Tuesday, June 07, 2005

Mozilla/Firefox Security Flaws

Secunia - Advisories - Mozilla / Mozilla Firefox Frame Injection Vulnerability

Another security hole has been found in Mozilla-based browsers. Although it is not as serious as the bug that led to the 1.0.4 update, if a user clicks on a link on a specially-crafted website, that website can open a popup window that loads the target website (e.g. an online banking site) while inserting its own code into a frame on the target site. This means that it would be (in theory) possible to load an online banking site but replace the part that asks the user for their account details with code from another site. Users would then be entering their details into this other site rather than their bank's. The address bar would still give the bank's address and show the padlock symbol.
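The mismatch between address bar and frame content described above can be reproduced in a small model, added here as an illustration (it is not code from Mozilla, Secunia or this blog). The frame objects, function names and the `bank.example` / `other.example` origins are constructed, and the restricted check is a simplified ancestor-based navigation rule, not the actual Mozilla patch.

```javascript
// Simplified model of a browser's frame-navigation check (illustrative only).
// A frame is { name, origin, parent }; the top frame's origin is what the
// address bar and padlock reflect.
function makeFrame(name, origin, parent = null) {
  return { name, origin, parent };
}

// Permissive behaviour: any page that knows a frame's name may navigate it.
// This is the condition that makes frame injection possible.
function mayNavigatePermissive(initiatorOrigin, target) {
  return true;
}

// Restricted behaviour (assumed rule): allow navigation only if the initiator
// shares an origin with the target frame or with a frame that contains it.
function mayNavigateRestricted(initiatorOrigin, target) {
  for (let f = target; f !== null; f = f.parent) {
    if (f.origin === initiatorOrigin) return true;
  }
  return false;
}

// Apply a navigation request under the given policy; returns true if allowed.
function navigate(policy, initiatorOrigin, target, url) {
  if (!policy(initiatorOrigin, target)) return false;
  target.origin = new URL(url).origin;
  return true;
}

// Constructed scenario: a bank page with a named "login" frame, and a
// different site asking the browser to load its own page into that frame.
function demo(policy) {
  const top = makeFrame("_top", "https://bank.example");
  const login = makeFrame("login", "https://bank.example", top);
  const injected = navigate(policy, "https://other.example", login,
                            "https://other.example/form");
  return { addressBar: top.origin, loginFrame: login.origin, injected };
}

console.log("permissive:", demo(mayNavigatePermissive));
console.log("restricted:", demo(mayNavigateRestricted));
```

Under the permissive policy the address bar still reports the bank while the login frame belongs to the other origin; under the restricted policy the request is refused and the frame stays with the bank.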

This flaw, when originally discovered (7 years ago!), existed in nearly all browsers, including Internet Explorer. Although they were all fixed at the time, recent modifications to Mozilla's code seem to have reopened the loophole.

In my opinion, after the initial report, the code should have been rewritten in a way that would prevent this sort of thing happening again.

To see it in action, follow the link to Secunia's site for a demonstration.

Lots of people are being very negative about this new flaw, although to be fair, most of the IE code is way out of date, and IE 7 will not be available to non-XP users. I will discuss IE7 in a future post.
