FireFox Exploit (And others, but not IE this time)

[goBigtime]

Test it here...

http://www.shmoo.com/idn/

There is a link to the advisory there too.


In firefox you can fix it yourself until they issue a new version:

Type about:config in your address bar.

Scroll down to network.enableIDN and double-click it to set it to false

IDN = International Domain Name

[goBigtime]

Vulnerable browsers include (but are not limited to):

Most mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc)
Safari 1.2.5
Opera 7.54
Omniweb 5


Vendor Responses:

Verisign: No response yet.
Apple: No response yet.
Opera: They believe they have correctly implemented IDN, and will not be
making any changes.
Mozilla: Working on finding a good long-term solution; provided clear
workaround for disabling IDN.



Mozilla/Firefox first to offer a fix

[Jace]

rofl, i thought firefox was immune to this shit?

[quantum-x]

Slashdot cross poster eh?

It's not actually so much that IE isn't vulnerable, it just doesnt support the IDN standard. If you installed the plugin, it will be.

On the flip side, it's not so much FF that is vulnerable as the plugin

[e-god]

as firefox is getting more popular more exploits are being found, waiting till nerds will start to write malicious viruses and worms that will go thru firefox

[goBigtime]

Quote:

Originally Posted by quantum-x

Slashdot cross poster eh?

I don't read the forums much, usually just the headlines.

A friend IM'd me with the info a few mins before I started this thread.

[goBigtime]

Quote:

Originally Posted by e-god

as firefox is getting more popular more exploits are being found, waiting till nerds will start to write malicious viruses and worms that will go thru firefox

With firefox, If they don't write and exploit them within an hour of the exploit being released then they'll probably be too late :P