Firefox tamed by cyber criminals

The world's second most popular internet browser is carrying a design flaw that could put open source users more at risk from phishing scams.

Firefox 1.0 allows hackers to spoof the URL displayed in the download dialogue box that appears when users of the programme choose a file from a website.

The Mozilla Foundation raised the security alert earlier this week, after research from Secunia uncovered the flaw in Mozilla 1.7.3 for Linux and Mozilla 1.7.5 for Windows, as well as Firefox version 1.0.

According to Secunia, the problem is that long subdomains and paths are not displayed correctly in the dialogue box, so the address a user sees can be made misleading and the weakness becomes open to exploitation by cyber criminals.
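To illustrate the display problem Secunia describes, here is an added example that is not part of the original report or of any Mozilla code: a constructed URL whose leading labels imitate another site, shown first as a fixed-width field would cut it off and then with a display that keeps the real host visible. The URL, the 40-character width and the function names are all assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed sample URL (not from the advisory): look-alike labels in
# front of the real host, followed by a long path. Only the trailing
# labels ("example-hosting.test") belong to the site that serves the file.
SAMPLE_URL = (
    "http://www.example-bank.com.secure-login.update-account."
    "example-hosting.test/downloads/statement/2005/january/report.exe"
)


def naive_label(url: str, width: int = 40) -> str:
    """Fixed-width field that simply cuts the URL off at the right.

    The attacker-chosen leading labels are what survive; the genuine
    host name and the file name are pushed out of view.
    """
    if len(url) <= width:
        return url
    return url[: width - 3] + "..."


def real_host(url: str) -> str:
    """Return the host that will actually serve the download.

    urlsplit().hostname also drops any 'user:pass@' prefix and any port,
    so what remains is exactly the name the connection is made to.
    """
    return (urlsplit(url).hostname or "").lower()


def host_first_label(url: str, width: int = 40) -> str:
    """Defensive two-line label: host on its own line, file name below.

    The host is never cut from the right. If it does not fit, its left
    side is elided, because the rightmost labels are the part the site
    owner controls and the part a user should compare against.
    """
    parts = urlsplit(url)
    host = real_host(url)
    filename = parts.path.rsplit("/", 1)[-1] or "/"
    if len(host) > width:
        host = "..." + host[-(width - 3):]
    if len(filename) > width:
        filename = filename[: width - 3] + "..."
    return f"{host}\n{filename}"


if __name__ == "__main__":
    print("naive :", naive_label(SAMPLE_URL))
    print("safer :", host_first_label(SAMPLE_URL).replace("\n", " | "))
```

With the sample URL the naive field shows only the imitation labels, while the host-first label ends in the real registrable name and the actual file name.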

The firm said the threat only scores two out of five on its vulnerability scale, but admitted there is as yet no fix available to the browser's 15 million users.

"How a company responds to bugs can vary from the very responsible to the downright unethical," says Carole Theriault, security consultant at Sophos.

"If Firefox, upon hearing of this security vulnerability, make a fix available and advertise it - on their website, via newsletter or alert, whichever - sufficiently, so that its users download and install the patch, then they are acting responsibly."

To actually fall victim to the scam, users must click on a link purporting to be a genuine host and then follow the connection through to a seemingly authentic site, where malware is secretly downloaded.

The security scare is not the first time the versatile Firefox has run into difficulty, following reports in July that the 'shell' URI scheme could be abused by hackers to execute arbitrary programmes on otherwise healthy PCs.

At the time, the Mozilla Foundation, the group behind Firefox, and Blake Ross, the browser's creator, issued a patch almost immediately to protect users.

More recently, fans of the alternate browser have complained that Firefox interferes with Microsoft's Outlook and other e-mail packages.

Analysts have since applauded Firefox for posing the only real noticeable challenge to Microsoft's lion's share of the browser market.

On the e-mail side, the group stands proud with its Thunderbird 1.0, commended by many in the industry for tough junk-mail filters that actively screen out cyber-crime traffic.

Market research firm WebSideStory shows Firefox made significant gains towards the end of last year, as users opted for alternate browsers because of security concerns with Internet Explorer.

The firm reports Firefox download rates in the US rose 34 per cent in November, after an increase of about 13 per cent in October.

Since IE started losing ground in June 2004, it has lost a total of 3.68 percentage points, while Firefox reached just over 4 per cent of the browser market in December.

"Firefox's gains are clearly accelerating," said Rand Schulman, WebSideStory's chief marketing officer. "Much of it has to do with the release of Firefox's version 1.0 on November 9, after several months of offering a preview version.

"Firefox's stated goal of gaining 10 percent of the market over the next year no longer seems unattainable."

Sophos told CUK that the best tips for staying safe from browser vulnerabilities are to run a reputable firewall and reputable, up-to-date anti-virus software.

"It is also a good idea to turn off all bells and whistles you don't need. By paring down the system to essential components - such as only accepting raw text via email instead of HTML-enabled - you are making it harder to take advantage of the computer."
