Firefox spoof bug returns from the dead
The Seven Year Itch
A seven year-old type of vulnerability has been inadvertently re-introduced in the latest versions of Mozilla and Firefox. The resurrected flaw could be used by hackers or potential fraudster to spoof the contents of websites, Danish security alert firm Secunia says.
The security bug - "moderately critical", Secunia says - stems from a failure to check if a target frame belongs to a particular, opened website. This allows one browser window to load content into a named frame of another window.
This frame injection vulnerability has been confirmed in Firefox 1.0.4 and Mozilla 1.7.8. Version 0.8.4 of the Camino browser for Mac OS X - but not version 0.8.3 - is also vulnerable. Other versions may also be affected. Secunia has constructed a test here. It advises surfers to avoid browsing untrusted sites while browsing trusted sites pending a fix from the Mozilla Foundation.
In July 2004, Secunia warned that a similar frame injection vulnerability affected certain flavours of IE and Opera as well as earlier versions of Mozilla. ®