Firefox and Mozilla Still at Risk for Spoofing “Frame Injection” Security Flaw

The Internet Patrol - Patrolling the Internet for You

Online security company Secunia has said this week that versions of Firefox and Mozilla, as well as the lesser known Camino, are again at risk for a frame injection security flaw which has dogged Mozilla on and off for nearly seven years.

The problem, which plagues Firefox versions 1.x, Mozilla versions 1.7.x, and Camino versions 0.x, stems from the way that the software checks (or rather doesn’t check) content displayed in frames on a website. The software should, but does not adequately, check to ensure that the content in each frame comes from the same website. Thus someone could inject their own content, from their own website, into a frame displayed on a webpage of a trusted website. For example, the login frame displayed on a financial institution’s website could actually be hosted on a hacker’s website, allowing the hacker to collect usernames and passwords of those using the affected web browsers.


In order for this attack to work, however, and for an attacker to take advantage of the frame injection security flaw, a user must have a window open to both the trusted website and to the hacker’s website, to allow the hacker to inject their content into the window displaying the user’s trusted website.

Experts are therefore advising that users using the affected browsers should close all other browser windows before visiting a website such as a bank or other institution where the user will need to provide confidential information such as their password.

No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free?
Click for amount options
Other Amount:
What info did you find here today?:

3 thoughts on “Firefox and Mozilla Still at Risk for Spoofing “Frame Injection” Security Flaw

  1. The more pertinent question is, if the ubiquitous Internet Exploiter is also vulnerable, why haven’t the “media” (ZDNet, CNet, Aunt-Spam, etc., broadcast THAT fact as well, or is this just another campaign to slow the lemmings from jumping off the MS boat?

  2. For what it is worth, my fully updated MSIE 6.0 running on WinXP SP2 failed the test, too, as did the same on a friend’s computer. Looks like Mozilla/Firefox isn’t the only risky browser in this regard. Where’s the patch?

  3. Does this flaw also apply to Netscape? Since Mozilla and Netscape have a common ancestry (i.e. as they are basically the same thing) this is not impossible.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.