
02/07/2005, 11:35am, EST

Monday, February 7th

Security hole threatens Safari, Firefox, others

A security hole in Firefox and Safari could enable malicious Web sites to mislead users. The exploit involves International Domain Name (IDN) handling. A proof of concept is available to demonstrate the exploit. There is currently no known workaround for Safari, and a potential fix for Mozilla has been questioned. Internet Explorer is not affected. Camino, however, appears to be vulnerable to the exploit.


Filed under: troubleshooting



18 comments
iCab is "safe" too.
0
02/07, 12:14pm, EST
iCab seems to be immune too. I get "Not Found" errors.
Fresh-Faced Recruit
Join Date:Dec 2003
Status:Offline
That's it...
0
02/07, 1:25pm, EST
...I'm moving over to Windows.
Mac Elite
Join Date:Oct 2001
Status:Offline
Not a big deal...
0
02/07, 1:34pm, EST
We can just view the source code of every page we visit and examine each link...err..um...nevermind.
Fresh-Faced Recruit
Join Date:Aug 2001
Status:Offline
Workaround for Mozilla...
0
02/07, 1:35pm, EST
Workaround for Mozilla-based products (Mozilla, Firefox, etc.):

Enter about:config in the address bar and click Go or hit Enter.
Scroll down to the network.enableIDN preference and double-click it so the value says "false".

The problem is that the setting will be ignored the next time Firefox is started and will have to be reset each time the browser is launched (even if the pref says "false").
Grizzled Veteran
Join Date:Apr 2001
Status:Offline
Not a security hole
0
02/07, 1:40pm, EST
As dumb as it may sound, this is NOT a true "security hole".

This is a pure abuse and disregard of the rules set for IDN handling, where top-level registrars are supposed to be as restrictive as possible in handing out IDN coded domain names. Of course, the ICANN turns a blind eye on the .com, .net and .org TLDs, opening up a can of worms in regard to phishing. Other TLDs are supposed to stick with their alphabet only to minimise problems, but some TLDs have not honoured this (like Poland f.ex. - they would happily register "ibm·com.pl" - see a possible conflict with "ibm.com.pl"? :)
Junior Member
Join Date:Sep 2004
Status:Offline
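As an added example (not code from the article or from any commenter), here is a small standard-library Python checker for the kind of lookalike the comment above describes: it punycode-decodes xn-- labels, flags labels that mix Unicode scripts, labels that NFKC normalisation folds to something else, and non-ASCII punctuation such as the middle dot in "ibm·com.pl". The Cyrillic "pаypal" host used in the test is a constructed sample.

```python
"""Flag IDN labels that could masquerade as a familiar ASCII hostname.

Added example, not from the article or its commenters. Uses only the
standard library: labels are punycode-decoded with the 'idna' codec,
then checked by the scripts their letters come from (via unicodedata
names), by NFKC folding, and for non-ASCII punctuation inside a label.
"""
import unicodedata


def decode_host(host: str) -> str:
    """Decode any xn-- (punycode) labels so the user-visible form is checked."""
    out = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        out.append(label)
    return ".".join(out)


def scripts_in(label: str) -> set:
    """Script names (first word of each letter's Unicode name) used in a label,
    e.g. {'LATIN', 'CYRILLIC'} for a Latin label with one Cyrillic letter."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def homograph_findings(host: str) -> list:
    """Return human-readable reasons a hostname looks like a homograph.
    An empty list means nothing suspicious was found."""
    findings = []
    for label in decode_host(host).split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"{label!r}: mixes scripts {sorted(scripts)}")
        folded = unicodedata.normalize("NFKC", label)
        if folded != label:
            findings.append(f"{label!r}: NFKC-folds to {folded!r}")
        # Non-ASCII punctuation inside a label: the middle dot in 'ibm·com.pl'
        # reads like a label separator but is really part of one label.
        for ch in label:
            if not ch.isascii() and not ch.isalnum() and ch != "-":
                findings.append(f"{label!r}: contains U+{ord(ch):04X} "
                                f"{unicodedata.name(ch, '?')}")
    return findings
```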
workaround
0
02/07, 1:43pm, EST
That Firefox workaround is potentially disastrous, because it makes you THINK you've fixed it and you haven't! (I just confirmed that the setting is lost when you restart, even if it's still set to "false." That's a plain old BUG in Firefox.)
Fresh-Faced Recruit
Join Date:Dec 1999
Status:Offline
Agreed...
0
02/07, 1:50pm, EST
adamschneider: Agreed. Firefox forgets to read the preference at startup or something but shows its saved value in the about:config information. I'll have to re-double-click it each time I start up. Yes...it does suck.
Grizzled Veteran
Join Date:Apr 2001
Status:Offline
manually...
0
02/07, 1:51pm, EST
I believe you can edit the file manually. Everything edited with the "about:config" thing is not permanent. I can't remember where it is, though, right off hand. Not at my Mac at the moment. At work on a peecee.
Grizzled Veteran
Join Date:May 2002
Status:Offline
Etiquette?
0
02/07, 2:01pm, EST
Check the details at:

http://www.shmoo.com/idn/homograph.txt

Notice the timeline at the end of the document. They reported the problem to the vendors January 19, 2005, and published details of the exploit yesterday (February 6). Does security etiquette call for more time than that? I thought at least 60 days was the norm.
Fresh-Faced Recruit
Join Date:Sep 2000
Status:Offline
prefs.js
0
02/07, 2:01pm, EST
It's stored in the prefs.js file of your profile and it looks like it's stored correctly when altered by the about:config panel. It looks like the setting is not read at startup though.
Grizzled Veteran
Join Date:Apr 2001
Status:Offline