Firefox flaw raises phishing fears
A vulnerability in Firefox could expose users of the open-source browser to the risk of phishing scams, security experts have warned.
The flaw in Mozilla Firefox 1.0, details of which were published by security company Secunia on Tuesday, allows malicious hackers to spoof the URL in the download dialog box that pops up when a Firefox user tries to download an item from a Web site. This flaw is caused by the dialog box incorrectly displaying long sub-domains and paths, which can be exploited to conceal the actual source of the download.
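To make the display problem concrete, here is an added example (not code from the article or from Mozilla) contrasting a naive right-truncating renderer, which loses the real host of a long sub-domain chain, with a renderer that always keeps the right-hand end of the hostname visible. The dialog width and all URLs are constructed placeholders.

```javascript
// Added example, not from the article or Mozilla's Firefox code.
// Shows why truncating a long URL from the right can hide the host that a
// download really comes from, and a rendering that keeps that host visible.
const DIALOG_WIDTH = 40; // characters the dialog has room for (assumed)

// Naive rendering: keep the first N characters. For a long sub-domain chain
// the rightmost labels, which decide the real server, never make it on screen.
function renderNaive(urlString, width = DIALOG_WIDTH) {
  if (urlString.length <= width) return urlString;
  return urlString.slice(0, width - 3) + "...";
}

// Defensive rendering: always show the scheme and the hostname, spending any
// leftover room on the path. If the host alone is too long, elide its
// left-most labels so the part that identifies the server stays visible.
function renderSafe(urlString, width = DIALOG_WIDTH) {
  const u = new URL(urlString);
  const prefix = u.protocol + "//";
  let host = u.hostname;
  if (prefix.length + host.length > width) {
    const keep = width - prefix.length - 3;
    host = "..." + host.slice(host.length - keep);
  }
  const room = width - prefix.length - host.length;
  let path = u.pathname + u.search;
  if (path.length > room) {
    path = room > 3 ? path.slice(0, room - 3) + "..." : "";
  }
  return prefix + host + path;
}

// Does the rendered string still show the host the URL actually resolves to?
function showsTrueHost(urlString, width = DIALOG_WIDTH, render = renderSafe) {
  return render(urlString, width).includes(new URL(urlString).hostname.split(".").slice(-2).join("."));
}

// Constructed sample: a familiar-looking label followed by padding labels,
// with the real host "attacker.example" at the far right.
const LONG_URL = "http://downloads.example-bank.com." + "x.".repeat(20) + "attacker.example/update.exe";
const SHORT_URL = "http://example.com/file.zip";

console.log(renderNaive(LONG_URL)); // real host cut off
console.log(renderSafe(LONG_URL));  // real host kept
```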
Mikko Hypponen, director of antivirus research at software maker F-Secure, said this bug could make Firefox users vulnerable to cybercriminals. "The most likely way we could see this exploited would be in phishing scams," he said.
To fall victim to such a scam, a Firefox user would have to click on a link in an e-mail that pointed to a spoofed Web site and then download malicious software from the site, which would appear to be downloaded from a legitimate site.
This flaw was given a severity rating of two out of a possible five by Secunia.
David Emm, a senior technology consultant at antivirus company Kaspersky Labs, said it is unlikely that phishers will take advantage of this exploit in Firefox, because Microsoft's Internet Explorer still dominates the browser market.
"I think it's unlikely that we'll see hackers rush to exploit this vulnerability," Emm said. "After all, Firefox has a much, much smaller install base than IE, and it's likely that hackers will continue to pay more attention to (IE) instead."
This may change in the future as Firefox has attracted a lot of interest in the past few months. A survey at the end of November found that Mozilla-based browsers, including Firefox, accounted for 7.4 percent of browsers in November 2004, up 5 percent from May.
The download vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. No solution is available at present, but Mozilla developers are expected to fix this bug in an upcoming version of the product.
In other news:
Firefox: When is a flaw not a flaw?
The news that the Firefox browser contains a flaw that could help cybercriminals to carry out phishing attacks stirred up plenty of reaction and discussion among readers.
Security firm F-Secure warned on Wednesday that the vulnerability, which allows the URL in a Firefox download dialog box to be spoofed, could be exploited by online fraudsters.
Some ZDNet UK readers took issue with the experts, arguing that the flaw shouldn't be regarded as a security vulnerability, because a Firefox user would already have to have clicked on a phishing e-mail and been taken to a fake site to be at risk. "Where is the problem? I hardly think that a spoofed site would link you to a legit download area," commented Pete Molina, a PC and LAN administrator.
"As far as a 'security hole,' it should be more of a user vulnerability, as only a dumb person goes clicking links in e-mails from odd places," argued Killian, another reader. "Granted, it's nice to know, but come on. Most of these 'announcements' just give the phishermen a reason to try to exploit it."
Mozilla's Firefox browser is proving popular with surfers who want an alternative to Microsoft's Internet Explorer, which has been prone to many security problems. Some readers were adamant that Firefox is still a much safer product than IE.
"Firefox, without a doubt, is the best and most secure browser on the market today, and no matter what propaganda is spread throughout the Net regarding its security in a negative way, those who actually know will continue to use Firefox and wait until the patch is complete, not actually even thinking nor caring whether it is released or not while using it," wrote one Web developer.
Some members of the Firefox camp weren't happy about any criticism of their favourite browser. "Thanks but no thanks for the information. We still trust and love FireFox," said Abe, an engineer.
But other readers pointed out the importance of holding all software to the same standards. "Firefox is undoubtedly a better and more secure browser than IE, but any site that reports on flaws or possible flaws in IE--and gives Firefox coverage--should report on Firefox's flaws too," said Seb, an artist based in London. "Essentially, Firefox is better, but it's not perfect, and anyone who thinks or claims it, is as bad as anyone who gets taken in by Gates' marketing spiel."
A software developer from London wrote: "If this vulnerability had been identified in IE, the anti-Microsoft community would no doubt be quick to criticize the product as insecure. Users are smart enough to make up their own minds about which Web browser to use--and the more information that is available about all products on the market, including open source efforts, the better."
One reader even took issue with the claim that Firefox is inherently more secure than IE. "Firefox may offer some 'security through obscurity,' but once it gets to any sort of critical mass, then it will be targeted. Since the hackers have the source code, their lives will be that much easier, and when a patched version is released, it will be easy for them to see where the vulnerability is and target older versions," said one London-based IT worker.
Another reader suggested that Firefox may have an uphill task breaking IE's dominance. "Most users couldn't spell 'browser' without help. The only reason so many people use IE is because it is built into the operating system that was on the PC they bought," said Philbert, a computer and electronics specialist.