There is a bug in Mozilla’s flagship Firefox browser related to the way the browser handles obfuscated URLs in iFrames. However, a Mozilla official said the bug poses “very low” risk to users.
Johnathan Nightingale of Mozilla said in a blog post late Tuesday that the bug poses little risk to users. “This issue poses very low risk to users. This attack relies on user confusion about the true destination of a link, and only someone examining the HTML source of the page would ever see the deceptive URL. Most users do not view the source of loading pages, and are therefore unlikely to be impacted by this attack,” Nightingale, the director of development for Firefox, wrote.
He added that the company doesn’t plan to fix the bug, as there is little chance of it being exploited. “There is currently no fix in plan since Mozilla does not believe this can be used to attack users. Firefox ships with built-in phishing and malware protection that warns users if they are attempting to visit a dangerous URL, and these attempts at deception do not impact that protection,” he wrote.
The problem of URL obfuscation is not a new one, and neither is it novel for attackers to use iFrames as an infection vector for visitors to a compromised Web site. Web-based attacks have been employing various forms of URL obfuscation for years now, and iFrames are a favorite of attackers because of their ability to perform malicious actions in the background of a victim’s Web session.
The new flaw, which already is in the Mozilla Bugzilla system, is in all of the current versions of Firefox, according to researchers at Web application security firm Armorize. URL obfuscation often is used by attackers to hide the true address of a malicious site that they’re directing users to, typically as part of a phishing or drive-by download attack. But browsers now check for this behavior and will warn users when a URL appears to have been tampered with, explaining that this may not be the site they’re looking for.
Full story @ threatpost.com
