Firefox Bug Wriggles Back Into Code
The Mozilla Foundation acknowledged that a once-fixed bug has crept back into Firefox, saying on Tuesday that changes made after version 1.0.2 of the stand-alone browser re-introduced the frame injection vulnerability.
The bug, which hails from 1998, could let attackers insert their own content into a legitimate site, for instance to pose as a log-in and then collect usernames and passwords to online bank accounts.
"While this does not present much risk by itself," said Mozilla in an online alert, "it could be used as part of a spoofing attack.
"[The bug] has cropped up several times over the last few years due to various regressions (changes unintentionally bringing the bug back)," Mozilla's warning went on. Firefox 1.0.3 and 1.0.4 sport the vulnerability, as do Mozilla 1.7.7 and 1.7.8. Earlier versions, however -- Firefox 1.0.2 and Mozilla 1.7.6 -- do not.
A fix has been made to the always-under-development browsers, but a patched edition hasn't been released. Unlike Microsoft's Internet Explorer, Firefox doesn't yet have a patching mechanism that allows relatively small bits of code to be added to an already-installed copy. Instead, Firefox users have had to download and re-install new full versions of the browser to patch flaws. Firefox 1.1, which is scheduled to roll out this summer, is to have a new patching technique.
Although Mozilla recommended a work-around -- closing all other windows and tabs before accessing a site where a critical password is entered -- developers noted that users who had installed the Tab Mix extension (https://addons.mozilla.org/extensions/moreinfo.php?application=firefox&id=625) to Firefox were protected from any exploit.