Welcome to Clean It Up; the UK's largest cleaning forum with over 34,000 members

 


stevegunn

Firefox Users - VULNERABILITY
« on: February 08, 2005, 06:03:57 am »
Just found this on Netcraft:

http://news.netcraft.com/archives/2...ofing_flaw.html

"All non-Microsoft browsers include a flaw that allows URL spoofing using Unicode characters, which can be exploited by phishing scams seeking to steal login information for online banking accounts. The spoofing flaw, which is demonstrated on the web site of the Shmoo Group, works in the Firefox, Mozilla and Opera browsers, as well as the Safari browser for Macs.

The spoof exploits flaws in how the browsers interpret Unicode characters. A link using Unicode characters to replace the letter "a" in "Paypal" will display as www.paypal.com in the browser, but send users to www.xn--pypal-4ve.com - which then displays "www.paypal.com" in its address bar. A similar spoof works on SSL-enabled URLs (https) commonly used on banking and e-commerce sites.

Unicode is a broader character set that includes non-English characters as well as symbols, which is being used on the Internet to support Internationalized Domain Names (IDN). The affected browsers support IDN, while Microsoft's Internet Explorer does not.

The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration (enter about:config in the address bar to access the configuration functions). There is no known workaround yet for Opera or Safari, according to a Bugtraq post from Shmoo, which describes itself as "a non-profit think-tank comprised of security professionals" and hosted the Shmoocon conference over the weekend.

URL spoofing exploits are useful to Internet phishing scams, making it easier to trick victims into sharing sensitive information with bogus web sites constructed by fraudsters, which can be coded to present a target institution's URL in the address bar. The impact of the spoofing flaw is limited by the low usage of non-IE browsers, but comes as Firefox is making inroads into Internet Explorer's dominant market position, gaining up to 5 percent of users by some accounts."

It's a quick enough fix, I'd do it now!
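Added example, not part of the thread or the quoted article: Python that converts each label of a hostname between its Unicode form and the `xn--` form, and flags any label whose letters come from more than one script, which is how the look-alike "a" in the spoofed PayPal name shows up. The function names and the mixed-script rule are assumptions for illustration, not how any browser decides what to display.

```python
import unicodedata


def label_scripts(label):
    """Return the set of scripts used by the letters in one Unicode label."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # Unicode names begin with the script, e.g.
            # "LATIN SMALL LETTER A" vs "CYRILLIC SMALL LETTER A".
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def check_hostname(host):
    """Report the ASCII (xn--) form, a safe display form and mixed-script labels."""
    ascii_labels, shown, suspicious = [], [], []
    for label in host.lower().rstrip(".").split("."):
        # Accept either form: decode xn-- labels, keep Unicode labels as given.
        uni = label.encode("ascii").decode("idna") if label.startswith("xn--") else label
        ace = uni.encode("idna").decode("ascii")
        ascii_labels.append(ace)
        if len(label_scripts(uni)) > 1:
            # Letters from several scripts in one label: show the raw xn-- form
            # so the reader sees it is not the plain Latin name.
            suspicious.append(ace)
            shown.append(ace)
        else:
            shown.append(uni)
    return {
        "ascii": ".".join(ascii_labels),
        "display": ".".join(shown),
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    # Hostname from the quoted article; \u0430 is CYRILLIC SMALL LETTER A.
    for name in ("www.p\u0430ypal.com", "www.paypal.com", "b\u00fccher.de"):
        print(name.encode("unicode_escape").decode(), check_hostname(name))
```

A label written entirely in one non-Latin script passes this check, so it only covers the mixed-script case shown in the article.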

George-Reid

  • Posts: 264
Re: Firefox Users - VULNERABILITY
« Reply #1 on: February 08, 2005, 08:40:00 am »
Steve
Thanks for the info, not that I understand half of what it's about.
Sorry to be daft, but how do you change true to false? Tried highlighting, select etc., can't seem to change it.
Cheers

George
Spectrum Advanced Services Ltd
The Specialist In Wheeled Bin Washing
Domestic, Bulk, Commercial & Industrial
Equipment Supply
Environmental Best Practice Green Apple Award Winner
N.E. Scotland

Dennis

  • Posts: 2044
Re: Firefox Users - VULNERABILITY
« Reply #2 on: February 08, 2005, 01:03:40 pm »
Double click it George.

George-Reid

  • Posts: 264
Re: Firefox Users - VULNERABILITY
« Reply #3 on: February 08, 2005, 01:17:22 pm »
Thanks Dennis, job done
Cheers
George

stevegunn

Re: Firefox Users - VULNERABILITY
« Reply #4 on: February 08, 2005, 01:19:51 pm »
This has now come up on The Register.

It is more serious than I first believed. The patch I gave is not enough.

To test your Firefox, open http://secunia.com/multiple_browsers_idn_spoofing_test. This is a test at Secunia (a security company web site). If you run this test and the URL showing on your browser is http://www.paypal.com, then your browser is vulnerable.

This also affects Netscape and Opera by the looks of it, as well as Safari on the Mac. All of these browsers are derived from the same Mozilla lineage, I believe.

Not only is this vulnerability in the wild, but it is now public knowledge. I am tempted to switch back to IE 6 until this is fixed. I don't expect this to be too long.

BTW, you are hearing about this vulnerability because Firefox is an open source product. If it was Internet Explorer, you would be hearing a load of denials and flannel from M$. And, believe me, there will be people working on a fix right now.

Dennis

  • Posts: 2044
Re: Firefox Users - VULNERABILITY
« Reply #5 on: February 08, 2005, 02:33:03 pm »
I'm getting into open source, my 3 month old Dell hard drive has failed and the computer has gone for a new one. My surfing is being done on an 8 year old Dell running Ubuntu Linux and Firefox on dial up as the old one can't handle USB broadband modem. :o

Mark Roberts

  • Posts: 390
Re: Firefox Users - VULNERABILITY
« Reply #6 on: February 08, 2005, 04:59:22 pm »
A simple way of avoiding this problem is to type the URL into the address bar. Don't follow links from untrusted sources.

Mark