FireFox Exploit

lsw-x

I enjoy my FireFox, really.

Chris said something to me a few weeks ago. He says that the reason FireFox is deemed to be so secure, over and above IE, is that it hasn’t gained the popularity and user base that IE has. He says that as soon as FireFox’s user base gets larger and you start to see a bigger percentage of internet users using it as their browser of choice, all those fun little hackers will begin to pay more attention and start to find more and more ways to exploit security holes in FireFox. They’ll spend more and more time on the product, as they currently do on the browser that 90% of the surfing population uses, IE.

Simply put, the hackers didn’t see FireFox’s user base as broad enough to bother exploiting. Things appear to be changing.

He sent me an article today. He just had one thing to say: “And So It Begins”:

All Browsers But IE At Risk To New Spoofing Scheme

A newly uncovered vulnerability in most browsers can allow hackers to spoof the URL displayed in the address bar and the SSL certificate, a security firm warned Monday. The one exception? Microsoft’s Internet Explorer.

Danish security company Secunia posted an alert describing the vulnerability — which affects Mozilla, Firefox, Safari, Opera, and Konqueror — as a “moderately critical” problem.

The vulnerability impacts every browser built atop the open-source Gecko browser kernel — nearly all except IE — because of a flaw in handling International Domain Names (IDN). Hackers can register domain names with certain international characters that resemble other commonly-used characters, said Secunia, to spoof the address and trick the user into thinking they’re at a legitimate site and/or it’s secured by SSL.

Such spoofing vulnerabilities are typically exploited by phishers who try to dupe users into divulging financial information at bogus Web sites that resemble real-life banking, credit card, or retail sites.

The vulnerability has been confirmed in the latest version of Firefox, v. 1.0, as well as in Mozilla 1.7.5, Opera 7.54u1, Opera 7.54u2, Safari 1.2.4, Konqueror 3.2.2, and Netscape 7.2. Other editions of these browsers, however, may also be at risk, said Secunia, which posted an online test on its Web site.

Currently, none of the vendors have provided fixes for the flaw.

And so it begins, indeed.

I think we’ll start to see more and more exploit vulnerabilities as these browsers gain more and more popularity. It will be interesting to see if FireFox is the tight browser choice that some die-hard FF’ers have always claimed it to be.

–Update–
You can disable IDN support in Mozilla products by setting ‘network.enableIDN’ to false. There is no workaround known for Opera or Safari.

via schmoo.com – Thanks for the tip, Vin. 🙂
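The look-alike-character trick described in the quoted article, seen from the checking side: this is an added example, not code from the original post or from Secunia. It converts a hostname to the `xn--` (punycode) form that is actually resolved and flags labels that mix scripts; the function names and the sample hostnames are constructed for illustration.

```python
import unicodedata

def script_of(ch):
    """Coarse script tag taken from the Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits, hyphen
    try:
        return unicodedata.name(ch).split()[0]  # e.g. CYRILLIC, GREEK, LATIN
    except ValueError:
        return "UNKNOWN"

def to_ace(label):
    """Punycode (xn--) form of one label, i.e. what is looked up in DNS."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def inspect_hostname(hostname):
    """Return the ACE form plus the labels that are IDN or mix scripts."""
    # Simplification: NFKC + lowercase only, not full IDNA name preparation.
    labels = unicodedata.normalize("NFKC", hostname).lower().split(".")
    report = {"ace": ".".join(to_ace(l) for l in labels), "idn": [], "mixed": []}
    for label in labels:
        if label.isascii():
            continue
        report["idn"].append(label)
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            # One label drawing letters from two scripts is the spoofing pattern.
            report["mixed"].append((label, sorted(scripts)))
    return report

# Constructed samples: U+0430 is CYRILLIC SMALL LETTER A, which renders
# like Latin "a"; U+00E9 is an ordinary accented Latin letter.
SAMPLES = ["example.com", "ex\u0430mple.com", "caf\u00e9.example"]

if __name__ == "__main__":
    for host in SAMPLES:
        r = inspect_hostname(host)
        verdict = "MIXED-SCRIPT" if r["mixed"] else ("idn" if r["idn"] else "ascii")
        print(f"{host!r:28} -> {r['ace']:28} {verdict}")
```

A label written entirely in one non-Latin script passes the mixed-script test, so showing the ACE form to the user remains the more general safeguard.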

32 thoughts on “FireFox Exploit”

  1. I agree with both you and Chris. FireFox blows IE away, but as more people learn about it more people will attack it. For now, though, I’ll enjoy how well FireFox works, continue to consider replacing Outlook Express with Thunderbird (or whatever it’s called), and have a little more Hot Corn Dip with tortilla chips and a glass of Diet Sprite Zero. :mrgreen:

  2. As a previous Moz and current FF user I agree – with the exception about why it is safer. To over-simplify the reason that IE is not safe goes to the fact that IE is based on longtime OLD MS code – a new version was never built from scratch as FF was. Microsoft developers are not the brightest and lack the imagination of what might be possible from an outsider (hacker). FF was made with current and future knowledge of vulnerabilities and thus has a big edge.

    Another plus is FF does not send back url info to the Microsoft people as IE does. Yeah – if you’re still using IE Billie boy knows where you’ve been!

  3. “Hackers can register domain names with certain international characters that resemble other commonly-used characters, said Secunia, to spoof the address and trick the user into thinking they’re at a legitimate site and/or it’s secured by SSL.”

    Sounds to me that this is less a “browser vulnerability” than a “user needs to be more aware of the sites she goes to” issue. (Using “she” as an all-purpose pronoun, of course. :smile:)

  4. Microsoft stated once, “There’s a lot of Virus under our platform because we’re famous. Linux users don’t create Virus because there’s just not much users under them”. With the recent exploits on other browsers and IE being safe, it really seems like IE’s just losing popularity. It’s good news I believe 🙂

  5. Oh, I totally agree and think that the recent exploits are a testimony to the gaining popularity of these ‘alternate to IE’ platforms. Definitely good news.

    The difference here is going to be – how long will it take the developers of these products to respond and provide patches?

    We all know Microsoft’s track record.

  6. … FWIW, I read somewhere that disabling IDN didn’t fully resolve/avoid the issue … and wouldn’t you know that is one page I didn’t link to, dangit.

    /TJ

  7. I still don’t know what the big deal about FireFox is. I downloaded it and used it, it IS a nice browser, but it doesn’t improve upon IE so much that I feel that it’s necessary to switch over. In fact, ASP forms don’t show up as well in FireFox as they do in IE. So that’s already one strike against it, for me.


  8. Hi all… there isn’t a permanent fix for this yet but you can find out how to make it a bit more permanent (and keep tabs on the latest) on my blog and at this entry:
    here

    All my Firefox tips are here

  9. “FireFox Blows IE out of the water”, “FF is the way to go” … “IE losing popularity is good news” … What do you people base your opinions on? The “Blogosphere” is touted as a place where free thought and new ideas reign supreme, but let’s face it. When it becomes “cool” to like something, everyone jumps on the bandwagon. This is especially true in the blogging world. Just look at FF or Ipods..

    FireFox .. more secure? LOL!! If FireFox had the market share IE has.. You wouldn’t be using it. This is true for a couple of reasons… #1 It wouldn’t be cool because everyone is using it, #2 now that it is the popular browser the scumware and spyware attacks would sky rocket… and you wouldn’t have Microsoft’s resources to fix the problems.

    Come now little sheeps… follow me.

  10. What you say is only half true. The part you missed is that Mozilla fixes bugs much faster than Microsoft. The open source model is superior for rapid bug/vulnerability fixes. That spoofing vulnerability you mentioned was fixed within 24 hours! If you install the newest release of Firefox you aren’t vulnerable anymore! Microsoft still hasn’t fixed years-old vulnerabilities and they likely won’t for a couple more years when Longhorn finally comes out.

  11. Ok, I just wrote like two paragraphs in response and didn’t put in an email so it erased my whole post so let’s try this again….I’m shortening what I originally posted.

    First off, I’m a member of an online community that is composed mostly of IT’s and tons of other people who know more about computers than the general populace and they swear by Firefox/Mozilla for the most part. While the lack of direct exploits and attacks toward Mozilla are lacking could be because of the small userbase compared to IE, spyware has nothing to do with that at all. Firefox is resistant to many forms of spyware/malware by default. It’s basically configured not to let through a ton of the stuff that IE lets through by default. Since I switched to Mozilla (Probably around when I was 12…I’ve been using Netscape forever..i’m 20 now) I haven’t had ONE problem with spyware, but while fixing other people’s systems (all who used IE by default) I’ve had instances in which I’ve found 400+ bits of spyware….that by itself should speak to anyone.

    I love it when something starts rising up outside of what is the default and people instantly blame its popularity on a “jump on the bandwagon” sort of thing. If that were the case, there have been TONS of browsers other than IE that people could have swarmed over….Opera, netscape, earlier versions of firefox, Avant…etc…

    Tabbed browsing, total configurability, open source plugins (which open up almost unlimited possibilities in the browser…I have the weather, winamp, and automatic ad blocking plugged in along with a bunch of others and firefox STILL takes up less processor space and memory than IE). Not to mention browsing speed…especially with enabled pipelining. (don’t jump down my throat plenty of tests have proven this).

    So in conclusion, don’t be scared away by exploits in Firefox. It’s still more secure, and overall it’s a better system. 😀

  12. Good info, Kyle – – don’t get defensive, however – – I love my FF. Prefer it over IE any day of the week. I’m not knocking the precious Mozilla – just making a mere observation on it. 😯

    I love it when FF die-hards get so defensive over minor, off the cuff comments about its potential vulnerability 😉

  13. Hehe I really don’t care, I could go for almost any other Mozilla based browser. Some of the irritation was probably transferred over due to the fact that my first two paragraph response was deleted. My response was directed more to ThePaul anyways, I promise I was just reassuring you that Firefox is still secure. 😀

  14. i’ve been using firefox for a long while now. think it was before they even really started pushing it. i’m happy with it! 😛 IE really is a pitb with all them errors popping up. For the web designers, FF has a great plug in. holler at me if you’re interested 😉 (css looks way better on FF than they do on IE)

  15. One piece of advice: buy a Mac.
    Mac OS X is safer and more stable (not to mention easier to use) than Windows, and their web browser (Safari) is felt to be the state of the art. This high degree of safety is not solely because Mac is a “smaller target”. It’s because the operating system is Unix-based, and all the software is much better written.

  16. Yeahhhh….I can honestly say the last thing i’d be using is a mac. The whole security thing also applies to them though…they don’t have as many exploits as windows because they are attacked less, although they are safer by default by far and their browsers are second to none (the default browser Safari beat Firefox in speed and security tests)…they just don’t do everything that i’d want my computer to do. No offense. 😀

  17. Just because something doesn’t get hacked, attacked or exploited doesn’t mean it is better. A bank with no money in it is a lot less likely to be robbed than a bank with a vault full of gold.
