Firefox, Mozilla, Opera struck by spoofing flaw

A dangerous spoofing security hole has been found in every browser on the market — except one.

Mozilla, Firefox, Safari, Opera and Netscape all suffer from the “moderately critical” vulnerability that allows the spoofing of address bar URLs and SSL certificates, but, incredibly Microsoft Corp.’s Internet Explorer gets a clean bill of health.

Publicized by security company Secunia, the flaw affect the range of browsers using the open-source Geko browser kernel. Anyone using an affected browser would be able to visit spoofed websites without being aware of it, something that would aid any crime based on setting up bogus websites, such as phishing.

The flaw arises from the way the named browsers resolve web addresses that include international characters in International Domain Name (IDN) URLs. Russian researchers Evgeniy Gabrilovich and Alex Gontmakher first outlined the potential for such a spoofing issue in 2002, in what was then a theoretical paper, The Homograph Attack. Exploiting the hole could, they reasoned, allow them to register a “homographic” variant of that included Unicode/UTF-8-defined Russian characters similar to certain ASCII characters.

They speculated that some browsers would either resolve these characters in a garbled way or would, as has turned out to be the case, present them as if the registered domain was actually the real Users could also be fooled into believing the bogus site was protected by an SSL certificate when it wasn’t.

There is no patch for the vulnerability though users can at least test browsers for it on the Secunia website.

Related Download
Five Key Issues for DNS: The Next Network Management Challenge Sponsor: F5 Networks
Five Key Issues for DNS: The Next Network Management Challenge
Download this whitepaper to learn the five issues that IT needs to think about around DNS and why, as well as how you can build a strong DNS foundation to maximize use of resources, secure DNS, and increase service management, while remaining agile.
Register Now