Tuesday, February 08, 2005

Firefox security alert and fix

I'm a big Firefox user and I know a lot of you are too, so I wanted to share this post on O'DonnellWeb that details a Firefox security vulnerability and how to fix it.  Note that this fix is very easy, but you are screwing around with configuration settings of the browser, so be careful.  From the post:

This is scary, Firefox is vulnerable to a specific type of phishing attack. See demo at http://www.shmoo.com/idn/

Here is the fix.

1) Goto your Firefox address bar. Enter about:config and press enter. Firefox will load the (large!) config page.

2) Scroll down to the line beginning network.enableIDN -- this is International Domain Name support, and it is causing the problem here. We want to turn this off -- for now. Ideally we want to support international domain names, but not with this problem.

3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!), click Ok. You are done.

4) Go check out the shmoo demo again and notice it no longer works

No comments: