Spoofing Risk Returns to Mozilla Browsers

By Matthew Hicks  |  Posted 2005-06-06

Mozilla's Firefox and other browsers are open to an old frame-injection vulnerability that was previously fixed, security researcher Secunia reports.

A Web browser spoofing vulnerability has returned to plague the latest version of Mozilla Firefox and other Mozilla browsers, a security researcher reported Monday. The seven-year-old frame-injection vulnerability could allow an attacker to load malicious content in the browser window of a trusted Web site, reported Secunia, a Denmark-based security company. The problem lies in the way the browsers handle frames, which are a mechanism by which a site can load more than one HTML document in the same browser window.
In a security alert, Secunia said it had confirmed the vulnerability in Firefox 1.0.4, Mozilla and Version 0.8.4 of the Camino browser for Mac OS X.
The frame-injection vulnerability was last reported by Secunia in July 2004, at which time the updated versions of Mozilla browsers were unaffected while many competing browsers were vulnerable.
A spokesperson for the Mozilla Foundation said the open-source project was investigating the reported vulnerability. Based on a bug report in Mozilla's Bugzilla tracking system and postings in Mozilla support forums, the return of the frame-injection vulnerability appears to also affect the alpha version of Firefox 1.1 for developers, named Deer Park Alpha 1.
Secunia rated the vulnerability as "moderately critical" and suggests that users not browse unknown Web sites while viewing a trusted site.
Matthew Hicks: As an online reporter for eWEEK.com, Matt Hicks covers the fast-changing developments in Internet technologies. His coverage includes the growing field of Web conferencing software and services. With eight years as a business and technology journalist, Matt has gained insight into the market strategies of IT vendors as well as the needs of enterprise IT managers. He joined Ziff Davis in 1999 as a staff writer for the former Strategies section of eWEEK, where he wrote in-depth features about corporate strategies for e-business and enterprise software. In 2002, he moved to the News department at the magazine as a senior writer specializing in coverage of database software and enterprise networking. Later that year Matt started a yearlong fellowship in Washington, DC, after being awarded an American Political Science Association Congressional Fellowship for Journalist. As a fellow, he spent nine months working on policy issues, including technology policy, for a Member of the U.S. House of Representatives. He rejoined Ziff Davis in August 2003 as a reporter dedicated to online coverage for eWEEK.com. Along with Web conferencing, he follows search engines, Web browsers, speech technology and the Internet domain-naming system.
