Security Vulnerability in Firefox


I just came across this phishing vulnerability in Firefox, in which the source URL shown in the download dialog box can be spoofed. Just another of the many reasons to believe that without security, no amount of progress can be made. We need to make browsers secure before they can do any fancy UI dance!

“Secunia rated the flaw ‘less critical’ and has confirmed the vulnerability in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. It added that ‘other versions may also be affected.’”

It was only a matter of time before Mozilla was going to attract hackers.

Comments (2)

  1. The difference is that even if the Mozilla Foundation never fixes the issue, the issue can legally still be fixed. The same cannot be said of non-open software. The issue is also generally fixed soon after it is reported, or has already been fixed by the time it is reported, if it goes through security@mozilla.org. There are many cases where a security issue is found in IE, but it is not fixed until significantly later or in the wrong way. For example, the issue with a null character after the username in a URL was fixed by not allowing a username without a password. However, this causes broken behavior.

  2. Ali Alvi says:

    You can never guarantee that fixing a security exploit will never result in broken behavior. There are so many applications that work around certain flaws in the product in ways such that, if these flaws are fixed, these applications are left in a broken state. Now the question is whether we should fix the product to do the right thing, leave it broken, or fix it in a way that the wrong use of the product is still not broken. I suppose the decision makers choose to go with the approach where they are willing to take the hit of some broken applications, with the trade-off that the rest of the world will be more secure.

    The username and password fix is a good example: the RFC specification never says that a user agent MUST support that syntax. This was a feature provided by IE, which was being abused by certain parties. So the first decision, to fix it in a way that would keep the functionality in but make it secure, resulted in breaking a lot of applications that were depending on the insecure functionality.

    An example is that some company was using the syntax to advertise their site, like http://buy@sitename.com. This is a completely wrong use of the provided feature. Therefore, in recent times, the right thing has been done: support for the username and password syntax has been eliminated by default. While this breaks a lot of apps, it ensures that there is no misuse of, or misguidance caused to, the users with this feature.
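The comments above describe the userinfo trick (`http://user@host`, with or without a null byte after the username) that let a phishing link display one host name while actually resolving to another. The following is an added example, not code from the original post or from Mozilla, showing how a WHATWG-style URL parser (the one in Node.js and modern browsers) sees such links, and a simple check a link scanner or mail filter could apply. All host names are invented for illustration; `looksLikeHost` is a hypothetical heuristic, not a standard API.

```javascript
// Added example: dissect URLs that carry a userinfo component and flag the
// "decoy host before the @" phishing pattern discussed in the comments.
// Host names (bank.example, evil.example, sitename.example) are invented.

// Hypothetical heuristic: does a username look like a domain name?
// A legitimate username such as "buy" does not; "www.bank.example" does.
function looksLikeHost(s) {
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(s);
}

function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser: everything before '@' is userinfo
  } catch (e) {
    return { raw, valid: false, reason: e.message };
  }
  const hasUserinfo = url.username !== "" || url.password !== "";
  // Decode percent-escapes so "www.bank.example%00" is examined as the
  // attacker intended (the old null-byte variant from comment 1). Strip
  // control characters before applying the heuristic.
  const decoy = decodeURIComponent(url.username).replace(/[\x00-\x1f]/g, "");
  return {
    raw,
    valid: true,
    realHost: url.hostname,   // where the request will actually go
    decoy,                    // what a careless reader sees before the '@'
    hasUserinfo,
    // Suspicious: userinfo present AND it looks like a host name.
    suspicious: hasUserinfo && looksLikeHost(decoy),
  };
}

// Constructed sample links covering the cases from the comments.
const SAMPLES = [
  "http://www.bank.example@evil.example/login",      // classic decoy host
  "http://www.bank.example%00@evil.example/login",   // null byte after username
  "http://buy@sitename.example/",                    // marketing misuse, not phishing
  "http://www.bank.example/login",                   // plain link, no userinfo
];

for (const s of SAMPLES) {
  const r = inspectUrl(s);
  console.log(
    `${r.raw}\n  real host: ${r.realHost}  decoy: ${r.decoy || "-"}  suspicious: ${r.suspicious}`
  );
}
```

The point the example makes is that the parser is never fooled: `hostname` is always the part after the `@`. The user is fooled because the status bar, download dialog, or address bar echoes the raw string. Filtering on "userinfo present" alone would also block the `http://buy@sitename.example/` style of legitimate-but-silly use the commenter mentions, which is exactly the compatibility trade-off the thread is arguing about.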