
Spoofing flaw resurfaces in Mozilla browsers

Filed under
Security

A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned.

The flaw, which also affects some other Mozilla Foundation programs, lies in the way the software handles frames, which are a way of showing Web content in separate parts of the browser window. The applications don't check whether the frames displayed in a single window all originate from the same Web site, Secunia said in an advisory on Monday. Firefox 1.x, Mozilla 1.7.x and Camino 0.x versions are vulnerable to the flaw, the security monitoring company said.

As a result, an attacker could insert content into a frame on a trusted Web site, Secunia said. Account holders who believe they are interacting with a frame belonging to an online bank could be tricked into giving up personal information or downloading malicious code, for example. Secunia rated the issue "moderately critical."

The same "frame injection" vulnerability in Mozilla's browsers was detailed by Secunia in July of last year. At the time, it did not affect the most recent versions of the applications.

For a spoofing attempt to work, a surfer would need to have both the attacker's Web site and a trusted Web site open in different windows. A click on a link on the malicious site would then display the attacker's content in a frame on the trusted Web site, Secunia said. The company advised people not to visit trusted and untrusted Web sites at the same time.
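The mechanism in the two paragraphs above, as a small model added here by the editor (it is not Mozilla code and not from the Secunia advisory): a named-frame lookup that ignores which site owns the frame, beside the same lookup with the check that was missing. The origin rule in `mayNavigate` is the editor's simplified statement of the descendant frame-navigation policy browsers now apply; the hosts `bank.example` and `attacker.example`, the frame names, and the `Session`/`Frame` classes are constructed for the illustration.

```javascript
// scheme://host[:port] of a URL, the value same-origin comparisons use.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// One browsing context: a top-level window, or a frame nested inside one.
class Frame {
  constructor(name, url, parent = null) {
    this.name = name;
    this.url = url;
    this.parent = parent;
    this.children = [];
    if (parent) parent.children.push(this);
  }
  get origin() { return originOf(this.url); }
  isAncestorOf(other) {
    for (let p = other.parent; p !== null; p = p.parent) if (p === this) return true;
    return false;
  }
  // Depth-first search of this context's subtree for a frame with the given name.
  findByName(name) {
    if (this.name === name) return this;
    for (const child of this.children) {
      const hit = child.findByName(name);
      if (hit) return hit;
    }
    return null;
  }
}

// A browser session: the set of open top-level windows.
class Session {
  constructor() { this.windows = []; }
  open(url) { const w = new Frame('', url); this.windows.push(w); return w; }
  // The flawed lookup: the first frame with this name in ANY open window wins,
  // with no regard to which site owns it.
  findAnyFrameNamed(name) {
    for (const w of this.windows) {
      const hit = w.findByName(name);
      if (hit) return hit;
    }
    return null;
  }
}

// Pre-fix behaviour as the advisory describes it: <a target="main" href="..."> on the
// attacker's page loads its URL into whichever open frame is called "main", even one
// inside the bank's window.
function navigateVulnerable(session, source, targetName, url) {
  const target = session.findAnyFrameNamed(targetName);
  if (target === null) return null;   // a real browser would open a new window here
  target.url = url;
  return target;
}

// The missing check (editor's simplification, not Mozilla's code): a document may
// navigate a frame only if it is an ancestor of that frame or is same-origin with the
// document that embeds the frame.
function mayNavigate(source, target) {
  if (source === target || source.isAncestorOf(target)) return true;
  const embedder = target.parent === null ? target : target.parent;
  return source.origin === embedder.origin;
}

function navigateHardened(session, source, targetName, url) {
  const target = session.findAnyFrameNamed(targetName);
  if (target === null || !mayNavigate(source, target)) return null; // refuse the injection
  target.url = url;
  return target;
}

// Constructed scenario: the bank's framed page is open in one window, the attacker's
// page in another, and the attacker targets the bank's "main" frame. With
// bankWindowOpen = false the user has followed the advice to close other windows
// first, so no frame called "main" exists for the lookup to find.
function runScenario(navigate, bankWindowOpen = true) {
  const session = new Session();
  let main = null;
  if (bankWindowOpen) {
    const bank = session.open('https://bank.example/');
    new Frame('nav', 'https://bank.example/nav', bank);
    main = new Frame('main', 'https://bank.example/accounts', bank);
  }
  const evil = session.open('http://attacker.example/');
  const hit = navigate(session, evil, 'main', 'http://attacker.example/fake-login');
  return { injected: hit !== null, mainFrameUrl: main === null ? null : main.url };
}

// The bank's own navigation frame must still be able to drive its sibling "main"
// frame, otherwise the fix would break ordinary framed sites.
function legitimateNavigationWorks(navigate) {
  const session = new Session();
  const bank = session.open('https://bank.example/');
  const nav = new Frame('nav', 'https://bank.example/nav', bank);
  new Frame('main', 'https://bank.example/accounts', bank);
  return navigate(session, nav, 'main', 'https://bank.example/transfer') !== null;
}

console.log('vulnerable:', runScenario(navigateVulnerable));
console.log('hardened:  ', runScenario(navigateHardened));
console.log('bank nav -> main still allowed:', legitimateNavigationWorks(navigateHardened));
```

The vulnerable run shows the bank's `main` frame ending up at the attacker's URL while the bank's address bar is untouched, which is exactly why the spoof is convincing; the hardened run refuses because the attacker's window is neither an ancestor of the frame nor same-origin with the bank page that embeds it. Note that the check has to be on the embedding document's origin, not the frame's current URL, or a page could navigate a frame once and then "own" it.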

The Mozilla Foundation is investigating the Secunia report, a representative for the organization said.

The vulnerability has not been exploited, a moderator of a support forum on the Mozilla Web site wrote Monday, in response to the Secunia alert.

For protection, the moderator advises people to close all other windows and tabs before accessing a Web site such as a bank or online store that requires them to type in personal data.

With its initial release last fall, Firefox has demonstrated that the mature Web browser market dominated by Microsoft's Internet Explorer can be shaken up. IE has begun to see its market share dip slightly--a first in a number of years.

Source.

Secunia Advisory.
