Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Firefox Flaw Could Let Attackers Change Cookies



 By: Brian Prince
2007-02-16
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Attackers could change the way Web sites are displayed and how they work.

A bug was recently uncovered in Firefox that could allow a malicious Web site to appear authentic.

The bug affects the way Firefox handles writing to the "location.hostname" DOM property, according to a posting by security researcher Michal Zalewski on the security mailing list Full Disclosure. The vulnerability could potentially allow a malicious Web site to manipulate the authentication cookies for a third-party Web site.

Resource Library:
By bypassing same-origin policy, attackers can possibly tamper with the way these sites are displayed or how they work. For users, this means the bug could allow for the browser to appear as if the user were connecting to a bank, when in fact the user would instead be receiving data from an attacker.

To read more about Firefox flaws, click here.

"This flaw is at the core of phishing attack[s]," said Natalie Lambert, an analyst with Forrester Research. "The ability to mask the real site a user is visiting is how phishing attacks are successful. So, the threat of this vulnerability is large."

This vulnerability was tested using Firefox 2.0.01. Though the bug was listed as resolved, Mozilla security chief Window Snyder said they will be addressing the vulnerability in the next update to Firefox, version 2.0.0.2.

"We have not heard of any reported exploits," he said. "However, were working to address the issue as quickly as possible to minimize the window of risk. Mozilla takes security vulnerabilities very seriously, and our community of users can be assured that we are working hard to resolve this."

David Frazer, director of technology services at F-Secure, urged users to make sure they have the automatic updates for Firefox set to on.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Firefox Flaw Could Let Attackers Change Cookies
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


