Firefox Flaw Could Let Attackers Change Cookies
A bug was recently uncovered in Firefox that could allow a malicious Web site to appear authentic.
The bug affects the way Firefox handles writing to the "location.hostname" DOM property, according to a posting by security researcher Michal Zalewski on the security mailing list Full Disclosure. The vulnerability could potentially allow a malicious Web site to manipulate the authentication cookies for a third-party Web site.
By bypassing same-origin policy, attackers can possibly tamper with the way these sites are displayed or how they work. For users, this means the bug could allow for the browser to appear as if the user were connecting to a bank, when in fact the user would instead be receiving data from an attacker.
"This flaw is at the core of phishing attack[s]," said Natalie Lambert, an analyst with Forrester Research. "The ability to mask the real site a user is visiting is how phishing attacks are successful. So, the threat of this vulnerability is large."
This vulnerability was tested using Firefox 2.0.01. Though the bug was listed as resolved, Mozilla security chief Window Snyder said they will be addressing the vulnerability in the next update to Firefox, version 2.0.0.2.
"We have not heard of any reported exploits," he said. "However, we're working to address the issue as quickly as possible to minimize the window of risk. Mozilla takes security vulnerabilities very seriously, and our community of users can be assured that we are working hard to resolve this."
David Frazer, director of technology services at F-Secure, urged users to make sure they have the automatic updates for Firefox set to on.
Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.
:source:Source: Yahoo! News
______________________________________
For the FF fans. ;)
Re: Firefox Flaw Could Let Attackers Change Cookies
:O
Thanks, will look out for new version.
Re: Firefox Flaw Could Let Attackers Change Cookies
Soooooooo whens the patch coming out today ,tomorrow ? :D
Re: Firefox Flaw Could Let Attackers Change Cookies
Re: Firefox Flaw Could Let Attackers Change Cookies
try to get the latest version & all gonna be okay
Re: Firefox Flaw Could Let Attackers Change Cookies
Thanks for the heads up on this one Hairbautt. Here's hoping that the firefox team can release a patch soon. Does anyone know of a workaround until a new version is out?
