Danish security firm Secunia discovered a 7-year-old vulnerability in a number of browsers last year. It has popped up again in Firefox and other Mozilla products. The problem is called a "frame injection" vulnerability and it can be quite annoying.


At one time, this was a pretty widespread problem affecting a number of browsers. The list on Secunia's website includes Opera, Netscape, Firefox, Firebird, Mozilla, Internet Explorer, Konqueror, Camino and Safari. The versions vary, but that's still a pretty broad spectrum, especially since most flaws don't hit all the browsers. All the companies involved corrected the problem. But for some insane reason, Mozilla reintroduced it in Firefox 1.0.4, Mozilla 1.7.8 and Camino 0.x.

Secunia rates the potential for spoofing as moderately critical. On its website, Secunia says of the issue:

"The problem is that the browsers don't check if a target frame belongs to a website containing a malicious link, which therefore doesn't prevent one browser window from loading content in a named frame in another window."
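The missing check Secunia describes can be shown with a small model of how a browser picks the frame for a link's target name. This is an added example, not code from Secunia or Mozilla; the window list, the `resolveTarget` function and the `.example` URLs are assumptions, and a real browser's frame lookup is more involved.

```javascript
// Constructed sample state: two open windows, each with its named frames.
// All names and URLs are made up for this illustration.
const openWindows = [
  { id: "w1", url: "https://bank.example/",
    frames: new Map([["main", "https://bank.example/login"]]) },
  { id: "w2", url: "https://news.example/", frames: new Map() },
];

const origin = (url) => new URL(url).origin;

// Decide where a link with target=<targetName>, clicked in window `sourceId`,
// will load its content.
//   checkOwner = false models the flaw: a named frame in ANY window is accepted.
//   checkOwner = true adds the missing check: a frame in another window is only
//   reused when that window's site matches the site containing the link.
function resolveTarget(windows, sourceId, targetName, checkOwner) {
  const source = windows.find((w) => w.id === sourceId);
  if (!source) throw new Error(`unknown window: ${sourceId}`);

  // A frame with that name inside the link's own window is always allowed.
  if (source.frames.has(targetName)) {
    return { action: "navigate-frame", windowId: source.id };
  }
  for (const w of windows) {
    if (w === source || !w.frames.has(targetName)) continue;
    if (!checkOwner || origin(w.url) === origin(source.url)) {
      return { action: "navigate-frame", windowId: w.id };
    }
  }
  // No permitted frame carries that name, so the link opens a new window
  // instead of replacing content inside someone else's frameset.
  return { action: "open-new-window", windowId: null };
}

// Link in the news window targeting the bank window's "main" frame:
console.log(resolveTarget(openWindows, "w2", "main", false)); // reaches w1
console.log(resolveTarget(openWindows, "w2", "main", true));  // new window
```

With the check in place, the other site's frame is never reused and the address bar of the trusted window keeps matching the content shown inside it.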

The forum on Mozilla's website had this to say:

"To protect yourself, close all other windows/tabs before accessing a site where you routinely put in a secure password (e.g. your bank or PayPal account), or your bank or credit card details (e.g. Amazon), or other sensitive data. If you use one of the tabbed browsing extensions and can set it to always open links in new tabs, never in a new window, this also prevents the vulnerability from being exploited."

Secunia has developed a test for checking if your browser has this vulnerability, but the real problem would seem to be that Mozilla didn't carry the fix over from previous editions. The code should've been corrected. Firefox fans can probably expect a 1.0.5 coming out sometime in the future. Mozilla certainly isn't the only one who's had old problems creep back into programs.

Why Does It Do That


On the surface, one may point to the Gecko rendering engine, since most of the browsers originally listed use Gecko, but as IE does not, the problem must lie elsewhere. After a little research, many assertions point to international domain names (IDN) as the culprit. Because other languages may have characters that are very similar, but not identical, to English-language characters, IDN creates problems for the browsers that handle it, particularly with regard to spoofing, which makes use of similar URLs to get users to visit other sites.

This problem got some attention back in February, but it seems to have crept back into existence with the new Mozilla problems. There is a particularly good write-up at Panix.com's forum that explains the problem in detail.

In any event, since the problem had apparently been fixed, it means programmers were using dated code, and they need to work on getting it out of the next version of Firefox.