Firefox Phishing Flaw

Submitted by Matt on 2005-01-09
Privacy, Security
25 Comments

“A vulnerability in Firefox could expose users of the open-source browser to the risk of phishing scams, security experts have warned.” In a related note, security firm Secunia has discovered three very critical security flaws in IE.

About the author: David Adams

2005-01-09 11:55 pm
“David Emm, a senior technology consultant at antivirus company Kaspersky Labs, said that phishers aren’t likely to take advantage of this flaw in Firefox, because Microsoft’s Internet Explorer still dominates the browser market.”

I think that scammers aren’t likely to exploit it, rather for another reason. With the FF development model this flaw will be fixed “tomorrow”. Like most of Linux “vulnerabilities”.

2005-01-09 11:57 pm
Fedora Core 1 with Firefox 1.0. The exploit doesn’t work.

2005-01-10 12:01 am
https://bugzilla.mozilla.org/show_bug.cgi?id=262887

Part of it was already fixed, and the nightly build is available. Not recommended though, since many bugs resulting from the aviary branch landing are still there.

2005-01-10 12:10 am
It does work on Linux (Gentoo), with the latest stable build of Firefox (1.0-r3). However I can see the full URL if I make the download box bigger, so it isn’t much of an exploit.

2005-01-10 12:37 am
I think that scammers aren’t likely to exploit it, rather for another reason. With the FF development model this flaw will be fixed “tomorrow”.

Which doesn’t help all the people that don’t update much, does it?

2005-01-10 12:42 am
I don’t know if you’ve noticed, but every time Firefox starts up, it checks for updates and prompts the user to download them (little green arrow above the search bar). It’s simple, and in their face, so they will be likely to install it.

I don’t think that will be much of a problem.

2005-01-10 12:43 am
“Which doesn’t help all the people that don’t update much, does it?”

how is that specific to firefox. did you actually use and try out what the flaw is? what's your point?

2005-01-10 1:12 am
Which doesn’t help all the people that don’t update much, does it?

Well, it’s still better than the reported IE flaws, which affect even users of XP SP2…

2005-01-10 1:27 am
The article states: “…No solution is available at present, but Mozilla developers are expected to fix this bug in an upcoming version of the product.”

So we have to wait for the next release? They won’t patch it, huh? If OSS can respond to bug fixes quicker and better than commercial software, then why must we wait until the next version?

2005-01-10 1:30 am
I don’t know if you’ve noticed, but every time firefox starts up, it checks for updates and prompts the user to download them (little green arrow above the search bar). It’s simple, and in their face, so they will be likely to install it.

Unfortunately it’s not yet available via that mechanism (and won’t be for a day or two I’d imagine).

I don’t think that will be much of a problem.

I think you vastly underestimate the average user’s ability to ignore things.

2005-01-10 1:33 am
how is that specific to firefox.

I never said it was.

did you actually use and try out what the flaw is?

Yes, not that it really matters.

what's your point?

That in the OSS zealot’s mind, a “security problem” ceases being a problem as soon as the fix enters CVS (or is posted to a mailing list), which is far, far from reality.

2005-01-10 1:36 am
Well, it’s still better than the reported IE flaws, which affect even users of XP SP2…

Not really. The practical difference between a (partial) fix only available from CVS or obscure (and buggy) daily builds and nothing on Windows Update is vanishingly small.

2005-01-10 1:40 am
So we have to wait for the next release? They won’t patch it, huh?
If OSS can respond to bug fixes quicker and better than commercial software, then why must we wait until the next version?

Keep in mind they didn’t mention a source for that.

Also it’s quite possible that it could be both fixed in the next release AND a patch be released before that.

I think you vastly underestimate the average user’s ability to ignore things.

Ignore what? What site they are downloading from, perhaps?

Secunia rated it 2 out of 5. This seems pretty minor to me…

How many people are saved from running a tainted file by looking at the full URI in the download window?

2005-01-10 1:47 am
Not really. The practical difference between a (partial) fix only available from CVS or obscure (and buggy) daily builds and nothing on Windows Update is vanishingly small.

So you have conveniently chosen to ignore the severity of the bugs? That makes a lot of sense….

2005-01-10 2:08 am
Ignore what?

“In your face” prompts to update their software. Most of them are far more interested in how to get rid of the “in your face” prompts than doing the things those prompts recommend.

What site they are downloading from, perhaps?

Secunia rated it 2 out of 5. This seems pretty minor to me…

You’re missing the point of my comment, I fear. The severity of the exploit is not relevant to the typical end user’s poor record with regard to installing software patches.

So you have conveniently chosen to ignore the severity of the bugs? That makes a lot of sense….

I was under the impression the topic of discussion at that point was primarily the promptness & availability of patches.

You are correct, however, the IE exploit is more severe. We’ll have to wait and see how long it takes Microsoft to respond.

Interestingly, the IE exploit doesn’t work on my Win2k3 machine.

2005-01-10 2:10 am
“In your face” prompts to update their software. Most of them are far more interested in how to get rid of the “in your face” prompts than doing the things those prompts recommend

Well said!

2005-01-10 2:17 am
I know how you feel, but you have to get over this. The English language changes. Gay didn’t used to mean homosexual.

The people who call “cracker” hackers aren’t going to change, so just get used to it.

There’s a difference. Homosexual ppl are fine with calling them “gay” (AFAIK), but hackers are definitely not fine with being associated with such malicious/criminal actions.

Victor.

2005-01-10 2:20 am
That little green arrow? You mean the little green arrow, that’s what, all of 16×16 pixels? The one that hides at the top?

Oh…that little one.

