Monday, November 20, 2006

IE 7 vs Firefox 2

According to reports, Mozilla Firefox 2 and Microsoft Internet Explorer 7 (IE) are both vulnerable to a bug that steals the login-id and password of users, with the help of a fake log-in page.

The bug has been dubbed as "Reverse Cross Site Request vulnerability" (RCSR) by Robert Chapin, who first discovered the flaw.

Reportedly, the attack was first carried out from a profile page using a specially crafted HTML that hides the genuine MySpace content from the page, and displays the fake login page instead. The fake page is then sent to another Web site, along with information regarding MySpace users who visited the page using Firefox.

The attacks seen on My are likely to move on to Firefox as well because the Firefox Password Manager automatically enters any savedpasswords and user-id/s into the form, whereas IE is not capable of filling in the saved information automatically.

Therefore, Firefox is more likely to get affected by the flaw, as compared to IE.

According to Chapin, users of both Firefox and IE need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses as well. Further, an RCSR attack is more likely to succeed than an XSS attack because neither IE nor Firefox are designed to check the destination of form data before the user submits them.

Moreover, the browser doesn't indicate the exploitation as it is conducted on a trusted Web site.

As of now, no fix has been issued by Mozilla, and it's not very clear if the other versions of Firefox are also affected by the flaw. Users have been advised to disable the "Remember passwords for sites" from the preference link in Firefox.

Additionally, these attacks could also be highly effective against firewall of local network servers and HTTPS addresses that are not otherwise accessible because the attacker does not need direct access.

No comments: