Online security company Secunia has said this week that versions of Firefox and Mozilla, as well as the lesser known Camino, are again at risk for a frame injection security flaw which has dogged Mozilla on and off for nearly seven years.
The problem, which plagues Firefox versions 1.x, Mozilla versions 1.7.x, and Camino versions 0.x, stems from the way that the software checks (or rather doesn’t check) content displayed in frames on a website. The software should, but does not adequately, check to ensure that the content in each frame comes from the same website. Thus someone could inject their own content, from their own website, into a frame displayed on a webpage of a trusted website. For example, the login frame displayed on a financial institution’s website could actually be hosted on a hacker’s website, allowing the hacker to collect usernames and passwords of those using the affected web browsers.
In order for this attack to work, however, and for an attacker to take advantage of the frame injection security flaw, a user must have a window open to both the trusted website and to the hacker’s website, to allow the hacker to inject their content into the window displaying the user’s trusted website.
Experts are therefore advising that users using the affected browsers should close all other browser windows before visiting a website such as a bank or other institution where the user will need to provide confidential information such as their password.
|No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free?