Online security company Secunia has said this week that versions of Firefox and Mozilla, as well as the lesser known Camino, are again at risk for a frame injection security flaw which has dogged Mozilla on and off for nearly seven years.
The problem, which plagues Firefox versions 1.x, Mozilla versions 1.7.x, and Camino versions 0.x, stems from the way that the software checks (or rather doesn’t check) content displayed in frames on a website. The software should, but does not adequately, check to ensure that the content in each frame comes from the same website. Thus someone could inject their own content, from their own website, into a frame displayed on a webpage of a trusted website. For example, the login frame displayed on a financial institution’s website could actually be hosted on a hacker’s website, allowing the hacker to collect usernames and passwords of those using the affected web browsers.
In order for this attack to work, however, and for an attacker to take advantage of the frame injection security flaw, a user must have a window open to both the trusted website and to the hacker’s website, to allow the hacker to inject their content into the window displaying the user’s trusted website.
Experts are therefore advising that users using the affected browsers should close all other browser windows before visiting a website such as a bank or other institution where the user will need to provide confidential information such as their password.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
The more pertinent question is, if the ubiquitous Internet Exploiter is also vulnerable, why haven’t the “media” (ZDNet, CNet, Aunt-Spam, etc., broadcast THAT fact as well, or is this just another campaign to slow the lemmings from jumping off the MS boat?
For what it is worth, my fully updated MSIE 6.0 running on WinXP SP2 failed the test, too, as did the same on a friend’s computer. Looks like Mozilla/Firefox isn’t the only risky browser in this regard. Where’s the patch?
Does this flaw also apply to Netscape? Since Mozilla and Netscape have a common ancestry (i.e. as they are basically the same thing) this is not impossible.