Firefox and Mozilla Still at Risk for Spoofing “Frame Injection” Security Flaw - 1,693 Views, 3 Comments
|
Previous Article « Put Carmen, Anna, Yasmine, Michael, or Eminem’s Mugshot on Your Phone - Literally!
Read Next Article » A Really Stupid Idea - Encrypt Your Email to Look Like Spam with Spam Mimic
Online security company Secunia has said this week that versions of Firefox and Mozilla, as well as the lesser known Camino, are again at risk for a frame injection security flaw which has dogged Mozilla on and off for nearly seven years. The problem, which plagues Firefox versions 1.x, Mozilla versions 1.7.x, and Camino versions 0.x, stems from the way that the software checks (or rather doesn’t check) content displayed in frames on a website. The software should, but does not adequately, check to ensure that the content in each frame comes from the same website. Thus someone could inject their own content, from their own website, into a frame displayed on a webpage of a trusted website. For example, the login frame displayed on a financial institution’s website could actually be hosted on a hacker’s website, allowing the hacker to collect usernames and passwords of those using the affected web browsers. In order for this attack to work, however, and for an attacker to take advantage of the frame injection security flaw, a user must have a window open to both the trusted website and to the hacker’s website, to allow the hacker to inject their content into the window displaying the user’s trusted website.
Follow Anne on
Twitter 
Friend Anne on Facebook
Experts are therefore advising that users using the affected browsers should close all other browser windows before visiting a website such as a bank or other institution where the user will need to provide confidential information such as their password.
Firefox and Mozilla Still at Risk for Spoofing “Frame Injection” Security Flaw
Twitter Explained in Plain English
Previous Article « Put Carmen, Anna, Yasmine, Michael, or Eminem’s Mugshot on Your Phone - Literally!
Read Next Article » A Really Stupid Idea - Encrypt Your Email to Look Like Spam with Spam Mimic
Read more:
» New Security Update for Firefox Fixes High Risk Issues
» Firefox Flaw Found and Fixed (Get the Patch)
» Firefox “Lambda Replace Heap Memory” Security Flaw Reveals Sensitive User Information
» FireFox Security Holes Lead to Warning
For additional similar stories check out our archives on Everything Else, Hacking, Security, Windows
NOTE: We never, ever, ever will recommend any product or service on this site that we have not regularly used ourselves and do not wholeheartedly believe in. That said, in some cases after being very pleased with a product or service, we may enter into a relationship with the provider of that product or service such that if someone purchases that product or service based on our recommendation, we may get a small payment. Such payments go towards the upkeep of the Internet Patrol.
Does this flaw also apply to Netscape? Since Mozilla and Netscape have a common ancestry (i.e. as they are basically the same thing) this is not impossible.
Comment by Paul Gerard — 6/8/2005 @ 2:40 am
For what it is worth, my fully updated MSIE 6.0 running on WinXP SP2 failed the test, too, as did the same on a friend’s computer. Looks like Mozilla/Firefox isn’t the only risky browser in this regard. Where’s the patch?
Comment by Dave — 6/8/2005 @ 6:19 am
The more pertinent question is, if the ubiquitous Internet Exploiter is also vulnerable, why haven’t the “media” (ZDNet, CNet, Aunt-Spam, etc., broadcast THAT fact as well, or is this just another campaign to slow the lemmings from jumping off the MS boat?
Comment by David Ross — 6/8/2005 @ 11:25 am