Spoofing Flaw Resurfaces in Mozilla Browsers
GregThePaladin writes "A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned. The flaw, which also affects some other Mozilla Foundation programs, lies in the way the software handles frames. The applications don't check whether the frames displayed in a single window all originate from the same Web site." Commentary on this at whitedust as well.
Avoid using Windex on flat screens. It may damage the anti-glare coating. If possible, use only a damp cloth to wipe away any tape residue.
Try out fish, the friendly interactive shell.
I tried it in tabs, spoof does not work across tabs; just separate windows.
There's no emoticon for what I'm feeling! -- CBG, "The Computer Wore Menace Shoes"
It appears that if you have the Tabbrowser Preferences extension installed, then this exploit doesn't work.
perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
Did you even read the article?
NOTE: Exploitation can easily be made "automatic". However, since this example only serves as a test to give users an understanding of how it works, we have chosen not to do so.
Regardless, I don't consider this to be too big of a deal. The exploit can be used for a phishing attack, when a trusted site is using frames. A nontrusted site then replaces one of the inner pages with a fake lookalike, but the user can't tell, because the address isn't shown in the address bar.
Banks using frames for the trusted portion of their sites is extremely bad design, and I don't know of any that does that anyways.
The bug in IE was reported almost a year ago, and it is still unpatched.
The bug was reported in all major browsers (Mozilla and Firefox, Opera, Safari, Konqueror, IE), and was patched in all of them except IE. It has now reappeared in Mozilla.
IE has the same flaw also, so parent should not be moderated as funny, but as informative.
http://secunia.com/advisories/11966/
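The check the summary describes as missing, sketched as an added example (not code from Mozilla, Secunia, or any poster in this thread): a request to load content into a named frame is allowed only when the requester shares an origin with that frame or one of its ancestors, and a window can be audited for frames that do not match the address-bar origin. The frame-tree shape, function names and `.example` URLs are constructed, and the policy is a simplified model, not any browser's actual implementation.

```javascript
// Simplified model of a frame-navigation origin check (assumed policy, constructed data).

// Origin = scheme + host + port, as the URL parser computes it.
function originOf(url) {
  return new URL(url).origin;
}

// Depth-first search for a named frame; also returns the chain of ancestors above it.
function findFrame(node, name, ancestors = []) {
  if (node.name === name) return { frame: node, ancestors };
  for (const child of node.frames || []) {
    const hit = findFrame(child, name, [...ancestors, node]);
    if (hit) return hit;
  }
  return null;
}

// Allow the navigation only if the requesting document is same-origin with the
// target frame or with one of the documents that contain it.
function mayNavigate(requesterUrl, topWindow, frameName) {
  const hit = findFrame(topWindow, frameName);
  if (!hit) return false; // unknown frame: deny
  const requester = originOf(requesterUrl);
  return [hit.frame, ...hit.ancestors].some((f) => originOf(f.url) === requester);
}

// Audit: names of frames whose origin differs from the top-level document,
// i.e. content the address bar does not vouch for.
function foreignFrames(topWindow) {
  const top = originOf(topWindow.url);
  const found = [];
  (function walk(node) {
    for (const child of node.frames || []) {
      if (originOf(child.url) !== top) found.push(child.name);
      walk(child);
    }
  })(topWindow);
  return found;
}

// Constructed sample: a framed site in one window.
const trustedWindow = {
  name: "_top",
  url: "https://bank.example/",
  frames: [
    { name: "menu", url: "https://bank.example/menu.html" },
    { name: "content", url: "https://bank.example/login.html" },
  ],
};
```

With this model, a page on another origin asking to fill the `content` frame is refused, while the site's own `menu` frame may still do so.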