Spoofing Risk Returns to Mozilla Browsers

Mozilla's Firefox and other browsers are open to an old frame-injection vulnerability that was previously fixed, security researcher Secunia reports.

A Web browser spoofing vulnerability has returned to plague the latest version of Mozilla Firefox and other Mozilla browsers, a security researcher reported Monday.

The seven-year-old frame-injection vulnerability could allow an attacker to load malicious content in the browser window of a trusted Web site, reported Secunia, a Denmark-based security company.

The problem lies in the way the browsers handle frames, which are a mechanism by which a site can load more than one HTML document in the same browser window.

In a security alert, Secunia said it had confirmed the vulnerability in Firefox 1.0.4, Mozilla and Version 0.8.4 of the Camino browser for Mac OS X.

The frame-injection vulnerability was last reported by Secunia in July 2004, at which time the updated versions of Mozilla browsers were unaffected while many competing browsers were vulnerable.

A spokesperson for the Mozilla Foundation said the open-source project was investigating the reported vulnerability.

Based on a bug report in Mozilla's Bugzilla tracking system and postings in Mozilla support forums, the return of the frame-injection vulnerability appears to also affect the alpha version of Firefox 1.1 for developers, named Deer Park Alpha 1.

Secunia rated the vulnerability as "moderately critical" and suggested that users not browse unknown Web sites while viewing a trusted site.
