New browser exploit - all browsers affected (except IE!)

Mouton · 02-07-2005, 11:21 AM

Nothing ioFTPD-related, but I think this is big enough to warrant a post here:

New exploit that works in all browsers (Safari, Opera, Firefox, etc.) but not IE(!)
http://www.boingboing.net/2005/02/06..._exploit_.html

Scary.
Especially with no known (working) fix...
(The Firefox suggested fix doesn't work.)

FTPServerTools · 02-07-2005, 05:33 PM

And Maxthon which is way better then ie anyway. It is more like IE on super steroids..
Popupblocker, tabbed windows, skins, loads and loads of plugins etc...

wooolF[RM] · 02-07-2005, 10:22 PM

Maxthon uses IE's engine (thus it's not affected).

Mouton · 02-08-2005, 10:08 AM

For Safari users: The new version of Saft (and the new free Saft Lite) offers a warning box dialog until Apple can fix the browser proper. http://haoli.dnsalias.com

SnypeTEST · 02-08-2005, 03:17 PM

The firefox fix works for me.

wooolF[RM] · 02-08-2005, 09:00 PM

Works? o.O Bug is still marked as not fixed...

Were u talking about that "fix" with compreg.dat? It's not a very good solution anyway as the file gets regenerated each time you install/reinstall new extension... And disabling all idn service lookups isn't great either...

Mouton · 02-08-2005, 09:01 PM

Safari's Saft got the right way to handle this I think... popup a dialog when a phishing attack is probable. User can then decide if it's a valid IDN or not.

wooolF[RM] · 02-08-2005, 09:16 PM

Weird that FF/Mozilla devs haven't fixed this yet. Usually they are pretty fast

ADDiCT · 02-09-2005, 12:16 AM

The 'bug' actually lies in the standard, the affected browsers can only be blamed for correctly implementing this (bad) standard. IE gets away with it because it's outdated and didn't implement it yet

Bratell · 02-09-2005, 12:53 AM

Quote:

Originally posted by ADDiCT
The 'bug' actually lies in the standard, the affected browsers can only be blamed for correctly implementing this (bad) standard. IE gets away with it because it's outdated and didn't implement it yet

Exactly, It has it advantages to be 3 years behind the competition.

wooolF[RM] · 02-14-2005, 04:07 AM

Finally some solututions for my fav browser - Firefox!

Disable IDN support in firefox, for good:
http://friedfish.homeip.net/extensions/no-idn.xpi

Trustbar for firefox - shows punycoded IDN, and allows for better SSL management
http://trustBar.mozdev.org