Firefox And IE Confront A New Flaw
Mozilla's Firefox 2 and Microsoft's Internet Explorer 7 are susceptible to a flaw that could enable attackers to steal confidential information.
The vulnerability called 'Reverse Cross-Site Request', or RCSR by its discoverer, Robert Chapin, president of 'Chapin Information Services' allows hackers to capture users' usernames and passwords by displaying a fake login form. The form will make 'Firefox Password Manager' to automatically enter saved passwords and usernames.
The attack works by creating HTML (Hypertext Markup Language) forms on the website. HTML forms are allowed on 'blogging' and 'social networking' sites. According to Chapin, those who browse 'blogs' and web site forums that require the addition of user-contributed HTML code are particularly in danger.
Chapin believes RCSR attacks are also aiming Microsoft Internet Explorer although the attack is much more likely to succeed in Firefox due to a flaw. Chapin, therefore, cautions users of both Firefox and Internet Explorer to be wary of information stolen this way when they visit blogs and forum websites even at trusted addresses.
The RCSR attack was performed through a 'phishing' attack in 'MySpace' in late October. There, 'phishers' registered a MySpace account named login_home_index_html and through it, presented a fake login page that took advantage of the flaw.
Talking about the bug, 'Mozilla' developer Daniel Veditz said that as the bug was one 'in the world' attacks, the company was not hiding any details. Veditz added that browser creators were concentrating on 'user convenience' till now and assumed sites with valuable passwords would be better designed. But the bugs they had were similar to Mozilla bugs, so Mozilla has to be more defensive.
Microsoft's Internet Explorer is also vulnerable to this attack because, like Firefox, it does not make sure that the password info reaches the same server that asks for it. But tricking Internet Explorer is more difficult as it is more careful in checking the source of the login form before it automatically submits password and username.
Mozilla and Microsoft are familiar with the existence of this problem. They strongly recommend their users to disable the 'Password Manager' to prevent unwanted submission of login information till a fix is available.
» SPAMfighter News - 27-11-2006