xv6(;^+(g٦(Rw,ٖۚؖR󝳴(S$l+9^%3~UxӅ|xi'mK$P@ B?Hp4ô1f%STI}"IͽhCx`S 5rѩe軫F]̱kkH,Q tjOt0.Ps< j99ԗoˏ~e0-ڶAQ6)֐N0- P8$H.{H~, DuXqDGH;"C'x8ռi/DaO‡THUb&{Bq4%;^60k~BaU0vK]Kw@SѠ(v2%vn/@^c\ȁRh=7d9c';{$-,v2M*5fб29z uur<J@J53ҦdPt-2訑þʲf g3n]ަ[wGR.ZpT*B~d,<<<Lp|˴g&Neםwz}˯BEQB~ٻ_HQPww@ږkZT0n{'W틋y@.{A~$?Vj}&DeR)I&0h'6tt<_B^,9DFI?jnEKHOr ])2,R#wSҾoo:6OΏo:3do̲5<jUU* j vb!?ޛ:W۳kiGκ7s!+|qf!5 0\6:jZz`Kk'ޮCǩEXCyCm0Mߑjr]Rr?#3p=nI?_tNHN,O?پBd}#77#R(y#0ri4(ߖA@[@+U:o:`K70ShI3;nZK}0[#RF&\ ДaCǘذ 1"%ߩҁ>)`I* TY&嗋mQt3 . If({΀gA.r)i" 6=aLTt/\~ .΃awW9Q] K\MޢG <7ڭ)]wz]tZ0">cq4Y`A-. :*mo:J=67V)CR up[XQnl 2XjXvR7HYA^ǟgtA:)~Ҧ>RÜMCͶOCGs>hH2胆6ml-h$ ,70}HOQI 4wX(x<cOgv7_ >< )FNj$ nh-DCw 0Ieg&S yO ΃drooM~(wEnPj>X^0 jp.HpyY?@]qk3 o  ќ5҆&QcSB]jJdN˕ }*@FX mNt"AђF *4 gscX"C"'s`[X a+R .<BI(cvn<K){TKh!+K@fsfh(7i2mńx="`&Qea*0pRx5Vn/jc٦ӀII\;R JACzT"/ğ/w7n2gNP/h|WY 3EDVhdF!! = \Pȭ,T)w^;= PgaE8F2b5k%ӇfS/0}KęR48'')LasW|](u@Ӭ+XKu7RumIa]hk%\<7Bj^[a׼6FYR^RKHD,Pc/X+ezdyM2&7qеcc92s7)\TBZȔe8jAjR+J}sf8 , J; )mT.mT^φgΧމyд "s=: -`cg@~f:3?&نdp܉D80V2PaI*5E]13R%\T2.Q &ZbOF.#NWɅcًͧ Ңw^^SvԿ~5Gl2ݴۄ歰C`V9aNg43aJ |Ӛ#GOs'])=ٰR.%90Nܟo>0FxP[J?u>rȵ6gw%XY1f-10kEu/ÊT)Gs;OW*RL['ʂX VPŖ៦ vOGA.Ca&:`BTnЬ 0TgKi]twXN v|~KZhw"0wiYOT5)%U$jl|T`ZsnG<צK$Xu70-tpC)T뵢¾_[ic{)h"QkF&FdHt=Έ#6RPOT<ͯ!'8՞oF* ϛ=G$1*@7Z Sғe4* oE晛>675/íJd:|8.3oJjvQby6G3 Ⱦ L(R%G:{Jr zy@?uEU _0 d&T~#\{YRfl|g^c+w22˓FV/X37(pOMУǸ'~w3W> "[;A9db:5K9E?9dN u3U sf> W|+6,^Jf;9Qo@Homs>1 ZH${m%~F85onY(*"X5 Z i3FɁ㚺/k3O֧nu" *Ja@G2cd)ЬV#iA/{N3 a6}b;_&*|)2SG6Z|bR.3GZz+jJHJz L |5O C 7PkF]#^$G{EY,..m$mXJP/YTAtUv`i&x9Ll5Lfl'P`QxGͧzM*"L]8Tf<^ΐۋ953ק~@ f@- P5^IW:.ZWky*6n'vem"X׵I7$# ְS##f`.SkZ%,: {>kq O4 }U\qHGV%|~::m~l1z˾WU$x /`i8~D(}׆7{%%usQu᳋Y?`yAѰq^ 8+%E;"u ߽w9" .:YF>9hnÏOM1k0vhRdQfJ}X#K#fWDH]h!i3 T/Us>V\zF_kɾ,49Aϐa6Z4Z!ފ#s~uk`!1dOZ#  G@RPOh[#N;֗vZgp" BtX 1tJ1 _RJMQ=#ijIř/PEQ):*9Q{_a(kѷo%Aߐ>O1Ok7tExW(khL6bsZ;t/0?xԾ6j?"i^K_"Ts8LLàv)fTDSeoy0;Fp8@!՝R"f0u?IkuYXY[NhAR:%Iy# Uu$JRSfj*# $_2 I,v+htlAz׭ JÚ]eyjt.?6V"GX:[ .VH0_Ӹ\bwNZD XY+oxt7>CTդ g껰Ϋ؉OJ6 D Tz@0Hr吜zC=?UmOwXcyr?{'q?K8:Gw*b,_Aݞpne?jw`teNx>HАݛc-p溟9#M L_:Fa'3 ]sOA}i^wl'UFy J}~Nl/t:D(y[e{wCȊ̅Szr! >Yx2&i_%3 =ћ4/ Z V2+&[qVL=9b ="s(ı߂KCƧSӆUeYZ9qPX'(҆.?*NϠ"]o|Vu^8 (ĽeY Eqؘ!b>d xx]1:؄:iMg~]p8SL&<'gy MQ-+|xaz? SfkD~Bp?p,mjMR,)8tę=|̴)>S%=y"`z,EAɛv7*+PlN -1zq;\AR7)f# >2΀۴,PߧLa<:_)qf̋9ꄧ#[!6˭2l2A9H}g~l0d4f7p9r> d©KJ% ׏rbG,3J%vL=}Ţ5 $3|I$KxCTA oRUޮ8]k{܂J ~[*׊J9ά4{Jk1"$7dyr5j)R%rLyd} )IJ>]1`e͢^00=s+. ej!z\T3*G1p8ڼA!