The advisory announcing the vulnerability, which could facilitate phishing and other spoofing attacks, concerns IDN (Internationalized Domain Name) support in these browsers.
IDN lets domain names contain letters outside the ASCII range. The problem is that many Unicode characters are visually identical to ASCII letters, so a name can be assembled from look-alike characters that the browser renders exactly like the name it is impersonating. In the proof of concept, the link points to "http://www.pаypal.com/" with the first "a" replaced by the Cyrillic small letter а (U+0430). The browsers display it as "http://www.paypal.com/", but they resolve and connect to it as "http://www.xn--pypal-4ve.com/", an entirely different domain.
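To make the mechanics concrete, here is an added example (not code from the advisory or from any of the browsers it names) that Punycode-encodes a host name the way a resolver must see it, per RFC 3492, and then applies the kind of mixed-script check that distinguishes "pаypal" with a Cyrillic а from the real thing. The spoofed host name is constructed for the example; the mixed-script rule is illustrative and not any vendor's exact policy, and the code assumes IDNA nameprep (case folding, normalization) has already been applied to its input.

```javascript
// Added example, not code from the advisory or from any of the browsers named.
// RFC 3492 Punycode encoding of an IDN label plus a mixed-script check.
// Assumption: IDNA nameprep (case folding, normalization) was applied already.
const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
const INITIAL_BIAS = 72, INITIAL_N = 128;

function digitChar(d) {                        // 0..25 -> a..z, 26..35 -> 0..9
  return String.fromCharCode(d < 26 ? 97 + d : 48 + d - 26);
}

function adapt(delta, numPoints, firstTime) {  // bias adaptation, RFC 3492 s.6.1
  delta = firstTime ? Math.floor(delta / DAMP) : delta >> 1;
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - TMIN) * TMAX) >> 1) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// Punycode-encode one label (without the "xn--" prefix), RFC 3492 s.6.3.
function punycodeEncode(label) {
  const cps = Array.from(label, ch => ch.codePointAt(0));
  let out = cps.filter(cp => cp < 128).map(cp => String.fromCharCode(cp)).join('');
  const basicCount = out.length;
  let handled = basicCount;
  if (basicCount > 0) out += '-';
  let n = INITIAL_N, delta = 0, bias = INITIAL_BIAS;
  while (handled < cps.length) {
    let m = Infinity;                          // smallest code point not yet handled
    for (const cp of cps) if (cp >= n && cp < m) m = cp;
    delta += (m - n) * (handled + 1);
    n = m;
    for (const cp of cps) {
      if (cp < n) delta++;
      if (cp === n) {
        let q = delta;
        for (let k = BASE; ; k += BASE) {      // generalized variable-length integer
          const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
          if (q < t) break;
          out += digitChar(t + ((q - t) % (BASE - t)));
          q = Math.floor((q - t) / (BASE - t));
        }
        out += digitChar(q);
        bias = adapt(delta, handled + 1, handled === basicCount);
        delta = 0;
        handled++;
      }
    }
    delta++;
    n++;
  }
  return out;
}

// What the resolver sees: every non-ASCII label becomes an "xn--" A-label.
function toAsciiHost(host) {
  return host.split('.')
    .map(l => (/^[\x00-\x7f]*$/.test(l) ? l : 'xn--' + punycodeEncode(l)))
    .join('.');
}

// A label that mixes Latin with Cyrillic or Greek letters has no legitimate use
// and is the signature of this spoof. (Assumption: an illustrative rule, not any
// browser vendor's exact policy.)
const SCRIPTS = [/\p{Script=Latin}/u, /\p{Script=Cyrillic}/u, /\p{Script=Greek}/u];
function mixedScript(label) {
  return SCRIPTS.filter(re => re.test(label)).length > 1;
}

// What an address bar should show: Punycode for any mixed-script label, so the
// user sees that the name is not what it appears to be.
function displayForm(host) {
  return host.split('.')
    .map(l => (mixedScript(l) ? 'xn--' + punycodeEncode(l) : l))
    .join('.');
}

const spoof = 'www.p\u0430ypal.com';           // constructed: Cyrillic а in "paypal"
console.log(toAsciiHost(spoof));               // www.xn--pypal-4ve.com
console.log(displayForm(spoof));               // www.xn--pypal-4ve.com, not www.paypal.com
```

Running it shows why the display/resolution gap matters: the Unicode form prints as the familiar name, while the A-label the resolver queries is `www.xn--pypal-4ve.com`, the same string the advisory reports the browsers actually connecting to. A pure-Cyrillic label is left alone by `mixedScript`, which is the right outcome for genuine non-Latin domains.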
The advisory lists as vulnerable the following browsers:
- Most Mozilla-based browsers (Firefox 1.0, Camino 0.8.5, Mozilla 1.6, etc.)
- Safari 1.2.5
- Opera 7.54
- OmniWeb 5
Separately, a researcher has revealed that three bugs—dubbed "Firedragging," "Firetabbing" and "Fireflashing" by their discoverer—bypass security mechanisms in Firefox 1.0. All three have been fixed in current Firefox builds, but not yet in a general release.
Firedragging allows an attacker to trick Firefox into placing an executable file on the Windows desktop. Normally, dragging a link to the desktop only creates a shortcut to the file there.
When presented with a hybrid file that has GIF image data at the front and Windows batch-file commands at the rear, Firefox sniffs the content and treats the file as a GIF no matter what its extension is, so it can be displayed and dragged like any image, and dragging an image to the desktop writes the file itself rather than a shortcut. If the file has a .BAT extension, Windows then executes it as a batch file. The user still has to drag the file to the desktop and run it from there.
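The root cause is that the GIF decision was made by content sniffing while the execute decision was made by extension, and nothing checked that the two agreed or that the file ended where the image did. The following added example (not code from Firefox, the researcher, or the article) is the check a download handler or mail gateway can make: it walks the GIF block structure to find the real trailer, reports any bytes appended after it, and flags a GIF whose file name carries an executable extension. The one-pixel GIF and the appended batch text are constructed for the example.

```javascript
// Added example, not from the article or from Firefox: find the true end of a
// GIF by walking its block structure, then report anything appended after it
// and any mismatch between sniffed content and the file extension.
const GIF_MAGIC = ['GIF87a', 'GIF89a'];
const EXEC_EXTS = new Set(['bat', 'cmd', 'exe', 'com', 'scr', 'pif', 'vbs', 'js']);

function sniffIsGif(buf) {
  return buf.length >= 6 && GIF_MAGIC.includes(buf.toString('latin1', 0, 6));
}

// Skip a chain of length-prefixed data sub-blocks starting at `pos`; returns
// the offset just past the 0x00 terminator, or -1 if the buffer ends first.
function skipSubBlocks(buf, pos) {
  while (pos < buf.length) {
    const len = buf[pos++];
    if (len === 0) return pos;
    pos += len;
  }
  return -1;
}

// Offset just past the 0x3B trailer, or -1 for a truncated/malformed image.
// Searching for the last 0x3B byte is not enough: 0x3B can occur inside LZW data.
function gifEndOffset(buf) {
  if (!sniffIsGif(buf) || buf.length < 13) return -1;
  let pos = 13;                                  // header (6) + logical screen descriptor (7)
  const lsdPacked = buf[10];
  if (lsdPacked & 0x80) pos += 3 * (1 << ((lsdPacked & 0x07) + 1)); // global colour table
  while (pos < buf.length) {
    const tag = buf[pos++];
    if (tag === 0x3b) return pos;                // trailer: the real end of the image
    if (tag === 0x21) {                          // extension: label byte + sub-blocks
      pos = skipSubBlocks(buf, pos + 1);
    } else if (tag === 0x2c) {                   // image descriptor: 9 bytes
      if (pos + 9 > buf.length) return -1;
      const packed = buf[pos + 8];
      pos += 9;
      if (packed & 0x80) pos += 3 * (1 << ((packed & 0x07) + 1)); // local colour table
      pos += 1;                                  // LZW minimum code size
      pos = skipSubBlocks(buf, pos);
    } else {
      return -1;                                 // unknown block type: treat as malformed
    }
    if (pos < 0) return -1;
  }
  return -1;
}

function looksLikeText(bytes) {
  if (bytes.length === 0) return false;
  let printable = 0;
  for (const b of bytes) {
    if ((b >= 0x20 && b < 0x7f) || b === 0x0a || b === 0x0d || b === 0x09) printable++;
  }
  return printable / bytes.length > 0.9;
}

// Returns findings for one download; `block` is true when anything is wrong.
function inspectDownload(filename, buf) {
  const m = filename.match(/\.([^.]+)$/);
  const ext = m ? m[1].toLowerCase() : '';
  const isGif = sniffIsGif(buf);
  const end = isGif ? gifEndOffset(buf) : -1;
  const trailing = end > 0 ? buf.subarray(end) : Buffer.alloc(0);
  const findings = [];
  if (isGif && EXEC_EXTS.has(ext)) findings.push(`GIF content but executable extension ".${ext}"`);
  else if (isGif && ext !== 'gif') findings.push(`GIF content but extension ".${ext}"`);
  if (isGif && end < 0) findings.push('GIF block structure truncated or malformed');
  if (trailing.length > 0) {
    findings.push(`${trailing.length} bytes appended after the GIF trailer` +
      (looksLikeText(trailing) ? ' (looks like text/script)' : ''));
  }
  return { isGif, extension: ext, trailingBytes: trailing.length, findings, block: findings.length > 0 };
}

// Constructed sample: a valid 1x1 GIF (with a graphic control extension),
// followed by batch commands, shaped like the hybrid file described above.
const ONE_PIXEL_GIF = Buffer.from([
  0x47, 0x49, 0x46, 0x38, 0x39, 0x61,             // "GIF89a"
  0x01, 0x00, 0x01, 0x00, 0x80, 0x00, 0x00,       // 1x1, global colour table of 2 entries
  0x00, 0x00, 0x00, 0xff, 0xff, 0xff,             // the two colours
  0x21, 0xf9, 0x04, 0x01, 0x00, 0x00, 0x00, 0x00, // graphic control extension
  0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, // image descriptor
  0x02, 0x02, 0x44, 0x01, 0x00,                   // LZW min code size + one data sub-block
  0x3b,                                           // trailer
]);
const HYBRID = Buffer.concat([ONE_PIXEL_GIF,
  Buffer.from('\r\n@echo off\r\necho appended batch payload\r\n', 'latin1')]);

console.log(inspectDownload('pixel.gif', ONE_PIXEL_GIF).findings);  // []
console.log(inspectDownload('funny.bat', HYBRID).findings);
```

The walker matters more than the magic-number test: a hybrid named `cute.gif` passes the extension check but is still caught because the batch text sits past the trailer, and a truncated image is reported rather than silently accepted.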
Firetabbing is likewise triggered by drag and drop: the user must drop a link onto a tab in order to invoke it. According to the author, it can cause problems "from stealing session cookies to the ability to run arbitrary code on the client system, depending on the displayed site or security settings."
Fireflashing allows the contents of the about:config window, which displays Firefox's configuration preferences, to be loaded into a separate window or a hidden frame. Double-clicking a preference in about:config toggles its value, so if the user can be induced, by a game or some other prompt, to double-click on a particular spot of the display, the attacker can change existing preferences, though not add new ones.