Posted: 26 February 2005 at 11:26am
bug and IE revisited
Bill Gates last week announced a beta for a new IE 7 browser that may ship later this year. But that still means we have a lot of unpatched items on Secunia's . Unfortunately, IE isn't the only browser that can have security holes.
The Firefox and Mozilla browsers are affected by attacks involving internationalized domain names (IDN), as I described in this space . A hacker using IDN can make a hacking site appear to be any other Web address, such as paypal.com, in these browsers' Address
What to do: The workaround I gave then for these "homograph" attacks — i.e., change network.enableIDN to false in Firefox's about:config settings — has been as a temporary measure. A forthcoming 1.0.1 release of Firefox will set this option to false by default. A better solution that doesn't totally eliminate support for IDN is expected to be included in Firefox 1.1.
A different workaround to eliminate the security hole is to close Firefox, then open the compreg.dat file from the user profile, using a text editor. Look for the entries for IDN and idn and set a quote mark (") at the beginning of those lines. This will disable Firefox's ability to visit sites that use IDN notation, but hopefully this will be only temporary. IE, of course, isn't vulnerable to this problem because it never offered support for the new IDN sites at all.
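The post contrasts two defences: switching IDN off entirely (the network.enableIDN / compreg.dat workarounds) and a finer fix that keeps IDN working while still catching look-alike names. The following script is an added example, not code from the post, Firefox or Mozilla. It shows what a browser or proxy would see on the wire (the xn-- punycode form) and applies both policies to a few hostnames constructed for illustration, one of them a paypal.com look-alike built with a Cyrillic "а". The function names classify, label_scripts and to_punycode, and the heuristic of reading the script from a character's Unicode name, are this example's own choices.

```python
"""Flag IDN homograph look-alikes in hostnames (added example, not from the post).

Two policies are demonstrated:
  1. allow_idn=False: the blunt workaround in the post, refuse any label that
     needs IDN (non-ASCII) encoding at all;
  2. allow_idn=True:  keep IDN, but flag a label that mixes scripts, e.g. a
     Latin "p" next to a Cyrillic "а", which is how paypal.com gets imitated.
"""
import unicodedata


def to_punycode(hostname: str) -> str:
    """Return the ASCII (xn--) form that is actually sent in DNS/HTTP."""
    return hostname.encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one DNS label.

    Heuristic (this example's own, not a real script table): the first word of
    a character's Unicode name is its script, e.g. unicodedata.name("а") is
    "CYRILLIC SMALL LETTER A". Digits and hyphens are script-neutral and skipped.
    """
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        name = unicodedata.name(ch, "")
        if name:
            scripts.add(name.split()[0])
    return scripts


def classify(hostname: str, allow_idn: bool = True) -> str:
    """Return 'ok', 'idn-blocked' or 'mixed-script' for a hostname."""
    for label in hostname.lower().split("."):
        if label.isascii():
            continue  # plain ASCII label, nothing to decide
        if not allow_idn:
            return "idn-blocked"  # policy 1: no IDN at all
        if len(label_scripts(label)) > 1:
            return "mixed-script"  # policy 2: Latin mixed with another script
    return "ok"


def scan(hostnames, allow_idn: bool = True) -> dict:
    """Map each hostname to (wire form, verdict) under the chosen policy."""
    return {h: (to_punycode(h), classify(h, allow_idn)) for h in hostnames}


# Constructed sample hostnames: the real paypal.com, a look-alike whose second
# letter is Cyrillic U+0430, and a legitimate single-script Cyrillic name.
SAMPLES = ["paypal.com", "p\u0430ypal.com", "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444"]

if __name__ == "__main__":
    for policy in (False, True):
        print(f"allow_idn={policy}")
        for host, (wire, verdict) in scan(SAMPLES, policy).items():
            print(f"  {host!r:22} -> {wire:22} {verdict}")
```

The look-alike encodes to xn--pypal-4ve.com, which is what a log line or a DNS query would actually contain, so a detection rule on the wire form can key on the xn-- prefix even where the display name looks innocent. Disabling IDN outright (allow_idn=False) also rejects the legitimate Cyrillic-only name; the mixed-script check lets that one through while still catching the spoof, which is the trade-off the post's "better solution" refers to.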