Firefox hands out cookies from strangers

Firefox suffers from a flaw that allows attackers to manipulate the authentication cookies of virtually any website, a vulnerability rated severe in Mozilla's Bugzilla tracker. It's the second major security lapse for the open-source browser in as many days.

The defect stems from the way Firefox handles script writes to the "location.hostname" property of the document object model. A specially doctored script can assign hostname values that would never be accepted when parsing a regular URL, and the browser's cookie handling then trusts that hostname, according to researcher Michal Zalewski, who also uncovered Monday's vulnerability.
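The security point here is that cookie scoping is only as strong as the hostname the browser believes it is on: RFC 6265 domain matching decides which sites a script may set cookies for, so a hostname the URL parser would never have produced must be refused before it reaches the cookie code. The following is an added example, not code from the article or from Firefox; it models the check a browser should apply to a script's location.hostname assignment using Node's built-in WHATWG URL parser. The function names and the sample inputs are mine, and the control-character input is constructed to illustrate the class of value the article describes, not a published test case.

```javascript
'use strict';
// Added example, not code from the article or from Firefox. Models the check
// a browser must perform before honouring a script's assignment to
// location.hostname: the value has to be something the ordinary URL parser
// would produce unchanged, because RFC 6265 cookie scoping trusts whatever
// hostname it is handed. Function names and sample inputs are mine; the
// control-character host below is constructed to illustrate the class of
// value the article describes, not a published test case.

// Code points that may never appear in a host (WHATWG URL "forbidden host
// code points", plus every C0 control and DEL).
const FORBIDDEN_HOST_CHARS = /[\u0000-\u0020\u007f#%\/:<>?@\[\\\]^|]/;

// Return the canonical ASCII hostname if `candidate` is a bare host that the
// WHATWG URL parser accepts without splitting or rewriting it; otherwise null.
function canonicalHostname(candidate) {
  if (typeof candidate !== 'string' || candidate.length === 0) return null;
  if (FORBIDDEN_HOST_CHARS.test(candidate)) return null;
  let parsed;
  try {
    parsed = new URL('http://' + candidate);   // Node's built-in WHATWG parser
  } catch (_) {
    return null;                                // parser refused it outright
  }
  // Round-trip check: if the parser found a port, userinfo, path or fragment
  // in the string, it was never a bare hostname. Deliberately strict: IDN
  // labels must already be in punycode form to pass.
  return parsed.hostname === candidate.toLowerCase() ? parsed.hostname : null;
}

// RFC 6265 section 5.1.3: `host` domain-matches `cookieDomain` when they are
// equal, or when host ends in "." + cookieDomain and host is not an IPv4
// literal. A leading dot on the Domain attribute is ignored, as browsers do.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  if (d === '') return false;
  if (h === d) return true;
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(h);
  return !isIPv4 && h.endsWith('.' + d);
}

// Decide whether a script running in a document whose location.hostname is
// `claimedHost` may set a cookie carrying Domain=`cookieDomain`.
function mayScriptSetCookie(claimedHost, cookieDomain) {
  const host = canonicalHostname(claimedHost);
  if (host === null) return false;   // never let a parser-rejected host near the cookie jar
  return domainMatches(host, cookieDomain);
}

// Constructed cases (not from the article).
const cases = [
  ['www.bank.example', 'bank.example'],                   // legitimate first-party write
  ['attacker.example', 'bank.example'],                   // cross-site: blocked by domain matching
  ['attacker.example\u0000bank.example', 'bank.example'], // parser-rejected host: refused before matching
  ['bank.example/', 'bank.example'],                      // parser would split off a path
];
for (const [host, domain] of cases) {
  console.log(JSON.stringify(host).padEnd(42), 'Domain=' + domain, '->', mayScriptSetCookie(host, domain));
}
```

The two-stage design matters: domain matching alone cannot help once a bogus hostname has been accepted, because "attacker.example\u0000bank.example" does end in ".bank.example" as far as a naive suffix test is concerned. The parser round-trip in canonicalHostname is what closes that door, and it is exactly the step the article says Firefox skipped for script-driven hostname writes.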

News source: The Reg

31 Comments

FF has as many holes as IE, if not more. People just have more tolerance with freeware/open source, although IE is free in the first place.

chilliadus said,
FF has as many holes as IE, if not more. People just have more tolerance with freeware/open source, although IE is free in the first place.

And you're full of ****. The list of FF vulnerabilities is a fraction of the size of the list for IE.

Mistwaver said,

And you're full of ****. The list of FF vulnerabilities is a fraction of the size of the list for IE.

So then if you compared the amount of time that both programs have been around and the number of users using each, it'd come out even right?

The patch for this bug has already landed and will be in Firefox 1.5.0.10 and 2.0.0.2 when they're released.

Bug Filed @ 2007-02-14, 15:23 PST
Patched @ 2007-02-15, 17:14 PST

And that is why I use Maxthon. Best browser around!

www.maxthon.com - go for it, and enjoy (without the bugs!)

Well whaddya know. They gain popularity, they get f*cked.

Good luck all you people that switched from IE7. You can be concerned with all those IE flaws that you'll rarely encounter all you want. FF just had two major ones in like what, a week?

Davo said,
Well whaddya know. They gain popularity, they get f*cked.

Good luck all you people that switched from IE7. You can be concerned with all those IE flaws that you'll rarely encounter all you want. FF just had two major ones in like what, a week?


IE7 has more outstanding unpatched vulnerabilities than Firefox has ever had, so STFU.

Croquant said,

IE7 has more outstanding unpatched vulnerabilities than Firefox has ever had, so STFU.

So, IE7 has more unpatched bugs than Firefox has had in its history?

Jgamer88 said,
Firefox < Opera

Open Source < Freeware

YEP!!
I've changed to Opera from Maxthon and still can't understand the blind love for FF. Secunia has always dispelled the myth that FF is safe.

When will people learn

Yeah, I just hate it when flaws in a product are found and quickly patched; I much prefer them to be hidden and to have to rely on the company to release a fix.

The_Decryptor said,
Yeah, I just hate it when flaws in a product are found and quickly patched; I much prefer them to be hidden and to have to rely on the company to release a fix. :rolleyes:

Nice try, but FF has had flaws for years that remain unpatched. You really should inform yourself before you try to call out someone else's post.

Ver. 2


Ver. 1.X

Blaxima said,

Nice try, but FF has had flaws for years that remain unpatched. You really should inform yourself before you try to call out someone else's post.

Ver. 2


Ver. 1.X

I went to that site, but it looks like I personally was only affected by one of those flaws, since I have the password manager DISABLED, as I feel that's a security issue right there by having it on: anyone who has access to your PC can pretty much see the passwords (assuming a master password is not set, which I believe there is NO master password by default for most users when they use the password manager, as I don't think it asks to set one. For me though, I just think it's a bad idea to have your passwords stored in ANY web browser in general).

Also, I think the other security issue can be a lot less likely to get nailed by just sticking to visiting only sites you KNOW are legit. Doing this should keep most people safe.

Haha and these FireFox users reckon it's more secure than IE 7...


Haha I look forward to somebody finding some more flaws in Sh**eFox in the next couple of days...

‹-cJr-› said,
Haha and these FireFox users reckon it's more secure than IE 7...


Haha I look forward to somebody finding some more flaws in Sh**eFox in the next couple of days...

Yeah, but we get our patches handed out ASAP, not "Okay guys, when do you want to release this? Next month? May?" Besides, if you paid attention to even the slightest details, you'd notice that Microsoft has fixed some flaws in their browser as well (with a few that still need patching). No software is perfect, flaws are always found, and yes, I do hope someone can find more flaws in Firefox, IE7, and Opera. Why? Because it will only help make these browsers safer.

Now do the world a favor and shut up.

MountainSnake said,
:blink: How can you prefer IE7 over Firefox?? Newbie? :confused:

I prefer to use Opera to both; but at uni that's not possible. I can use Firefox (without access to secure servers (https)), or IE with access to secure servers. It's to do with the **** way Firefox handles my department's proxy servers.

MountainSnake said,
:blink: How can you prefer IE7 over Firefox?? Newbie? :confused:

Umm, why not? I mean, it's a matter of personal preference right? I prefer IE7 to Firefox.

Firefox has actually been driving me crazy over the last few days as I've been doing some web development work for a personal project of mine. Writing javascript for Firefox is so annoying since they don't use a normal DOM and have to do everything their own stupid way. I mean, wtf is "MozOpacity" - is the W3C one not good enough for them?

I think Firefox is "overall" more secure than IE7 due to the fact it's not nearly as known! That right there makes it quite a bit less likely someone will attempt to exploit Firefox over IE.

But honestly, I think IE improved quite a bit with IE7 when it comes to security, although I think IE7's interface SUCKS compared to Firefox 2's. Microsoft should have kept it similar to IE6's, as that was MUCH better.

But the bottom line is it's all personal preference. Like I say though, I think I'll stick with Firefox 2 for sure now, since I think IE7's interface sucks!

Brandon Live said,
Firefox has actually been driving me crazy over the last few days as I've been doing some web development work for a personal project of mine. Writing javascript for Firefox is so annoying since they don't use a normal DOM and have to do everything their own stupid way.

Then perhaps you should learn the W3C DOM, as that is the one Firefox uses, and not rely on Microsoft's proprietary crap one, assuming it is The Way It Is Done [tm].
I mean, wtf is "MozOpacity" - is the W3C one not good enough for them?

Hmm. Your ignorance is showing. Again.
-moz-opacity / MozOpacity is the name that is given to the element opacity and was introduced BEFORE W3C defined what opacity actually was. Think of it like pre-N routers; 802.11n hasn't been ratified yet, but some manufacturers have an idea of what it entails and have provided proprietary support for it.

Perhaps you'd like to call Konqueror rubbish as well as that has -khtml-opacity. Or do you prefer the totally non-standard filter: crap
In any case Safari and Mozilla support opacity "properly" so you don't need to be using MozOpacity anyway: see quirksmode.org

Dakkaroth said,

Yeah, but we get our patches handed out ASAP, not "Okay guys, when do you want to release this? Next month? May?" Besides, if you paid attention to even the slightest details, you'd notice that Microsoft has fixed some flaws in their browser as well (with a few that still need patching). No software is perfect, flaws are always found, and yes, I do hope someone can find more flaws in Firefox, IE7, and Opera. Why? Because it will only help make these browsers safer.

Now do the world a favor and shut up.

So true. What, you need the patch now? You'll have to wait until Patch Tuesday.