[hblug] Firefox Flaw Could Let Attackers Fake Connections
Michael Adams
linux_mike at paradise.net.nz
Sat Feb 17 10:32:33 NZDT 2007
On Sat, 17 Feb 2007 08:58:17 +1300
Michael Adams wrote:
> Original story
> http://www.cbc.ca/technology/story/2007/02/15/tech-firefoxcookiebug-20070215.html
> http://www.f-secure.com/weblog/archives/archive-022007.html#00001114
>
> On Fri, 16 Feb 2007 15:57:52 +1300
> Perry Spiller wrote:
>
> > Firefox Flaw Could Let Attackers Fake Connections
> > Thursday, February 15, 2007 | CBC News
> >
> > A flaw in the Firefox web browser could trick people into
> > thinking they are connected to a trusted site when the
> > program is actually receiving data from an attacker.
> >
> > The vulnerability, which affects all versions of Firefox's web
> > browser, could allow a specially designed website to
> > manipulate the authentication cookies for trusted websites
> > such as an online bank, said F-Secure Corp. of Helsinki,
> > Finland, in a post to its security blog. That could allow an
> > attacker to steal sensitive information.
> >
>
> Fascinating on several counts.
> The story doesn't seem to have reached Slashdot or Mozillazine.
> My default config (ask if every new site can post cookies) beats it.
> Test your Firefox here.
> http://lcamtuf.dione.cc/ffhostname.html
>
> F-Secure are the authors of F-Prot antivirus which is a good (read
> cheap) business virus checker. Ten licenses for US$50 with discounts
> for NPOs and educational institutions. Yet they seem to have in this
> case broken one of the cardinal rules of net security. Advise the
> software manufacturer first to allow a fix to be engineered before
> releasing the news.
>
Belay that, F-Risk are the authors of F-Prot. Sorry.