
Spoofing flaw resurfaces in Mozilla browsers

Filed under: Security

A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned.

The flaw, which also affects some other Mozilla Foundation programs, lies in the way the software handles frames, the mechanism for displaying several Web documents in separate parts of a single browser window. A link can name a frame as its target, and the applications do not check whether that frame belongs to the same Web site as the page containing the link, so the frames displayed in one window need not all originate from the same site, Secunia said in an advisory on Monday. Firefox 1.x, Mozilla 1.7.x and Camino 0.x are vulnerable to the flaw, the security monitoring company said.

As a result, an attacker could insert content into a frame on a trusted Web site, Secunia said. Because the injected frame appears inside the trusted site's own window, account holders who believe they are interacting with a frame belonging to their online bank could be tricked into giving up personal information or downloading malicious code, for example. Secunia rated the issue "moderately critical."

The same "frame injection" vulnerability in Mozilla's browsers was detailed by Secunia in July of last year. At the time, it did not affect the most recent versions of the applications.

For a spoofing attempt to work, a surfer would need to have both the attacker's Web site and a trusted Web site open in different windows. A click on a link on the malicious site that names the trusted site's frame as its target would then display the attacker's content in that frame on the trusted Web site, Secunia said. The company advised people not to visit trusted and untrusted Web sites at the same time.
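The following is an added example, not code from the article, Secunia or Mozilla. It models how a browser resolves a link's `target="name"` to a frame: the "unchecked" resolver behaves the way the advisory describes (any open window's frame can be addressed by name from anywhere), while the "checked" resolver only lets a link target a frame in its own window or a frame declared by a page of the same origin. The window and frame names, URLs and sites are constructed for the example.

```javascript
// Added example (not from the article or Mozilla): a model of frame-name
// targeting, in the vulnerable form described by the advisory and a
// hardened form that applies a same-window-or-same-origin check.

const originOf = (url) => new URL(url).origin;

class Frame {
  constructor(owner, name, url) {
    this.owner = owner; // the BrowserWindow whose page declared the frame
    this.name = name;
    this.url = url;
  }
}

class BrowserWindow {
  constructor(url) {
    this.url = url;
    this.frames = [];
  }
  addFrame(name, url) {
    const f = new Frame(this, name, url);
    this.frames.push(f);
    return f;
  }
}

class Browser {
  constructor() {
    this.windows = [];
  }
  open(url) {
    const w = new BrowserWindow(url);
    this.windows.push(w);
    return w;
  }
  // Vulnerable behaviour: scan every open window for a frame with the
  // requested name and hand it back regardless of which site declared it.
  // `source` is accepted only to keep the two resolvers interchangeable.
  findFrameUnchecked(source, name) {
    for (const w of this.windows) {
      const hit = w.frames.find((f) => f.name === name);
      if (hit) return hit;
    }
    return null;
  }
  // Hardened behaviour: a link may only target frames in its own window,
  // or frames whose owning page shares the linking page's origin.
  findFrameChecked(source, name) {
    for (const w of this.windows) {
      const sameWindow = w === source;
      const sameOrigin = originOf(w.url) === originOf(source.url);
      if (!sameWindow && !sameOrigin) continue;
      const hit = w.frames.find((f) => f.name === name);
      if (hit) return hit;
    }
    return null;
  }
  // Follow a link written as <a href="..." target="name"> on the page in
  // `source`. If no permitted frame carries that name, open a new window,
  // which is the behaviour a user expects for an unknown target name.
  click(source, href, target, { checked }) {
    const frame = checked
      ? this.findFrameChecked(source, target)
      : this.findFrameUnchecked(source, target);
    if (frame) {
      frame.url = href;
      return { frame, newWindow: null };
    }
    return { frame: null, newWindow: this.open(href) };
  }
}

// Scenario from the article: a trusted site and the attacker's site are
// open in separate windows, and the attacker's link names the trusted
// site's frame as its target. All URLs here are constructed.
function runScenario(checked) {
  const browser = new Browser();
  const bank = browser.open('https://bank.example/');
  bank.addFrame('content', 'https://bank.example/account');
  const attacker = browser.open('http://attacker.example/');
  const result = browser.click(
    attacker, 'http://attacker.example/phish', 'content', { checked });
  return {
    bankFrameUrl: bank.frames[0].url,
    openedNewWindow: result.newWindow !== null,
  };
}

// runScenario(false): the bank's frame now shows the attacker's page.
// runScenario(true):  the frame is untouched and a new window is opened.
```

The point the model makes is that the defence has to live in the browser's targeting rule, not on the trusted site: the bank's page never runs any code during the attack, it is simply the window whose frame name the attacker guessed. The checked resolver approximates the rule later browsers adopted, under which a target name is only looked up among browsing contexts related to the one containing the link.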

The Mozilla Foundation is investigating the Secunia report, a representative for the organization said.

The vulnerability has not been exploited, a moderator of a support forum on the Mozilla Web site wrote Monday, in response to the Secunia alert.

For protection, the moderator advises people to close all other windows and tabs before accessing a Web site such as a bank or online store that requires them to type in personal data.

With its initial release last fall, Firefox has demonstrated that the mature Web browser market dominated by Microsoft's Internet Explorer can be shaken up. IE has begun to see its market share dip slightly, a first in a number of years.

Source.

Secunia Advisory.
