Comments on: Oops! This Firefox security exploit is a doozy

By: Joe. N.

Joe. N. — Wed, 03 May 2006 09:00:43 +0000

Firefox has a new version available for download. According to this site, Firefox users should upgrade to version 1.5.0.3

A recent Mozilla Security Bulletin explains that a possible exploit exists in Firefox version 1.5.0.2 that can cause browser crashes and run malicious code.

To obtain the latest version of Firefox visit:
http://www.mozilla.com/firefox/

[Edited to make links clickable - EB]

By: Rob

Rob — Wed, 31 Dec 1969 17:00:00 +0000

Did I miss something? When did Safari and Opera get to be Mozilla-based?!

Last I checked, Safari was KHTML-based (like Konqueror) and Opera was, well Opera-based.

By: Rob

Rob — Wed, 31 Dec 1969 17:00:00 +0000

“you�re vulnerable if you use most Mozilla-based browsers, including Firefox 1.0, or Safari 1.2.5 or Opera 7.54″

Or perhaps I just mis-parsed that sentence. It IS a bit ambiguous, now that I look closer.

Perhaps something like this would work better:
“most Mozilla-based browsers (including Firefox), as well as Safari and Opera”

By: Ed Bott

Ed Bott — Wed, 31 Dec 1969 17:00:00 +0000

I did not say that Safari or Opera are Mozilla based. The original item read:

“Mozilla-based browsers, including Firefox 1.0, or Safari 1.2.5 or Opera 7.54.”

The list of Mozilla-based browsers includes a number of products, but the best known one is Firefox. This vulnerability affects ALL Mozilla-based browsers AND Safari AND Opera.

Sorry you were confused, and thanks for pointing out the possible ambiguity. I’ve edited the sentence to help other readers avoid making the same mistake.

By: Wes

Wes — Wed, 31 Dec 1969 17:00:00 +0000

Looking at the responses, it makes me not want to use Opera:
http://www.shmoo.com/idn/homograph.txt
Vendor Response:
Verisign: No response yet.
Apple: No response yet.
Opera: They believe they have correctly implemented IDN, and will not be
making any changes.
Mozilla: Working on finding a good long-term solution; provided clear
workaround for disabling IDN. (That workaround for the technically minded is at the URL above)

By: Jared

Jared — Wed, 31 Dec 1969 17:00:00 +0000

So, where’s the media coverage on this security vulnerability? Interesting that anytime IE has a major problem the media has to give it full attention and drag MS down for it.

By: Wes

Wes — Wed, 31 Dec 1969 17:00:00 +0000

Where’s the coverage? Right here

As described in the article, it seems to be more of a security flaw in the structure of the new international domain name system itself.

Quote:The advisory demonstrates the attack using the domain for PayPal, but using an alternate Unicode character for the first “a.” That gives an address that looks like “http://www.p�ypal.com,” but with a smaller “a.”

By: Juha-Matti

Juha-Matti — Wed, 31 Dec 1969 17:00:00 +0000

And this was published very soon after security advisories were available from Secunia, X-Force, K-OTiK Security etc. yesterday: http://www.theregister.co.uk/2005/02/07/browsers_idn_spoofing/

By: Wes

Wes — Wed, 31 Dec 1969 17:00:00 +0000

I’d still like to note that the flaw is less with the browser than with the domain system. The only reason IE is unaffected is because it doesn’t understand internationalized domains. This is like someone registering the name paypal.com (but with one or both a’s having an umulat on top) and calling it a browser security exploit.

I think the fix in this case is obvious… Paypal goes to ICANN and ask that the domains with the look-alike letters be taken down.

By: Ed Bott

Ed Bott — Wed, 31 Dec 1969 17:00:00 +0000

I’m really not sure I understand the distinction, Wes. The IDN is designed to provide a way for browsers to *recognize* names that contain characters from alternate character sets. If the domain name contains an accented letter A from another character set, it shouldn’t be recognized as a regular unaccented A from the Latin character set. That’s the bug in Firefox, and the fact that they’ve already checked in a fix for it suggests that they agree the problem is theirs.

As for ICANN… Phishers are hit-and-run artists. They do their work with domains they know are going to expire within 48 hours. PayPal is reporting them to legal authorities and getting the sites taken down as fast as they can. Do you think ICANN would get to them any faster?

By: franCk

franCk — Wed, 31 Dec 1969 17:00:00 +0000

Well, ICANN allowing the domain registration *is* the problem here – they don’t do their job properly.
Otherwise what is the purpose of domain registration? Why do we need an authority if it’s not to ‘protect’ users? If they don’t do any screening of domain, then we don’t need them at all and they should disappear – at least the situation will be clearer and the ball will be clearly set in the browser hand (and Opera would probably do something about it .
Thus, I think this phishing shows that ICANN should die, they are useless.

In the other hand why IE won’t claim loud that they have no problem with it, is just because it will be too easy to remark that the phishing does not work with IE because they don’t support IDN at all… a very bad publicity in the ever growing international world (remember than the English web is now less than half the web:-)

By: Guy MS

Guy MS — Wed, 31 Dec 1969 17:00:00 +0000

Maybe the people at MS have the ability to think ahead and thus have not implemented the IDN for a reason they foresaw.. duh. Oh yeah- they also have companies running mission critical software, not just geeks in their parents basements (myself included! HAHA). Anyway- everyone thinks firefox is the greatest thing now- funny no one mentions Netscape..