I can see how it’s in your face and begs to be clicked on. =)

2005-01-10 3:10 am
Not really much of an exploit. I said the same thing when it was IE in the hotseat for a similar issue, and I still stand by it. The idea that any average user is actually checking URLs is a fallacy, and a grave one at that. Most average users still eagerly open email attachments from “firstname.lastname@example.org” which promise to reveal why their functioning email addy has been shut down hard. Hell, the average user can’t figure out when their keyboard is unplugged. Calling this a security issue is akin to saying that all email clients are riddled with security holes because they can be used to send and receive messages from Rwandan princes who need $10k cash, fast.

2005-01-10 4:07 am
Folks … just because an exploit has a patch available doesn’t mean that users will download and apply that patch. Crackers routinely take advantage of the latency between the availability and application of a patch. Most users are idiots. Seriously. Not in terms of intelligence but, rather, in terms of the way that they use their computers. They don’t like to read. To them, “In your face” actually means “Here’s an annoying prompt that you’re going to try to bypass through the most expedient means possible without reading”. So don’t kid yourselves. Many users NEVER download patches. NEVER. They just don’t care.
They don’t realize how much of a risk they’re faced with — and they don’t care.

Patching needs to be automatic in order to be useful. And, in such a world, you need to give an account sufficient privileges to do the updating. If Microsoft were to try to do this automatically, many of you (although you won’t admit it) would start spewing conspiracy theories about how MS is trying to install spyware or DRMware or some new feature without your authorization. You can’t have it both ways. Either it happens automatically — in which case the user grants the updating agent unmitigated access to do the updating — or you dump the responsibility for monitoring the updating on the user’s shoulders. I can tell you, based on my experience, that the vast majority of users are not going to want to (nor will they be able to) understand the implications of installing or not installing a particular update.

OS software needs to tread the line between usability and security. While many of you will disagree with how MS is doing in this regard, the fact remains that Linux would have the same problems (usability versus security) if it were to gain any kind of prominence on the desktop. You can’t have both. Usability requires tradeoffs of security — and vice-versa.

2005-01-10 4:50 am
It is… Although, there are too many reasons to get into to explain why. Google and learn (if you need to).

I do agree however with your point cause I think you have a good one.

After reading this, on the surface, users could get the wrong impression of Mozilla and Firefox (having to wait until the next version is released to get the fix?).

To keep users’ trust and faith, problems must be solved quickly without ANY excuse or delay! Explanation of the issue is important, but “joe blow” won’t care… “A problem?” “Where’s the fix?” is all he will ask.

Firefox should have an easier way to receive security fixes and updates.
Something such as an interface to an update database of bugs and security flaws that users can connect to through Firefox, read about each bug and patch or install what they choose to. Windows update like, but geared toward education and good practice for users. Also, secure and easy to use (not Win update in this way as far as secure goes).

Bottom line… security exploit must = fix ASAP.

By the way, I can’t stand Windows. I’m an OSS fan. But, I won’t criticize or praise Windows unless it is deserved. The same goes for OSS. Nothing is perfect.

But, the Moz team is on the right track.

2005-01-10 6:20 am
If I may quote the articles and their related links……

http://www.earthtimes.org/articles/show/1150.html

“The company has also said that Microsoft has been aware of this flaw for at least two months now but they have not yet come up with a security patch. The exploit code for one of the three vulnerabilities, a flaw in an HTML Help control, was already published on the Internet on Dec. 21.”

http://secunia.com/secunia_research/2004-15/advisory/

“24/11/2004 – Vulnerability reported to vendor.
20/12/2004 – The vendor published a public Bugzilla report regarding this vulnerability.
04/01/2005 – Public disclosure.”

https://bugzilla.mozilla.org/attachment.cgi?id=168913

Firefox partial fix: 12/16/04
IE fix for bug around same time: ?????

2005-01-10 12:39 pm
firefox has an easy to use interface for updates.

something in cvs will be in the next point release. if it is a big enough deal, there will be a patch. regardless, there's a difference between knowing a minor issue is taken care of, as opposed to nothing from ms on three big ones.

usability and security are not tradeoffs in 99% of cases. this is one of the vast majority, where usability has nothing to do with anything.

OSS doesn't make inherently more stable code. it is not magic pixie dust to sprinkle on a project to make it good.
oss allows for stuff like a quick response to security holes, the quality of the code is still dependent on the guy who writes it.

and as for automatic updating, when your updates have a history of breaking stuff, admins will get very upset if updates happen without their authorization.

2005-01-10 3:42 pm
Not really much of an exploit.

I agree. This is so much of a non-issue I can’t believe they even bothered to patch it. Granted if it was a status-bar spoofing vulnerability that would be more serious. Totally ridiculous.

2005-01-10 11:05 pm
I am sorry but most of the arguments about FF here have been pretty dumb. The problem with users updating exists with every program that exists. In that part F/OSS and Closed Source are exactly the same. If you have a specific problem with the way firefox does it? Great! File a bug report with your suggestion.

The difference between F/OSS and Closed Source is specifically from the time the exploit goes public till the time the fix hits CVS. With F/OSS you can see what progress is going on, and you can have many more participants (including yourself) working on fixing the exploit (and if it is a high-risk one you can bet your arse that companies are going to be sure there will be more participants!).

Another difference is in the existence of bugs in the first place and in the severity of the bugs.

It isn’t really fair, though, to take IE and Windows as an example onto the rest of the Closed Source world. There are many Closed Source companies that have very secure products (some even more secure than their F/OSS counterparts), such as Opera and Solaris.

Still the reason I like F/OSS was proven to me from the whole backdoor scandal with Cisco.