox, it's better to work with an application that's been built with security in mind, than one which has a number of fundamental security flaws!

 

[Jonty]

Agreed, inactionman That said, there are a few security updates in this release, albeit minor ones, hence the urge for everyone to upgrade (Unofficial changlog).

Kind Regards

 

[Brynn]

There was an interesting interview with the creater of Firefox in this months issue of Wired.

He was saing that at the start when it was just created, all the people on the forums donated £10, and they ran a week long advert in the New York Times, spanning two pages.

After that advert, it was downloaded 1 million times a day

 

[Jonty]

I have my name in that advert

I think they may actually be referring to the recent publicity drive when Firefox 1.0 was officially released. They raised several hundred thousand dollars to publish a two page advert in the New York Times, money raised from average users and big business (see Spread Firefox). Several thousand people of which got their names published in return for donating.

Since Firefox 1.0, the browser has indeed been downloaded over 1,000,000 times in a day, but has since died down to hit 25,000,000 in 100 days (250,000 per day). Despite its successes, however, Internet Explorer still commands just under 90% of the market, and the advent of Internet Explorer 7 may see that share rise slightly by the end of the year. That shouldn't detract from Firefox's success, though, it has been a tremendous catalyst for innovation in the otherwise stagnant browser market (even if some of its developers and fans can be a bit over zealous at times ...).

Kind Regards