A vulnerability in Mozilla’s open-source Firefox browser could be exploited, security experts have warned. Despite the hoopla about the superior security of Firefox, Secunia Research reported that the browser could be used by malicious people, know as phishers, to spoof the source URL displayed in the browser’s “Download Dialog” box.
“The problem is that long sub-domains and paths aren’t displayed correctly, which therefore can be exploited to obfuscate what is being displayed in the source field of the Download Dialog box,” said the Secunia advisory.
Secunia rated the flaw “less critical” and has confirmed the vulnerability in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. It added that “other versions may also be affected.”
“Currently, no solution is available. However, the vendor reports that this vulnerability will be fixed in upcoming versions of the affected products,” Secunia stated in its advisory. The company urged users not to follow download links from untrusted sources.
Mozilla officials could not immediately be reached for comment. However, mozillaZine, the Web log that allows its members to post their thoughts and reactions to the company products and news, offers some insight into this hot debate over browser security.
A blogger that calls himself “mlefevre” writes, “Actually there are probably a bunch of security issues that are due to be disclosed, now that Mozilla 1.7.5 and the aviary 1.0s are out.”
Meanwhile, “Charles” posted a response to the clamor earlier this morning, writing, “There are always going to be security issues, with all browsers, specifically with Gecko-based browsers, and increasingly so as they become more popular.”
Response Time Critical
Jupiter Research analyst Joe Wilcox agreed with the bloggers that security problems with any browser are no surprise. But he told LinuxInsider that the real test is responsiveness.
“Microsoft’s argument is that a commercial developer that has sole access to the source code can respond quicker to flaws than open source counterparts,” Wilcox said. “The open source community argues that the “all-eyes” approach diminishes the number of exploits and makes responsiveness quicker than commercial vendors. Who can really respond to flaws the quickest? That’s the real question.”
Wilcox sees no irony in the fact that Firefox has been touted by many as a more secure alternative to Internet Explorer. Secunia released an advisory about multiple “extremely critical” vulnerabilities in Microsoft’s IE 6 earlier today. Those “extremely critical” flaws compare to Secunia’s “less critical” rating of the Mozilla flaws. Again, Wilcox said, security flaws will happen. The test is who can respond the fastest.
Chink in Firefox Armor
Microsoft aside, could this be the end of the beginning for Firefox? Wilcox doesn’t think so, but he said it could be a good opportunity for Microsoft to get a little pay back for the finger pointing that Mozilla has done about the software giant’s security flaws.
“Finger-pointing can be a very effective marketing tool in high-tech,” Wilcox said. “Mozilla has used the tactic against Microsoft and it has proved to be very effective. There’s no reason why Microsoft shouldn’t turn that around here. That could impact Firefox because people have to make a conscious decision to switch browsers and this news could cause them to wait or decide not to migrate.”
Let us first try something like SPOOFSTICK for knowing exactly where you are; it is available for both Microsoft and Mozilla browsers.
Next let’s try common sense? Don’t download without knowing exactly what you are downloading and why! Firefox won’t let you auto open an executable file, Internet Explorer will. I like how Firefox approaches the download of an executable, it saves the file, and then you can run a real virus scan on it. Internet Explorer, unless you have download scan on your third party virus software enabled, you are out of luck when you press Open.
Is this a security problem? Not really. It’s more of an uneducated user population problem. Luckily Firefox has a user base that educates each other.
Nice try at instilling fear and panic. Just because I see a seven line URL in Internet Explorer and not in Firefox doesn’t mean I’m going to make a switch. If I can’t determine the source of what I AM downloading is legitimate, then chances are it’s not, and I won’t download it.
Common sense defeats this so called "Security Problem."
I AM still AM azed at the number of people who still don’t get it. Microsoft lackeys who still like the idea of their Internet browser being in bed with their OS. They dont get it – they fail to grasp the concept.
Every time Firefox has a new bug found, they predict and suggest the end for the new browser. The media uses its might to turn users off from the product. Why? Because Microsoft buys full page ads in their magazines and banner ads on their sites. No Microsoft means lots of ad revenue lost for the media.
Since we are keeping score now between FireFox and IE, let us count up all the security problems Internet Explorer has had. The number is certainly in the hundreds by now. And that is only counting the ones that Microsoft acknowledges. There are 100s of undiscovered flaws in that worthless code and 100s more that are known about but Microsoft refuses to acknowledge. At least Firefox fixes its products and admits to its mistakes.
There is no comparison to be made between IE and FireFox. FireFox is so far ahead of Microsoft it isnt even funny. All that and they dont even charge for the software. Isnt open source a great thing?