9th February 2005, 12:14 AM
Just thought I would pass this info on to others that may or may not know about it, for Mozilla 1.7.x, Mozilla Firefox 0.x and Mozilla Firefox 1.x.
Have a look at the test!

9th February 2005, 03:42 AM
Yes, however, there is a workaround. Type about:config into the browser address bar and hit the enter key.
Look for the following entry: network.enableIDN
Highlight that entry and double-click it to change the boolean value from true to false.
This will prevent a malicious webpage that attempts to exploit this vulnerability from loading at all.
I have tried it on a test webpage and it stops the exploit from working by not allowing the exploit webpage to load :D

9th February 2005, 04:19 AM
This is a temporary workaround, because if you install a new extension, network.enableIDN takes its old value, no matter what is written in the about:config tab. The real solution is to edit the ~/.mozilla/firefox/xxxxxxxx.default/compreg.dat file by hand and change this string:
to this:

9th February 2005, 04:41 AM
mcg: Thank you for that tip :)

9th February 2005, 07:25 AM
Subtle! I didn't even notice the strange character in the test, and I usually notice things like that.
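
Added example, not part of the original thread: a small Python check that surfaces the kind of character the eye misses in an internationalized hostname, listing each non-ASCII code point and the ASCII-compatible (`xn--`) form of the label. The hostnames are constructed samples on `example.com`, and the script guess (first word of the Unicode character name) is a heuristic assumption, not a full Unicode script lookup.

```python
import unicodedata

def script_of(ch):
    """Heuristic script guess: first word of the Unicode character name."""
    if ch.isascii():
        # ASCII letters count as Latin; digits and '-' are script-neutral.
        return "LATIN" if ch.isalpha() else None
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def inspect_hostname(host):
    """Return one finding per label that contains non-ASCII characters."""
    findings = []
    for label in host.split("."):
        odd = [(i, ch) for i, ch in enumerate(label) if not ch.isascii()]
        if not odd:
            continue  # plain ASCII label, nothing to report
        scripts = {s for s in map(script_of, label) if s}
        findings.append({
            "label": label,
            # ASCII-compatible encoding as it would be sent on the wire (IDNA 2003 codec)
            "ace": label.encode("idna").decode("ascii"),
            "non_ascii": [
                (i, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN"))
                for i, ch in odd
            ],
            # Letters from more than one script inside a single label
            "mixed_script": len(scripts) > 1,
        })
    return findings

# Constructed samples: the second host uses U+0430 in place of ASCII "a".
PLAIN_HOST = "www.example.com"
LOOKALIKE_HOST = "www.ex\u0430mple.com"

if __name__ == "__main__":
    for host in (PLAIN_HOST, LOOKALIKE_HOST):
        results = inspect_hostname(host)
        print(host.encode("unicode_escape").decode(), "->", results or "ASCII only")
```

A label made entirely of one non-Latin script is reported with `mixed_script` set to `False`; the mixed case is the one that deserves a closer look.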

11th February 2005, 02:00 AM
Seems the web browser I use (Opera) is also vulnerable. Any known workarounds for Opera yet?

11th February 2005, 04:08 AM
According to Digg, the 2/10/05 build of Mozilla and Firefox has corrected the security issue. Available here: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-aviary1.0.1/