Is this the month of Firefox bugs?

It looks like Michal Zalewski is turning February into the MOFFB (month of Firefox bugs).

The Polish hacker's ongoing audit of the open-source browser's design has turned up another potentially serious vulnerability that could allow the theft of user credentials from commonly used startup pages.

Zalewski said the flaw exists in the way Mozilla's flagship browser handles bookmarks. In certain scenarios, an attacker can exploit the bug to steal authentication cookies. Since Google is the default startup page on Firefox, this could lead to the exposure of Gmail or Google AdSense authentication cookies.

"The problem: it is relatively easy to trick a casual user into bookmarking a window that does not point to any physical location, but rather, is an inline data: URL scheme. When such a link is later retrieved, Javascript code placed therein will execute in the context of a currently visited webpage. The destination page can then continue to load without the user noticing," Zalewski said in a note posted to the Full Disclosure mailing list.

Although the severity risk is low, Zalewski warned that social engineering tactics can be used to silently launch attacks against Google, MSN, AOL or credentials. "In an unlikely case, the victim is browsing local files or special URLs before following a poisoned bookmark, system compromise is possible," he added.

A step-by-step demo highlights the issue. Mozilla's security response team is working on a fix.
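
An added example, not from the article or from Zalewski's note: a defender-side audit that reads a bookmarks export and lists entries whose target is an inline data: URL rather than a location. It assumes the bookmarks are exported as HTML in the Netscape bookmark-file layout; the names url_scheme, BookmarkAuditor and audit_bookmarks are hypothetical, and the check also flags javascript: entries, which goes beyond the data: case described above.

```python
import re
from html.parser import HTMLParser

# Schemes that carry inline content or script instead of naming a location.
INLINE_SCHEMES = {"data", "javascript"}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
C0_AND_SPACE = "".join(map(chr, range(0x21)))

# Constructed sample in the Netscape bookmark-file layout (not real user data).
SAMPLE_EXPORT = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
  <DT><A HREF="https://www.example.com/news">Example news</A>
  <DT><A HREF=" DaTa:text/html,placeholder%20page">Weekly deals</A>
  <DT><A HREF="javascript:void(0)">Handy tool</A>
  <DT><A HREF="https://example.org/?ref=data:like-text">Harmless query</A>
</DL><p>
"""

def url_scheme(href):
    # Browsers ignore surrounding whitespace, embedded tab/CR/LF and letter case.
    cleaned = re.sub(r"[\t\r\n]", "", href.strip(C0_AND_SPACE))
    match = SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else ""

class BookmarkAuditor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []   # (title, scheme, first 40 chars of href)
        self._open = None    # [scheme, href, title] for the <A> being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            self._open = [url_scheme(href), href.strip(), ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[2] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            scheme, href, title = self._open
            if scheme in INLINE_SCHEMES:
                self.findings.append((title.strip(), scheme, href[:40]))
            self._open = None

def audit_bookmarks(html_text):
    auditor = BookmarkAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings
```

A javascript: hit is often a deliberately installed bookmarklet, so findings are entries to review, not verdicts.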

The latest warning comes at a very sensitive time for Mozilla. The company has already delayed the release of Firefox to fix the location.hostname vulnerability exposed by Zalewski last Thursday. (See demo, which requires JavaScript).

Mozilla security chief Window Snyder confirmed the next scheduled browser refresh will include a fix for that flaw, which could be exploited to make the browser appear as if it were connecting to a bank, when in fact it would instead be receiving data from an online criminal. "We have not heard of any reported exploits. However, we're working to address the issue as quickly as possible to minimize the window of risk," Snyder said.

Firefox is expected to ship on Thursday, February 22.

  • Gather 'round all ye nay-sayers and Firefox bashers

    No doubt all the MS-Fanboys and shill are looking forward to a month of Firefox exploits.

    As a Firefox user, so am I.

    Anything which exposes vulnerabilities in the browser so that the Firefox team can fix them and repair them is a good thing IMHO. At the end of the month Firefox will be on its way to even higher quality and that can only be good.
    • When you say FireFox team

      Don't forget to mention the financial backing from Google making it all possible. And the engineering Google has provided to get 2.0 created. The ad block thank you.
      If Google gets a big head (I know, what do I mean "if") Mozilla might end up renaming their crown jewel. Firefox G edition or G-Browser or something.
      couldn't resist cause I love the double standard. Microsoft IE has bugs, it's a bug ridden vulnerable POS. FF gets MORE bugs and the Linux zealots hail it as a time for Firefox to make it even more secure. Oh the irony, the double talk, the BS.
      (esp. now that IE on vista is in protected mode and far safer than FF, what subject will the Linux faithful turn to. I suppose they could seamlessly just move to a new smear tactic. Smear campaigns are the only way these religious zealots know since they can't simply roll out superior technology)
      • Yeah, well...

        The reason is, that FF actually fixes its bugs. M$ leaves half of their holes there for another 2 years. And not to mention even longer for non-security issues such as lack of compliance to standards. They just aren't quick to fix things. Whereas OSS projects tend to be fast to do so. As a case in point, we'll just wait and see how long before a patch is ready for this one. I'm betting within a week.
        • Yeah, well

          since IE7 on Vista doesn't yet have any security issues to date, I guess MS doesn't have to worry about a patch schedule. As for FF, well with its bug rate they'd have to patch weekly just to keep up!
          • since you brought up Linux

            Since Firefox in Linux doesn't have any security issues to date, I guess Linux users don't have to worry about a patch schedule. As for IE (or Windows), well, with its bug rate they'd have to patch daily just to keep up.

            See how easy it is to change a few words and make about as much sense?
          • Yes you can

            change words sometimes, but not when it changes reality, like in your silly example. FF would be nothing if it only ran on Linux, but since you word it that, it would be fine with me if they only did make it for Linux. Why do they ride on Winblows when they have the greatest OS ever to run on? Nobody is stopping them. Until that day, your change of words does not fit reality.
            therefore, IE is more secure than FF in reality. In other words, when it's actually in use.
          • Firefox runs on Windows because...

            ....people WANT it to run on Windows (not Winblows as you put it). Windows IS the most popular OS, Firefox runs on it. Your argument that it would be nowhere without Windows is a ridiculous one.

            That's like saying Office would be nowhere without Windows or Photoshop would be nowhere without Windows. Of course they'd be nowhere without Windows!!
          • Make up your mind please

            Is FF safe on linux or on Windows? I was the one that assumed it just ran on Windows and mentioned the bug rate. you then diverted from the truth and went on about how it's clean on Linux. what did that have to do with reality was my point, and thanks for making for me. Of course they run on Windows...agreed, so therefore FF, by choice running on Windows, is full of vulnerabilities.
            Long way to go for that wasn't it?
          • Wrong headed assumptions

            You should have said [i]"since IE7 on Vista doesn't yet have any [b]known[/b] security issues to date,"[/i]. For all you know there is a hundred undiscovered exploits in IE7.

            The truth is that you don't know an exploit is there until someone finds it.
          • wrong response

            I said "security issues". I didn't say the product has been proven to be 100% impenetrable.
            Issues as in, no reported bugs, patches etc etc. And let's face the facts. There are more people looking for MS bugs, trying hard to dig them up, than any other vendor out there. The ABM sentiment runs so high I would wager there are OSS organization devoted to finding and reporting flaws with MS products.
      • Oh the irony, the double talk, the BS. Place a diaper over your mouth .

        (esp. now that IE on vista is in protected mode and far safer than FF, what subject will the Linux faithful turn to. I suppose they could seamlessly just move to a new smear tactic. Smear campaigns are the only way these religious zealots know since they can't simply roll out superior technology)

        Replace everything in there with Microsoft and yourself and you will see you are the BIGGEST BSter around on these boards .
        • huh ?

          yourself and you ? Is that 2 people ? So your point is that linux faithful will be scared into using vista and thus will become the biggest 'BullSh*tter' on these boards. I'm thinking your point is clearer to you than anyone else.
      • speaking of zealots

        Is it just an NBM thing with you or a ABG(oogle) thing?

        What problem do you have with Google putting money into the Mozilla/Firefox project?

        Is it just that they have some money behind them and that's all the MS has, and maybe there'll be some competition with money?

        For some reason, it's OK, no... a good thing, that MS has money to buy themselves out of any problems, but it's not OK, nor a good thing, that an open source project receives financial backing.

        Once again, do you have any idea what open source or free software means? You seem to have some idea floating around in your head but it seems to be far from the truth.
        • I do know

          what the business model is, but I know what the zealots have been voicing (blathering) on here for years as well. Which is it? They do operate with MS like money or they don't?
          The millions per year from Google and yahoo, i might add, are just part of it. Google is as close to an internet monopoly as the world has and is obviously headed in that direction...the laws will get updated someday. Google is going after everything and have an army, a literal Army of Lawyers so they can try to break the laws of the world and then tie things up in court for years. They've proven they don't care about any law of any nation. Why would a Linux community align with something like that? There is no way you can say Google's hands are cleaner than Microsoft, except for the fact they are backing Mozilla......and there you have it. Double standards. That is WHAT i'm talking about.
          • Open Source does NOT mean no money involved!!

            Ubuntu Linux, my personal favourite, is controlled by Canonical, a COMPANY making money, owned by a billionaire.

            SuSE Linux is controlled by Novell, a company.

            RedHat Linux is owned by RedHat, a company.

            Each of these companies is trying to make a profit. That does not make the OS NOT open source.

            Mozilla Corporation owns Firefox. Mozilla Corporation is trying to make a profit.

            Google invested in Mozilla/Firefox, to assist Mozilla/Firefox in COMPETING with MS/Windows/IE. Do you have a problem with competition? Does anything attempting to compete with your beloved MS scare you?

            As for Google and lawyers and breaking laws and clean hands. Yes I CAN say that Google's hands are cleaner than MS's hands. Compared to MS, Google is squeaky clean.
          • A little bit off

            "Mozilla Corporation owns Firefox. Mozilla Corporation is trying to make a profit."

            You're wrong about that. Mozilla Corporation has no investors to pay dividends to, it's a wholly-owned subsidiary of the Mozilla Foundation - which is a non-profit entity. Their only reason for trying to make money is to cover the costs of developing and distributing their products. Hiring programmers, buying more bandwidth and servers, and building themselves a nice new headquarters - that's where the Google money has been going.
          • Thanks for that...

            I don't know the ins and outs of each company. I haven't really taken much notice. I don't really care.

            The point I was trying to make was that Open Source does not mean non-profit or no money involved.

            Thanks for clarifying that a bit. I hope xuniL-z sees it.
          • I saw it.

            and all I can say is wow. That is basically what I've been trying to say and you keep pushing off the Google thing and the non profit status as BS. So I'm glad YOU read that, to see how that works. I don't stand against Google Corp. giving Mozilla financial and technical assistance to be able to compete with MS. but in turn i do mind you complaining about MS using money and technological assistance (from themselves mostly) to compete. There is nobody with entirely clean hands in any business and MS is no worse than Mozilla, Google or anyone else.
            Matter of fact, did you get my other post? Moz (slang short for Mosaic) and "illa" (slang short for killer). That is where Netscape got the name Mozilla. " Mosaic Killer" and all linux zealots love to remind about how MS wiped out netscape. I guess what comes around goes around buddy?
            Stick to the topic and quit rambling off on ABM crap that helps nobody.
          • when you stop spouting NBM I'll stop...

            ...responding to your BS.

            You go round and round in circles, talking about Linux zealots, when this topic has nothing to do with Linux. This is about MOZILLA Firefox. Nothing to do with the OS...just the browser. When you can get your head around that I'll give you the next lesson.

            You have a huge problem with Firefox gaining funding from Google. Nobody has a problem with IE gaining funding from MS. It's not that MS uses money, it's how they gain that money. From predatory monopolistic business tactics. And THAT is the problem I have with MS.
          • You have to be joking.

            Do you know where the name "Mozilla" came from? If you do, you'll understand that the fall of netscape was a matter of what comes around goes around. Thankfully MS is using the older technology that Netscape crushed and named their product mascot after in a no holds barred fashion. Yet people like you only talk about how MS squashed poor old netscape. pathetic.
            Google has suppressed 1/3 of the world's population from seeing the truth on searches and linked them to false results. That is the biggest bit of filth a company could ever do. Show me one incidence where MS has committed a crime against humanity. Gates is putting more money into saving humanity than Google makes in 5 years.
            Squeaky clean...only through the eyes of a zealot.