Mozilla: Firefox Security Bug Won't Fool Users

 
 
By Brian Prince  |  Posted 2010-08-17
 
 
 

A bug in the Firefox browser that can be used to bypass an alert for obfuscated URLs is unlikely to trick users, according to Mozilla.

The flaw was uncovered by Armorize Technologies researcher Aditya K. Sood, who warned it could be used by purveyors of malware to increase the chance of leading users to malicious sites.

According to the bug report Sood filed to Bugzilla in June, Firefox implements a check when "a URL obfuscation is done in the address bar." Normally, the browser will display a warning if a user clicks on a link that contains a disguised address. However, if IFrames are used with the obfuscated URL, the alert notification is bypassed.

"On performing analysis of various malware, a bug has been noticed in all version[s] of Firefox which fails to generate an alert when [an] obfuscated URL is being placed in IFrames," Sood explained Aug. 16 in a blog post. "In certain cases, it can be used effectively in spreading malware and stealing sensitive information."

Johnathan Nightingale, Mozilla's director of Firefox development, however, said it was unlikely the bug could be effectively used by attackers to trick users. For this reason, Mozilla does not plan to issue a fix, according to the company's Security Blog.

"The concern expressed in the bug is that a page could be constructed with an embedded IFrame that uses a confusing URL," Nightingale said in a statement. "Most users don't look at the HTML source of the pages they are loading, which is the only way you'd encounter this URL. We do not anticipate this bug would cause user confusion or deception. Firefox ships with built-in phishing and malware protection that warns users if they are attempting to visit a dangerous URL."

*This story was updated to add additional comment from Mozilla.

Rocket Fuel