The flaw in Mozilla Firefox 1.0, details of which were published by Secunia on Tuesday, allows malicious hackers to spoof the URL in the download dialog box that appears when a Firefox user tries to download an item from a Web site. The flaw is caused by the dialog box displaying long sub-domains and paths incorrectly, which can be exploited to conceal the actual source of the download.
Mikko Hyppönen, director of antivirus research at F-Secure, said this bug could make Firefox users vulnerable to cybercriminals. "The most likely way we could see this exploited would be in phishing scams," said Hyppönen.
To fall victim to such a scam, a Firefox user would have to click on a link in an email that pointed to a spoofed Web site and then download malware from the site, which would appear to be downloaded from a legitimate site.
This flaw was given a severity rating of two out of a possible five by Secunia.
David Emm, a senior technology consultant at antivirus company Kaspersky Labs, said it is unlikely that phishers will take advantage of this vulnerability in Firefox because Microsoft's Internet Explorer still dominates the browser market.
"I think it's unlikely that we'll see hackers rush to exploit this vulnerability," said Emm. "After all, Firefox has a much, much smaller install base than IE and it's likely that hackers will continue to pay more attention to [IE] instead."
This may change in the future, as Firefox has attracted a lot of interest in the past few months. A survey at the end of November found that Mozilla-based browsers, including Firefox, accounted for 7.4 percent of browsers in November 2004, up 5 percent from May.
The download vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. No solution is available at present, but Mozilla developers plan to fix this bug in an upcoming version of the product.
The Secunia advisory and Mozilla bug report are available online.
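The article describes the flaw only at the level of a dialog that renders long sub-domains and paths incorrectly. The following added example (not Mozilla's code, and not a reproduction of the actual Firefox bug) models how a fixed-width dialog that simply cuts off a long URL can hide the real host, and shows a renderer that always keeps the host visible; the sample URL is constructed and uses the reserved `.example` TLD.

```javascript
// Constructed sample: a long sub-domain chain whose leading labels look like a
// trusted site, while the host that actually serves the file is at the right end.
const SAMPLE_URL =
  'http://www.bank.example.com.' + 'a'.repeat(60) +
  '.downloads.attacker.example/files/statement.exe';

// Naive rendering: keep the first `width` characters, as a narrow dialog might.
// With a long host the visible prefix names a site the user trusts and the
// label that identifies the real owner is cut off.
function naiveDisplay(urlString, width) {
  if (urlString.length <= width) return urlString;
  return urlString.slice(0, width - 3) + '...';
}

// Right-anchored host display: when the host does not fit, drop labels from the
// LEFT (the part the site operator fills freely) and keep the rightmost ones,
// which name the domain actually serving the download. At least two labels are
// always kept so the registrable name survives (a real UI would consult the
// Public Suffix List rather than assume two labels).
function abbreviateHost(hostname, width) {
  if (hostname.length <= width) return hostname;
  const labels = hostname.split('.');
  let kept = [];
  for (let i = labels.length - 1; i >= 0; i--) {
    const candidate = [labels[i], ...kept].join('.');
    if (('...' + candidate).length > width) break;
    kept = [labels[i], ...kept];
  }
  if (kept.length < 2) kept = labels.slice(-2);
  return '...' + kept.join('.');
}

// Safer dialog line: scheme plus right-anchored host is always shown in full
// (even if that overruns the width); the path is reduced to its final segment,
// the file name, when space is short.
function safeDisplay(urlString, width) {
  const u = new URL(urlString);
  const scheme = u.protocol + '//';
  const fullPath = u.pathname + u.search;
  const fileName = u.pathname.slice(u.pathname.lastIndexOf('/') + 1);
  const fits = scheme.length + u.hostname.length + fullPath.length <= width;
  const suffix = fits ? fullPath : '/.../' + fileName;
  const hostBudget = width - scheme.length - suffix.length;
  return scheme + abbreviateHost(u.hostname, hostBudget) + suffix;
}

console.log('naive:', naiveDisplay(SAMPLE_URL, 40));
console.log('safe: ', safeDisplay(SAMPLE_URL, 40));
```

Run under Node.js: the naive line shows only `http://www.bank.example.com.aaaa...`, while the safe line shows `http://...attacker.example/.../statement.exe`.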
Talkback
A security vulnerability...??? This is a ridiculous story...!!
"To fall victim to such a scam, a Firefox user would have to click on a link in an email that pointed to a spoofed Web site and then download malware from the site, which would appear to be downloaded from a legitimate site."
So you "have" to be at a spoofed site already... then click a link to download files from a spoofed download area... where is the problem... I hardly think that a spoofed site would link you to a legit download area...
This article by Ingrid Marson and the opinions of the analysts (Mikko Hyppönen, David Emm) are perfect samples of spoofing and being spoofy. Webster & Dictionary.com should use them as examples. Thanks but no thanks for the information. We still trust and love Firefox. Try harder if you can. Gee!
Ooooh... I'm frightened!! I guess I'll switch back to the M$ (and your?) favorite Internet Exploder again and wait for the spam and pop-ups to get on my nerves again.
I'm sure this is a REAL problem with Firefox, especially when I read "No solution is available at present, but Mozilla developers plan to fix this bug in an upcoming version of the product.", as this is what always happens, late fixes!!
Have a look at www.spreadfirefox.com and see how they are SO scared because of this security issue.
I guess you mistyped the title after the "Massive IE phishing exploit discovered" link to the article shown below!
Try again.. :-)
Microsoft is waiting for one person to be caught in the scam to say TOLD YOU open source is more expensive, it just cost her 10 000 dollars because she chose Firefox. Firefox, fix it quick!
PS Firefox users are much smarter than IE users, they chose the better browser after all.
LONG LIVE the FOX.
Big deal! This is only one problem compared to the thousands IE has. Firefox is the way forward, Microsoft will be wiped soon.
I agree, Pete, that the vulnerability in Firefox isn't a huge threat --- that's why we reported that Secunia gave it a severity rating of two out of a possible five.
We certainly aren't suggesting that this bug should deter people from running Firefox. But given the serious threat posed by phishing, I believe we were right to run the story.
Thanks for your interest,
Graeme
If this vulnerability had been identified in IE, the anti Microsoft community would no doubt be quick to criticise the product as insecure.
Users are smart enough to make up their own minds about which web browser to use - and the more information that is available about all products on the market, including open source efforts, the better.
Over-zealous open source fanatics should concentrate on improving their products rather than complaining about the coverage they get, and leave it to end users to determine how relevant the product really is to their needs.
Ouch! 'Users are smart enough to choose their own browser'??
Most users couldn't spell 'browser' without help. The only reason so many people use IE is because it is built in to the operating system that was on the PC they bought, and no other reason. Since 1995 nobody has once asked me for a different browser to IE, it wouldn't even cross their minds that it's possible.
I'm not for/against IE, and I've only just started using Firefox as well as IE.
People get very defensive over these things. Just enjoy the technology! U cud b livin in a cave instead ;)
There is no reason to believe that Firefox is actually any more secure than IE. It is just [currently] less targeted for attack. Firefox may offer some "security through obscurity", but once it gets to any sort of critical mass then it will be targeted (and since the hackers have the source code their life will be that much easier, and when a patched version is released it will be easy for them to see where the vulnerability is and target older versions).
Let's face it, not everyone out there is a Web Site Administrator, Web Page Developer, Internet Security analyst or Cyber Geek.
Therefore, yes, millions of people in the world are ignorant when it comes to computing.
I would venture to guess that 99 percent of anyone you asked doesn't know what open source means, or how or why it is different from IE.
Not to mention the fact, that millions still think emails that 'look' like they are from their credit card company or other financial institution are real. Which is where the problem is. Not with techies or someone who has a clue about the reality of computing.
'We' may be protected because 'we' choose not to click a link to 'verify our financial information'. But many don't know that these are phishing scams... and previous 'advice' from internet security persons like Paypal and Citi Bank say to 'Check the URL' to verify authenticity.
For the ignorant, this is where this flaw is important, and the URL will appear real.
That's the gist of it. So, for everyone who thinks it is absurd that anyone would click a link to verify this or authenticate that, remember, not everyone is a Web Administrator etc.
Do them a favor and educate them rather than scoffing at how unfathomable and unreportable this story by ZDNet is!
cheers.
BB
Critical mass FUD is the typical reaction of the uninformed. If critical mass (certainly when combined with access to the source) was that important for getting successfully attacked in large numbers, then why don't we see massive and successful attacks on all those other Open Source products that run the Internet today in enormous numbers?
I sometimes find myself wishing that all Open Source products would stop functioning for just one hour all at the same time. Perhaps then more people would start to realize how much Open Source is already part of today's life.
Another thing. Spammers, phishers, etc. don't aim for a 100%, 10% or even a 1% success rate. Since the market penetration of non-Microsoft browsers has been more than 1% for many years now, how come those poor non-Microsoft browser users haven't been slaughtered month in, month out? I mean, surely those spammers and phishers will go for the easy prey, whatever they are. And believe me, even just 1% of just 5% of the entire Internet community would be a dream come true for them.
Riddle me this. In many companies there are people using IE with very expensive security hardware and software maintained by so called experts sitting between them and the Internet and they're not amused. While at home, for those that don't use IE, there's maybe $40 of equipment between them and the Internet and they're amused. How come?
There's critical mass alright. But it's about the FUD soap box that's about to explode. Followed soon after by a critical mass of consumers and CFOs starting to ask difficult questions of their former-to-be IT salesmen, IT advisors, IT consultants and IT managers.
Basically a whole industry used to overcharging is going to be replaced by an industry that charges fairly. And the only way to become part of that new industry is to sell something different than those products with built-in overcharging capabilities. Things are starting to get interesting.
Firefox without a doubt, is the best and most secure browser on the market today, and no matter what propaganda is spread throughout the net regarding its security in a negative way, those who actually KNOW will continue to use Firefox and wait until the patch is complete, not actually even thinking nor caring whether it is released or not while using it.
What is not mentioned, however, is the simple fact that Firefox running on Linux is quite a bit more secure than implementing it within oh... let's say... XP. For those window-injected scripts, one can also mistakenly download forcibly malicious scripts as well, which in most cases are going to directly affect your Windows OS, and not your Linux OS.
That would be almost ten fold if you by chance were actually using IE as example.
There are plenty of examples of hidden WIN32.exe links on web sites as well, in which IE will be more than happy to inject your very expensive Microsoft OS without even batting an eye, or at least giving you warning. But... of course, Firefox is growing in popularity, so let us bash them with one particular user-induced error of ignorance instead, blaming it actually on the browser, and not the people using it (where the blame actually should be directed).
Perhaps more information regarding fact instead of fiction should be presented, rather than blaming security flaws of one particular browser that used to have a monopoly on the market as a victim to such devious implementations of code because of popularity, rather than the simple fact it is in reality an open window to your whole Windows operating system when proper measures are not taken to plug all of those holes, even AFTER the SP2 upgrade, which was basically billed as the 'security fix to end all security problems'.
Education toward the matter would help as well, properly documenting information in prevention to people that clicking on each and every link on the net or in your email is never a good idea. However, once again, rather than directing the story to prevention and education, it is seemingly disguised as a resentful demonstration toward stifling open source movements such as the Firefox browser glorifies.
I find it quite ironic in the same setting, that a multi-billion dollar corporation cannot provide security measures for their OS nor their in-house programs, without an outside developer or software company providing that protection at a sizeable cost, while open source provides the best overall protection at no cost.
With that being said, this little "scare" is nothing more than an opportune moment to try and shed negative light upon a growing browser and growing movement known as open source, and maybe one day, this country will figure out that the only reason security is needed is because they are somewhere they should not be in the first place.
Can't believe it!
But where's the PoC? :)
Firefox is undoubtedly a better and more secure browser than IE, but any site that reports on flaws or possible flaws in IE -- and gives Firefox coverage -- should report on Firefox's flaws too.
Essentially, Firefox is better but it's not perfect, and anyone who thinks or claims it is is as bad as anyone who gets taken in by Gates' marketing spiel.
I've used Firefox since the Phoenix days. No one ever asked me what/which browser I like. Oh well. Once again not everyone's voice is heard, unless you scream. As far as a "security hole", it should be more of a User Vulnerability, as only a dumb person goes clicking links in emails from odd places, last I knew. Granted, it's nice to KNOW, but come on. Most of these "announcements" just give the Phishermen a REASON to try to exploit it. Perhaps I just have learned my lessons long ago by helping people who are dumb already. One does learn what NOT to do from listening to how other people screw up their machines. Muahahaa
I use both Firefox and IE, and while IE is plagued on an ancient Egyptian scale, let's just remember that IE makes up a huge percentage of the market right now because it is shipped with Windoze. Because of that fact slimeball phishers and script-kiddies are going to focus the most attention at IE because they have a higher success rate there. People seem to think that because Firefox has no blatant (as of yet) security holes that it's the browser to end all browsers and everyone else should just hang up their gloves. If the "hacker" (and I use that term loosely) community focused as much attention at Firefox as they did other browsers, you can rest assured that vulnerabilities would be found or created. Open source makes that job just that much easier. In the end it basically comes down to who can or cannot be duped. I think simply personal preference will determine the market. Peace.
Firefox will always be more secure than Internet Explorer because it isn't tightly integrated with Windows as IE is.
Using IE is risking losing all control of the machine just by surfing, even accidentally, the wrong web page.
Firefox, meanwhile, will never download/install something without the user knowing. And being open source is as helpful for hackers as it is for programmers who make Firefox better every day.
It doesn't matter at all if only a couple of us use Firefox/Mozilla for better browsing. People have an option and the right to choose which software to use to make their lives easier. But eventually they will have problems related to security/virus/spies/you-name-it with IE (and perhaps with Firefox too), so it's not a big deal. Which one they will end up using is just a matter of how many problems they had with IE before looking at Firefox.
I think it's important to put things in context and this small flaw is nothing compared to the absurdly huge number of easily exploitable flaws in IE.
The average user who's running an unpatched old version of IE would be so much better off in terms of security if switching to Firefox.
Anyway, Firefox is open source and I expect a fixed release to appear soon.
Spread the word - Firefox rules
The simple solution is often the best, JUST stay off the fake sites. If you are concerned, don't download anything. I surf with NO ANTI VIRUS and an edge F/W; apart from the consistent supply of tracking cookies that Spybot S&D software catches I get a flash now and again from a passing virus. Sweep the machine with the second PC after surfing and I'm clean and ready to go again. I also walk to the bank. Malware usually needs to be downloaded, just watch your clicks and try the long URL extension on the Mozilla site, it at least tells you what the machine's site COULD be.
Ok so there is a flaw. So what? How many flaws have been reported so far? Not many. All I know is that since I've started using Firefox (and especially since I forced my girlfriend to start using it) it has made things like Adaware and Spybot: Search & Destroy almost redundant.
I think that alone speaks for itself. When Internet Explorer can sit on my machine for 2 months and I don't need to run anti spyware tools, then I might consider using it. Until then it is most definitely disabled on my system.
Nice to see an area in IT where Microsoft doesn't have a monopoly: bugs in their Web browser.
I'm a Firefox user but I understand that Open Source doesn't automatically mean Secure Software, oh yeah and it's a web browser not a religion
Ok, had a quick read of some of these replies, and got the story from tech news on Yahoo, and a few things spring to mind...
1) Your mum, grandad, uncle Albert etc. really don't know there are "bugs" in the software, which make them vulnerable, and to be honest, why should they? They will take things on the net at face value, with probably less worry than if the same scams were being run on snail mail etc... Why? Because they are not computer literate... they haven't got a clue... And neither should they... In this day and age, software such as web browsers really should be more secure, but there are always going to be flaws. What's needed is not a debate on what's right or wrong about security holes, but plain, English, non-geek-speak explanations that nothing is what it seems on the net, and well, common sense rules... Hey, I live in Thailand, and when you're on the plane, they tell you not to buy gems, when you get off the plane they have signs up not to buy gems, all over tourist bars it says don't buy gems, and how many people each week are scammed because they buy fake gems... Let's face it, some people are sometimes just plain stupid...
2) I'm a pro-Firefox user, have been for a LONG time, and ok, it's going to have a few bugs, but it's at release version 1... What version is IE at?
3) It's been mentioned about the open source code behind Firefox making it vulnerable. Well, Linux has been open source for years, and it doesn't have as many problems as Windows in the hacking department. Please note I didn't say it doesn't have any, just not as many... From what I can make out, it's not necessarily the operating system that's being targeted, it's the mentality of the company who produces it?
My final point....
What ever happened to Microsoft having to supply an alternative browser option?
I have to reply to the above comment, because that is where the problems completely lie within the Internet, the computer world, and also in real life.
There was a time, when people actually educated themselves on certain aspects of what they were purchasing. Of course, that all depended on exactly what they were buying, because once it came down to technology, all bets were off.
As an example, one of the oldest clichés known to the supposed technical world was the flashing "12:00" on the VCR, and how in God's name could we ever get it to stop!!
The simple fix answer was: open the operators manual.
But... that was too much... Countless VCRs were on the path of the infamous "12:00 flash".
A path that was so dangerously close to injuring all that tried to cope with setting it correctly that most gave up in complete horror, and stared endlessly at its glowing numbers like that of a mangy wolf huddled on its back haunches, eyes glowing from behind the darkened night behind the bushes out front. People were scared and intimidated by this technological marvel, and that magical "12:00" haunting so much so, that reinforcements had to be called in to tame that wild beast. These experts, otherwise known as "the smart relative", would battle these square-jawed beasts in front of all that dared watch. Tirelessly barking out commands, allowing those who were brave enough to watch a possible chance and glimpse to maybe learn or pick up a thing or two on taking down the massive offensive battle that this beast possessed without any help, and with a final shout of a glorious call of "You got it!!" bellowing throughout the night, all witnessed a miracle... a miracle that could have made the baby Jesus weep with tears of joy I am sure... the correct time was set... and forever a legend was created... that is, until somebody decided that the "VCR looks better over here" and it was unplugged... only to once again begin its ferocious trauma to all that witnessed its famous defeat.
So why at this point of time in our lives, with all the available technology and literature available to us from every medium in the wide world at our fingertips, must we become so lazy, or in simple terms, stupid to actually learning how to use something correctly?
On a daily basis, there are updates to software, hardware, virus warnings, email warnings, scam warnings, "dont pet that pit bull" warnings, "your water may be contaminated" warnings, and basic warnings to prior warnings, but they mostly go ignored, because somebody winds up doing what they were told not to do in the first place and usually wind up saying something like "I didn't know".
The statement of "it is not their fault" basically goes in theory with parents buying little 5-year-old Timmy the heaviest and largest engine-displaced 4-wheeler on the market without any training (because little Timmy would not look cool on something that was actually designed for his age group and size) while then allowing him to drive it up and down a gravel road 80 miles an hour jumping ditches in the process.
Then of course, once the four-wheeler now in direct correlation with gravity, speed and weight and felicitated stupidity takes its toll, little Timmy's mom and dad can now turn around and sue the 4-wheeler manufacturer after it flips and crushes little Timmy, leaving the blame squarely off of their shoulders, where it truly lies to begin with.
In short, if you don't know how to use something that can cause so much damage to others, then do not use it, or at least attempt to learn how to use it.
Education is the only true way to stop spam, viruses, trojans, etc...because it is the person that does not know, that allows the spread and continual breeding ground of viruses to happen in the first place, and until that is realized, many companies will be out there exploiting ignorance for profit and nothing will ever be safe regardless of what the uneducated use.
All I Have To Say Is Firefox Is The Best Browser Around Especially For Things Like Speed, Safety And Design. It Cuts Out The Crap On Webpages And IE Doesn't. It's Also More User Friendly And The Pages Load Quicker Than IE. IE Has More Bugs And Problems Than Firefox And Firefox Is On Version 1 And IE Is Like On Version 10... It's Stupid......
USE FIREFOX ITS MILES AND MILES AHEAD OF INTERNET EXPLORER