Firefox phishing vulnerability discovered

A vulnerability in Firefox could make users of the open source browser more likely to fall for phishing scams.

The flaw in Mozilla Firefox 1.0, details of which were published by Secunia on Tuesday, allows malicious hackers to spoof the URL in the download dialog box which pops up when a Firefox user tries to download an item from a Web site. This flaw is caused by the dialog box incorrectly displaying long sub-domains and paths, which can be exploited to conceal the actual source of the download.
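The following is an added illustration, not code from the article or from Mozilla: it models a dialog that prints the URL and truncates it on the right, so a long sub-domain hides the real host, and contrasts it with a display that names the host the file actually comes from. All hostnames are constructed for the example, and the registrable-domain helper is deliberately simplified (no public-suffix list).

```python
# Added example (not from the ZDNet article or Mozilla's code): models the
# download-dialog display problem described above and a safer presentation.
from urllib.parse import urlsplit


def naive_display(url: str, width: int = 40) -> str:
    """Mimic a dialog that shows the raw URL cut off on the right.
    With a long sub-domain only the leading, attacker-chosen labels survive."""
    return url if len(url) <= width else url[:width - 3] + "..."


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplified: 'co.uk'-style suffixes
    would need a public-suffix list, which is omitted here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def source_host(url: str) -> str:
    """The domain a download really comes from, derived from the parsed host,
    never from a truncated string."""
    return registrable_domain(urlsplit(url).hostname or "")


def safe_display(url: str) -> str:
    """Put the real source first and never truncate the host part."""
    host = urlsplit(url).hostname or ""
    return f"Download from: {source_host(url)}  (full host: {host})"


# Constructed lure: legitimate-looking labels in front of the real host,
# padded with 60-character labels to push the true domain out of view.
PADDING = ".".join(["a" * 60] * 3)
LURE = f"http://www.example-bank.com.secure.login.{PADDING}.attacker.example/update/patch.exe"

if __name__ == "__main__":
    print(naive_display(LURE))   # shows only the example-bank prefix
    print(safe_display(LURE))    # shows attacker.example
```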

Mikko Hyppönen, director of antivirus research at F-Secure, said this bug could make Firefox users vulnerable to cybercriminals. "The most likely way we could see this exploited would be in phishing scams," said Hyppönen.

To fall victim to such a scam, a Firefox user would have to click on a link in an email that pointed to a spoofed Web site and then download malware from the site, which would appear to be downloaded from a legitimate site.

This flaw was given a severity rating of two out of a possible five by Secunia.

David Emm, a senior technology consultant at antivirus company Kaspersky Labs, said it is unlikely that phishers will take advantage of this vulnerability in Firefox because Microsoft's Internet Explorer still dominates the browser market.

"I think it's unlikely that we'll see hackers rush to exploit this vulnerability," said Emm. "After all, Firefox has a much, much smaller install base than IE and it's likely that hackers will continue to pay more attention to [IE] instead."

This may change in the future as Firefox has attracted a lot of interest in the past few months. A survey at the end of November found that Mozilla-based browsers, including Firefox, accounted for 7.4 percent of browsers in November 2004, up 5 percent from May.

The download vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. No solution is available at present, but Mozilla developers plan to fix this bug in an upcoming version of the product.

The Secunia advisory and Mozilla bug report are available online.

ZDNet UK's Ingrid Marson reported from London.

Talkback 2 comments

    The lesson and needed informat ...Anonymous -- 06/01/05

    The lesson and needed information here is to be sure and check the domain of anything downloaded.

    While it's informative to point out possible "flaws"; the fact is, clicking the maximize icon shows the address. The knowledge to beware "phishing" of all types is needed. Nevertheless, this "bug" has already been fixed, no doubt. The fact is, open programs are better at bug squashing than any other. A fact missing from this warning.

    Survey says! Surveys are not accurate. Sure IE is widespread, for now... but who measures the uncounted m****es who've downloaded Firefox. We might be surprised at the real user numbers.

    What's worse is the uninformed implication that Firefox would suffer these "vulnerabilities" if it were dominant.

    Informed and responsible reporting should include the facts (or reference) pertaining to open source and unix based systems being much more resistant to these "vulnerabilities", at any usage level. Any respectable information systems reporting would require it.

    The uninformed implication that any other system would have the same problems as Microsoft is a myth based on an eventuality that cannot be proved or denied until a majority of users report their usage of open source software. We shall see soon.

    There are many rewards for the (not quite so) early adopters and Linux. What other early adopted technology is free and offers so many real world solutions to our new everyday computing experience.

    Pop in a MEPIS live CD. They're burned and shipped for $3.89 USD (linuxcd).

    http://www.mepis.com

    Open source delusion at its wo ...Anonymous -- 07/01/05

    Open source delusion at its worst... The fact is, if Firefox had an install base as large as IE and this flaw was discovered by a malicious programmer, it would be exploited. There is no valid argument against this! The only argument which you could possibly make is that open source contains fewer vulnerabilities than closed source software, but until the install base approaches that of the largest software companies, this can neither be proved nor disproved.
