Firefox IDN bug and IE revisited
Bill Gates last week announced a beta for a new IE 7 browser that may ship later this year. But that still means we have a lot of unpatched items on Secunia's . Unfortunately, IE isn't the only browser that can have security holes.
The Firefox and Mozilla browsers are affected by attacks involving internationalized domain names (IDN), as I described in this space . A hacker using IDN can make a hacking site appear to be any other Web address, such as paypal.com, in these browsers' Address Bar.
What to do: The workaround I gave then for these "homograph" attacks — i.e., change network.enableIDN to false in Firefox's about:config settings — has been as a temporary measure. A forthcoming 1.0.1 release of Firefox will set this option to false by default. A better solution that doesn't totally eliminate support for IDN is expected to be included in Firefox 1.1.
A different workaround to eliminate the security hole is to close Firefox, then open the compreg.dat file from the user profile, using a text editor. Look for the entries for IDN and idn and set a quote mark (") at the beginning of those lines. This will disable Firefox's ability to visit sites that use IDN notation, but hopefully this will be only temporary. IE, of course, isn't vulnerable to this problem because it never offered support for the new IDN sites at all.
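The homograph problem described above, as an added example that is not part of the original column or of any browser's code: this Python script rewrites each hostname label in its ASCII "xn--" form, which exposes the real name, and flags labels that mix scripts. The function names and sample hostnames are constructed for illustration, and classifying a character's script by the first word of its Unicode name is a simplifying assumption.

```python
import unicodedata

def script_of(ch):
    """Coarse script bucket: first word of the Unicode character name."""
    if not ch.isalpha():
        return None                      # digits and hyphens carry no script
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def to_unicode(label):
    """Decode an ACE ("xn--") label; other labels pass through unchanged."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ace(label):
    """Encode a non-ASCII label as ACE so the registered name is visible."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def inspect_host(host):
    """Return (ace_host, verdict) for a hostname given in either form."""
    ace_labels, verdict = [], "ascii"
    for raw in host.lower().rstrip(".").split("."):
        uni = to_unicode(raw)
        ace_labels.append(to_ace(uni))
        scripts = {s for s in map(script_of, uni) if s}
        if len(scripts) > 1:
            verdict = "mixed-script"     # e.g. Latin letters plus one Cyrillic
        elif not uni.isascii() and verdict == "ascii":
            verdict = "idn"              # single-script IDN, not suspicious alone
    return ".".join(ace_labels), verdict

# Constructed sample input: the second name uses U+0430 (Cyrillic "a").
SAMPLES = ["www.paypal.com", "www.p\u0430ypal.com",
           "xn--pypal-4ve.com", "b\u00fccher.example"]

if __name__ == "__main__":
    for h in SAMPLES:
        shown = h.encode("unicode_escape").decode()
        print(f"{shown:28} -> {inspect_host(h)}")
```

A name made up entirely of look-alike characters from one non-Latin script is reported only as "idn" here; catching it requires a confusables table, which this example does not include.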