Advertisement
Promo

Security threats Toolkit

Firefox phishing vulnerability discovered

Ingrid Marson ZDNet.co.uk

Published: 05 Jan 2005 15:30 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

A vulnerability in Firefox could make users of the open source browser more likely to fall for phishing scams.

The flaw in Mozilla Firefox 1.0, details of which were published by Secunia on Tuesday, allows malicious hackers to spoof the URL in the download dialog box which pops up when a Firefox user tries to download an item from a Web site. This flaw is caused by the dialog box incorrectly displaying long sub-domains and paths, which can be exploited to conceal the actual source of the download.

Mikko Hyppönen, director of antivirus research at F-Secure, said this bug could make Firefox users vulnerable to cybercriminals. "The most likely way we could see this exploited would be in phishing scams," said Hyppönen.

To fall victim to such a scam, a Firefox user would have to click on a link in an email that pointed to a spoofed Web site and then download malware from the site, which would appear to be downloaded from a legitimate site.

This flaw was given a severity rating of two out of a possible five by Secunia.

David Emm, a senior technology consultant at antivirus company Kaspersky Labs, said it is unlikely that phishers will take advantage of this exploit in Firefox because Microsoft's Internet Explorer still dominates the browser market.

"I think it's unlikely that we'll see hackers rush to exploit this vulnerability," said Emm. "After all, Firefox has a much, much smaller install base than IE and it's likely that hackers will continue to pay more attention to [IE] instead."

This may change in the future as Firefox has attracted a lot of interest in the past few months. A survey at the end of November found that Mozilla-based browsers, including Firefox, accounted for 7.4 percent of browsers in November 2004, up 5 percent from May.

The download vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. No solution is available at present, but Mozilla developers plan to fix this bug in an upcoming version of the product.

The Secunia advisory and Mozilla bug report are available online.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
102 out of 168 people found this useful


In association with Network Liberation Movement

Talkback

Post a comment


Full Talkback thread

26 comments

  1. A security vulnerability..??? this is a ridicul... Pete Molina
  2. This article by Ingrid Marson and the opinion... Abe
  3. Ooooh.. I'm frightened!! I guess I'll switch... Ossama Khayat
  4. All I Have To Say Is Firefox Is The Best... Jason
  5. I agree, Pete, that the vulnerability in Fire... Graeme Wearden
  6. Firefox without a doubt, is the best and... Webx
  7. USE FIREFOX ITS MILES AND MILES AHE... robd
  8. Microsoft is waiting for one person to be caught i... The Way
  9. Big deal! This is only one problem compared to the... Anonymous
  10. If this vulnerability had been identified in IE, t... Anonymous
  11. Ouch! 'Users are smart enough to choose their... philbert
  12. Lets face it, not everyone out there is a Web... B B
  13. I think it's important to put things in conte... Anonymous
  14. The simple solution is often the best,JU... Voodoodoctor
  15. There is no reason to believe that Firefox is actu... Anonymous
  16. Critical mass FUD is the typical reaction of... Arthur B.
  17. Firefox will always be more secure than Inter... john_t
  18. It doesn't matter at all if only a couple of... Sebastián Benítez
  19. Ok, had a quick read of some of these replies... fieldyweb
  20. I have to reply to the above comment, be... Webx
  21. can't believe it! But where's the PoC? :) Anonymous
  22. Firefox is undoubtedly a better and more secu... Seb
  23. I've used Firefox since the Phoenix days. Noone e... Killian
  24. I use both Firefox and IE, and while IE is pl... Camper
  25. Ok so there is a flaw. So what? How many flaws h... Simon Buckner
  26. Nice to see an area in IT where Microsoft doesn't... Bill

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:




Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

Climate research centre compromised

One of the UK's leading climate change research centres has had a security breach. The Climate Research Unit at the University of East Anglia (UEA) suffered a compromise of information,... More

1 comment

Government web-monitoring plans on hol...

Government plans to compel ISPs to process and store details of all web communications have been put on hold until after the next election. The Home Office told ZDNet UK on Wednesday... More

1 comment

Watchdog reveals illegal sale of phone...

The Information Commissioner's Office is preparing a prosecution file against a mobile operator's employees who allegedly sold on thousands of customers' details to a competitor. The... More

1 comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters