Mozilla and Firefox patch fixes exploit, 12 hours later

inphlict
Posts: 1656
Joined: Sat Jul 13, 2002 7:00 am


Post by inphlict »

Recent exploit is fixed in only 12 hours.

http://ftp.mozilla.org/pub/mozilla.org/ ... iary1.0.1/

More about the exploit:

Browser Exploit That Doesn't Affect IE - Shocks The World

According to a paper recently published by Eric Johanson of the Shmoo Group, users of most Mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc), Safari 1.2.5, Opera 7.54, Omniweb 5 are victim to a complex International Domain Name [IDN] spoof. This new attack allows an attacker/phisher to spoof the domain/URLs of businesses. Every recent gecko/khtml based browser implements IDN (which is just about every browser except for Internet Explorer). The Shmoo Group have created a proof of concept where the links are directed at "http://www.pаypal.com/", which the browsers' punycode handlers render as http://www.xn--pypal-4ve.com.

Proof of concept URL:

http://www.shmoo.com/idn/

Clicking on any of the two links in the above webpage using anything but IE should result in a spoofed paypal.com webpage.

The links are directed at "http://www.pаypal.com/", which the browsers' punycode handlers render as http://www.xn--pypal-4ve.com.

This is one example URL - there are now many ways to display any domain name on a browser, as there are a huge number of codepages/scripts which look very similar to Latin charsets.

Phishing attacks are the largest growing class of attacks on the internet today.

Vulnerable browsers include (but are not limited to):

Most Mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc)
Safari 1.2.5
Opera 7.54
Omniweb 5

Detection:

There are a few methods to detect that you are under a spoof attack. One easy method is to cut & paste the URL you are accessing into notepad or some other tool (under OSX, paste into a terminal window) which will allow you to view what character set/pagecode the string is in. You can also view the details of the SSL cert, to see if it's using a punycode wrapped version of the domain starting with the string 'xn-'.

Workaround:

You can disable IDN support in Mozilla products by setting 'network.enableIDN' to false. There is no workaround known for Opera or Safari.
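
The detection step described in the post above (finding the punycode form of a hostname and seeing which character set its letters really come from), as an added example that is not part of the original post. The function names are hypothetical, the script check is a heuristic based on Unicode character names, and the sample hostnames are the ones quoted in the post.

```python
import unicodedata

ACE_PREFIX = "xn--"  # marks a punycode-encoded (IDN) label

def label_to_unicode(label):
    """Decode an xn-- label to Unicode; other labels pass through."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label

def label_to_ascii(label):
    """Encode a label to its xn-- form if it has non-ASCII characters.
    Assumption: no nameprep normalisation, only lowercasing."""
    if label.isascii():
        return label.lower()
    return ACE_PREFIX + label.lower().encode("punycode").decode("ascii")

def scripts(label):
    """Heuristic: the first word of a letter's Unicode name is its script."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def inspect_host(host):
    """Return the ASCII form of host plus findings for non-ASCII labels."""
    findings = []
    ascii_labels = []
    for raw in host.rstrip(".").split("."):
        uni = label_to_unicode(raw)
        ascii_labels.append(label_to_ascii(uni))
        if not uni.isascii():
            found = scripts(uni)
            findings.append({
                "label": uni,
                "scripts": sorted(found),
                "mixed": len(found) > 1,  # e.g. Latin and Cyrillic together
                "non_ascii": [f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                              for c in uni if not c.isascii()],
            })
    return {"ascii": ".".join(ascii_labels), "findings": findings}

if __name__ == "__main__":
    # Hostname from the post: the second letter is Cyrillic U+0430.
    spoof = "www.p\u0430ypal.com"
    for h in (spoof, "www.xn--pypal-4ve.com", "www.paypal.com"):
        print(h.encode("unicode_escape").decode(), "->", inspect_host(h))
```

A label that mixes scripts is the strongest signal here; a label written entirely in one non-Latin script is ordinary IDN use and is reported but not marked as mixed.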
eepberries
Posts: 1975
Joined: Mon Jan 24, 2005 10:14 pm

Post by eepberries »

So, how exactly do you set this value? I use Mozilla 1.4 and can't find this in the options.
Pho
Posts: 56
Joined: Tue Feb 08, 2005 5:08 pm

Post by Pho »

eepberries wrote: So, how exactly do you set this value? I use Mozilla 1.4 and can't find this in the options.
In the address bar:

about:config

then simply find the right entry and double click it. (hint: use the filter to find it quickly)
eepberries
Posts: 1975
Joined: Mon Jan 24, 2005 10:14 pm

Post by eepberries »

Pho wrote:
eepberries wrote: So, how exactly do you set this value? I use Mozilla 1.4 and can't find this in the options.
In the address bar:

about:config

then simply find the right entry and double click it. (hint: use the filter to find it quickly)
Thanks. And hmm, it's already set to false.

:paranoid:
l0g1c
Posts: 1838
Joined: Tue May 07, 2002 7:00 am

Post by l0g1c »

thanks for the heads :up:
dmmh
Posts: 2501
Joined: Thu Jan 04, 2001 8:00 am

Post by dmmh »

dated, to say the least