Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Quickies

Posted by kdawson on from the three-twisty-little-items-all-different dept.

First, Gypsy2012 writes with a highly critical security flaw involving both Firefox 2.0 and Internet Explorer, which could allow a malicious attacker to gain remote control of a user's system. It exploits the "firefoxurl://" URI handler. ... Next, reader dsinc sends word that the beta for Firefox 3 has slipped by 6 weeks. The new target date is September 18 at the earliest. The article wonders whether the final release will slip into 2008. ... Finally, reader jktowns points out new anti-phishing features in the latest nightly build of Firefox 3. One of them was added into the code base by the guy who developed the LocationBar2 extension.

4 of 245 comments (clear)

  1. Re:What OS by suv4x4 · · Score: 3, Interesting

    But they never say what System it affects. Granted for IE it's pretty simple

    Is it. Most exploits that would work on XP wouldn't work on Vista in protected mode.

  2. Firefox's Fault? by DavidD_CA · · Score: 3, Interesting
    Here's the meat of the article:

    Meanwhile, Kristensen of Secunia said: "A new URI handler was registered on Windows systems to allow Web sites to force launching Firefox if the 'firefoxurl://' URI was called, like ftp:// http:/// or similar would call other applications."

    But because of the way the URI handler was registered by Firefox, it causes any parameter--which activates a program to perform a particular task--to be passed from Microsoft's Internet Explorer, or another application, to Firefox, when firefoxurl:// is activated.

    An attacker may use "chrome" context--the interface elements of a browser that create the frame around its page displays--to inject code on a user's system that would be executed within Firefox, Kristensen said.


    I interpret that as saying that the Firefox installer messed with Windows and Internet Explorer, opening a hole. Is Window/IE really to blame when another application adds "features" that end up being holes?

    If Windows/IE were to filter what can and cannot happen through URI handlers, I could see developers crying foul for preventing access and locking out competition.

    Further, is the onus now on Microsoft to fix a hole created by Firefox? And once they fix it, and legit things break because of it, who's fault will that be?
    --
    -David
  3. Highlighting phishing sites is nice, but weak by Animats · · Score: 4, Interesting

    Just highlighting domains of phishing sites isn't going to be enough. Here's today's list of domains that "sort of look like Paypal". These are after subdomain truncation.
    "paypal-checker.com"
    "paypal-contact.net"
    "paypal-customize.com"
    "paypal-erreur2.com"
    "paypal-security.com"
    "paypal-web-dll-scrnupdateaccount.ici.st"
    "paypal-web-scrn-dll-pl-dai-pl-webscrndllfs-wertyu i.ork.pl"
    "paypal.powered.at"
    "paypal.q.fm"
    "paypalaccverify.com"
    "paypalcomcgibinwebscrcmd.by.ru"
    "paypalcomcgibinwebscrcmm.by.ru"
    "paypalcomcgibinwebscre.by.ru"
    "paypalconstomers.com"
    "paypalct.com"
    "paypall.ro"
    "paypalmd.com"
    "paypalobjects.us"
    "paypalsecuritycenter.org"
    "paypalverification.org"
    "paypel-acc-5.com"
    "paypilpal.com"
    "paypll-wscr.com"
    "paypluspl.com"

    These are from PhishTank, which blacklists at the URL level based on manual reports. For SiteTruth", we're in the process of converting to blacklisting phishing sites by the entire base domain. That's because we now see hundreds of entries like "session-624333.nationalcity.com.userpro.tw", which has to be treated as a bad indicator for all of "userpro.tw".

    There's collateral damage. There are days when "tinyurl.com" and "notlong.com" get blacklisted, because phishing sites use them. MSN gets complaints about this. Today, anybody running something like "tinyurl" needs to continually check the phishing databases for attempts to abuse their service, or their own reputation is toast.

  4. Whats the fuss about? by cybergen007 · · Score: 3, Interesting

    I do not get waht the fuss is all about. If firefox is started from IE that has to ring a bell. Second I get a warning from Firefox that it wants to start an external application and I can click no and nothing happens. I have never before seen that question from firefox so I have run into a website that uses this vulnerability. Beside this happens when you are surfing using IE. If you surf using IE then you are asking for problems in the first place.