Firefox Phishing Vulnerability Sparks Hot Debate

A vulnerability in Mozilla's open-source Firefox browser could be exploited, security experts have warned. Despite the hoopla about the superior security of Firefox, Secunia Research reported that the browser could be used by malicious people, know as phishers, to spoof the source URL displayed in the browser's "Download Dialog" box.

"The problem is that long sub-domains and paths aren't displayed correctly, which therefore can be exploited to obfuscate what is being displayed in the source field of the Download Dialog box," said the Secunia advisory.

Secunia rated the flaw "less critical" and has confirmed the vulnerability in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. It added that "other versions may also be affected."

"Currently, no solution is available. However, the vendor reports that this vulnerability will be fixed in upcoming versions of the affected products," Secunia stated in its advisory. The company urged users not to follow download links from untrusted sources.

Mozilla's Response

Mozilla officials could not immediately be reached for comment. However, mozillaZine, the Web log that allows its members to post their thoughts and reactions to the company products and news, offers some insight into this hot debate over browser security.

A blogger that calls himself "mlefevre" writes, "Actually there are probably a bunch of security issues that are due to be disclosed, now that Mozilla 1.7.5 and the aviary 1.0s are out."

Meanwhile, "Charles" posted a response to the clamor earlier this morning, writing, "There are always going to be security issues, with all browsers, specifically with Gecko-based browsers, and increasingly so as they become more popular."

Response Time Critical

Jupiter Research analyst Joe Wilcox agreed with the bloggers that security problems with any browser are no surprise. But he told LinuxInsider that the real test is responsiveness.

"Microsoft's argument is that a commercial developer that has sole access to the source code can respond quicker to flaws than open source counterparts," Wilcox said. "The open source community argues that the "all-eyes" approach diminishes the number of exploits and makes responsiveness quicker than commercial vendors. Who can really respond to flaws the quickest? That's the real question."

Wilcox sees no irony in the fact that Firefox has been touted by many as a more secure alternative to Internet Explorer. Secunia released an advisory about multiple "extremely critical" vulnerabilities in Microsoft's (Nasdaq: MSFT) IE 6 earlier today. Those "extremely critical" flaws compare to Secunia's "less critical" rating of the Mozilla flaws. Again, Wilcox said, security flaws will happen. The test is who can respond the fastest.

Chink in Firefox Armor

Microsoft aside, could this be the end of the beginning for Firefox? Wilcox doesn't think so, but he said it could be a good opportunity for Microsoft to get a little pay back for the finger pointing that Mozilla has done about the software giant's security flaws.

"Finger-pointing can be a very effective marketing tool in high-tech," Wilcox said. "Mozilla has used the tactic against Microsoft and it has proved to be very effective. There's no reason why Microsoft shouldn't turn that around here. That could impact Firefox because people have to make a conscious decision to switch browsers and this news could cause them to wait or decide not to migrate."