[H-GEN] Open source firm releases patch for IE spoofing flaw

David Starkoff dbs at uq.net.au
Sat Dec 20 01:39:31 EST 2003


At 2003-12-20T12:05+1000, Sandra Milne wrote:

> Jason Parker-Burlingham wrote:
>
> >For what it's worth, the bug affects Mozilla 1.5 also.  I've tested
> >this with Netscape 7.  See http://www.intertwingly.net/blog/1673.html,
> 
> OK I tried this with firebird 0.7 and it correctly displayed
> slashdot.org in the location bar..... does this mean that firebird
> has fixed the 'bug' and mozilla is waiting for 1.6 release candidate
> to fix it?

No; the bug affects Firebird.  The bug isn't where the URL goes to,
it's what's displayed in the status line when you hover over the link.
Although the link is to Slashdot (it's just a variant of the "@"
fake-site hacks which are *so* 2000 or so), Firebird, Mozilla, and IE
(but not, interestingly, Safari) display "http://www.yahoo.com" in the
status bar.

The inconvenient thing is that this works even if you have JavaScript
disabled.

Also, for completeness (since it's scrolled off the Slashdot main
page--<http://slashdot.org/article.pl?sid=03/12/19/0135211>), the
patch authors have been a little less than forthright.  See
<http://lists.netsys.com/pipermail/full-disclosure/2003-December/014933.html>.

Which is, of course, one of the features of an open market--working
out whom to trust.  One would hope that this little stunt emphasises
that security is more than just downloading a purported patch from an
untrusted source.

David.
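The "@" fake-site pattern the message refers to can be checked for on the defensive side by parsing each link and comparing the userinfo part with the host that is actually contacted. The following is an added example, not part of the original message: `inspectLink`, `suspiciousLinks` and the finding labels are hypothetical names, the URLs are constructed, and the control-character check is an extra hardening step that goes beyond what the message describes.

```javascript
// Added example (not from the original post). Uses the standard WHATWG URL
// parser available in browsers and Node.js.

// Text that looks like a hostname: dot-separated labels ending in a TLD.
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;

// Returns the host a link really goes to, plus reasons to distrust it.
function inspectLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { href, realHost: null, findings: ["unparseable"] };
  }
  const findings = [];
  if (url.username !== "" || url.password !== "") {
    findings.push("userinfo-present");
    let user = url.username;
    try {
      user = decodeURIComponent(user); // expose percent-encoded bytes
    } catch {
      // malformed escape sequence: keep the raw username
    }
    // Control characters have no place in a username (assumed policy).
    const visible = user.replace(/[\x00-\x1f\x7f]/g, "");
    if (visible !== user) findings.push("control-char-in-userinfo");
    // "http://www.yahoo.com@slashdot.org/" reads as Yahoo but goes to Slashdot.
    if (HOSTLIKE.test(visible) && visible.toLowerCase() !== url.hostname) {
      findings.push("userinfo-looks-like-other-host");
    }
  }
  return { href, realHost: url.hostname, findings };
}

// Keep only the links that produced at least one finding.
function suspiciousLinks(hrefs) {
  return hrefs.map(inspectLink).filter((r) => r.findings.length > 0);
}

// Constructed sample input.
const sample = [
  "http://slashdot.org/article.pl?sid=03/12/19/0135211",
  "http://www.yahoo.com@slashdot.org/",
];
for (const r of suspiciousLinks(sample)) {
  console.log(`${r.href} -> ${r.realHost} [${r.findings.join(", ")}]`);
}
```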


