Thread: Firefox fix plugs security holes

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Firefox fix plugs security holes

    The Mozilla Foundation on Thursday released an update to the Firefox Web browser to fix several vulnerabilities, including one that would allow domain spoofing.

    The open-source project released Firefox 1.0.1 to fix, among other bugs, a vulnerability in the Internationalized Domain Names (IDN), a standard for handling special character sets in domain names that could let an attacker spoof Web sites on non-Microsoft browsers. The standard allows companies to register domain names that appear to be the same in different languages.

    That encoding scheme could enable an attacker to create a fake Web site for a phishing scam. A spoofed link would seem to be a legitimate URL in the address bar of affected browsers. But instead of taking the victim to the trusted site, the link would lead to a phony Web site with a domain rendered as the same address under the IDN process.

    The updated browser will display the IDN Punycode in the address bar, preventing URL spoofing. Punycode is the encoding of Unicode strings into the limited character set supported by the Domain Name System and IDN.

    "Regular security updates are essential for maintaining a safe browsing experience for our users," Chris Hofmann, director of engineering for the Mozilla Foundation, said in a statement.

    ...
    Source : http://news.zdnet.com/2100-1009_22-5589693.html
    -Simon "SDK"
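
The Punycode display fix described in the quoted article, sketched as an added example (not part of the original post and not Firefox's code): a hostname with any non-ASCII label is shown in its `xn--` form, and labels mixing scripts are flagged. The function names and the sample hostname are constructed for illustration; Python's built-in `idna` codec implements IDNA 2003, and the script check based on Unicode character names is a rough heuristic.

```python
import unicodedata


def to_ace(host: str) -> str:
    """Return the ASCII-compatible (Punycode, "xn--") form of a hostname."""
    # The stdlib "idna" codec applies ToASCII to each dot-separated label.
    return host.encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, taken from Unicode names."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # e.g. "CYRILLIC SMALL LETTER IE" -> "CYRILLIC"
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def display_host(host: str) -> str:
    """What an address bar would show: Punycode whenever the host is an IDN."""
    return host if host.isascii() else to_ace(host)


def review(host: str) -> dict:
    """Summarise how a hostname should be displayed and whether it looks odd."""
    labels = host.split(".")
    return {
        "display": display_host(host),
        "is_idn": not host.isascii(),
        "mixed_script_labels": [l for l in labels if len(label_scripts(l)) > 1],
    }


# Constructed samples. LOOKALIKE starts with CYRILLIC SMALL LETTER IE (U+0435),
# which renders like Latin "e" in many fonts.
PLAIN = "example.com"
LOOKALIKE = "\u0435xample.com"

if __name__ == "__main__":
    for h in (PLAIN, LOOKALIKE):
        print(repr(h), review(h))
```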

  2. #2
    Senior Member
    Join Date
    Feb 2005
    Posts
    149
    hmmm... in my Firefox browser, I go to Tools > Options > then select the Advanced button > scroll down to Software updates, and it doesn't have any available updates... I'm still at version 1.0, I guess it hasn't been released yet?

  3. #3
    AO Senior Cow-beller
    Moderator
    zencoder
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    I tried to force it a few times. If you download the whole package it's 1.0.1. Looks like they haven't pushed the package via the update service yet. If you've got to have bleeding edge, you'll have to get it yourself... I didn't see any announcements on when it would be available via update.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore