Spoofing Risk Returns to Mozilla Browsers
The seven-year-old frame-injection vulnerability could allow an attacker to load malicious content in the browser window of a trusted Web site, reported Secunia, a Denmark-based security company.
The problem lies in the way the browsers handle frames, which are a mechanism by which a site can load more than one HTML document in the same browser window.
In a security alert, Secunia said it had confirmed the vulnerability in Firefox 1.0.4, Mozilla and Version 0.8.4 of the Camino browser for Mac OS X.
The frame-injection vulnerability was last reported by Secunia in July 2004, at which time the updated versions of Mozilla browsers were unaffected while many competing browsers were vulnerable.
A spokesperson for the Mozilla Foundation said the open-source project was investigating the reported vulnerability.
Based on a bug report in Mozilla's Bugzilla tracking system and postings in Mozilla support forums, the return of the frame-injection vulnerability also appears to affect the alpha version of Firefox 1.1 for developers, named Deer Park Alpha 1.
Secunia rated the vulnerability as "moderately critical" and suggested that users not browse unknown Web sites while viewing a trusted site.