Firefox fix plugs security holes

By Steven Musil
Staff Writer, CNET News

Share
- Digg
- Del.icio.us
- Reddit
- Facebook
- Google
- Newsvine
- Yahoo! Bookmarks
- Twitter
- Stumbleupon
E-mail
Print

Related Stories: Firefox reaches 25 million downloads
February 17, 2005; Phishing flaw a danger to alternative browsers
February 7, 2005; Netscape readies antiphishing browser
January 31, 2005; Firefox: When is a flaw not a flaw?
January 7, 2005

The Mozilla Foundation released on Thursday an update to the Firefox Web browser to fix several vulnerabilities, including one that would allow domain spoofing.

The open-source project released Firefox 1.0.1 to fix, among other bugs, a vulnerability in the Internationalized Domain Names (IDN), a standard for handling special character sets in domain names that lets companies register domain names that appear to be the same in different languages.

The IDN vulnerability allowed an attacker to create a fake Web site on a non-Microsoft browser in order to pull off a phishing scam. A spoofed link would seem to be a legitimate URL in the address bar of affected browsers. But instead of taking the victim to the trusted site, the link would lead to a phony Web site with a domain rendered as the same address under the IDN process.

The updated browser will display the IDN Punycode in the address bar, preventing URL spoofing. Punycode is the encoding of Unicode strings into the limited character set supported by the Domain Name System and IDN.

"Regular security updates are essential for maintaining a safe browsing experience for our users," Chris Hofmann, director of engineering for the Mozilla Foundation, said in a statement.

Phishing attacks, which try to fool consumers into handing over sensitive information by creating legitimate-looking Web sites and e-mail messages, have become a central security concern recently. While vulnerabilities in Microsoft's Internet Explorer have been the focus of much of the concern, other browsers also have had their fair share of flaws.

The update is available for Windows, Mac OS X and Linux at Mozilla.org.

Firefox recently surpassed 25 million downloads, achieving that mark in 100 days. Mozilla, which released the free 1.0 program in November, said an average of 250,000 people download Firefox every day and more than half a million Web sites feature Firefox promotions.

Mozilla, an open-source software foundation formed by Netscape, was spun off from Time Warner in 2003.

See more CNET content tagged:
Mozilla Corp., Firefox, domain name, vulnerability, phishing

Add a Comment (Log in or register) 17 comments

Wha Wha What????
by February 25, 2005 6:27 AM PST: I thought the almighty Firefox was flawless in its security. What gives Firefox. Don't talk the talk if you can't walk the walk.; Reply to this comment View all 4 replies
Processing

100% safe software doesn't exist
by feranick February 25, 2005 6:55 AM PST: No software is 100% secure by definition. It's basically impossible to develop an application that is bug free. But this is not the point. While it took months Microsoft to produce an update on IE6, and other monts will pass before we can all benefits from further fixing, the mozilla foundation spent about two months for this. Also the IDN sucurity problem is not limited to Firefox. All non-microsoft browser are affected by it by virtue of the plugin they use. IE6 is not affected because it doesn't have such plugin.; Reply to this comment View reply
Processing

This "hole" was fixed already
by TomTester February 25, 2005 8:18 AM PST: This "hole" (correct implementation of a standard abused by people with less than honest intentions) was fixed the same day, see http://tinyurl.com/5lq69

Feel free to continue use of IExplorer... I know I sleep much better since I stopped doing so.; Reply to this comment View reply
Processing

yay!
by Dibbs February 25, 2005 9:35 AM PST: you know what? i'm glad FF just fessed up and fixed this instead
of hiding it for months. i wish MS and Apple would do the same.
at least Apple has fewer problems.; Reply to this comment

No plugin problems or theme issues
by sanenazok February 25, 2005 10:08 PM PST: I just wanted to let people know that I had no theme/extension issues after upgrading. I know pre 1.0 FF would run into compatiblity whenever you upgraded.; Reply to this comment

firefox 1 check for updates fails
by AndiC1977 February 26, 2005 2:56 AM PST: firefox 1 for win32 (not checked other ports) check for updates, to say firefox is out of date and 1.0.1 is there to download, ... fails.

anyone else noticed this?; Reply to this comment

hhhmmm...
by Prndll February 26, 2005 3:19 PM PST: What is the differance between:
A) Two websites sharing nearly identical domain names - one being legit and the other not so legit

and...

