Two flaws found in Firefox

February 8, 2007 at 12:34 am Leave a comment

By Caroline McCarthy Staff writer, CNET News.com

A security company has reported two new flaws in the Mozilla Firefox browser that may leave locally saved files vulnerable to outside attacks.

Click image for more details.

firefox_image2.PNG

Both flaws were announced by SecuriTeam, a division of Beyond Security, this week. The first flaw lies in Firefox’s pop-up blocker feature, according to a SecuriTeam statement on Monday. The browser typically does not allow Web sites to access files that are stored locally, according to the official report, but this URL permission check is superseded when a Firefox user has turned off pop-up windows manually. As a result, an attacker could use this flaw to steal locally stored files and personal information that might be stored in them.

A possible scenario for such an attack would involve the user clicking on a malicious link that would furtively plant a target file equipped with an exploit code on the computer’s hard drive. Then it would display a prompt asking the user to allow a pop-up to appear in order to play a video file or download. The attacker-supplied file would then be loaded thanks to the browser flaw, which could give the attacker local file read privileges.

It appears that this flaw may only apply to older versions of Firefox, prior to the current 2.0 release, but Beyond Security was unavailable for comment on the matter.

The second flaw, announced by SecuriTeam on Wednesday, concerns Firefox’s phishing protection feature. With this vulnerability, an adept phisher could fool the browser into believing that a fraudulent site is actually secure by adding particular characters into the URL of its Web site.

The phishing flaw does appear to apply to the current 2.0.0.1 version of Firefox.

Mozilla was unavailable for comment on Wednesday.

Advertisements

Entry filed under: browser, firefox, firefox.com, internet explorer, mozilla, popup, popups, privacy, security, web browser.

Interview with Bryan Kennedy, co-founder of Likebetter Crushpad custom winery completes $3.5M financing round

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed


New TechAddress Launched!


%d bloggers like this: