Monday blues: Firefox phishing flaw; Microsoft's anti-phishing patent

Summary: Mozilla's Firefox browser suffers from a design flaw that puts casual surfers at risk of phishing attacks; Microsoft applies for a patent covering the discovery and notification of browser-based phishing attempts.

TOPICS: Security, Browser, Legal
It's been a tough week for Firefox on the security front.

Just days after unpatched cookie manipulation and data hijack bugs were flagged in the open-source browser, a security researcher is warning that Firefox suffers from a design flaw that puts casual surfers at risk of phishing attacks.

Here are three demos of the vulnerability, which was publicly disclosed by Polish hacker Michal Zalewski. The weakness is confirmed in Firefox 2.0.0.1.

In the tests, Zalewski shows how it is possible for a script to open an 'about:blank' URL in a new tab with a blank address bar. The script can then interact with this document as if it were a page in the same domain, including the ability to inject custom HTML.

"Having text displayed in a window that has an empty URL bar can confuse the user as to the origin of the displayed data or security prompts, as if they were internal browser messages; an empty address bar is considerably less suspicious than a shady host name or a panic-inducing data: URL scheme," Zalewski explained in a note posted to BugTraq.

The attack scenario only works when the browser is configured to open new windows in tabs.

Mozilla's security response folks are already discussing possible fixes.

* * * * * 

Meanwhile, Microsoft has filed a patent application for technology to handle the detection, prevention and notification of browser-based phishing attacks.

Redmond's filing (see document here) explains the invention:

In an embodiment, a messaging application facilitates communication via a messaging user interface, and receives a communication, such as an email message, from a domain. A phishing detection module detects a phishing attack in the communication by determining that the domain is similar to a known phishing domain, or by detecting suspicious network properties of the domain. In another embodiment, a Web browsing application receives content, such as data for a Web page, from a network-based resource, such as a Web site or domain. The Web browsing application initiates a display of the content, and a phishing detection module detects a phishing attack in the content by determining that a domain of the network-based resource is similar to a known phishing domain, or that an address of the network-based resource from which the content is received has suspicious network properties.

Techdirt is not impressed:

If they truly came up with an innovative way to stop phishing attacks, that would be interesting. Instead, it appears that the patent is for looking at the URLs found in an email or visited by a website, comparing them to a known list of phishing sites -- and then alerting you that the link might be fraudulent. In other words, it's the most obvious anti-phishing system around (and one that's proven to not be all that effective). If someone were to describe to you the problem of phishing, and ask you how to stop it, this would be nearly everyone's first attempt. It's hard to see how something so obvious deserves patent protection -- but the way our system works these days, the whole "non-obvious" requirement has been pretty much tossed out.

NOTE: This is simply an application for a patent that has not (yet?) been granted.
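To make concrete what the patent abstract describes, and what Techdirt paraphrases as "comparing them to a known list of phishing sites", here is a small detection module written as an added example for this page; it is not Microsoft's code and not taken from the filing. It flags a link when its domain is "similar to a known phishing domain" (here: an exact blocklist hit, a match after folding common lookalike characters, or an edit distance of one from a blocklisted or protected domain) or when the address has a "suspicious network property" (the filing does not enumerate these, so the two used here, a bare IP address as host and userinfo placed before the host, are illustrative assumptions). The blocklist, brand list, and email message are all constructed sample data.

```python
"""Toy phishing-link detector in the spirit of the quoted patent abstract.

Added example, not Microsoft's code. Lists and the sample email are constructed;
the "suspicious network properties" chosen here are assumptions.
"""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed feeds: previously reported phishing domains and the legitimate
# domains they imitate. A real module would load these from a blocklist feed.
KNOWN_PHISHING_DOMAINS = {"paypa1.example", "secure-login-bank.example"}
PROTECTED_BRANDS = {"paypal.example", "bank.example"}

# Characters commonly swapped for lookalikes in phishing domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, standard dynamic-programming formulation."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Lower-cased host of a URL, without any trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registered_domain(host: str) -> str:
    """Keep the last two labels (toy public-suffix handling; an assumption)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def similar_to_known(domain: str) -> Optional[str]:
    """Return the blocklisted or protected domain this one resembles, or None."""
    if domain in PROTECTED_BRANDS:
        return None          # exact match with a legitimate brand is fine
    if domain in KNOWN_PHISHING_DOMAINS:
        return domain        # exact blocklist hit
    folded = domain.translate(CONFUSABLES)
    for ref in sorted(KNOWN_PHISHING_DOMAINS | PROTECTED_BRANDS):
        if folded == ref or edit_distance(domain, ref) <= 1:
            return ref
    return None


def suspicious_network_properties(url: str) -> list:
    """Illustrative address-level signals (assumed, not from the filing)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass
    if parts.username is not None:
        findings.append("URL carries userinfo before the host")
    return findings


def assess(url: str) -> dict:
    """Run both checks from the abstract against one URL."""
    host = host_of(url)
    return {
        "host": host,
        "similar_to": similar_to_known(registered_domain(host)),
        "network_flags": suspicious_network_properties(url),
    }


def is_phishing(url: str) -> bool:
    a = assess(url)
    return a["similar_to"] is not None or bool(a["network_flags"])


def scan_message(text: str) -> list:
    """Return (url, assessment) for every link the detector would alert on."""
    alerts = []
    for url in LINK_RE.findall(text):
        url = url.rstrip(".,;")           # drop sentence punctuation
        a = assess(url)
        if a["similar_to"] is not None or a["network_flags"]:
            alerts.append((url, a))
    return alerts


# Constructed sample email: two bad links and one legitimate one.
SAMPLE_EMAIL = """\
From: billing@paypa1.example
Subject: Verify your account
Please confirm at http://paypa1.example/verify or http://203.0.113.7/login.
Our real site remains https://www.paypal.example/ as always."""

if __name__ == "__main__":
    for url, a in scan_message(SAMPLE_EMAIL):
        print(url, "->", a)
```

Running the script prints alerts for the lookalike domain and for the bare-IP link while leaving the genuine brand URL alone. Techdirt's point about effectiveness shows up directly in the code: every signal here depends on either an up-to-date blocklist or a heuristic an attacker can sidestep by registering a domain that is neither listed nor within one edit of a protected name, which is why such a module is a layer, not a solution.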



Talkback

3 comments
  • Apple wins the dumb patent award

    http://blogs.zdnet.com/Apple/?p=347
    "The patent goes on to discuss the potential of a dedicated power button on the iPod which would be a first for the product line."

    I don't think anything could possibly be more obvious than that!!
    NonZealot
    • And...

      I guess you get the prize for the least obvious tangential response to the article that a first poster could come up with.
      zkiwi
  • Patents should not be issued for software

    I can see patents for software that drives or controls physical devices, but patenting ideas about how software might work is harmful to the software industry in the United States. Microsoft has stated that they have a goal of filing 1000 new software patents per year - within a couple of years just about any idea that you can come up with will have already been vaguely patented by MS, IBM or Sun. The US is on its way to becoming a fully patented technological backwater.
    WiredGuy