Firefox Quickies
First, Gypsy2012 writes with a highly critical security flaw involving both Firefox 2.0 and Internet Explorer, which could allow a malicious attacker to gain remote control of a user's system. It exploits the "firefoxurl://" URI handler. ... Next, reader dsinc sends word that the beta for Firefox 3 has slipped by 6 weeks. The new target date is September 18 at the earliest. The article wonders whether the final release will slip into 2008. ... Finally, reader jktowns points out new anti-phishing features in the latest nightly build of Firefox 3. One of them was added into the code base by the guy who developed the LocationBar2 extension.
What OS (Score:3, Interesting)
Granted if it's a bug it needs fixed regardless, but I would be more shocked if it said "allows a person to gain remote access on ALL systems running said software".
Re:What OS (Score:4, Interesting)
Is it. Most exploits that would work on XP wouldn't work on Vista in protected mode.
Re:What OS (Score:3, Interesting)
Are we *sure* this is a bug, not a "feature"?
Right now, somewhere in Redmond, someone is planning a press release...
[1] By extension, if you are one of the 97.46% of desktop users worldwide with Windows installed.
Re:Opera (Score:3, Interesting)
As for Opera on Feisty--it looks ok to me. The font is different from that in Windows but nothing "whacked up."
Firefox's Fault? (Score:4, Interesting)
I interpret that as saying that the Firefox installer messed with Windows and Internet Explorer, opening a hole. Is Windows/IE really to blame when another application adds "features" that end up being holes?
If Windows/IE were to filter what can and cannot happen through URI handlers, I could see developers crying foul for preventing access and locking out competition.
Further, is the onus now on Microsoft to fix a hole created by Firefox? And once they fix it, and legit things break because of it, whose fault will that be?
Highlighting phishing sites is nice, but weak (Score:5, Interesting)
Just highlighting domains of phishing sites isn't going to be enough. Here's today's list of domains that "sort of look like Paypal". These are after subdomain truncation.
These are from PhishTank, which blacklists at the URL level based on manual reports. For SiteTruth [sitetruth.com], we're in the process of converting to blacklisting phishing sites by the entire base domain. That's because we now see hundreds of entries like "session-624333.nationalcity.com.userpro.tw", which has to be treated as a bad indicator for all of "userpro.tw".
There's collateral damage. There are days when "tinyurl.com" and "notlong.com" get blacklisted, because phishing sites use them. MSN gets complaints about this. [msdn.com] Today, anybody running something like "tinyurl" needs to continually check the phishing databases for attempts to abuse their service, or their own reputation is toast.
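The base-domain blacklisting described in the comment above, as an added example that is not part of the original comment and is not SiteTruth's or PhishTank's code. The small suffix list, the shared-host exemption policy, and every URL other than the quoted "userpro.tw" hostname are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed mini suffix list (assumption); a real deployment would load
# the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "tw", "com.tw", "co.uk"}

# Shared services where one reported URL should not condemn every user
# (assumption: exempting them is this example's policy, not SiteTruth's).
SHARED_HOSTS = {"tinyurl.com", "notlong.com"}


def base_domain(host):
    """Return the registrable domain (public suffix plus one label), or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None  # suffix not in our list


class Blacklist:
    def __init__(self):
        self.domains = set()  # whole base domains treated as bad
        self.urls = set()     # exact URLs, used for shared hosts

    def report(self, url):
        """Record a phishing report; return what was blacklisted."""
        base = base_domain(urlsplit(url).hostname or "")
        if base is None or base in SHARED_HOSTS:
            self.urls.add(url)
            return url
        self.domains.add(base)
        return base

    def is_blocked(self, url):
        base = base_domain(urlsplit(url).hostname or "")
        return url in self.urls or base in self.domains


def demo():
    bl = Blacklist()
    # Hostname quoted in the comment above; paths and other URLs are constructed.
    bl.report("http://session-624333.nationalcity.com.userpro.tw/login")
    bl.report("http://tinyurl.com/constructed1")
    return bl
```

Matching on the longest known suffix is what keeps the real "nationalcity.com" clean while every host under "userpro.tw" is blocked.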
Re:Firefox's Fault? (NO, BOTH's Fault - Read on) (Score:1, Interesting)
Thor Larholm, the researcher who discovered the flaw, insists that the blame falls on the back of Internet Explorer. "Firefox is the current attack vector but Internet Explorer is to blame for not escaping quote characters when passing on the input to the command line." He also notes that Internet Explorer behaves similarly with other handlers. "Internet Explorer doesn't filter the input for the irc:// or aim:// URL protocol handlers either. The exploitability on those depend on what arguments each application accepts."
The director of Symantec's Security Response Center, Oliver Friedrichs, believes that both browsers should share the heat. "You have two very complex applications that are not playing well together and leading to a security issue. The components themselves are secure as stand-alone products but not together."
What's the fuss about? (Score:3, Interesting)
Re:What OS (Score:2, Interesting)
Opera is perfectly capable of escaping characters that have meaning to the shell before passing the string to the shell to build the command line. Whether it does so is another matter. I don't have a windows machine on which to try. If it doesn't, then it's an Opera bug as well as an IE bug.
Re:Laughing? A less happy feeling (Score:3, Interesting)