Is this the month of Firefox bugs?


It looks like Michal Zalewski is turning February into the MOFFB (month of Firefox bugs).

The Polish hacker's ongoing audit of the open-source browser's design has turned up another potentially serious vulnerability that could allow the theft of user credentials from commonly used startup pages.

Zalewski said the flaw exists in the way Mozilla's flagship browser handles bookmarks. In certain scenarios, an attacker can exploit the bug to steal authentication cookies. Since Google is the default startup page on Firefox, this could lead to the exposure of Gmail or Google AdSense authentication cookies.

"The problem: it is relatively easy to trick a casual user into bookmarking a window that does not point to any physical location, but rather, is an inline data: URL scheme. When such a link is later retrieved, Javascript code placed therein will execute in the context of a currently visited webpage. The destination page can then continue to load without the user noticing," Zalewski said in a note posted to the Full Disclosure mailing list.

Although the severity risk is low, Zalewski warned that social engineering tactics can be used to silently launch attacks against Google, MSN, AOL or credentials. "In an unlikely case, the victim is browsing local files or special URLs before following a poisoned bookmark, system compromise is possible," he added.

A step-by-step demo highlights the issue. Mozilla's security response team is working on a fix.
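A defender-side check for the bookmark issue described above, as an added example that is not from Zalewski's advisory or from Mozilla: it scans a bookmarks export for entries whose target is an inline `data:` URL, and goes slightly beyond the article by also flagging `javascript:` bookmarks. The sample export, the function names and the scheme list are assumptions constructed for illustration.

```javascript
// Schemes that carry inline content or script instead of a network location.
const INLINE_SCHEMES = new Set(["data", "javascript"]);

// Constructed sample in the Netscape bookmark-file layout used for bookmarks.html.
const SAMPLE_EXPORT = `<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
  <DT><A HREF="https://www.google.com/" ADD_DATE="1171929600">Google</A>
  <DT><A HREF="data:text/html,constructed-placeholder" ADD_DATE="1171929601">Free webmail</A>
  <DT><A HREF="  JaVaScRiPt:void(0)">Handy tool</A>
  <DT><A HREF="/data:notes.html">Relative path, not a scheme</A>
</DL><p>`;

// Return the lower-cased scheme of a URL string, or null if it has none.
// Browsers drop surrounding whitespace and embedded tab/newline characters
// before parsing a URL, so normalise the same way before matching.
function schemeOf(href) {
  const cleaned = href.replace(/[\t\n\r]/g, "").trim();
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Turn a numeric character reference into its character (empty if out of range).
const fromCode = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");

// Decode the entities that can hide a scheme inside an HTML attribute value.
function decodeAttr(value) {
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/&colon;/gi, ":")
    .replace(/&amp;/gi, "&");
}

// Scan exported bookmarks and report entries whose target is inline content.
function findInlineBookmarks(html) {
  const findings = [];
  const anchor = /<A\s[^>]*?HREF\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/A>/gi;
  for (const [, rawHref, title] of html.matchAll(anchor)) {
    const scheme = schemeOf(decodeAttr(rawHref));
    if (scheme && INLINE_SCHEMES.has(scheme)) {
      findings.push({ title: title.trim(), scheme });
    }
  }
  return findings;
}
```

Calling `findInlineBookmarks(SAMPLE_EXPORT)` reports the two constructed inline entries and skips the ordinary link and the relative path.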

The latest warning comes at a very sensitive time for Mozilla. The company has already delayed the release of Firefox 2.0.0.2 to fix the location.hostname vulnerability exposed by Zalewski last Thursday. (See demo, which requires JavaScript).

Mozilla security chief Window Snyder confirmed the next scheduled browser refresh will include a fix for that flaw, which could be exploited to make the browser appear as if it were connecting to a bank, when in fact it would instead be receiving data from an online criminal. "We have not heard of any reported exploits. However, we're working to address the issue as quickly as possible to minimize the window of risk," Snyder said.

Firefox 2.0.0.2 is expected to ship on Thursday, February 22.


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
