Language Selection

English French German Italian Portuguese Spanish

Spoofing flaw resurfaces in Mozilla browsers

Filed under
Security

A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned.

The flaw, which also affects some other Mozilla Foundation programs, lies in the way the software handles frames, which are a way of showing Web content in separate parts of the browser window. The applications don't check whether the frames displayed in a single window all originate from the same Web site, Secunia said in an advisory on Monday. Firefox 1.x, Mozilla 1.7.x and Camino 0.x versions are vulnerable to the flaw, the security monitoring company said.

As a result, an attacker could insert content into a frame on a trusted Web site, Secunia said. Account holders who believe they are interacting with a frame belonging to an online bank could be tricked into giving up personal information or downloading malicious code, for example. Secunia rated the issue "moderately critical."

The same "frame injection" vulnerability in Mozilla's browsers was detailed by Secunia in July of last year. At the time, it did not affect the most recent versions of the applications.

For a spoofing attempt to work, a surfer would need to have both the attacker's Web site and a trusted Web site open in different windows. A click on a link on the malicious site would then display the attacker's content in a frame on the trusted Web site, Secunia said. The company advised people not to visit trusted and untrusted Web sites at the same time.

The Mozilla Foundation is investigating the Secunia report, a representative for the organization said.

The vulnerability has not been exploited, a moderator of a support forum on the Mozilla Web site wrote Monday, in response to the Secunia alert.

For protection, the moderator advises people to close all other windows and tabs before accessing a Web site such as a bank or online store that requires them to type in personal data.

With its initial release last fall, Firefox has demonstrated that the mature Web browser market dominated by Microsoft's Internet Explorer can be shaken up. IE has begun to see its market share dip slightly--a first in a number of years.

Source.

Secunia Advisory.

More in Tux Machines

Security: Uber, Replacing x86 Firmware, 'IoT' and Chromebook

  • Key Dem calls for FTC to investigate Uber data breach

    A key Democrat is calling on the Federal Trade Commission (FTC) to investigate a massive Uber breach that released data on 57 million people, as well as the company's delay in reporting the cyber incident.

  • Multiple states launch probes into massive Uber breach
  • Replacing x86 firmware with Linux and Go

    The problem, Minnich said, is that Linux has lost its control of the hardware. Back in the 1990s, when many of us started working with Linux, it controlled everything in the x86 platform. But today there are at least two and a half kernels between Linux and the hardware. Those kernels are proprietary and, not surprisingly, exploit friendly. They run at a higher privilege level than Linux and can manipulate both the hardware and the operating system in various ways. Worse yet, exploits can be written into the flash of the system so that they persist and are difficult or impossible to remove—shredding the motherboard is likely the only way out.

  • Connected sex-toy allows for code-injection attacks on a robot you wrap around your genitals

    However, the links included base-64 encoded versions of the entire blowjob file, making it vulnerable to code-injection attacks. As Lewis notes, "I will leave you to ponder the consequences of having an XSS vulnerability on a page with no framebusting and preauthed connection to a robot wrapped around or inside someones genitals..."

  • Chromebook exploit earns researcher second $100k bounty
    For Google’s bug bounty accountants, lightning just struck twice. In September 2016, an anonymous hacker called Gzob Qq earned $100,000 (£75,000) for reporting a critical “persistent compromise” exploit of Google’s Chrome OS, used by Chromebooks. Twelve months on and the same researcher was wired an identical pay out for reporting – yes! – a second critical persistent compromise of Google’s Chrome OS. By this point you might think Google was regretting its 2014 boast that it could confidently double its maximum payout for Chrome OS hacks to $100,000 because “since we introduced the $50,000 reward, we haven’t had a successful submission.” More likely, it wasn’t regretting it at all because isn’t being told about nasty vulnerabilities the whole point of bug bounties?
  • Why microservices are a security issue
    And why is that? Well, for those of us with a systems security bent, the world is an interesting place at the moment. We're seeing a growth in distributed systems, as bandwidth is cheap and latency low. Add to this the ease of deploying to the cloud, and more architects are beginning to realise that they can break up applications, not just into multiple layers, but also into multiple components within the layer. Load balancers, of course, help with this when the various components in a layer are performing the same job, but the ability to expose different services as small components has led to a growth in the design, implementation, and deployment of microservices.

Lumina 1.4 Desktop Environment Debuts with New Theme Engine and ZFS Integrations

Lumina 1.4.0 is a major release that introduces several new core components, such as the Lumina Theme Engine to provide enhanced theming capabilities for the desktop environment and apps written in the Qt 5 application framework. The Lumina Theme Engine comes with a configuration utility and makes the previous desktop theme system obsolete, though it's possible to migrate your current settings to the new engine. "The backend of this engine is a standardized theme plugin for the Qt5 toolkit, so that all Qt5 applications will now present a unified appearance (if the application does not enforce a specific appearance/theme of it’s own)," said the developer in today's announcement. "Users of the Lumina desktop will automatically have this plugin enabled: no special action is required." Read more

today's leftovers

  • qBittorrent 4.0 Is a Massive Update of the Open-Source BitTorrent Client
    qBittorrent, the open-source and cross-platform BitTorrent client written in Qt for GNU/Linux, macOS, and Windows systems, has been updated to version 4.0, a major release adding numerous new features and improvements. qBittorrent 4.0 is the first release of the application to drop OS/2 support, as well as support for the old Qt 4 framework as Qt 5.5.1 or later is now required to run it on all supported platforms. It also brings a new logo and a new SVG-based icon theme can be easily scaled. Lots of other cosmetic changes are present in this release, and the WebGUI received multiple enhancements.
  • FFmpeg Continues Working Its "NVDEC" NVIDIA Video Decoding Into Shape
    Earlier this month the FFmpeg project landed its initial NVDEC NVIDIA video decoding support after already supporting NVENC for video encoding. These new NVIDIA APIs for encode/decode are part of the company's Video Codec SDK with CUDA and is the successor to the long-used VDPAU video decoding on NVIDIA Linux boxes. That NVDEC support has continued getting into shape.
  • Kobo firmware 4.6.10075 mega update (KSM, nickel patch, ssh, fonts)
    A new firmware for the Kobo ebook reader came out and I adjusted the mega update pack to use it. According to the comments in the firmware thread it is working faster than previous releases. The most incredible change though is the update from wpa_supplicant 0.7.1 (around 2010) to 2.7-devel (current). Wow.
  • 3.5-inch Apollo Lake SBC has dual mini-PCIe slots and triple displays
    Avalue’s Linux-friendly, 3.5-inch “ECM-APL2” SBC features Apollo Lake SoCs, 2x GbE, 4x USB 3.0, 2x mini-PCIe, triple displays, and optional -40 to 85°C. Avalue’s 3.5-inch, Apollo Lake based ECM-APL single-board computer was announced a year ago, shortly after Intel unveiled its Apollo Lake generation. Now it has followed up with an ECM-APL2 3.5-incher with a slightly different, and reduced, feature set.
  • 7 Best Android Office Apps To Meet Your Productivity Needs
    Office application is an essential suite that allows you to create powerful spreadsheets, documents, presentations, etc., on a smartphone. Moreover, Android office apps come with cloud integration so that you can directly access the reports from the cloud, edit them, or save them online. To meet the productivity need of Android users, the Play Store offers an extensive collection of Android office apps. But, we have saved you the hassle of going through each one of them and provided you a list of the best office apps for Android. The apps that we have picked are all free, although some do have Pro version or extra features available for in-app purchases. You can also refer to this list if you’re looking for Microsoft Office alternatives for your PC.

Servers and Red Hat