IE 7 Less Vulnerable than Firefox 2?
Techtree News Staff, Nov 23, 2006 1706 hrs IST
Mozilla Firefox 2 and Microsoft Internet Explorer 7 (IE) are both vulnerable to a bug that steals the login-id and password of users...
According to reports, Mozilla Firefox 2 and Microsoft Internet Explorer 7 (IE) are both vulnerable to a bug that steals the login-id and password of users, with the help of a fake log-in page.
The bug has been dubbed the "Reverse Cross Site Request vulnerability" (RCSR) by Robert Chapin, who first discovered the flaw.
Reportedly, the attack was first carried out from a profile page using specially crafted HTML that hides the genuine MySpace content from the page, and displays the fake login page instead. The fake page is then sent to another Web site, along with information regarding MySpace users who visited the page using Firefox.
The attacks seen on MySpace.com are likely to move on to Firefox as well, because the Firefox Password Manager automatically enters any saved passwords and user IDs into the form, whereas IE is not capable of filling in the saved information automatically.
Therefore, Firefox is more likely than IE to be affected by the flaw.
According to Chapin, users of both Firefox and IE need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses as well. Further, an RCSR attack is more likely to succeed than an XSS attack because neither IE nor Firefox is designed to check the destination of form data before the user submits it.
Moreover, the browser gives no indication of the exploitation, because it is conducted on a trusted Web site.
As of now, no fix has been issued by Mozilla, and it is not clear whether other versions of Firefox are also affected by the flaw. Users have been advised to disable the "Remember passwords for sites" option in the Firefox preferences.
Additionally, these attacks could also be highly effective against servers on a firewalled local network and HTTPS addresses that are not otherwise accessible, because the attacker does not need direct access.
i AM ONE OF THE "BLACK HELICOPTER" GROUP THAT BELIEVES MICROSOFT USES ie TO TRACK EVERYWHERE THE OPERATOR GOES. i ENJOY READING COMPARISON ARTICLES. hOWEVER, WHEN IT COMES TO TRUST, FIREFOX IS THE ONLY WAY TO GO! tHE MAIN VALUE OF ie IS ACCESS TO UPDATES.
by LARRY G, WAUKESHA, on Nov 23, 2006 07:39 PM
Is today opposite cAPSLOCK dAY lARRY? hehe.. lay off the booze brotha!
by UnHoly, Miami, on Nov 26, 2006 09:55 AM
by жо&, NY, on Nov 21, 2007 05:29 PM
I'm sort of lost, was trying to find out what (amyours2.com meant) saw it on some e-mail and was trying to track down a person's screen name & e-mail address. Are there ways to do this?? Help Please Pat
by pat, Anchorage Alaska, on Jan 06, 2007 11:00 AM
With the new threat made public, if it is big enough, sure Microsoft will release an update. But I think that if users are careful with auto-fill kinda features, they can possibly avoid entering data into false web pages.
by Senthil Kumar, Chennai, on Nov 23, 2006 08:27 PM
This is nothing new; we already knew IE was more secure than FF in 2006: www.FirefoxMyths.com
by Andrew, US, on Nov 23, 2006 07:13 PM
1st, if you think IE is more secure than FF you are a moron. 2nd, this article is just another MSP (Microsoft propaganda) article; I mean, they are saying FF is more vulnerable since it can save passwords... what the hell does that mean? They are both vulnerable, the same. I can't really tell the diff between Microsofts and morons these days
by your moma, somehwere, on Nov 24, 2006 01:24 PM
I agree. There is nothing special about FF anymore. I use Opera and the second choice is IE 7. I have seen enough times when people start calling names (like moron) when they can't face fact.
by zimmer, London, on Nov 24, 2006 07:42 PM
Either an idiot or he works for Microsoft (much more likely)...
by gtirebiter, New York, on Nov 24, 2006 09:32 PM
Hi Andrew, I agree with you that IE was more secure than FF in 2006. Not only in 2006; it is secure till the end.
by Andrew, mumbai, on Nov 30, 2006 02:18 PM
Switch on to Opera, it is the best
by Omkar, Pune, on Nov 29, 2006 03:18 PM
by Sanjay, Ujjain, on Nov 25, 2006 10:11 AM
After reading this article and hearing countless other horror stories about FF, I am grateful that I never got caught up in the frenzy to convert to FF. IE has never failed me and never will!!!
by Ken, Eugene, on Nov 25, 2006 04:36 AM
You're a fool to give in to mindless FUD. FireFox has never failed me and never will; I can ensure it won't since I have the source code at the tip of my fingers. The real victims here are the brainless people who fall for such simple phishing antics. After all, it isn't the browser's job to supply its user a brain.
by James, None, on Nov 25, 2006 07:49 AM
Use FF password manager for non-critical sites like forums. Critical passwords like bank account etc. can be specifically excluded (Tools>Options>Security>Passwords>Exceptions). External password managers like KeePass may be used for critical sites.
by Upendran, Chennai, on Nov 24, 2006 07:27 PM
PayPal's gotten hit by the same thing. Look in the URL. If it's overflowing or close to, you're on a fake site. I was sent a phony email asking me to verify my PayPal information, and it took me to a bogus site that almost fooled me at first glance. Firefox actually popped up a warning about that site, but keep your eyes open.
by david, waverly, on Nov 24, 2006 12:42 PM
by Soutiman, Navi Mumbai, on Nov 24, 2006 10:56 AM
I don't know about everyone else, but I get pretty tired of these supposed security flaws cropping up all over the news. Sure, if you visit malicious websites, bad things happen. If you were to drive your car off a cliff, bad things would happen, yet we don't consider this a problem with the car. What we're having to do here is baby the clueless to avoid being labeled as "vulnerable to exploit". If people had to get a licence before "driving" a web browser, there'd be fewer "accidents" on the information highway.
by Dale, Bowling Green, on Nov 24, 2006 12:18 AM
by Nick, Portland, on Nov 24, 2006 01:12 AM
The best comment I have read so far. I wish a lot of people to have this kind of common sense.
by henry, montreal, on Nov 24, 2006 06:36 AM
It is true and absolutely correct.
by Dav, PALO ALTO, on Nov 24, 2006 05:54 AM
Of course you realise that this is a bit bogus, as FF vulnerabilities are more transparent as coders have access to source code and can find problems easier. FF are also generally more technical. There will be lots of as yet unfound vulnerabilities in IE. FF's will also be fixed faster. Although good job to MS for getting there, now if they could just fix the CSS and other formatting bugs.
by Aaron, Auckland, on Nov 24, 2006 05:19 AM
This is ridiculous! Why do people want to do this to us?!?! HEY PPL... M.Y.O.F.B!
by Matthew Archer, Oxnard, CA, on Nov 24, 2006 02:17 AM
I never autofill, never allow the site to remember my pw. That's why they have paper/pen. So jot down the pws there and don't let Firefox store or any website anything. I wonder about bank bill pay sites. My bank has got some good inscription and they ask me periodically to verify other than pws.
by Gloria, Denver, on Nov 24, 2006 02:16 AM
For Firefox do this: Edit > Preferences > Tab > Security, uncheck "remember passwords for the sites". "What the big deal?" I don't know what to do with IE
by shaharyar rao, islamabad, on Nov 23, 2006 06:15 PM
NoScript is a must have extension for all Firefox users. This will prevent unwanted JS code execution.
by Ajith, Dehradun, on Nov 23, 2006 07:35 PM
Screw you, you lousy freak!!!
by жо&, NY, on Nov 21, 2007 05:33 PM