B) Two versions of a song - one in CDA on a cd bought at Walmart and the nearly identical version in MP3 downloaded from the net

I see no differance at all. Though, B is looked at as criminal and A is looked at as nothing more than a nuisance. They are pretty much the same kind of thing though. Why are the owners of the legit sites NOT submitting lawsuits? Why are the fake sites allowed to exist? A song has a copy right and so does a trade mark...in this case, part of the trade mark is the website.

but seriously....
There are too many people using Firefox under the assumption they are safer. LOL... Sounds to me like this situation has actually helped to create a bug for Windows users (as if they needed any help). Ok, so it was takin care of fairly quickly. I'll give'm that. But, the fact remains, you still can't seperate IE from windows (even though MS says they now can). If you using Windows, your using IE. The use of Firefox makes no differance. You just end up with a differant GUI and maybe a few more bells and whistles.

As far as standards go...
These so called standards are alot of the problem too. In many cases these "standards" are helping to make problems worse.

So much of this is the fact that these browsers are processing the code on the websites that really need to be ignored. That, and people really need to start actually learning something about how and why computers do what they do. The will of the end user to learn would go along way to either solving this or destroying it.; Reply to this comment

It really tweakin up now
by Willy Wonker February 26, 2005 5:41 PM PST: This update is must. It like 10 times better than 1.0 FF. It getting closer to being beyond IE.; Reply to this comment

Latest tech news headlines

IBM invests in business partners' training
Posted in News - Business Tech by Colin Barker

October 11, 2008 5:01 PM PDT
Navy charters kite-powered cargo ship to deliver equipment
Posted in Military Tech by Mark Rutherford

October 11, 2008 11:03 AM PDT
FCC report negates free Internet interference claims
Posted in News - Wireless by Michelle Meyers

October 11, 2008 10:41 AM PDT
See all headlines

Resource center from News.com sponsors

You Need The Speed of Norton 2009

Introducing Norton Internet Security™2009

With one-click, one-minute install, under 8MB of memory usage and fewer, shorter scans, it's the fastest security suite anywhere. Norton. Smart Security, Engineered for Speed. Get a FREE trial today!

The Fastest Security Suite Anywhere

Experience the revolutionary Norton Internet Security™ 2009. With Norton™ Insight, a new feature, you get precision security that targets only at risk files for fewer, faster, shorter scans

Win a Trip to Space!*

Enter the Blast Off with Norton Sweepstakes for your shot at a trip to space. You could experience being fast and weightless, just like the new Norton 2009. *No purchase necessary; click for full details.

FREE Trial!

Act now to get your FREE trial of Norton Internet Security 2009. Try it for the protection. Love it for the speed

Norton Safe Web NEW!

A community-based system that rates web site safety

Norton Labs NEW!

Users can download new security technologies and share input directly with developers. Help us shape our future products!

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Inside CNET News

Scroll Left Scroll Right

News - Business Tech
IBM invests in business partners' training
A business development fund aims to encourage its largest partners to take up more skills training around data centers.
Gallery
Photos: Top 10 reviews of the week
Military Tech
Navy charters kite-powered cargo ship to deliver equipment
The use of this new breed of sailing ship could reduce fuel costs by 20 to 30 percent, according to the ship's owners.
Coop's Corner
Ellison's mantra: Spend, baby, spend
It may be hell out there, but Oracle's chief tells shareholders the company still intends to shop for more acquisitions.
Video
Sprint launches Xohm WiMax
News - Wireless
FCC report negates free Internet interference claims
Report from commission engineers boosts plan to auction spectrum for free wireless Internet by dismissing concerns it would interfere with existing providers' signals.
Video
Talking with Newt Gingrich on tech, bailout
News - Politics and Law
President signs broadband data collection bill
The Broadband Data Act encourages wider collection of information regarding nationwide access to broadband.
News - Cutting Edge
Academics sink teeth into Yahoo search service
Yahoo hopes its Build Your Own Search Service program has piqued the interest of academic researchers. Next stop: start-ups.
Gallery
Photos: Cracking open Apple's revamped iPod Nano
Crossfade
The Streets, 'The Escapist': Free MP3 of the Day
Download a free MP3 of "The Escapist" courtesy of CNET Download Music.
Green Tech
Urban wind power inspired by ancient Persia
The shape of urban wind power continues to morph. The latest twist come from Windation, a company with a design inspired by centuries-old "wind catchers."