~#]Z,:H3 "*(ٍjR&7d4)n )sGC,**5P*Аs֏TU2Ko(%D=N<0E^B<`a.&&ԺR/d!b8q+A  j1O>˲ӻ ) QwJB8D ; ;WY`U~ʤ(RyGx~ut{4-DZdn埠۲U܁խt(%!LīV>ub͘HnFȮʥ"rAMO v2)G$kZa+)l mY"l62`Vmkٞz"uυR ۲kR[i#3٬4@cc/|V+j%E\ [= 0A~" TB4XqGUxNp9W;nŁ0_A͇͇͇͇}JE7W/t\T*0{CVÄ9*?>=VO:6XEG,V#\|y1g;6˫/|Fn ݜRǗ4PWRE #4X3tcET&ɏPh>h7.%;_Z\oڟ;[i)@)H4Фk{0$U ;({A%-];OR^o@-[xc%i%| ([rb9׿,k.`) ՙi&8̫:mRE ˩ 7Q]Jop:è94G>#,/ ^*27 _y_E7 ܮܖbnFJo|UdےER˙o( +=mO_k&unYmraV4K D[ڒB 7t{'?t)Ū|[L,͕5ޮ}to^o^o^o^+m{@%Ⰳ>4=,!0#4K,v&aәB ܌\sc9Q>t9rBٱ+7Ih6epY#;lK$X7`Úoh`w8M67~I,]:t{dp[Rk)iCg3^l&  M3@z3- ]k|mTD^@nD1;_rF1!53#-mKWj BUR 30զtY)Gú꒰.I}{ ![\k;"Tf>sMr<)||Ltq1t50]x 5|~5#͌ ~>!;ܾ뻚)5},`OfO뢮 f9' 67Y Fgs35uIG@syϣ{132ޕ#` +lyЫ_ አ`Y֟r[")VB/|:Α{[dp3[:f>g1Eڤ^{mYfڄ6K3")Aݶ{ŷi`Wݲ8pX'50]1{tӥU޲Xo|֊[NiΞCm̱?.;ΐ[?qCb$2["v?C* O2ūOX:l o\Lqìfo!ۿP}fɷyw1VުcY2QȏanB~/S`N] 4;8~/u#&ФC>ybugKɸ)x?)pSog\;q'H|B3 /s&}^8 :{bR=P{K 87/|T3/b##-Ѩ# >xA1K= o~{@܇r q,ގ-D||z['AU}H?Km1.+62shDl/ul\oj.~V =3C}m"Ú&45+Z 3Oqt@!'vQY 2ŋ1wKy–s\vkкlɧtC!嘭#!+A1HSTNoo"1";W'pp\`sr(@KK*2&Bs859|zLY}nOKZ&9a k(E$ c#ϙF$1шbsc^´ukfĄ9eϖX_j :`r@>w;LQXj*!b3wȣ4ϓ 4IS*E y+LL͂`Aa~L­! RJs# h_𢲙8`F"Oc8= ܕmϱ6Ns%%~6t0Q-pV#ߛjSg0Yn.غ9PMཚ=J"Q^e5DU@ :[ǬKO!~ԊKm9 g%^LW%'u>Ԣz hxD:&Ҵ U9iz47anq4ħEOW\34yD}QuxxK_o'-V.fGN 48mg?'ߟ}21?Oߟwr\sg:W5e↓/2_"s _f /}/3{ ̠%%e^^f'UW<2_ˌ0W{s!?W0~Wׅw3?]/ r qP: M^= S}~3 A[x6oیon3/9IR<[rֺƅ)qry/ 苬U:x_R+f7_+Πsk= Я!ߗdnleڹ>&R+ ]Q%=Lk[M2n@Kȣ_ ^敽I%<$xGW4<< X)rnmtaOvHu1n}ll(O6 8 ߜ:Sw߽,RK|c ,>Oa4 D -B9}34]M7nPoc D1v21Arl(UJZR[TJ= æDDݣ(BUN-U+zT,~^9Qx`26UJ` Pz!bhǬ[ɖb(wp E/Уcյ4`e"jf2nQKp^Wv,P@pTB Psoq =s ٛ([L?0} e6VI2hؐMXKlɜ]k'bB']RL*E8W!Z=&.@c d߻G!Mx eY a60gVbgHAأ_BDOvvJ;0|F+`a?94Ǟ"0ـħ%NAf2Ş_ m>Ro/TùLHd v"ѱwlPFK58_DN焽HaCvk2}jQwh}v:פX3eoM"m,?hPQ"qm(!3oǣ,hG:\-5,l$9=ASh4WϛW5EXI%9r\鱻$0\.v{ZVA{>Dn[zQڗEk%vl=HYEҎ_Ow. $Cb9G8]! MAE3`A]|eD$ug EϩfC>X읙6Eٱs1ebV!qdfӧ[7-[$@O"CZ24`)ycq*>% / ixE1xu!A]=_v{[>/'R`@/7A{J F ϱlng`wDl .3.OY& hWa!*e71KLP`O3MlB pc:"U];x[9ԋO0xeӕhOɬq;Z?Y #]Z$&+$~Il=feG,+W):OOgsZ%n"_Ho"n$ܖnFTt %`GYU`Zkv+8utvKѪ v7"60ޏYwPRـ&@6:pSz vQmQ-(N?X70(h=v{@7* <9-A  =[=܋;ɾ ^f+1ݱWRdGB Ln3m^^jti( aaX4.v>ϽϯxDh\NwLtxNvdzU Z-12Mo,gkV"K깘#gy= `5>gvC%z1waXo;.&DW6K54Ƙb>Y!ˣŬ"D0Ȯ'Z:tsh{h۟X3TBX6c?tf @ýō]Ac*a?<#/ahQ> χ"@Ԃ+"e})ID~y+)/,π/(83}E.tW>^tob34=nT Z(Ks(ӽ9mA0}us1Y/ ~s Wha<y&FϦk ED;ydMn+:cQEae=JV}01{l~r[)CEs̥D/4^JB\qrh6