7 Gold

UNPATCHED address-bar spoofing unerability in Firefox 3.6.4

Only a day or two after it was released...

the following has been copied/pasted ffrom http://secunia.com/advisories/40283/

Description
Michal Zalewski has discovered a [less critical] vulnerability in Mozilla Firefox, which can be exploited by malicious people to conduct spoofing attacks.

The vulnerability is caused due to the address bar of a newly opened window displaying the URL of the requested location before the page is loaded. This can be exploited to display arbitrary content in the blank document while showing the URL of a trusted web site in the address bar, e.g. by calling "window.stop()" to abort loading the new page.

The vulnerability is confirmed in version 3.6.4. Other versions may also be affected.

Solution
UNPATCHED --- Do not rely on the address bar when untrusted web sites open new windows.

Provided and/or discovered by
Michal Zalewski

Original Advisory
http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html

 

Free Internet Security - WOT Web of Trust       Use OpenDNS       MalwareBytes Anti-Malware


Windows 10 Pro (64-bit), Panda DOME 18.7.4, MBAM4 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, MBAE Premium, MCShield, WinPatrol PLUS, SAS (on-demand scanner), Zemana AntiLogger Free, Microsoft EDGE, Firefox, Pale Moon, uBlock Origin, CryptoPrevent.


[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

0 Kudos