Mozilla Firefox Download Dialog Source Spoofing

[SDK]

Secunia Advisory: SA13599
Release Date: 2005-01-04
Critical: Less critical
Impact: Spoofing
Where: From remote
Solution Status: Unpatched

Software: Mozilla 1.7.x and Mozilla Firefox 1.x

Description:
Secunia Research has discovered a vulnerability in Mozilla / Mozilla Firefox, which can be exploited by malicious people to spoof the source displayed in the Download Dialog box.

The problem is that long sub-domains and paths aren't displayed correctly, which therefore can be exploited to obfuscate what is being displayed in the source field of the Download Dialog box.

The vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. Other versions may also be affected.

Solution:
Do not follow download links from untrusted sources

Link : http://secunia.com/advisories/13599/

[moxnix]

A possible solution while using Firefox is the spoof stick extension. (see attachment)

[dayneman1]

Thanks for the heads up. I just started using firefox with windows and this raises the question is firefox more secure than internet explorer.

[SDK]

My personal point of view is that you'll start seeing more security Advisory about Firefox now that peoples start using it a lot.

[dmorgan]

I agree with SDK, but there is still way more vulnerabilities in IE than firefox. I think there will continue to be more attacks on IE, b/c the average layman doesn't know how often they get attacked and they stick with Ie despite all the warnings. Nontheless, we will continue to see new vulnerabilities in both, just not at the same rate. That's just my opinion.

[Double//Cut]

Originally posted here by SDK
My personal point of view is that you'll start seeing more security Advisory about Firefox now that peoples start using it a lot.

the question is, when will the next major sploit be for the mozilla series. And even if you could gain complete control over the computer ... IE exploits were never mass damaging, only to m$ reputation