Phishers catch out Firefox

Nomad559 Donating Member (1000+ posts) Fri Jan-07-05 02:44 PM
Original message
Phishers catch out Firefox

A security flaw in the increasingly popular Firefox browser is exposing millions of users to phishing scams, security experts have warned.

Jakob Balle, security specialist at Secunia Research, said that the vulnerability in Firefox and Mozilla allows malicious hackers to execute phishing scams by spoofing the source URL displayed in the browser's Download Dialog box.

"The problem is that long sub-domains and paths are not displayed correctly, which can be exploited to obfuscate what is being displayed in the source field of the Download Dialog box," he said.



Firefox flaw sparks a fiery debate

TalkBack: Our article reporting the discovery of a security hole in Firefox had elicited a wide range of opinions - both from fans of the open source browser, and those who are less enamoured with it

The news that the Firefox browser contains a flaw that could help cybercriminals to carry out phishing attacks stirred up plenty of reaction and discussion among ZDNet UK readers.

Security firm F-Secure warned on Wednesday that the vulnerability, which allows the URL in a Firefox download dialog box to be spoofed, could be exploited by online fraudsters.


http://secunia.com
billyskank Donating Member (1000+ posts) Fri Jan-07-05 02:47 PM
Response to Original message
1. If it's a real bug and problem
expect to see a fix for this to download very soon. This is the strength of open-source software.
Moloch Donating Member (1000+ posts) Fri Jan-07-05 02:55 PM
Response to Original message
2. SCREW THESE PEOPLE!
FireFox ROX!! FireFox ROX!! FireFox ROX!! FireFox ROX!!

Sorry, but if I say it enough times it will help you remember.
Commie Pinko Dirtbag Donating Member (1000+ posts) Fri Jan-07-05 03:05 PM
Response to Original message
3. Looking for the report at Secunia
What comes in their front page is (surprise, surprise) two IE vulnerabilities.

From the limited information provided by that gossip chip-on-shoulder column at zdnet... no, wait, I found the secunia advisory:

http://secunia.com/advisories/13599/

As I suspected, it is marked "less critical". And should be easy to fix. If THIS is the best the anti-free-software crowd has to offer, we're in pretty good shape indeed.
salvorhardin Donating Member (1000+ posts) Fri Jan-07-05 03:13 PM
Response to Reply #3
4. Right, this is not a terribly critical flaw
A more detailed report can be seen here:
http://secunia.com/secunia_research/2004-15/advisory

I would expect this to be fixed soon. It's something that was reported back in November, a Bugtraq filed on it in December and just made public 3 days ago.

The Bugtraq entry shows that the appropriate solution is being actively discussed.
https://bugzilla.mozilla.org/show_bug.cgi?id=275417
Commie Pinko Dirtbag Donating Member (1000+ posts) Fri Jan-07-05 03:16 PM
Response to Reply #4
5. Funny how the IT equivalent of the MSM likes to overblow these things.
You'd ALMOST think they're M$-paid trolls.
salvorhardin Donating Member (1000+ posts) Fri Jan-07-05 04:13 PM
Response to Reply #5
8. Well, it's partly the fault of the Mozilla community
Edited on Fri Jan-07-05 04:17 PM by salvorhardin
as well as the spreadfirefox.com folks.

We've spent so much time (as my signature says) telling everyone that Firefox is "Safer, Faster, Better" that it creates an unreasonable expectation in the novice user's mind that all they need do is install Firefox and they'll be safe evermore. The reality is, and this should probably be stressed more, that any reasonably complex piece of software is going to have bugs. It's just a fact of life.

What matters though, is how the people or company developing a piece of software handle bugs. In the open source community, because the source code is out for anyone to inspect, it's more likely that bugs will be found and reported and (hopefully) dealt with in a much more timely manner than in closed-source proprietary software ("many eyes make all bugs shallow"). It's a double-edged sword though, because since the source is freely available it is also more likely that exploits will be created to take advantage of any vulnerabilities found.

Which then boils the matter down to one of trust. Who do you trust more to ensure that as many bugs and vulnerabilities are discovered and squashed before the product is released as possible? The giant, monopolistic corporation intent on the bottom line and getting the product to ship as soon as possible or the committed, free software lovin' hackers who want to get out the best possible product in as timely a manner as possible but not before it's done. I know I'm using hyperbole here on both sides, and that MS doesn't always behave in an evil way and the Mozilla Foundation doesn't always behave in the best way possible.

Also, I think in the end that most people (who aren't Steve Ballmer) will agree that Firefox and Mozilla are just a better all-around product offering more and better features than IE. IE hasn't been updated by Microsoft in years and even though there are some companies building better front ends for IE, you're still left with the inherent problems of IE. Just to give props where they're due, the Opera folks have been putting out a great browser for years too.
salvorhardin Donating Member (1000+ posts) Fri Jan-07-05 04:20 PM
Response to Reply #4
10. Oops -- I meant Bugzilla (n/t)
Radical Activist Donating Member (1000+ posts) Fri Jan-07-05 04:31 PM
Response to Reply #3
11. You mean there are far greater security issues with IE?
gasp!
WilliamPitt Donating Member (1000+ posts) Fri Jan-07-05 03:18 PM
Response to Original message
6. Phishing?
salvorhardin Donating Member (1000+ posts) Fri Jan-07-05 04:02 PM
Response to Reply #6
7. Phishing
Edited on Fri Jan-07-05 04:14 PM by salvorhardin
In this instance, the term is not really used correctly. Phishing is more properly tricking users into thinking they're giving secure information to a trusted party when in fact the information is being given to someone else. http://en.wikipedia.org/wiki/Phishing

A classic example of this is receiving an e-mail that appears to be from eBay or PayPal or a credit card company saying your account has "suspicious" activity and that you must log in and update your information. There's a handy link provided in the e-mail that looks like it goes where it says it's going, but in reality goes to a page that is mocked up to resemble the eBay or PayPal or wherever login screen. You enter your personal information and the blackhats now have what they need to access your account.

Note: Disguising the URL in this manner is not possible in the Mozilla browsers (including Firefox). They will display the correct location you are being taken to in the address bar. However, IE will happily display whatever the phishers want.

What's going on with this particular bug is that the Mozilla browsers won't display the full URL if a link you are trying to download from is too long. This could be used to trick you into thinking you're downloading (for example) the latest version of AdAware from Lavasoft when, in fact, you are downloading a rogue program that could do anything it wants with your machine (especially if you run Windows -- less so with Linux and Mac OSX).

So, technically, this isn't really phishing. IMHO, YMMV.
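The truncation problem that post #7 and the Secunia quote describe, as an added example that is neither code from this thread nor Mozilla's own: a naive right-truncated rendering of a download source is compared with one that pins the site's registrable domain to the front of the field so it cannot be cut off. The sample URL, the 60-character field width and the "last two labels" approximation of the registrable domain are assumptions made for the example.

```javascript
// Added example (not from the thread, nor Mozilla's code): a naive
// right-truncated rendering of a download source versus one that pins
// the site's registrable domain to the front so it cannot be cut away.
// Runs under Node.js using only the built-in WHATWG URL class.

const WIDTH = 60; // assumed visible width of the dialog's source field

// Naive rendering: keep the first characters, drop the rest. With a long
// subdomain or path, the part that names the real host is what vanishes.
function naiveSource(urlString, width = WIDTH) {
  if (urlString.length <= width) return urlString;
  return urlString.slice(0, width - 3) + "...";
}

// Registrable domain, approximated here as the last two host labels.
// Real browsers consult the Public Suffix List ("co.uk" is one suffix).
function siteOf(urlString) {
  const labels = new URL(urlString).hostname.split(".");
  return labels.slice(-2).join(".");
}

// Hardened rendering: the site is shown first and never truncated; only
// the full URL that follows it is elided, from the middle, to fit.
function siteFirstSource(urlString, width = WIDTH) {
  const u = new URL(urlString);
  const site = siteOf(urlString);
  const rest = `${u.protocol}//${u.host}${u.pathname}${u.search}`;
  const room = width - site.length - 3; // space left after "site | "
  let shown = rest;
  if (rest.length > room) {
    const half = Math.max(Math.floor((room - 3) / 2), 0);
    shown = rest.slice(0, half) + "..." + rest.slice(rest.length - half);
  }
  return `${site} | ${shown}`;
}

// Constructed sample: a long subdomain that imitates a trusted vendor name
// in front of the host that actually serves the file.
const SAMPLE = "http://www.lavasoft.example." +
  "secure-download-mirror.".repeat(4) + "attacker.example/adaware.exe";

// Returns both renderings of the sample so they can be compared.
function demo(urlString = SAMPLE) {
  return { naive: naiveSource(urlString), siteFirst: siteFirstSource(urlString) };
}

console.log(demo());
```

The naive field fills up with the imitation subdomain and never reaches the serving host, while the site-first field leads with it regardless of how long the rest of the URL is.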
Bill Lumbergh Donating Member (191 posts) Fri Jan-07-05 04:15 PM
Response to Reply #7
9. Luckily Initech has developed a program to solve this
nt
Solon Donating Member (1000+ posts) Fri Jan-07-05 04:48 PM
Response to Original message
12. This is funny...
HEY GUYS, IT WAS FIXED BEFORE THIS WAS REPORTED!!!!!!!

Mozilla is listed as unaffected in >=1.7.5, Firefox unaffected in >=1.0, and Thunderbird unaffected in >=0.9.