We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Firefox 2 & IE7 open to new threat

Browsers offer 'false sense of security'

Although Mozilla patched one more Firefox bug last week than first reported, the researcher whose work has plagued the open-source browser for weeks has released details about another flaw.

Firefox does not properly handle JavaScript "onUnload" events and can be tricked into taking the user to an unintended destination, said security researcher Michal Zalewski. "This flaw allows the attacker to track your footsteps and either redirect you to the URL you wanted to visit, which wouldn't be noticed at all, or to a similarly named phishing website when you choose to visit a target of some significance," Zalewski said.

The bug affects the just-released Firefox 2.0.0.2 and 1.5.0.10 updates, as well as Microsoft's Internet Explorer 7. JavaScript can be disabled in the browsers to block such redirects.

"The big difference in the two browsers is that Firefox 2.0.0.2 displays the correct address for the redirected site in the address bar," Symantec said in a warning. "IE7, however, continues to display the URL that the user typed into the address bar, leading to a false sense of security."

Mozilla fixed 15 flaws last week in Firefox 2.0.0.2 and 1.5.0.10, as opposed to the 14 that were first reported. An overlooked security update in the revised browsers patches another Zalewski vulnerability, Mozilla said yesterday.

"Firefox 2.0.0.2 update includes fixes for the bugs that researcher Michael Zalewski reported last week, including the hostname vulnerability, cookie issue, and memory corruption issue," said Window Snyder, Mozilla's chief security executive.

"It was just a mistake," a Mozilla spokesman said regarding why Friday's list of patched bugs had originally omitted the 15th fixed flaw. The list has since been changed to reflect all the included patches.

www.computerworld.com


IDG UK Sites

Samsung Galaxy S6 release date, features and specs rumours: When will the Galaxy S6 come out?

IDG UK Sites

Why people aren't upgrading to iOS 8: new features are for power users, not the average Joe

IDG UK Sites

Free rocket & space sounds: NASA launches archive of interstellar audio on SoundCloud

IDG UK Sites

iPad Air 2 review: Insanely fast and alarmingly thin. Speed tests, camera tests, beautiful...