Spoofing flaw resurfaces in Mozilla browsers

Filed under: Security

A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned.

The flaw, which also affects some other Mozilla Foundation programs, lies in the way the software handles frames, which are a way of showing Web content in separate parts of the browser window. The applications don't check whether the frames displayed in a single window all originate from the same Web site, Secunia said in an advisory on Monday. Firefox 1.x, Mozilla 1.7.x and Camino 0.x versions are vulnerable to the flaw, the security monitoring company said.

As a result, an attacker could insert content into a frame on a trusted Web site, Secunia said. Account holders who believe they are interacting with a frame belonging to an online bank could be tricked into giving up personal information or downloading malicious code, for example. Secunia rated the issue "moderately critical."

The same "frame injection" vulnerability in Mozilla's browsers was detailed by Secunia in July of last year. At the time, it did not affect the most recent versions of the applications.

For a spoofing attempt to work, a surfer would need to have both the attacker's Web site and a trusted Web site open in different windows. A click on a link on the malicious site would then display the attacker's content in a frame on the trusted Web site, Secunia said. The company advised people not to visit trusted and untrusted Web sites at the same time.
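To make the missing check concrete, the following is an added example (not code from the article, Secunia or Mozilla) that models how a browser resolves a link's target frame name across open windows: the legacy lookup that matches any open frame by name, beside a hardened lookup that applies the same-origin/ancestor rule browsers later adopted (often called the descendant policy). All frame names, origins and function names are constructed for illustration.

```javascript
// Constructed model of a browser's frame tree. A frame is
// { name, origin, parent, children }; top-level windows have parent null.
function makeFrame(name, origin, parent = null) {
  const f = { name, origin, parent, children: [] };
  if (parent) parent.children.push(f);
  return f;
}

// True if `a` is `b` itself or an ancestor of `b` within the same window.
function isAncestor(a, b) {
  for (let cur = b; cur; cur = cur.parent) if (cur === a) return true;
  return false;
}

// Simplified descendant policy: a frame may navigate a target only if the
// target is same-origin with it or sits inside its own frame tree.
function allowedToNavigate(source, target) {
  return source.origin === target.origin || isAncestor(source, target);
}

// Flatten every frame of every open window into one list.
function collectFrames(roots) {
  const out = [];
  const walk = f => { out.push(f); f.children.forEach(walk); };
  roots.forEach(walk);
  return out;
}

// Flawed behaviour described in the advisory: any open frame with a matching
// name is navigated, regardless of which site owns it.
function legacyResolveTarget(source, name, roots) {
  return collectFrames(roots).find(f => f.name === name) || null;
}

// Hardened behaviour: a name match is used only if the navigator is allowed
// to navigate it; otherwise the browser opens a fresh window (null here).
function hardenedResolveTarget(source, name, roots) {
  return collectFrames(roots)
    .find(f => f.name === name && allowedToNavigate(source, f)) || null;
}

// Constructed scenario from the article: a bank site with a frame named
// "content" and an attacker site are open in two separate windows.
function buildScenario() {
  const bank = makeFrame('bankTop', 'https://bank.example');
  const content = makeFrame('content', 'https://bank.example', bank);
  const evil = makeFrame('evilTop', 'https://attacker.example');
  return { roots: [bank, evil], bank, evil, content };
}
```

With the hardened lookup, a link on the attacker's page targeting "content" no longer lands in the bank's frame, while the bank's own pages can still address their frames by name.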

The Mozilla Foundation is investigating the Secunia report, a representative for the organization said.

The vulnerability has not been exploited, a moderator of a support forum on the Mozilla Web site wrote Monday, in response to the Secunia alert.

For protection, the moderator advises people to close all other windows and tabs before accessing a Web site such as a bank or online store that requires them to type in personal data.

With its initial release last fall, Firefox has demonstrated that the mature Web browser market dominated by Microsoft's Internet Explorer can be shaken up. IE has begun to see its market share dip slightly--a first in a number of years.
