Bugs for Firefox, something old and something new

Subject: General Tech | February 8, 2007 - 09:28 AM |

CNET reports on two vulnerabilities found in Firefox. The first is present in Firefox version 1.5.0.9 but fixed by 2.0; it uses a combination of the built-in pop-up blocker and XMLHttpRequest to relay information about the system to a remote server. You can find the full description of the flaw by following the link to SecuriTeam on CNET.

The second flaw is a vulnerability in the phishing filter. If a second "/" is added after the domain, the phishing filter will not catch the URL, so www.pcper.com/evil would be caught and www.pcper.com//evil would not. I would suggest getting Spoofstick and upping the maxVersion value to be compatible with Firefox 2.

If you are unsure how to ... download the Firefox version of Spoofstick with Internet Explorer so you get an .XPI file. Open that .XPI file with your favorite compression software. View the install.rdf with Notepad and look for the "<em:maxVersion>1.6a2</em:maxVersion>" line. Bump the value up to 2.0.0.1 or 3.0 or whatever version takes your fancy, as long as it is at least as high as your version of Firefox. Close the file archive, saving changes and updating the archive.

Now you are running Spoofstick again.  Although this method will work with every extension, I can't guarantee it won't break them or Firefox ... except this one, as I have been using it for months with no issue.
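
An added illustration of the double-slash bypass described above, not code from Firefox or from the original post: a blocklist lookup that compares the URL exactly as typed misses www.pcper.com//evil, while one that canonicalizes the path first catches it. The blocklist contents and function names are assumptions made for the example; how Firefox's filter actually matched URLs is not stated in the post.

```javascript
// Constructed blocklist holding the post's own example URL.
const BLOCKLIST = new Set(["www.pcper.com/evil"]);
const SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;

// Naive lookup (assumed failure mode): strips the scheme and compares
// host + path byte for byte, so any alternate spelling slips through.
function naiveIsBlocked(url) {
  return BLOCKLIST.has(url.replace(SCHEME, ""));
}

// Reduce a URL to one canonical "host/path" key before the lookup.
function canonicalKey(url) {
  const u = new URL(SCHEME.test(url) ? url : "http://" + url);
  // The URL parser lowercases the host and resolves "." and ".."
  // segments, but it keeps runs of "/" in the path, so collapse them.
  const path = u.pathname.replace(/\/{2,}/g, "/");
  return u.hostname + path; // query and fragment are ignored here
}

function hardenedIsBlocked(url) {
  return BLOCKLIST.has(canonicalKey(url));
}

// Constructed sample inputs.
const SAMPLES = [
  "www.pcper.com/evil",
  "www.pcper.com//evil",
  "http://WWW.PCPER.COM///evil",
  "www.pcper.com/news",
];

function checkSamples() {
  return SAMPLES.map((url) => ({
    url,
    naive: naiveIsBlocked(url),
    hardened: hardenedIsBlocked(url),
  }));
}

console.table(checkSamples());
```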

"A security company has reported two new flaws in the Mozilla Firefox browser that may leave locally saved files vulnerable to

outside attacks.

Both flaws were announced by SecuriTeam, a division of Beyond Security, this week. The first flaw lies in Firefox's pop-up

blocker feature, according to a SecuriTeam statement on Monday. The browser typically does not allow Web sites to access files

that are stored locally, according to the official report, but this URL permission check is superseded when a Firefox user has

turned off pop-up windows manually. As a result, an attacker could use this flaw to steal locally stored files and personal

information that might be stored in them."
